PaulDotCom mailing list archives

Re: SOC common/best practise?


From: CP Constantine <conrad () 1211 net>
Date: Thu, 22 Jul 2010 01:10:56 -0400

On 7/21/2010 4:41 PM, k41zen Me wrote:
      3) Not enough information about the alert being sent to the correlation engine?

largely, this (in my not so humble experience).

Security decisions are largely driven by context. Log correlation is 
largely about providing context via corroboration. But log entries 
themselves rarely contain actual information, they contain summaries of 
information...

The system I've been building for our CIRT, takes the correlated alerts 
as a driver, and then hooks back to the controls those logs came from, 
to extract and collate the source data into a complete incident report 
that has the entire contextual dataset to give that 'at a glance' big 
picture case file to work from. Then it goes and adds asset/org/tech 
data for the entities present, to bring that case file into the light of 
business process context as well.

Correlation engines are 'just another security control' - they're a good 
hub control to tie other controls together, and produce context via 
corroboration between controls as an initial driver for response action, 
but they still aren't the end product to the workflow chain. (yet).



_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
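The alert-driven case-file workflow described in the post, as an added example in Python that is not the author's CIRT system; the three control event stores, the asset inventory and the alert's (control, event_id) reference format are constructed assumptions:

```python
"""Alert-driven case-file assembly: take a correlated alert, hook back to the controls
that produced its underlying events, collate them, and attach asset/org context."""

# Constructed raw event stores for three controls (what an alert only summarises).
CONTROL_EVENTS = {
    "fw":   [{"id": "fw-7",    "ts": "2010-07-21T16:02:09Z", "src": "10.0.5.7",
              "dst": "10.0.9.20", "dport": 22, "action": "allow"}],
    "ids":  [{"id": "ids-901", "ts": "2010-07-21T16:02:11Z", "src": "10.0.5.7",
              "dst": "10.0.9.20", "msg": "SSH brute force"}],
    "auth": [{"id": "auth-44", "ts": "2010-07-21T16:02:40Z", "host": "10.0.9.20",
              "user": "backup", "result": "failure"},
             {"id": "auth-45", "ts": "2010-07-21T16:03:05Z", "host": "10.0.9.20",
              "user": "backup", "result": "success"}],
}
# Constructed asset/org inventory keyed by IP.
ASSETS = {
    "10.0.9.20": {"hostname": "db01",   "owner": "finance",  "tier": "production"},
    "10.0.5.7":  {"hostname": "ws-117", "owner": "helpdesk", "tier": "user"},
}

def fetch_source_events(refs):
    """Resolve the alert's (control, event_id) references to the full events.
    Dangling references are reported back, never silently dropped."""
    index = {ctl: {e["id"]: e for e in evs} for ctl, evs in CONTROL_EVENTS.items()}
    found, missing = [], []
    for ctl, eid in refs:
        ev = index.get(ctl, {}).get(eid)
        if ev is None:
            missing.append((ctl, eid))
        else:
            found.append(dict(ev, control=ctl))   # tag each event with its origin
    return found, missing

def entities_in(events):
    """Every host/IP the collated events mention, whichever field holds it."""
    return {ev[k] for ev in events for k in ("src", "dst", "host") if k in ev}

def build_case_file(alert):
    """Assemble the 'at a glance' case file: raw timeline plus business context."""
    events, missing = fetch_source_events(alert["refs"])
    timeline = sorted(events, key=lambda e: e["ts"])
    unknown = {"hostname": None, "owner": "unknown", "tier": "unknown"}
    entities = {ip: ASSETS.get(ip, unknown) for ip in entities_in(timeline)}
    return {
        "alert": alert["name"],
        "timeline": timeline,            # oldest first, each tagged with its control
        "entities": entities,            # asset/org data for every host involved
        "unresolved_refs": missing,      # gaps the analyst needs to know about
        "production_impact": any(a["tier"] == "production" for a in entities.values()),
    }
```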

