[logs] SIM solution - Objectives ? (Firewall logging)

Paul Melson pmelson at gmail.com
Tue May 29 12:07:47 PDT 2007


-----Original Message-----
Subject: [logs] SIM solution - Objectives ? (Firewall logging)

> I love it when people take this logic and extend it such that a switching
> firewall is asked to log 100+ bytes of data per session.  The firewalls tend
> to work really well then.
>
> If you never reconcile the bank account, why keep all those little receipts
> from Starbucks?

In case of an audit..? :)

Seriously, though, that's the idea.  Keep all the records you can so that
you have access to whatever you need in an investigation while at the same
time hoping you need none of them.


> Would it not be better to say that we are going to take X effort and spend
> it looking at a set of N rolled-up events and action owners to fix stuff.
> Yes, it's asymptotic, imperfect, and more art than science, but it has
> precedents in many other areas and will likely meet "good enough"
> standards.

Better than what?  Better than nothing?  Definitely.  Better than drowning
people in log data by asking them to read through millions of log events
daily?  Probably.  But I think a "best-effort" approach is going to have a
hard time meeting compliance requirements if you try and claim it as a
control (which it is).

What you're really called to do is define those specific events that you
will monitor for and let the SIM, log analyzer, Perl script, or whatever
isolate them for your review and review them all.  Best effort log analysis
beyond that, searching for specific historic events in an investigation or
looking at trends and metadata over time, should be out of scope or at least
very vaguely defined for any compliance stuff you're dealing with.

PaulM
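The approach Paul describes above, a defined list of monitored events that a script isolates from the firewall log so a person can review every hit, as an added example (not code from the original post or the LogAnalysis thread). The log line format, the address ranges, the admin and sanctioned-outbound port sets, the deny threshold and the sample lines are all assumptions constructed for this example; a real deployment would substitute its own firewall's format and its own event definitions.

```python
"""Isolate a defined set of monitored firewall events from a log stream.

Added example; not code from the original post or thread. The log format,
the network ranges and the rule definitions are assumptions made for this
example. Each line is assumed to look like:

    <timestamp> <host> fw: action=<accept|deny> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp>
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) fw: action=(?P<action>accept|deny) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the protected address space
ADMIN_PORTS = {22, 3389}              # assumption: ports that must never be reachable from outside
ALLOWED_OUTBOUND = {53, 80, 443}      # assumption: the only sanctioned outbound destination ports


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    action: str
    src: str
    dst: str
    dport: int
    proto: str

    def external(self, addr):
        return ip_address(addr) not in INTERNAL


def parse(line):
    """Return an Event, or None for lines the parser does not understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dport"] = int(d["dport"])
    return Event(**d)


# The "specific events you will monitor for": every match goes to a human.
MONITORED = {
    "admin-port-allowed-from-outside": lambda e: e.action == "accept"
        and e.external(e.src) and e.dport in ADMIN_PORTS,
    "outbound-to-unexpected-port": lambda e: e.action == "accept"
        and not e.external(e.src) and e.external(e.dst)
        and e.dport not in ALLOWED_OUTBOUND,
}


@dataclass
class Report:
    parsed: int = 0
    unparsed: int = 0
    findings: dict = field(default_factory=dict)


def isolate(lines, deny_threshold=5):
    """Reduce a log stream to the defined events; everything else is retained but not surfaced."""
    report = Report()
    events = []
    for line in lines:
        e = parse(line)
        if e is None:
            report.unparsed += 1     # unparsed lines are a gap in the control: count them
        else:
            events.append(e)
    report.parsed = len(events)

    for name, pred in MONITORED.items():
        report.findings[name] = [e for e in events if pred(e)]

    # A stream-level rule: one external source denied repeatedly (a scan, not one stray packet).
    denies = Counter(e.src for e in events if e.action == "deny" and e.external(e.src))
    report.findings["external-deny-burst"] = sorted(
        (src, n) for src, n in denies.items() if n >= deny_threshold
    )
    return report


# Constructed sample lines for this example (not real firewall output).
SAMPLE_LINES = [
    "2007-05-29T12:00:01 fw1 fw: action=accept src=10.1.2.3 dst=93.184.216.34 dport=443 proto=tcp",
    "2007-05-29T12:00:02 fw1 fw: action=accept src=203.0.113.5 dst=10.1.0.10 dport=22 proto=tcp",
    "2007-05-29T12:00:03 fw1 fw: action=deny src=198.51.100.7 dst=10.1.0.10 dport=23 proto=tcp",
    "2007-05-29T12:00:04 fw1 fw: action=deny src=198.51.100.7 dst=10.1.0.10 dport=25 proto=tcp",
    "2007-05-29T12:00:05 fw1 fw: action=deny src=198.51.100.7 dst=10.1.0.10 dport=80 proto=tcp",
    "2007-05-29T12:00:06 fw1 fw: action=deny src=198.51.100.7 dst=10.1.0.10 dport=110 proto=tcp",
    "2007-05-29T12:00:07 fw1 fw: action=deny src=198.51.100.7 dst=10.1.0.10 dport=135 proto=tcp",
    "2007-05-29T12:00:08 fw1 fw: action=accept src=10.1.2.4 dst=203.0.113.9 dport=6667 proto=tcp",
    "2007-05-29T12:00:09 fw1 fw: link state changed on eth0",
    "2007-05-29T12:00:10 fw1 fw: action=accept src=10.1.2.5 dst=10.1.0.10 dport=22 proto=tcp",
]

if __name__ == "__main__":
    r = isolate(SAMPLE_LINES)
    print(f"parsed={r.parsed} unparsed={r.unparsed}")
    for name, hits in r.findings.items():
        print(f"{name}: {len(hits)} for review")
        for h in hits:
            print("   ", h)
```

The point of the structure is that the reviewable set is bounded by the rule definitions, not by the log volume: ten lines or ten million, the reviewer sees only the matches of the rules that were written down in advance, which is what makes "review them all" a defensible claim about a control. The unparsed counter is there because lines the filter cannot read are events the control silently missed, and that number belongs in front of whoever owns the control.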


