Hello, I have been mostly lurking here, but have to throw in my two cents. I work for "insert large organization which should know better". Everyone there is aware of the need for log analysis. There are just no resources to do it. Yes, this is bad management, bad security practice, bad on every level. However, that does not change the fact that the resources are not there, nor are likely to be there any time in the near future. Yes, management knows about the issue. Given some knowledge of this particular industry, we are not a rare case. I am certain that there are many others out there in this position.

I believe that a service like this has merit, though not in its current form. I would not send logs out via email in any case; some of them would just be too large, not even considering the security implications. However, we might consider, given appropriate contracts and NDAs, a VPN arrangement where the logs were transferred. For this service to be of use you would need to be able to handle multiple gigs of log data quickly and securely, and of course be willing to have your arrangements scrutinized on site and your code and configurations gone over with a fine-tooth comb.

I know you are not in a position to do this now, but I thought I would throw in some ideas on how it could work.

Adrian

----- Original Message -----
From: "Jay D. Dyson" <jdysonat_private>
To: "Log Analysis" <loganalysisat_private>
Sent: Tuesday, June 18, 2002 2:46 PM
Subject: Re: [logs] OT: 'Automated Log Analysis'

> On Tue, 18 Jun 2002, NixGuru wrote:
>
> > > It's a good idea, but the implementation is fraught with
> > > complications that I would sooner prefer to avoid.
> >
> > This is one of my main concerns: how to build a trustworthy relation
> > with a potential user of the analysis system? Especially considering
> > that, from a client's perspective, the logs are sent to a third party,
> > they are in cleartext, and who knows for what they will be used?
>
> That sort of trust is difficult to earn and easy to lose. This
> strikes me as a case of "best of intentions" (and we all know what road is
> paved with those).
>
> > As you say, you would prefer to have such an analysis tool locally. And
> > I agree. BUT. And here's the big BUT. There are a huge amount of sites
> > that do not monitor their logs at all. Simply because they don't have
> > the resources. Be it time, funding, knowledge or whatever. They just
> > don't have it. So, to at least offer some sort of analysis, which in
> > itself is an advanced process, these non-analyzed sites can simply
> > e-mail their logs to the service, and receive a report.
>
> Most folks I've encountered who didn't monitor their logs were
> unaware that they *should* monitor their logs. I can't tell you how many
> recovery efforts in which I've been involved wherein everyone at the
> affected site didn't understand how an attacker got through their
> firewall. When asked where the firewall logs were and who reviewed them,
> the Doe-in-the-Headlights look told the whole story.
>
> It's not a matter of resources, nor is it typically a matter of
> funding. It's more a matter of simple awareness.
>
> I encourage you to GPL your log analysis tool and release it for
> local use. If you're wanting to build trust in your proposed solution,
> that would be a very good start.
>
> -Jay
>
> "There's always time for a good cup of coffee"
> Jay D. Dyson -- jdysonat_private
> I'll be diplomatic...when I run out of ammo.

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
---------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Tue Jun 18 2002 - 15:40:40 PDT