Re: [loganalysis] why read your logs?

From: Keith Hayes (hayesat_private)
Date: Tue Sep 11 2001 - 11:58:46 PDT

    Hey Tina,
    
    I have done exactly what Lance S. suggested since March of 2000.
    This can be quite a challenge. Here is an actual real-world log monitoring
    example, and maybe one reason your audience may be reluctant to take on this
    task.
    
    I have a cable modem connected to the Internet and deployed a vast array of
    security measures. I have gathered and correlated the logs and events from a
    Firewall, NIDS, HIDS, WEB SERVER, EMAIL SERVER, various OS LOGS, and others
    and witnessed the following:
    
    ALERTS    EVENTS
    123608     256416
    
    Note: Events are just that, events that have happened.
    Alerts are escalated Events that matched some type of signature or have been
    the correlation of multiple less severe events.
    Here's what I had to do.
    Start with the complexity of just securely gathering and monitoring firewall
    logs, IDS alerts, OS logs, phone switch (PBS) logs, router traps, application
    logs, and who knows what else. They're all in different formats.
    
    I can't effectively review all that data by myself.
    We must have an expert system do spoof validation, associations, historical
    analysis, and removal of benign alerts (etc.).
    Next, implement a huge database, reduce the data, and maybe run some trend
    analysis and/or do some data warehousing research.
    
    What about containment and eradication when a security breach is identified?
    
    It is easy to see why this can be a difficult task.
    
    There's more but you get the point.
    Yeah, this is completely anal. But it's what entails effective LOG
    MONITORING. I call it Active Security Monitoring, Analysis and Containment.
    The eradication procedure is another story.
    
    Your audience needs to understand that MOST of the security products they
    have been deploying over the last couple of years, hopefully, can be quite
    helpful. However, they must be treated as components of the entire system.
    Yes, they must be analyzed on a technology-by-technology basis, but all the
    technologies unified and diligently monitored can provide a unique window
    into what's actually going on from a security standpoint.
    
    Sorry for such a long remark. Let me know if you would like to discuss this
    any further.
    
    BTW: As we all know how public domain lists can be, please read the
    following. I apologize in advance if this email goes against your beliefs,
    condescends or pokes fun at the product(s) you or your company deploys, or
    in any way pushes the wrong button. This is what I personally have
    experienced from my own and other networks I have monitored.
    
    Best Regards,
    
    Keith Hayes
    
    
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: loganalysis-unsubscribeat_private
    For additional commands, e-mail: loganalysis-helpat_private
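The pipeline the post describes (gather feeds in different formats, normalize them, escalate signature hits, correlate several less-severe events into one alert, and drop known-benign sources), as an added example that is not part of the original message. The log lines, the two sensor formats and the KNOWN_BENIGN list are constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real logs): a firewall feed and a NIDS feed,
# deliberately in two different formats.
FIREWALL_LOG = [
    "2001-09-11 11:40:01 DENY TCP 10.0.0.5:43112 -> 192.168.1.10:22",
    "2001-09-11 11:40:03 DENY TCP 10.0.0.5:43113 -> 192.168.1.10:23",
    "2001-09-11 11:40:04 DENY TCP 10.0.0.5:43114 -> 192.168.1.10:80",
    "2001-09-11 11:41:00 DENY UDP 10.0.0.9:5000 -> 192.168.1.10:53",
]
NIDS_LOG = [
    "Sep 11 11:40:02 nids[101]: SIG=portscan 10.0.0.5 -> 192.168.1.10",
    "Sep 11 11:52:00 nids[101]: SIG=portscan 10.0.0.9 -> 192.168.1.10",
]
KNOWN_BENIGN = {"10.0.0.9"}  # hypothetical: an internal scanner we expect to see
FW_RE = re.compile(r"^(\S+ \S+) DENY \S+ (\S+):\d+ -> (\S+):\d+$")
NIDS_RE = re.compile(r"^(\w+ \d+ \S+) nids\[\d+\]: SIG=(\S+) (\S+) -> (\S+)$")

def normalize(fw_lines, nids_lines, year=2001):
    """Parse both formats into one common event record, sorted by time."""
    events = []
    for line in fw_lines:
        m = FW_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append({"ts": ts, "sensor": "fw", "sig": None,
                           "src": m.group(2), "dst": m.group(3)})
    for line in nids_lines:
        m = NIDS_RE.match(line)
        if m:  # syslog-style stamp has no year, so supply one
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "sensor": "nids", "sig": m.group(2),
                           "src": m.group(3), "dst": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, threshold=3, window_s=60):
    """Signature hits escalate directly; plain denies escalate only when
    `threshold` of them from one source fall inside `window_s` seconds;
    events from known-benign sources are discarded before either rule."""
    alerts, denies = [], defaultdict(list)
    for e in events:
        if e["src"] in KNOWN_BENIGN:
            continue
        if e["sig"]:
            alerts.append(("signature:" + e["sig"], e["src"], e["ts"]))
            continue
        bucket = denies[e["src"]]
        bucket.append(e["ts"])
        bucket[:] = [t for t in bucket if (e["ts"] - t).total_seconds() <= window_s]
        if len(bucket) >= threshold:
            alerts.append(("correlated:repeated-deny", e["src"], e["ts"]))
            bucket.clear()
    return alerts

ALERTS = correlate(normalize(FIREWALL_LOG, NIDS_LOG))
```

Six events go in and two alerts come out, which is the event-to-alert reduction the post's counts are about; the threshold, window and benign list are the knobs an operator tunes per environment.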
    



    This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 12:42:48 PDT