
Logging Archival Solutions?

Subject: Logging Archival Solutions?
Date: 27 Aug 2007 16:46:02 -0000
Hi all,
   Just wondering what your takes are on the logging solutions out there. 
Specifically with regard to PCI DSS. I know there are a TON of companies 
focusing their efforts on helping fulfill req 10 and audit trails. It seems 
like there are quite a few out there who can effectively correlate and perform 
forensics on log data. My concern is that it still seems there is a hole or 
something missing in the overall picture.

Obviously, we're not all going to be monitoring these log servers/appliances 
24/7 (unless you hire people to do 24/7 in shifts), so what if an attack (i.e. 
brute force a la TJ Maxx) successfully occurs over the weekend or when someone 
ISN'T watching or tending to their cellphone/pager/email/etc for whatever 
reason? 
Yes, the logging appliance will capture the attack and record it, but assuming 
no action or intervention was taken, by that time the system(s) will have been 
compromised.

So again, it seems like many companies are focusing in on the forensics aspect, 
which I believe is important, especially in court. But what about doing more 
actively to prevent attacks? What about automated remediation and active 
response?

I'm trying not to be biased here, but the only company I've seen who has taken 
big steps towards this is TriGeo. Has anyone else here heard of them? Or have 
any experience using their solution? I've only sat in on a demo and have read a 
bunch of whitepapers, and most other SIMs/logging solutions/etc pale in 
comparison. 
It just seems easier/less confusing to use overall. I've also sat in on Cisco 
MARS, CSA, and RSA EnVision demos and wasn't nearly as impressed with any of 
these solutions. 
CSA, potentially coming the closest in terms of endpoint security/policy 
enforcement, seems interesting, but not nearly as flexible or powerful in terms 
of policies, rule sets, and automated defined responses per a specific action.

I'm just trying to get a sense here from what others have done, but it seems 
hard to find a good amount of people who can or are willing to share. Maybe 
it's because most of us are still working at it and have the same questions I 
do, or haven't even thought of it yet (in which case: you better get on it!). 
Or is it because many people are just secretive about the whole thing? I guess 
I could understand why if so... but why not just tell us a) what you're using, 
and b) why you like it - I don't see anything that could jeopardize your 
company in providing such information.

Oh well, I'm really trying to push TriGeo with my managers but I've been 
finding it difficult. They're partial to Cisco MARS/CSA because we already have 
a Cisco contact/sales engineer and outside consultants who also strongly advise 
mostly Cisco stuff. I just think most people here are deep into the Cisco 
mindset. So sometimes it's hard thinking outside the box. 

Any opinions would be greatly appreciated.


Thanks!
-J
