[logs] SIM solution - Objectives ?
Tom Le
dottom at gmail.com
Fri May 25 01:12:44 PDT 2007
> Does it make sense to receive High alerts and take a 15 minute
> response when a login failure happens on a few servers?
The big challenge here isn't an SLA, which most MSSPs will provide. The
big question is what is a high severity alert? If you rely on IDS/IPS
severities of "high" or "critical" you will generate a ton of false
positives. Does the MSSP have their own severity ranking mechanism? What
factors do they consider... such as correlation analysis, anomaly detection,
vulnerability scan data, host & fw messages in addition to IDS/IPS, asset
value, 0-day information, your corporate security policies and other
customizations.
Finally, is there a human security analyst that needs to review the above
data as part of the SLA and do they have subjective ability to determine
what event(s) comprise a high severity alert? You will have a harder time
getting the MSSP to define what is "high severity" than agreeing to a 15-min
SLA.
Tom Le
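To make the point about severity ranking concrete, here is an added example (not from the thread or any MSSP's product) of a toy contextual scorer: it folds the factors named above (correlation across servers, asset value, vulnerability-scan data, host login outcomes) into one score instead of trusting the raw IDS "high" label. Asset values, scan results and the event feed are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed asset inventory and vulnerability-scan results (hypothetical values).
ASSET_VALUE = {"db01": 5, "web02": 3, "test07": 1}   # 1 = lab box, 5 = crown jewel
VULN_CRITICAL_HOSTS = {"web02"}                        # open critical finding in last scan

# Constructed sample feed: (timestamp, host, source_ip, event, ids_severity)
EVENTS = [
    ("2007-05-25T01:00:01", "test07", "10.0.0.9",    "login_failure", "high"),
    ("2007-05-25T01:00:05", "test07", "10.0.0.9",    "login_failure", "high"),
    ("2007-05-25T01:01:10", "db01",   "198.51.100.7", "login_failure", "high"),
    ("2007-05-25T01:01:12", "web02",  "198.51.100.7", "login_failure", "high"),
    ("2007-05-25T01:01:15", "db01",   "198.51.100.7", "login_failure", "high"),
    ("2007-05-25T01:01:40", "db01",   "198.51.100.7", "login_success", "info"),
]

def score_source(events, src, window=timedelta(minutes=15)):
    """Contextual 0-100 score for one source IP over a 15-minute window."""
    mine = sorted((datetime.fromisoformat(t), h, e, sev)
                  for t, h, s_ip, e, sev in events if s_ip == src)
    if not mine:
        return 0
    start = mine[0][0]
    mine = [x for x in mine if x[0] - start <= window]
    failures = [x for x in mine if x[2] == "login_failure"]
    hosts = {x[1] for x in mine}
    score = 20 if any(x[3] == "high" for x in mine) else 0   # raw IDS label: one input, not the verdict
    score += min(len(failures), 5) * 5                         # volume of failures in the window
    score += (len(hosts) - 1) * 10                             # correlation: same source, several servers
    score += max(ASSET_VALUE.get(h, 2) for h in hosts) * 6    # asset value of the targeted hosts
    score += 10 if hosts & VULN_CRITICAL_HOSTS else 0          # vulnerability-scan context
    # Failure followed by success on the same host from the same source: treat as likely compromise
    failed_hosts = {x[1] for x in failures}
    if any(x[2] == "login_success" and x[1] in failed_hosts for x in mine):
        score += 30
    return min(score, 100)

def label(score):
    return "high" if score >= 70 else "medium" if score >= 40 else "low"

def triage(events):
    """Map each source IP in the feed to (score, label)."""
    return {src: (score_source(events, src), label(score_source(events, src)))
            for src in {e[2] for e in events}}

if __name__ == "__main__":
    for src, (s, lbl) in sorted(triage(EVENTS).items()):
        print(f"{src:14} score={s:3} -> {lbl}")
```

Both sources carry the IDS label "high", but only the one that hits two servers, including the crown jewel, and then logs in successfully reaches the "high" band; the two failures on a lab box score "low".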