[logs] Re: Which reports are most important?

From: todd glassey (todd.glassey@private)
Date: Sun May 21 2006 - 13:45:07 PDT


Anton, I think it's more granular than that. And the concept of "Top five
reports" is a misnomer.

Reports are created to prove very specific things in the form of corporate
or entity policies. So there are a set of reports or sorted output from
multiple reports making up the 'reporting' for each 'security task' that
implements some policy. Thus, the relation is from the report to the Policy
and Control it provides. In the Audit World these are called Monitoring
Controls and report in the form of Direct testimony as the events that
happen within them.

That said - the power list is the COBIT, ISO17799, or ITIL control list that
the specific reports meet the operating requirements of.

Todd Glassey

----- Original Message ----- 
From: "Anton Chuvakin" <anton@private>
To: <cbrenton@private>
Cc: <LogAnalysis@private>
Sent: Thursday, May 18, 2006 9:16 PM
Subject: [logs] Re: Which reports are most important?


> Chris and all,
>
> IMHO, there can't be a Top 5 list. To make it possible, you have to
> consider the role of the report recipient.
>
> E.g.
>
> Top 5 Reports for a SysAdmin
> Top 5 Reports for a Security Analyst
> Top 5 Reports for a CSO
>
> And yes, I do have the lists - will send it later...
>
> On 5/17/06, Chris Brenton <cbrenton@private> wrote:
> > Hey all,
> >
> > I'm involved with helping SANS organize the logging summit this July. As
> > part of that, I was hit with a question that I thought could be best
> > answered via feedback from the group.
> >
> > What do you feel are the top 5 reports a centralized log management
> > system should provide?
> >
> > For example, a few I came up with:
> >
> > Authentication failures (Web, system access, VPNs, etc.)
> > Access failures (HTTP scripts, recursion requests, etc.)
> > Initialization of new/unknown processes
> > Unexpected outbound traffic through the firewall (IRC, TFTP, SMTP, etc.)
> >
> > I would love to see a similar list from other folks on the list.
> >
> > Cheers,
> > Chris
> >
> >
> > _______________________________________________
> > LogAnalysis mailing list
> > LogAnalysis@private
> > http://lists.shmoo.com/mailman/listinfo/loganalysis
> >
>
>
> -- 
> Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
>      http://www.chuvakin.org
> http://www.securitywarrior.com

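The four example reports Chris lists (authentication failures, access failures, new/unknown processes, unexpected outbound firewall traffic), as an added illustration that is not part of this thread: a small Python script that buckets constructed syslog-style lines into those report categories and counts them by a report-specific key. The log formats, host names, users and addresses are invented for the example; a real log management system would parse the formats its own devices emit.

```python
import re
from collections import Counter

# Constructed sample lines in a simplified syslog format; hosts, users and
# addresses are invented for this example.
SAMPLE_LOGS = """\
May 17 10:01:02 web01 sshd[123]: Failed password for admin from 198.51.100.7 port 50000 ssh2
May 17 10:01:05 web01 sshd[123]: Failed password for admin from 198.51.100.7 port 50001 ssh2
May 17 10:02:10 vpn01 openvpn[88]: TLS Error: auth failure for user bob from 203.0.113.9
May 17 10:03:00 web01 httpd: 203.0.113.9 - - "GET /cgi-bin/test.cgi" 403
May 17 10:03:30 dns01 named[77]: client 203.0.113.9#5353: recursion request denied
May 17 10:04:00 db01 kernel: audit: new process started: /tmp/.cache/updater pid=4242
May 17 10:05:00 fw01 kernel: OUTBOUND DROP SRC=10.0.0.5 DST=192.0.2.1 PROTO=TCP DPT=6667
May 17 10:05:30 fw01 kernel: OUTBOUND ACCEPT SRC=10.0.0.8 DST=192.0.2.2 PROTO=TCP DPT=443
May 17 10:06:00 fw01 kernel: OUTBOUND ACCEPT SRC=10.0.0.5 DST=192.0.2.3 PROTO=UDP DPT=69
"""

# Destination ports treated as unexpected outbound traffic (IRC, TFTP, SMTP from the list).
UNEXPECTED_OUTBOUND_PORTS = {6667: "IRC", 69: "TFTP", 25: "SMTP"}

AUTH_FAIL = re.compile(r"(?:Failed password for|auth failure for user) (?P<user>\S+) from (?P<src>[\d.]+)")
ACCESS_FAIL = re.compile(r'(?P<src>[\d.]+) - - "(?P<req>[^"]+)" 40[13]'
                         r'|client (?P<src2>[\d.]+)#\d+: (?P<reason>recursion request denied)')
NEW_PROCESS = re.compile(r"new process started: (?P<path>\S+)")
OUTBOUND = re.compile(r"OUTBOUND \w+ SRC=(?P<src>[\d.]+) DST=[\d.]+ PROTO=\w+ DPT=(?P<dpt>\d+)")


def build_reports(log_text):
    """Bucket each log line into one of the four reports, counting by a report-specific key."""
    reports = {
        "auth_failures": Counter(),        # (user, source ip) -> count
        "access_failures": Counter(),      # (source ip, request or reason) -> count
        "new_processes": Counter(),        # executable path -> count
        "unexpected_outbound": Counter(),  # (internal source ip, service) -> count
    }
    for line in log_text.splitlines():
        if m := AUTH_FAIL.search(line):
            reports["auth_failures"][(m["user"], m["src"])] += 1
        elif m := ACCESS_FAIL.search(line):
            src = m["src"] or m["src2"]  # whichever alternative matched
            reports["access_failures"][(src, m["req"] or m["reason"])] += 1
        elif m := NEW_PROCESS.search(line):
            reports["new_processes"][m["path"]] += 1
        elif m := OUTBOUND.search(line):
            service = UNEXPECTED_OUTBOUND_PORTS.get(int(m["dpt"]))
            if service:  # ordinary outbound traffic (e.g. 443) stays out of the report
                reports["unexpected_outbound"][(m["src"], service)] += 1
    return reports
```

Calling `build_reports(SAMPLE_LOGS)` returns one Counter per report; the auth failure report, for instance, shows two failures for `admin` from `198.51.100.7`.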



This archive was generated by hypermail 2.1.3 : Sun May 21 2006 - 21:18:12 PDT