Hey Tina,

I have done exactly what Lance S. suggested since March of 2000. This can be quite a challenge. Here is an actual real-world log monitoring example, and maybe one reason your audience may be reluctant to take on this task.

I have a cable modem connected to the Internet and have deployed a vast array of security measures. I have gathered and correlated the logs and events from a firewall, NIDS, HIDS, web server, email server, various OS logs, and others, and witnessed the following:

    ALERTS    EVENTS
    123608    256416

Note: Events are just that, events that have happened. Alerts are escalated Events that matched some type of signature or have been the correlation of multiple less severe events.

Here's what I had to do. Start with the complexity of just securely gathering and monitoring firewall logs, IDS alerts, OS logs, phone switch (PBX) logs, router traps, application logs, and who knows what else. They're all in different formats. I can't effectively review all that data by myself. We must have an expert system do spoof validation, associations, historical analysis, removal of benign alerts, etc. Next, implement a huge database, reduce the data, and maybe run some trend analysis and/or do some data warehousing research. What about containment and eradication when a security breach is identified? It is easy to see why this can be a difficult task. There's more, but you get the point.

Yeah, this is completely anal. But it's what entails effective LOG MONITORING. I call it Active Security Monitoring, Analysis and Containment. The eradication procedure is another story.

Your audience needs to understand that MOST of the security products they have been deploying over the last couple of years, hopefully, can be quite helpful. However, they must be treated as components of the entire system. Yes, they must be analyzed on a technology-by-technology basis, but all the technologies unified and diligently monitored can provide a unique window into what's actually going on from a security standpoint.

Sorry for such a long remark. Let me know if you would like to discuss this any further.

BTW: As we all know how public domain lists can be, please read the following. I apologize in advance if this email goes against your beliefs, condescends or pokes fun at the product(s) you or your company deploys, or in any way pushes the wrong button. This is what I personally have experienced from my own and other networks I have monitored.

Best Regards,
Keith Hayes
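An added example, not part of Keith's post or any product he mentions, of the event-to-alert step he describes: lines in three different formats (constructed firewall, NIDS and sshd samples, not real logs) are normalized onto one record, known-good events are removed, and the rest are escalated per source IP either on a signature hit or on the correlation of several lesser events seen by more than one technology. The signature ID, hostnames, addresses and threshold are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in three formats (not real logs): firewall drops,
# one NIDS signature hit, and sshd entries from the OS auth log.
RAW_LOGS = [
    "Mar 12 10:01:02 fw1 DROP src=203.0.113.7 dst=198.51.100.5 dport=22",
    "Mar 12 10:01:05 fw1 DROP src=203.0.113.7 dst=198.51.100.5 dport=23",
    "[**] [1:1000001:1] CONSTRUCTED SCAN signature [**] 203.0.113.7 -> 198.51.100.5",
    "Mar 12 10:01:09 host5 sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar 12 10:01:11 host5 sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2",
    "Mar 12 10:02:00 fw1 DROP src=192.0.2.44 dst=198.51.100.5 dport=445",
    "Mar 12 10:02:30 host5 sshd[900]: Accepted publickey for alice from 192.0.2.9 port 40000 ssh2",
]
# One regex per source format; each yields the fields the common record needs.
PARSERS = [
    ("firewall", re.compile(r" (?P<kind>DROP) src=(?P<src>[\d.]+) ")),
    ("nids", re.compile(r"\[\*\*\] \[[\d:]+\] (?P<kind>.+?) \[\*\*\] (?P<src>[\d.]+) ->")),
    ("hids", re.compile(r"sshd\[\d+\]: (?P<kind>Failed password|Accepted \w+) .* from (?P<src>[\d.]+) ")),
]
BENIGN_KINDS = {"Accepted publickey"}  # known-good events removed before correlation

def normalize(line):
    """Map one raw line onto a common {source, kind, src} record, or None."""
    for source, rx in PARSERS:
        m = rx.search(line)
        if m:
            rec = {"source": source, "kind": m["kind"], "src": m["src"]}
            return None if rec["kind"] in BENIGN_KINDS else rec
    return None  # unknown format: needs a human or a new parser, not silence

def correlate(events, threshold=3):
    """Escalate events to alerts per source IP: a NIDS signature hit always
    alerts; otherwise >= threshold lesser events seen by more than one
    technology do (the 'correlation of multiple less severe events')."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        sources = {e["source"] for e in evs}
        signature = any(e["source"] == "nids" for e in evs)
        if signature or (len(evs) >= threshold and len(sources) > 1):
            alerts[src] = {"events": len(evs), "sources": sorted(sources),
                           "reason": "signature" if signature else "correlation"}
    return alerts

def summarize(lines):
    """Return (event_count, alerts) for a batch of raw lines from all sources."""
    events = [e for e in map(normalize, lines) if e]
    return len(events), correlate(events)
```

Running `summarize(RAW_LOGS)` on the constructed batch yields 6 events and a single alert for 203.0.113.7, while the lone firewall drop from 192.0.2.44 stays an event, which is the event/alert split the post's counts reflect.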
This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 12:42:48 PDT