christian.heinrich at owasp.org
Thu Jun 4 20:14:00 EDT 2009
I would agree with you mostly here, in my experience the SIEM vendors fall
> far short of their marketing. For medium sized enterprises you're better
> off with a custom solution, integrating the best products that fit your
> needs. However for larger enterprises there can still be a compliant and
> value added SIEM solution if you understand you're own team needs to be the
> logging and PCI experts to define the logging and monitoring, and to do the
> investigation of escalated events. Especially so for the custom
> applications. You don't want to accept the logging application defaults, or
> the vendors recommendations without detailed a review understanding what are
> your ricks and what are the compliance issues.
It is in the best of interest of the merchant to accept the default PCI DSS
reporting provided by the SIEM vendor in order to transfer their liability
and duty of care by arguing that the SIEM vendor was the Subject Matter
Expert in the event of a breach.
My recommendation would be to engineer a solution based on directing Windows
> Event Log to multiple syslog servers which then normalize this data into a
> DB as people then gain experience with logging rather then blinding trusting
> the claims of the SIEM vendor.
> Yes, that's a great combination and fits a lot of needs, it's best if the
> syslog is securely tunneled or isolated rather than sent clear text over the
I am yet to meet a QSA who has knowledge of Datagram Transport Layer
Security (DTLS) and therefore see it implemented for syslog.
> But as I stated previously because the PCI SSC allow an SIEM solution then
> the merchant can claim that the "magic box" didn't alert them to a breach.
> I agree. I expect this sort of claim to happen, but I don't expect it will
> be found compliant once the breach is investigated. Other claims of
> compliance before a breach have been debunked.
Can you please cite examples of this because from what I last read on
Hannaford (back in September 2008) were still complaint with PCI DSS after
PCI SSC tried to claim this as part of their media spin campaign?
> I would also like to highlight that there is greater value in network
> packet capture over syslog, Windows Event Log and custom Application
> This is interesting, I'm not sure I follow. I don't think you're comparing
> network IDS and packet capture to Logging and Monitoring are you?
I wasn't referring to NIDS, rather network packet capture.
I assume that by "monitoring" you are referring to reviewing logs rather
then SNMP Traps, uptime, etc monitoring?
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Owasp-pci-project