Policy, Standards, Regulations & Compliance
Re: Compliance Product Recommendation
Aug 01 2007 05:09PM
doug simpson bz
Mark, the tools that I mentioned can help automate a lot more than 25%.
I agree this would be an interesting paper or test.
My % was based on looking at the PCI doc and figuring out what parts these tools can automate. Can one of these tools do all the automation - doubtful.
If we take your log example - there are software tools that can bring those logs into a centralized place and parse through them looking for the particular entries that you want to read. These tools can also send an alert for specific entries an admin may be looking for - i.e. access denied.
However, to get to this point there needs to be human manual interaction. I know of no software that is truly plug and play. The admin will have to ask the question - what entries am I concerned about, what alerts do I want, how often do I want to collect these logs ... The admin or admins will also have to read these logs or specific entries - more human interaction.
Getting to the point where these tools are humming and the relevant info is getting to the right people in the correct forms - yes, it will need manual interaction.
I was just at a client's site where they wanted to enter a list of approved software into our solution and run this against all their 6000 plus workstations. A lot of solutions can automate this, saving an admin a lot of time. However, even though the admin does not have to visit each desktop and laptop, he/she still needs to read reports that tell him/her if their PCs are compliant with their written policies. Then decide how to remediate, which can be automated or a manual process.
In the end the company has to ask the question: do we want to spend money and/or time on tools that could help automate this task, or stay the course of manually tackling this task?
From: ljknews [mailto:ljknews (at) mac (dot) com]
Sent: Saturday, July 28, 2007 12:04 PM
To: psrc (at) securityfocus (dot) com
Subject: RE: Compliance Product Recommendation
At 4:42 PM +0200 7/28/07, Mark Curphey wrote:
> How can a tool check to see that log files are reviewed and acted on
> appropriately? They can only check to see if an admin looked at the logs.
> Surely there is a big difference? I don't want someone just looking at them,
> I want them reviewing them and acting appropriately. Maybe that's the
> difference between compliance and good information security!
No, my point is that if they never looked at them (or did not look often
enough) they are not doing it right. The human might ask about review of
logs, but checking for the truth regarding frequency of review is a dull
boring task best done by automation.
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
> Behalf Of ljknews
> Sent: Saturday, July 28, 2007 4:32 PM
> To: psrc (at) securityfocus (dot) com
> Subject: RE: Compliance Product Recommendation
> At 4:10 PM +0200 7/28/07, Mark Curphey wrote:
>> Take # 1 FW's as an example. Best practice (over hyped term) would suggest
>> someone reviews the logs and approves rule changes for a limited period of
>> time. The solutions I have seen don't touch on this.
> The "reviews logs" part is easily susceptible to automation, putting an
> Audit Access Control Entry into the Access Control List for the log. One
> certainly must interview humans to see what actions they are taking based
> on log reviews, but the automated tool gives the assurance that a human
> (for NIST SP 800-53 AU-6) or an automaton (for NIST SP 800-53 AU-6 (1))
> really is reading those logs every hour/day/week/fortnight.
> There seem to be tons of "log management" tools in the field. Are you
> saying that none of them even check on review of logs themselves?
> Larry Kilgallen
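As an added example (not from the thread or from any product mentioned in it), the review-frequency check described in the quoted reply can be sketched in Python: given audit records of who read a log, it reports the windows in which no designated reviewer opened it. The record format, paths and account names are constructed assumptions, and a read event shows only that the log was opened, not that anyone acted on it.

```python
from datetime import datetime, timedelta

# Constructed sample audit trail (hypothetical format, not a real product's):
# "<ISO timestamp> <account> <access> <object>"
SAMPLE_AUDIT = """\
2007-07-01T09:00:00 alice READ /var/log/fw.log
2007-07-01T09:05:00 backupsvc READ /var/log/fw.log
2007-07-02T08:30:00 alice READ /var/log/fw.log
2007-07-02T10:00:00 bob WRITE /var/log/fw.log
2007-07-05T16:00:00 bob READ /var/log/fw.log
2007-07-05T16:10:00 bob READ /var/log/app.log
garbled line
"""

def parse_audit(text):
    """Yield (time, account, access, obj); skip lines that do not parse."""
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield when, parts[1], parts[2], parts[3]

def review_gaps(text, log_path, reviewers, max_interval, start, end):
    """Return (from, to) windows longer than max_interval with no reviewer read."""
    reads = sorted(
        when for when, account, access, obj in parse_audit(text)
        if obj == log_path and access == "READ"
        and account in reviewers and start <= when <= end
    )
    gaps, previous = [], start
    for point in reads + [end]:
        # A gap runs from the last review (or period start) to the next one.
        if point - previous > max_interval:
            gaps.append((previous, point))
        previous = point
    return gaps

if __name__ == "__main__":
    for a, b in review_gaps(SAMPLE_AUDIT, "/var/log/fw.log", {"alice", "bob"},
                            timedelta(days=1), datetime(2007, 7, 1),
                            datetime(2007, 7, 7)):
        print(f"no review between {a} and {b}")
```

Reads by service accounts such as the constructed `backupsvc` are excluded by the reviewer set, so a backup job touching the file does not count as a review.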
Copyright 2010, SecurityFocus