[logs] Re: on database logging

From: James Turnbull (james@private)
Date: Wed Mar 21 2007 - 19:51:39 PST


Anton Chuvakin wrote:
>> All the current trend toward legislating compliance has
>> accomplished is setting the bar very low, and encouraging
>> companies to look only at meeting that standard. I've had
>> senior IT managers tell me "We are going to do the exact
>> minimum, wherever possible."
> 
> No kidding - but, at the same time, those organizations who used to
> fly (eh, crawl) BELOW that low bar would benefit if they are kicked
> into doing at least *something*. So, I am a bit more positive about
> such compliance motivators.

I'm not.  The other aspect of working towards compliance is that
organisations often only focus on those things that you have to be
compliant with.  Given limited IT Security budgets this is sometimes at
the expense of what could actually be important.  It also sometimes
leads to the thinking - "We're SOX/PCI/CoBIT etc etc compliant and
therefore secure".

> 
>> In log analysis terms, that means that the logs go to a big
>> bucket which is periodically dumped into the compost
>> heap.
> 
> Indeed, this is common but compare this to a) never enabling logging
> or b) disabling logging or c) storing logs based on short default
> retention policy on each device? A huge improvement, isn't it?

And the value add is?  You spend all that money on log aggregation and
retention but do nothing with the logs?  Where is the security and
business benefit here?  What exactly is the business case?  "Gee it'd be
nice if we had all these logs in one place" wouldn't be moving my dollars.

> 
>> Nobody'll look in the bucket until someone passes
>> legislation requiring people to LOOK at it. And, of course,
>> when that happens, they'll do the exact minimum, &c...
> 
> Well, this already happened: e.g. PCI. It doesn't define what
> "looking" means, but running a log analysis tool sure beats just
> running a tape drive to save the logs...

Unless 'looking' is defined, linked to business requirements and
security outcomes/benefits, then what exactly are you analysing?  Again,
what's the value add?

Regards

James Turnbull

-- 
James Turnbull <james@private>
---
Author of Pro Nagios 2.0
(http://www.amazon.com/gp/product/1590596099/)

Hardening Linux
(http://www.amazon.com/gp/product/1590594444/)
---
PGP Key (http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x0C42DF40)

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis