On 3/21/07, Anton Chuvakin <anton@private> wrote:

> > DBAs implement it reluctantly. It requires a compliance mandate and even
> > then encounters various levels of resistance. When you look at other log
> > analysis projects (such as security event monitoring or log aggregation),
>
> Huh? What does "log aggregation" mean here? Shouldn't database logs be part
> of it?!

"Log aggregation" in the above context means implementing centralized logging. Most database logs at most companies are not sent to a centralized log server. "Security event monitoring" means either an internal SIM/SIEM or outsourcing to an MSSP. Companies are only beginning to adopt solutions around these two areas.

Sure, companies do some of this to varying degrees (e.g. they send all Unix logs to a centralized server), but my point is that when you are adopting a new policy/process/paradigm, you tend to implement it in stages. The stages that are likely to have internal champions are the system, security, and network logging/monitoring. This is because the use of centralized log aggregation or SIM/SIEM/MSSP solutions greatly improves the quality of work of these users (system, security, and network admins).

The application admins and DBAs have traditionally never championed auditing. It's a nuisance to them. They offer resistance and often implement it reluctantly.

It's hard enough trying to convince customers to adopt a new technology when all the technical recommenders agree. A vendor recommends a whiz-bang solution and everyone agrees it's needed and useful. You still have to sell management on cost vs. benefits. Now imagine a scenario where the technical recommenders (DBAs, application admins) are reluctant the minute the topic comes up.

You might want to consider hiring a focus group (like San Jose Focus) to talk to DBAs and IT security managers. You'll be able to dig even deeper into this issue. It's been money well spent IME for product & marketing analysis.
Tom

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 08:59:33 PST