Anton Chuvakin wrote:
>> All the current trend toward legislating compliance has accomplished is setting the bar very low, and encouraging companies to look only at meeting that standard. I've had senior IT managers tell me "We are going to do the exact minimum, wherever possible."
>
> No kidding - but, at the same time, those organizations who used to fly (eh, crawl) BELOW that low bar would benefit if they are kicked into doing at least *something*. So, I am a bit more positive about such compliance motivators.
I'm not. The other aspect of working towards compliance is that organisations often only focus on those things that you have to be compliant with. Given limited IT Security budgets this is sometimes at the expense of what could actually be important. It also sometimes leads to the thinking - "We're SOX/PCI/CoBIT etc etc compliant and therefore secure".
>
>> In log analysis terms, that means that the logs go to a big bucket which is periodically dumped into the compost heap.
>
> Indeed, this is common but compare this to a) never enabling logging or b) disabling logging or c) storing logs based on short default retention policy on each device? A huge improvement, isn't it?
And the value add is? You spend all that money on log aggregation and retention but do nothing with the logs? Where is the security and business benefit here? What exactly is the business case? "Gee it'd be nice if we had all these logs in one place" wouldn't be moving my dollars.
>
>> Nobody'll look in the bucket until someone passes legislation requiring people to LOOK at it. And, of course, when that happens, they'll do the exact minimum, &c...
>
> Well, this already happened: e.g. PCI. It doesn't define what "looking" means, but running a log analysis tool sure beats just running a tape drive to save the logs...
Unless 'looking' is defined, linked to business requirements and security outcomes/benefits, then what exactly are you analysing? Again, what's the value add?
Regards
James Turnbull
--
James Turnbull <james lovedthanlost.net>
---
Author of Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/)
Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)
_______________________________________________
LogAnalysis mailing list
LogAnalysis lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis