> > All the current trend toward legislating compliance has
> > accomplished is setting the bar very low, and encouraging
> > companies to look only at meeting that standard. I've had
> > senior IT managers tell me "We are going to do the exact
> > minimum, wherever possible."
>
> No kidding - but, at the same time, those organizations who used to
> fly (eh, crawl) BELOW that low bar would benefit if they are kicked
> into doing at least *something*. So, I am a bit more positive about
> such compliance motivators.

In most cases the fine grain auditing we're talking about in this thread (DB, OS, app layer transactions) are wolves too far away from the sleigh. Companies are just beginning to adopt centralized log aggregation for things like host based logs, IDS/IPS traffic, and networking devices. DB, OS, and app transaction logging/monitoring is discussed but always the first to get cut.

There's also a major analysis & reporting issue here that can't be ignored. You can look at a Windows, Unix, IDS, or firewall message and any IT or security admin will, generally speaking, know what to do with it. When you wrap correlation or other monitoring value around those log events, people know what they mean. They understand X failed logins in Y minutes is meaningful. But they have a hard time understanding the meaning behind inserts, updates, drops, grants, revokes, etc. This is because so much context is required to understand each environment. This is true for DB, OS, and app layer auditing.

So you have no internal champions (I know I'm repeating myself) for this type of logging. You have higher complexity and lower (immediately observable) benefit. I just don't see companies adopting this granular auditing/logging/monitoring with a few exceptions. There will always be compliance drivers, but like Marcus said it's a big ambiguous "do the minimum" approach and host, IDS, and network logs are easy ways to tackle the audit requirements even if incomplete.
Tom

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
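An added example (not from the thread or any of its posters) illustrating the contrast Tom draws: a failed-login threshold rule that works on syslog-style lines without knowing anything about the site, next to a DB audit rule that is meaningless until someone supplies environment context (which accounts may issue GRANT/DROP). All log lines, account names and the context table are constructed for the example.

```python
import re
from datetime import datetime, timedelta
# Constructed sshd-style auth failures (sample input, not real logs).
AUTH_LINES = [
    "2007-03-21 08:00:01 host1 sshd[412]: Failed password for root from 10.0.0.5",
    "2007-03-21 08:00:09 host1 sshd[413]: Failed password for root from 10.0.0.5",
    "2007-03-21 08:00:20 host1 sshd[414]: Failed password for admin from 10.0.0.5",
    "2007-03-21 08:00:41 host1 sshd[415]: Failed password for root from 10.0.0.5",
    "2007-03-21 08:30:00 host1 sshd[416]: Failed password for bob from 10.0.0.9",
]
AUTH_RE = re.compile(r"^(\S+ \S+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+)")

def failed_login_alerts(lines, threshold=3, window=timedelta(minutes=5)):
    """'X failed logins in Y minutes' per source: needs no site-specific context."""
    by_src = {}
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue  # not an auth-failure line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        by_src.setdefault(m.group(2), []).append(ts)
    alerts = set()
    for src, times in by_src.items():
        times.sort()
        # sliding window: any `threshold` consecutive failures inside `window`
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                alerts.add(src)
    return sorted(alerts)

# Constructed DB audit records: (timestamp, db user, statement type, object).
DB_AUDIT = [
    ("2007-03-21 08:05:00", "app_svc",   "INSERT", "orders"),
    ("2007-03-21 08:06:00", "dba_alice", "GRANT",  "orders"),
    ("2007-03-21 14:10:00", "app_svc",   "GRANT",  "orders"),
    ("2007-03-21 14:11:00", "app_svc",   "DROP",   "audit_trail"),
]
# The context the rule cannot work without; these values are assumed for the example.
DB_CONTEXT = {
    "privileged_ops": {"GRANT", "REVOKE", "DROP"},
    "dba_accounts": {"dba_alice"},
}

def db_audit_alerts(records, ctx):
    """A GRANT or DROP only becomes an alert once you know who is allowed to issue it."""
    alerts = []
    for ts, user, op, obj in records:
        if op in ctx["privileged_ops"] and user not in ctx["dba_accounts"]:
            alerts.append((ts, user, op, obj, "privileged statement by non-DBA account"))
    return alerts
```

Without `DB_CONTEXT` the second rule cannot distinguish the DBA's routine GRANT from the service account's, which is the point of the thread: the auth rule ships as a generic signature, the DB rule has to be written per environment.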
This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 08:52:07 PST