Policy, Standards, Regulations & Compliance
Re: Compliance Product Recommendation Jul 27 2007 05:46PM
doug simpson bz (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:10PM
Mark Curphey (mark curphey com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:31PM
ljknews (ljknews mac com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:42PM
Mark Curphey (mark curphey com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 05:04PM
ljknews (ljknews mac com)
At 4:42 PM +0200 7/28/07, Mark Curphey wrote:

> How can a tool check to see that logs files are reviewed and acted on
> appropriately? They can only check to see if an admin looked at the logs.
> Surely there is a big difference? I don't want someone just looking at them,
> I want them reviewing them and acting appropriately. Maybe that's the
> difference between compliance and good information security!

No, my point is that if they never looked at them (or did not look often
enough) they are not doing it right. The human might ask about review of
logs, but checking for the truth regarding frequency of review is a dull
boring task best done by automation.

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
> Behalf Of ljknews
> Sent: Saturday, July 28, 2007 4:32 PM
> To: psrc (at) securityfocus (dot) com
> Subject: RE: Compliance Product Recommendation
>
> At 4:10 PM +0200 7/28/07, Mark Curphey wrote:
>
>> Take # 1 FW's as an example. Best practice (over hyped term) would suggest
>> someone reviews the logs and approves rule changes for a limited period of
>> time. The solutions I have seen don't touch on this.
>
> The "reviews logs" part is easily susceptible to automation, putting an
> Audit Access Control Entry into the Access Control List for the log. One
> certainly must interview humans to see what actions they are taking based
> on log reviews, but the automated tool gives the assurance that a human
> (for NIST SP 800-53 AU-6) or an automaton (for NIST SP 800-53 AU-6 (1))
> really is reading those logs every hour/day/week/fortnight.
>
> There seem to be tons of "log management" tools in the field. Are you
> saying that none of them even check on review of logs themselves?
> --
> Larry Kilgallen

--
Larry Kilgallen
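As an added example (not from the thread or either poster) of the automation Larry describes, the script below takes an audit trail of reads of a log file, such as an audit ACE or a read-access audit rule would produce, and reports every interval in which no designated reviewer opened it, which is the AU-6 frequency check a tool can do before a human asks what was done about the entries. The key=value record format, file names, reviewer accounts and timestamps are constructed assumptions; a real audit subsystem needs its own parser.

```python
"""Compliance check: was a log actually opened by a reviewer often enough
(NIST SP 800-53 AU-6 review frequency)? Input is an audit trail of reads of
the log file, such as a read-access audit rule would produce. The record
format below is a constructed, simplified key=value form (an assumption);
real audit subsystems emit their own formats and need their own parser."""
from datetime import datetime, timedelta

# Constructed sample audit trail: one record per open-for-read of a log.
AUDIT_RECORDS = """\
time=2007-07-23T09:05:00 file=/var/log/fw/fw.log user=alice op=read
time=2007-07-24T08:55:00 file=/var/log/fw/fw.log user=alice op=read
time=2007-07-25T03:00:00 file=/var/log/fw/fw.log user=backup op=read
time=2007-07-27T10:15:00 file=/var/log/fw/fw.log user=bob op=read
time=2007-07-23T09:10:00 file=/var/log/ids/alerts.log user=alice op=read
time=2007-07-24T09:12:00 file=/var/log/ids/alerts.log user=alice op=read
"""
REVIEWERS = {"alice", "bob"}  # accounts that count as human reviewers (assumption)
MONITORED = ["/var/log/fw/fw.log", "/var/log/ids/alerts.log", "/var/log/vpn/vpn.log"]

def reviewer_reads(text):
    """Yield (timestamp, file) for every read by a designated reviewer;
    reads by service accounts such as backup jobs do not count as review."""
    for line in text.splitlines():
        f = dict(kv.split("=", 1) for kv in line.split())
        if f.get("op") == "read" and f.get("user") in REVIEWERS:
            yield datetime.fromisoformat(f["time"]), f["file"]

def review_gaps(text, max_gap_hours, window_start, window_end, monitored=MONITORED):
    """Return {file: [(start, end), ...]} of intervals (ISO strings) longer than
    max_gap_hours with no reviewer read, per monitored file, between the
    window bounds. A file nobody ever opened yields the whole window as a gap."""
    max_gap = timedelta(hours=max_gap_hours)
    reads = {f: [] for f in monitored}
    for ts, f in reviewer_reads(text):
        if f in reads:
            reads[f].append(ts)
    gaps = {}
    for f, times in reads.items():
        prev = datetime.fromisoformat(window_start)
        for ts in sorted(times) + [datetime.fromisoformat(window_end)]:
            if ts - prev > max_gap:
                gaps.setdefault(f, []).append((prev.isoformat(), ts.isoformat()))
            prev = ts
    return gaps

if __name__ == "__main__":
    for f, spans in review_gaps(AUDIT_RECORDS, 24, "2007-07-23T00:00:00",
                                "2007-07-28T17:00:00").items():
        for a, b in spans:
            print(f"{f}: no reviewer read between {a} and {b}")
```

The backup account's read is deliberately ignored, since an automated copy is not a review; the gap list is the evidence the interviewer can put in front of the humans.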

Copyright 2010, SecurityFocus