
As a novice at security issues, I find the discussion sounds helpful, but would appreciate HN discussion.

The general issue regarding security and logs seems obvious: shouldn't logs be considered one element in security analysis? That's not something I've seen discussed in my short time here. Anyway, it gives me pause to think, "Where have I implemented log analysis in my (or my cron's) routine... and planned for follow-up?"



All boils down to the fairly generic statement in the last line:

Logging is an integral part of organizational security policies and best practices and well it should be. But don’t make the mistake of thinking that logging access to records is the same as securing them.


I worked at SenSage, a company that creates a log-archiving/querying product (used by NSA/IRS/Dept-of-Treasury/Navy, banks, insurance companies, telcos, etc.). Our customers all had very good reasons for archiving logs:

* Real-time security never gives complete coverage in an evolving electronic infrastructure ... there always are vulnerabilities that are patched, new services introduced whose risks aren't properly understood at first, etc. Having a log archive lets I.T. personnel look at history in case of breaches to find how certain data was leaked, or find what kinds of attacks were attempted. This history informs I.T. personnel how to improve their real-time security. It's an essential part of the feedback system.

* The most dangerous data theft isn't done by those penetrating a network from outside ... it's done by unscrupulous insiders who have some (needed) measure of access to the data. You need to trust someone. But they're not always honest. Trust, but verify. Archived log data is your only recourse here ... and knowledge that every move is recorded keeps insiders (if you choose to let them know) honest.

* Yes, log archives help prosecute bad actors.

Log data archival is a big commitment, will take tons of disk space and some expensive software (for a large corporation), and should be more than simply a data sink. To be effective you need to be able to continually run standard and custom queries to see what's happening in your network.


I've used log files extensively for security.

Aside from the obvious post-incident investigation, I've set up (nearly-) real-time scanning of logs feeding into programs that scan for abuse-like activity, and feed the output of those into alerting mechanisms and blacklists.

Those tools have proven time and again to be extremely valuable from a security perspective (we still log blacklisted attempts and can see what's trying and failing).
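
The two comments above describe the same pipeline from opposite ends: archived logs that you run standard queries against, and near-real-time scanning that turns abuse-like patterns into alerts and a blacklist while still recording what the blacklisted sources keep trying. The following is an added example, not code from either commenter or from SenSage. It assumes a syslog-style sshd log format; the sample lines are constructed, and the threshold (5 failures) and window (60 seconds) are illustrative values, not numbers taken from the thread.

```python
"""Near-real-time log scanning for brute-force activity, plus a
"standard query" over the same lines. Added example; the log format,
sample lines, threshold and window are assumptions for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a syslog-like sshd format (not a real capture).
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[2001]: Failed password for root from 203.0.113.7 port 51001 ssh2
Mar  4 10:00:02 host sshd[2002]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  4 10:00:04 host sshd[2003]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  4 10:00:05 host sshd[2004]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Mar  4 10:00:06 host sshd[2005]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar  4 10:00:07 host sshd[2006]: Failed password for root from 203.0.113.7 port 51005 ssh2
Mar  4 10:00:09 host sshd[2007]: Failed password for root from 203.0.113.7 port 51006 ssh2
Mar  4 10:00:30 host sshd[2008]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Mar  4 10:05:00 host sshd[2009]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar  4 10:09:30 host sshd[2010]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""

# Assumed line shape: "<Mon> <day> <hh:mm:ss> <host> sshd[pid]: <Failed|Accepted> <method> for [invalid user] <user> from <ip> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we don't care about.
    syslog timestamps carry no year, so one is assumed for the sample."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


class BruteForceDetector:
    """Sliding window per source IP: `threshold` failures inside `window`
    raises an alert and adds the IP to the blacklist. Attempts from
    blacklisted IPs are still recorded so we can see what keeps trying."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blacklist = set()
        self.alerts = []                    # (ip, time, failures in window)
        self.blocked_attempts = []          # events from already-blacklisted IPs

    def feed(self, line):
        """Process one log line as it arrives; returns a status for the line."""
        ev = parse_line(line)
        if ev is None:
            return None
        ip = ev["ip"]
        if ip in self.blacklist:
            self.blocked_attempts.append(ev)
            return "blocked"
        if ev["result"] != "Failed":
            return "ok"
        q = self.failures[ip]
        q.append(ev["ts"])
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.blacklist.add(ip)
            self.alerts.append((ip, ev["ts"], len(q)))
            q.clear()
            return "alert"
        return "failed"


def failures_by_source(lines):
    """A 'standard query' over the archive: failed logins per source IP,
    most active first. Runs over the raw lines, so blocked attempts count too."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            counts[ev["ip"]] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def run(log_text=SAMPLE_LOG):
    """Feed the sample through the detector; returns (detector, per-line statuses)."""
    det = BruteForceDetector()
    statuses = [det.feed(line) for line in log_text.splitlines()]
    return det, statuses


if __name__ == "__main__":
    det, statuses = run()
    print("alerts:", det.alerts)
    print("blacklist:", sorted(det.blacklist))
    print("still trying while blocked:", [(e['ip'], e['user']) for e in det.blocked_attempts])
    print("failures by source:", failures_by_source(SAMPLE_LOG.splitlines()))
```

On the sample, 203.0.113.7 trips the threshold on its fifth failure inside a minute and is blacklisted; its sixth attempt is recorded as blocked rather than silently dropped, which is the point the commenter makes about still logging blacklisted attempts. 192.0.2.9 fails twice but more than a window apart, so it never alerts, while the archive query still shows it as the second most active source; that is the kind of slow pattern the real-time path misses and the archive catches.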


It's actually just a piece so that F5 can pimp the technologies they are selling. See the numbered list towards the bottom of the post.



