[Owasp-pci-project] Outsourced Log Review

McGovern, James F (HTSC, IT) James.McGovern at thehartford.com
Fri Jun 19 09:54:56 EDT 2009


I don't think "review daily" means that you only look at yesterday's logs.
There is nothing preventing (or encouraging) one to look back even
further. I guess I am reacting to the challenge of "daily", which doesn't
give a waiver for holidays, weekends, etc. This would hint that
supplemental assistance would be necessary for those whose IT shops are
primarily Monday through Friday.
 
Are there any industry benchmarks on the time it takes to review a log?

________________________________

From: owasp-pci-project-bounces at lists.owasp.org
[mailto:owasp-pci-project-bounces at lists.owasp.org] On Behalf Of
Christian Heinrich
Sent: Friday, June 19, 2009 2:32 AM
To: owasp-pci-project at lists.owasp.org
Subject: Re: [Owasp-pci-project] Outsourced Log Review


James,

In my experience log review is not as labor intensive as the SIEM
vendors would like you to believe as it requires approx one hour to
review the logs generated daily from a mix of Windows and UNIX hosts
(approx 200MB) with another hour for a second opinion.

I have an issue with the mandated "daily" review as it is not possible
to detect a breach conducted over a period of days - yes, I know I have
over-simplified this statement.


On Thu, Jun 18, 2009 at 6:41 AM, McGovern, James F (HTSC, IT)
<James.McGovern at thehartford.com> wrote:


	I know that OWASP doesn't endorse third parties but one question
I think should be addressed is the notion of log review. If you note
that PCI desires this to occur on a daily basis, it kinda means a
different staffing model than many have thought about to date. One
alternative would be for us to somehow enumerate choices of where this
may be outsourced.

	************************************************************
	This communication, including attachments, is for the exclusive
use of addressee and may contain proprietary, confidential and/or
privileged information.  If you are not the intended recipient, any use,
copying, disclosure, dissemination or distribution is strictly
prohibited.  If you are not the intended recipient, please notify the
sender immediately by return e-mail, delete this communication and
destroy all copies.
	************************************************************

	_______________________________________________
	Owasp-pci-project mailing list
	Owasp-pci-project at lists.owasp.org
	https://lists.owasp.org/mailman/listinfo/owasp-pci-project
	
	


-- 
Regards,
Christian Heinrich - http://sn.im/cmlh_linkedin_profile
OWASP "Google Hacking" Project Lead - http://sn.im/owasp_google_hacking
Speaking Schedule at http://sn.im/cmlh_speaking_schedule



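The point raised in this thread about a "daily" review missing a breach spread over several days can be made concrete with a small script. What follows is an added example, not code from the thread or from OWASP: it parses a constructed auth.log excerpt (hypothetical host "web1", RFC 5737 documentation addresses, the year 2009 assumed because syslog timestamps carry none) and applies the same failed-login threshold twice, once per calendar day, as a strictly daily review would, and once over a sliding multi-day window, as a review that looks back further would. The threshold of 10 and the 7-day window are assumed values, not figures from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2009  # syslog lines carry no year; assumed for this constructed sample

# One sshd "Failed password" line in classic syslog/auth.log layout.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line):
    """Return (date, host, user, src) for a failed-login line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts.date(), m["host"], m["user"], m["src"]


def constructed_sample_log():
    """Constructed auth.log excerpt: one low-and-slow source, one noisy source, some noise lines."""
    lines = []
    base = datetime(YEAR, 6, 15, 2, 0, 0)
    # 198.51.100.7 (documentation address): 3 failed root logins per night for 5 nights.
    for day in range(5):
        for i in range(3):
            t = base + timedelta(days=day, minutes=i)
            lines.append(f"{t:%b %d %H:%M:%S} web1 sshd[2211]: Failed password for root "
                         f"from 198.51.100.7 port {41000 + i} ssh2")
    # 203.0.113.9 (documentation address): a 12-attempt burst within a single day.
    for i in range(12):
        t = datetime(YEAR, 6, 17, 13, 5, i)
        lines.append(f"{t:%b %d %H:%M:%S} web1 sshd[3090]: Failed password for invalid user "
                     f"admin from 203.0.113.9 port {50000 + i} ssh2")
    # Unrelated lines the parser must ignore.
    lines.append("Jun 16 09:12:44 web1 sshd[2500]: Accepted publickey for deploy from 192.0.2.10 port 55012 ssh2")
    lines.append("Jun 16 09:13:01 web1 CRON[2510]: (root) CMD (run-parts /etc/cron.hourly)")
    # Same month and zero-padded days, so a plain string sort yields chronological order.
    return sorted(lines)


def failures_by_day(lines):
    """Count failed logins per (source address, calendar day)."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec:
            day, _host, _user, src = rec
            counts[(src, day)] += 1
    return counts


def daily_review(lines, threshold=10):
    """What a strictly per-day review sees: sources at or above the threshold within one day."""
    return {src for (src, _day), n in failures_by_day(lines).items() if n >= threshold}


def lookback_review(lines, window_days=7, threshold=10):
    """Same threshold applied over a sliding window of window_days starting at each active day."""
    per_src = defaultdict(dict)
    for (src, day), n in failures_by_day(lines).items():
        per_src[src][day] = n
    flagged = set()
    for src, days in per_src.items():
        for start in days:
            end = start + timedelta(days=window_days)
            if sum(n for d, n in days.items() if start <= d < end) >= threshold:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    log = constructed_sample_log()
    print("daily review flags:   ", sorted(daily_review(log)))
    print("7-day look-back flags:", sorted(lookback_review(log)))
```

With a window of one day the look-back reduces to the daily review, so the two functions differ only in how far back the reviewer is allowed to count; the slow source is only visible once the count spans the five nights it was active.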