Michael R. Farnum

Hitting the Security Nerve

Log capturing - event correlation, forensics, or audit / compliance widget?

As a security admin, you know that just about every device on your network emits some kind of log. You also know (or should know) that keeping track of those logs is an important piece of understanding your security posture. But you have to know the main purpose behind capturing logs before you can make a good decision about how you will capture them, because the purposes discussed below pull the technology in different directions.

So what is your reason for capturing logs? Are you mainly trying to see what is going on across your network in order to spot potential security issues as they happen? If so, you need to investigate which technologies do correlation best: the ones that tie together events from many devices and surface patterns you would have trouble seeing by reading individual logs. These systems are typically complicated and take a lot of planning effort to produce good results. You need intimate knowledge of your network, its likely avenues of attack and its vital systems, so you can set up rules and alerts that fire on what matters and stay quiet otherwise. They also require maintenance whenever your network changes, since a rule written for yesterday's topology becomes noise or a blind spot tomorrow. However, if done right, these tools give you a very good view into your network's security, and they find problems much quicker than a human could.
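As an added example (not code from the original post or from any product it discusses), here is the kind of correlation rule described above, reduced to a few lines of Python and run over constructed sshd syslog lines. The rule encodes one piece of "network knowledge": several failed logins from one source followed by a success from that same source within a short window is worth an alert, while a single failure long before a success is not. The log lines, the assumed year for the syslog timestamps, and the threshold and window values are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog lines for the example (not real data).
# Source 203.0.113.5 fails three times and then logs in as "admin";
# source 198.51.100.7 fails once and succeeds almost five minutes later.
SAMPLE_LOG = """\
Jan 12 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 50123 ssh2
Jan 12 10:00:03 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 50124 ssh2
Jan 12 10:00:05 host1 sshd[2001]: Failed password for admin from 203.0.113.5 port 50125 ssh2
Jan 12 10:00:07 host1 CRON[2100]: (root) CMD (/usr/lib/sa/sa1 1 1)
Jan 12 10:00:09 host1 sshd[2001]: Accepted password for admin from 203.0.113.5 port 50126 ssh2
Jan 12 10:00:20 host2 sshd[3001]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Jan 12 10:05:00 host2 sshd[3001]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
"""

# Matches the standard sshd "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" form.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Classic syslog timestamps carry no year; the example assumes one.
ASSUMED_YEAR = 2024


def parse(line):
    """Return a dict for an sshd auth line, or None for anything else."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def correlate(lines, threshold=3, window_seconds=120):
    """Alert when a source IP has at least `threshold` failed logins within
    `window_seconds` and then a successful login. Returns a list of
    (source_ip, host, user, failures_before_success) tuples."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # not an auth event; a real engine would route it elsewhere
        recent = failures[ev["src"]]
        # Drop failures that fell out of the window before this event.
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        else:
            if len(recent) >= threshold:
                alerts.append((ev["src"], ev["host"], ev["user"], len(recent)))
            recent.clear()  # a success resets the sequence for that source
    return alerts


if __name__ == "__main__":
    for src, host, user, n in correlate(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {n} failed logins then success as {user} on {host} from {src}")
```

Even this toy rule shows why such systems need planning and upkeep: the threshold, the window, and the decision that a lone failure is benign are all judgments about your environment, and the regular expression breaks the moment a device changes its log format.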

However, if your priority is not alerting and complicated correlation, then perhaps you simply want to capture the logs for forensic purposes and some simpler alerting. In that case you need to look for technologies that focus on disk space (high native capacity and room for expansion), the least possible amount of log normalization, and log protection (encryption plus integrity and nonrepudiation controls, such as signed hashes of the stored records). The reason for limited normalization (or none, if you can get it) and for protecting the logs is that a security violation may end up in a court case, where you must be able to prove that the logs are accurate and have not been altered since they were collected. Normalization rewrites the original record into the product's own schema; if that rewritten copy is all you kept, you can no longer show what the device actually said, so keep the raw record and normalize copies for searching. These boxes also need to move logs to longer-term storage easily without breaking that chain of integrity, which means the hashes or signatures must travel with the archived data. Disk space matters because, if you are focusing on forensics, you will probably need to keep logs for a long time.
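The integrity part of that requirement is easier to see in code than in prose. The following is an added example, not code from the original post or from any log management product: it stores constructed log lines byte-for-byte (no normalization), links them in a SHA-256 hash chain so that any edit, deletion or reordering is detectable, and seals the head of the chain with an HMAC so the whole chain cannot be silently rebuilt. The sample lines and the collector key are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed sample log lines (not real data), kept as raw bytes exactly as the
# device emitted them: no parsing, no field renaming, no whitespace cleanup.
SAMPLE_LINES = [
    b"Jan 12 10:00:01 fw1 kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23",
    b"Jan 12 10:00:02 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 50123 ssh2",
    b"Jan 12 10:00:09 host1 sshd[2001]: Accepted password for admin from 203.0.113.5 port 50126 ssh2",
]

# Assumed secret held only by the log collector. A real deployment would keep it
# in an HSM, or sign the chain head with an asymmetric key instead (see note below).
COLLECTOR_KEY = b"example-collector-key-not-for-production"

GENESIS = b"\x00" * 32  # anchor value hashed into the first record


def chain_hash(prev_hash, raw_line):
    """Hash of one record: previous record's hash || raw line bytes.
    Changing, dropping or reordering any earlier line changes every later hash."""
    return hashlib.sha256(prev_hash + raw_line).digest()


def build_archive(raw_lines, key):
    """Return ([(raw_line, hash_hex), ...], seal). The seal is an HMAC over the
    final chain hash, so the head of the chain cannot be replaced without the key."""
    records = []
    prev = GENESIS
    for raw in raw_lines:
        h = chain_hash(prev, raw)
        records.append((raw, h.hex()))
        prev = h
    seal = hmac.new(key, prev, hashlib.sha256).hexdigest()
    return records, seal


def verify_archive(records, seal, key):
    """Recompute the chain from scratch. Returns (True, None) if intact, otherwise
    (False, index): index is the first record whose stored hash does not match, or
    len(records) if every record matches but the seal does not (the lines were
    rewritten and the hashes recomputed by someone without the key)."""
    prev = GENESIS
    for i, (raw, stored_hex) in enumerate(records):
        h = chain_hash(prev, raw)
        if not hmac.compare_digest(h.hex(), stored_hex):
            return False, i
        prev = h
    expected = hmac.new(key, prev, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, seal):
        return False, len(records)
    return True, None


if __name__ == "__main__":
    records, seal = build_archive(SAMPLE_LINES, COLLECTOR_KEY)
    print("intact archive:", verify_archive(records, seal, COLLECTOR_KEY))

    # Tampering case 1: edit a stored line without touching the hashes.
    edited = list(records)
    edited[1] = (edited[1][0].replace(b"root", b"guest"), edited[1][1])
    print("edited line, stale hashes:", verify_archive(edited, seal, COLLECTOR_KEY))

    # Tampering case 2: drop a line and rebuild the whole chain. Without the key
    # the forger cannot produce a seal matching the new head.
    forged, _ = build_archive([SAMPLE_LINES[0], SAMPLE_LINES[2]], COLLECTOR_KEY)
    print("dropped line, rebuilt chain:", verify_archive(forged, seal, COLLECTOR_KEY))
```

Two caveats a practitioner should keep in mind. An HMAC proves integrity only to whoever holds the key, so it gives you tamper evidence, not nonrepudiation toward a third party; for that, the collector should sign the chain head with a private key it alone holds and, ideally, obtain an external timestamp on each head, and the procedure for doing so has to be documented as part of the chain of custody. And the moment logs are moved to archive storage, the records and their seals must move together, which is exactly the "without breaking the chain" property the paragraph above asks of a forensic log box.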

Another reason people buy these devices is as an audit or compliance widget. Though I personally find this the least important reason for implementing log management, I also know that if it will get an auditor off my back, I will use it. Many manufacturers build in extensive audit and compliance reports that are an auditor's dream. If this is your need, then make sure you focus on devices with strong reporting.

Speaking of reporting, in my experience with these devices I often find that a product is either very strong in one of the above characteristics or very strong in reporting. Very few are strong in both. It is my contention that manufacturers should focus heavily on both: having all the information in the world does you no good if the user has no idea how to retrieve it. And the security admins of the world love configurable dashboards they can hand to their boss (and to the auditors I mentioned above) so they get fewer questions about what is going on in the network.

Most log management technologies have all of the above features in some way, shape or form, but they vary in strength. When you perform your risk analysis, determine where your company's log management focus needs to be. For example, if you are a large enterprise with a very complicated network, you may need a good correlation engine. If you are a smaller firm with high-value intellectual property, you may want a box that focuses on forensic capabilities so you can track down violations and recover your losses in a court of law.

Only you can decide on what will be the focus. Choose wisely.

What People Are Saying

I'm not really sure why he posted something about scanners on my post about log management anyway. Smacks of spam.

Michael R. Farnum

Better to be despised for too anxious apprehensions than ruined by too confident a security.
Edmund Burke (1729 - 1797)

Er, right. Biometrics and security go together like, oh, I don't know - borscht and hot fudge. Sorry to rain on your company, but until you PROVE your scanner is secure - open up the code, show the algorithms used to condense a fingerprint (analog data) to a digital signature, AND let a few bright boys hack at it so we can see the flaws - it's no more secure than Diebold voting machines.

Oh, the technology is impressive on the surface. But it's frighteningly easy to bypass most scanners if you ignore the hype. (eWeek got around one 'secure' scanner by breathing on it!) The only way to be SURE is to demonstrate it by letting someone else try to break it. We need a strong, skeptical group that understands how to cheat the system. Maybe we can get James Randi to step in!

Vulnerability Assessments and Red Teams

There is absolutely nothing wrong with biometrics and security, when they are combined properly. There are 3 methods for authentication of an individual: what you know (passcode), what you have (token) and what you are (biometric). Biometric is the hardest of these to reproduce, hence the popularity. Now, I'll concede that it can be beaten given a savvy attacker (like the breath test you mentioned), but that is where, I dunno, the rest of a security policy comes in. If the WHOLE PROGRAM is done right, then the system is tested before and after implementation to ensure that its weaknesses are fixed, patched or that another answer is found.
So, in general, biometrics is great for security, if you know how to use it and no one cuts off your finger.

For Healthcare IT systems, use of Biometrics is one of the most advanced technological applications. While complying with various policies for increased security of information in healthcare, the hospital management needs to ensure that each and every patient is tracked, identified and followed up in a unique way most efficiently, so that every visit takes the least time to track down their information with security. I think in this Biometric scanners have a very positive role to play. I am a representative of an established biometric software research and development firm named M2SYS Technology based in Atlanta, Georgia. We have provided our Fingerprint Scanner to different healthcare organizations across the globe for superior healthcare management, patient tracking and payment systems. We understand the natural privacy concern associated with fingerprint software. However, it's important to understand that our fingerprint software does not store a physical copy of the image, and without the image nothing can be done with the stored data. Also, all fingerprint data is fully encrypted from the time it leaves the fingerprint scanner to the time it's stored in the database. There is no comparison or storage that takes place in the fingerprint reader itself. I think for best results looking for such research in advanced biometrics can help gain the best solutions for information security and management in Health care organizations.