[logs] SIM solution - Objectives ?
saudi sans
saudisans at gmail.com
Thu May 31 19:39:19 PDT 2007
Hi,
Thanks for the inputs - I have still not concluded.
- Logging Firewall DENIES does not give anything relevant. Maybe it
can give some trending data where.
- Logging Firewall ACCEPT can be voluminous. We can use that to track
the "Top 10 Attackers" ACCEPT traffic. I am not sure how it will
benefit us.
What I should check on Firewall could be
- Changes to rulebase - However this seems impossible. People like
Checkpoint only say a new policy has been installed; they do not make
a log entry of what change was made in the rulebase before this install.
I have yet to see any rulebase change logs in firewalls like Netscreen
and Cisco PIX which even capture that a rulebase has been installed or
what has been changed in the rulebase.
On 5/30/07, David Corlette <dcorlette at novell.com> wrote:
> Hello,
>
> I agree with a previous poster that this SLA concept seems to be a strange approach to the issue. Assuming that the rules used to correlate raw events into actionable alerts are automated, it shouldn't make any difference to the MSSP how they alert you. If they are doing it manually - well, that's not going to scale very well.
>
> On your end you *do* want to set up "SLAs" for incident response, ideally tied to an auditable workflow-based response process. You'd want to include automated escalation if the incident is not resolved within N minutes, based on severity and the type of incident.
>
> You *also* want to do longer-term trend analysis based on reporting, and ideally your SIM solution can provide some reports that can be used to support compliance based in detective controls.
>
> > We have SLAs that if a High alert comes vendor should inform us within
> > 15 minutes, for a medium alert it is 30 minutes, etc.
> >
> > Are corporates [who have some level of maturity in this space] using
> > SIM solutions to do real time response or are we using it for weekly
> > reports and then doing trend analysis ?
> >
> > Does it make sense to receive High alerts and take a 15 minute
> > response when a login failure happens on a few servers?
>
>
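As an added example (not part of the original thread or any vendor's product), the two uses of firewall logs the post weighs up, trending DENY volume over time and ranking sources by ACCEPTed connections, written as a small Python script; the log layout, sample lines and the "accepted after repeated denies" check are constructed assumptions, not a real Checkpoint, Netscreen or PIX format.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in an assumed vendor-neutral layout (not any real
# Checkpoint/Netscreen/PIX syslog format): "<date> <time> <action> src= dst= dport="
SAMPLE_LOG = """\
2007-05-31 09:01:10 DENY src=203.0.113.5 dst=192.0.2.10 dport=445
2007-05-31 09:02:44 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
2007-05-31 09:05:02 DENY src=203.0.113.5 dst=192.0.2.11 dport=445
2007-05-31 10:11:09 ACCEPT src=198.51.100.7 dst=192.0.2.12 dport=443
2007-05-31 10:12:30 ACCEPT src=203.0.113.5 dst=192.0.2.10 dport=22
2007-05-31 10:13:01 DENY src=203.0.113.9 dst=192.0.2.10 dport=23
2007-05-31 11:30:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 dport=80
garbage line that must be skipped
"""
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<hour>\d\d):\d\d:\d\d (?P<action>ACCEPT|DENY) "
                     r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def parse(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def top_accepted_sources(text, n=10):
    """Rank sources by ACCEPTed connections: the "Top 10" list from the post."""
    return Counter(e["src"] for e in parse(text) if e["action"] == "ACCEPT").most_common(n)

def deny_trend_by_hour(text):
    """DENY count per (date, hour) bucket, sorted: the trending use of DENY logs."""
    buckets = defaultdict(int)
    for e in parse(text):
        if e["action"] == "DENY":
            buckets[(e["date"], e["hour"])] += 1
    return sorted(buckets.items())

def accepted_after_denies(text, min_denies=2):
    """Sources DENIED at least min_denies times that a later rule ACCEPTED.
    This is where ACCEPT logging adds context the DENY trend alone lacks."""
    denies, flagged = Counter(), []
    for e in parse(text):
        if e["action"] == "DENY":
            denies[e["src"]] += 1
        elif denies[e["src"]] >= min_denies and e["src"] not in flagged:
            flagged.append(e["src"])
    return flagged
```

Feeding the real firewall's export through `parse` only requires changing `LINE_RE`; the three aggregations stay the same.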