Re: Review of logs/audit trail - whose responsibility?

[krymson () gmail com]

<- snip ->
> From my point of view, IT should be the one reviewing the logs. These logs
contain technical information and IT is the only one aware of what is going
on and what should NOT happen.
<- /snip ->

Of course, IT has many other things to do as well, which are probably more important/mission critical to getting things 
done. If you put log review against pretty much any other task general IT does, the log review will get put lower (not 
just because some people hate it, but because no customer is likely waiting for it to happen).

Keep in mind there are different types of logs. Some are security-related in nature. Others are just application 
specific and hold really no security value, but rather value to app debuggers.

As others have said, it should be done by someone with enough knowledge to make sense of logs, but also (ideally) 
someone who is not generating the logs themselves. This last part is an ideal and probably not practical for any but 
the largest or most security-necessary organizations. Most of the time, network or IT staff, or even overworked 
security staff end up doing it in between all the other things they monitor (or just let some SEIM do it...as long as 
they're standard logs).

The reviewer also should have the ability or power to dig deeper into any strange log entries, ask questions of 
necessary persons, dig in the dark corners that may hold answers, and possibly even start the ball rolling on invoking 
incident response/containment. They should also have some knowledge on why log entries might be made and able to make 
suggestions on how to fix any issues in them. Otherwise the whole exercise just becomes a daily sign-off and ignore 
"task."



<- snip ->
Dear all,

a simple question:

we all agree that there must be logs and audit trails to enable tracing back
and monitoring of suspicious activities

Logs should be reviewed regularly to identify abnormal activities

however, who should "ideally" be responsible for this regular (daily)
monitoring of logs?

Is it IT, IT Security or Computer Audit?

I know that each company might implement it differently, but from a
conceptual point of view, in terms of security, what will be the most
appropriate choice?

thanks for your comments

Regards,
Ronish

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------