Security Basics mailing list archives

RE: Logging Archival Solutions?


From: "Ahsan Khan" <jahilkhan () verizon net>
Date: Tue, 28 Aug 2007 14:43:15 -0400

Hi,

        It depends on what you want to achieve by implementing a log collection
solution.

        A SIM device like the RSA solution will collect all the data as fast as
possible (maybe faster than other products in the market) but may not
create a relationship between an attack happening to an MS Windows server where
the packet is travelling from a Cisco router to a switch to a server.

        Normally, if one's edge devices/firewalls are from a single vendor
and servers and other devices are from others, it's a good idea to have two
different solutions in place which can understand each other.

        Cisco MARS has achieved this by integrating with the MS MOM solution. So
now, from edge device to switching to firewall to VLANs to the server, a
packet flow is traceable, which enables us to isolate and identify a
situation very quickly.

        Moreover, if one has an IPS solution implemented and integrated into the
above setup, it works great (considering everything is configured right).

        Please note that the effectiveness of these solutions also depends on the
knowledge of the administrator and available resources. If configured right, these
solutions provide alerting systems which, if an attack is detected, can
rapidly alert a security team of the attack happening.

One can spend hours on this discussion, but a person with knowledge of the
current setup is the best judge for implementing the solution.


Regards
Ahsan Khan


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of jplee3 () yahoo com
Sent: Monday, August 27, 2007 12:46 PM
To: security-basics () securityfocus com
Subject: Logging Archival Solutions?

Hi all,
   Just wondering what your takes are on the logging solutions out there.
Specifically with regard to PCI DSS. I know there are a TON of companies
focusing their efforts on helping fulfill req 10 and audit trails. It seems
like there are quite a few out there who can effectively correlate and
perform forensics on log data. My concern is that it still seems there is a
hole or something missing in the overall picture.

Obviously, we're not all going to be monitoring these log servers/appliances
24/7 (unless you hire people to do 24/7 in shifts), so what if an attack
(i.e. brute force à la TJ Maxx) successfully occurs over the weekend or when
someone ISN'T watching or tending to their cellphone/pager/email/etc for
whatever reason? 
Yes, the logging appliance will capture the attack and record it, but
assuming no action or intervention was taken, by that time the system(s)
will have been compromised.

So again, it seems like many companies are focusing in on the forensics
aspect, which I believe is important, especially in court. But what about
doing more to actively prevent attacks?  What about automated remediation
and active response?

I'm trying not to be biased here, but the only company I've seen who has
taken big steps towards this is TriGeo. Has anyone else here heard of them?
Or have any experience using their solution? I've only sat in on a demo and
have read a bunch of whitepapers, and most other SIMs/logging solutions/etc
pale in comparison. 
It just seems easier/less confusing to use overall. I've also sat in on
Cisco MARS, CSA, and RSA EnVision demos and wasn't nearly as impressed with
any of these solutions. 
CSA, potentially coming the closest in terms of endpoint security/policy
enforcement, seems interesting, but not nearly as flexible or powerful in
terms of policies, rule sets, and automated defined responses per a specific
action.

I'm just trying to get a sense here from what others have done, but it seems
hard to find a good amount of people who can or are willing to share. Maybe
it's because most of us are still working at it and have the same questions
I do, or haven't even thought of it yet (in which case: you better get on
it!). Or is it because many people are just secretive about the whole thing?
I guess I could understand why if so... but why not just tell us a) what
you're using, and b) why you like it - I don't see anything that could
jeopardize your company in providing such information.

Oh well, I'm really trying to push TriGeo with my managers but I've been
finding it difficult. They're partial to Cisco MARS/CSA because we already
have a Cisco contact/sales engineer and outside consultants who also
strongly advise mostly Cisco stuff. I just think most people here are deep
into the Cisco mindset. So sometimes it's hard thinking outside the box.

Any opinions would be greatly appreciated.


Thanks!
-J
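Both messages circle the same gap: Ahsan's point that a useful SIM must relate a Windows logon failure to the firewall and router records for the same source so the path in is traceable, and J's worry that a weekend brute force is captured by the logging appliance but nobody acts on it. The Python below is an added example and is not code from the thread or from any product named in it (MARS, enVision, CSA, TriGeo). The three log formats, host names, the year assigned to syslog timestamps, the threshold and window, the ACL syntax and the never-block ranges are all simplified assumptions, and the sample lines are constructed. It normalises lines from a firewall, a router and a Windows server into events, groups them by source address, raises an alert when a burst of failed logons crosses a threshold inside a time window, lists every device that saw that source around the burst, and generates a candidate block rule, refusing to do so for internal ranges.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not taken from the thread). The message bodies are
# simplified, assumed formats loosely modelled on a firewall, a router and a
# Windows Security event forwarded over syslog; real products differ.
SAMPLE_LOGS = [
    "Aug 25 02:00:01 fw01 Built inbound TCP connection 100 for outside:203.0.113.7/51001 to inside:10.0.0.5/3389",
    "Aug 25 02:00:01 rtr01 list 101 permitted tcp 203.0.113.7(51001) -> 10.0.0.5(3389), 1 packet",
    "Aug 25 02:00:02 win-srv1 Security: EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator",
    "Aug 25 02:00:03 win-srv1 Security: EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=administrator",
    "Aug 25 02:00:04 win-srv1 Security: EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=admin",
    "Aug 25 02:00:05 win-srv1 Security: EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=root",
    "Aug 25 02:00:06 win-srv1 Security: EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=sa",
    "Aug 25 02:00:07 win-srv1 Security: EventID=4625 LogonType=10 SrcIP=203.0.113.7 User=backup",
    # One mistyped password from an internal workstation, then success: no alert.
    "Aug 25 02:05:00 win-srv1 Security: EventID=4625 LogonType=2 SrcIP=10.0.0.23 User=jdoe",
    "Aug 25 02:05:09 win-srv1 Security: EventID=4624 LogonType=2 SrcIP=10.0.0.23 User=jdoe",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# One pattern per assumed source format; each yields src (and dst where known).
# Lines matching none of them (e.g. the successful 4624 logon) are dropped.
PATTERNS = [
    ("conn", re.compile(r"Built inbound TCP connection \d+ for \w+:(?P<src>[\d.]+)/\d+ to \w+:(?P<dst>[\d.]+)/\d+")),
    ("conn", re.compile(r"permitted tcp (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\(\d+\)")),
    ("logon_fail", re.compile(r"EventID=4625 .*SrcIP=(?P<src>[\d.]+) User=(?P<user>\S+)")),
]
# Assumed policy: ranges an automated response must never block. A brute force
# arriving through the office NAT or VPN pool would otherwise let us block ourselves.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line, year=2007):
    """Normalise one syslog line into an event dict, or None if unrecognised.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S").replace(year=year)
    for kind, rx in PATTERNS:
        hit = rx.search(m["msg"])
        if hit:
            return {"ts": ts, "host": m["host"], "kind": kind, "src": hit["src"],
                    "dst": hit.groupdict().get("dst", m["host"])}
    return None


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Group events by source address; alert on a burst of failed logons and
    report every device that saw the same source around that burst."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["kind"] == "logon_fail"]
        for i, first in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last = burst[-1]
            # Devices that logged this source from one window before the burst to its end:
            # the firewall/router/server chain Ahsan describes.
            seen_on = sorted({e["host"] for e in evs
                              if first["ts"] - window <= e["ts"] <= last["ts"]})
            alerts.append({"src": src, "target": last["host"], "failures": len(burst),
                           "start": first["ts"], "end": last["ts"], "path": seen_on})
            break  # one alert per source; later bursts would only repeat it
    return alerts


def block_rule(alert, acl="101"):
    """Candidate edge ACL entry for an alert, or None when policy forbids it.
    The ACL syntax is illustrative; a real deployment pushes the change through
    the device's own management interface, and a human or orchestrator decides."""
    src = ipaddress.ip_address(alert["src"])
    if any(src in net for net in NEVER_BLOCK):
        return None
    return "access-list %s deny ip host %s any" % (acl, src)


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print("ALERT %s -> %s: %d failed logons between %s and %s; seen on %s"
              % (a["src"], a["target"], a["failures"], a["start"].time(), a["end"].time(),
                 ", ".join(a["path"])))
        print("  proposed response:", block_rule(a) or "none (protected range)")
```

Two points a practitioner would want before wiring anything like this to an IPS or firewall: the never-block list is the part that keeps "automated remediation" from turning into self-inflicted denial of service (NAT gateways, VPN concentrators, monitoring hosts and partner ranges belong on it), and the generated rule is output for a person or an orchestrator to apply and expire, not something the correlation engine should push on its own over a weekend.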

