[Owasp-pci-project] Logging

Anton Chuvakin anton at chuvakin.org
Thu Aug 6 11:45:21 EDT 2009


> In relation to network packet capture statement I would like to quote your
> recent Blog Post at
> http://chuvakin.blogspot.com/2009/07/blackhat-2009-day-1-laws-of.html:
>
> "Afterwards, Kris from Heartland made a few comments on DLP: they use it
> for discovery and data auditing, not for data leak prevention (which is
> definitely very reasonable). Another interesting theme (brought up by Ed)
> was not just awareness of what is going on on your network (which is hard), but
> also on all the supplier networks that connect to it. This is a curious mix
> of technical security and legal, contractual stuff."
>
> I disagree with implementing DLP only (which is simply a subset of network
> packet capture) but it does demonstrate that there is greater value in (at
> least some) network packet capture over host generated logs.

Perfect chance to continue this great discussion! First, I wanted to
say that I never was against full packet cap; I used it on the
honeynets I ran and it was great. Being able to go and grab that pcap
and learn "how it really happened?" (as an ultimate network audit
tool) is immensely useful. So, there is huge value in having a nice
big pcap of everything that you can fall back to. BTW, I am not
talking only about 'cap what IDS flagged' or some select session
capture, but about actually doing full capture of every packet that
hits that web app. Moreover, there are tools that claim to be able to
search thru pcap with relative efficiency so going thru the data
becomes possible.

With that out of the way, I'd continue to insist that full cap is
*impractical as a security measure for most orgs*, despite being
useful as mentioned above.  Reasons include: high data volume, lack of
skills to analyze the packets, low percentage of useful information,
etc. Let me try to summarize my thoughts and post them somewhere since
this is very interesting indeed.

-- 
    Anton Chuvakin, Ph.D
   http://www.chuvakin.org
http://chuvakin.blogspot.com
  http://www.info-secure.org