Thread: How often should Admins review their logs? Also logging login attempts...

  1. #11
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    Excellent. Thank you everyone for your advice! A lot of great ideas!

    TH13 on your questions:
    What are the requirements of the system?
    What is your standard logging architecture?
    What has your organization decided is an acceptable level of logging?
    I don't think the organization has done that for its servers - as it appears this change they want to make - not logging - came out of the blue. A risk assessment does not appear to have been done. BTW - they want to turn off all logging of login attempts across all AD servers - again from that approach, I do not believe a risk assessment was done. A presumption I am making - based on the information I have right now - is that IT is responding to some pain - the pain of disk space being chewed up by logging - and are looking for a quick fix.

    The problem that I have observed is that this IT organization has to do that a lot of the time, because IT is looked down upon or seen as not critical to the organization - which is interesting considering the amount of revenue that passes through the systems each day. I agree, we need to start from the bottom up, not from the top down and not just react to a situation or crisis - we need to establish a proactive IT organization to help drive the business - this situation only highlights and underscores that need.

    Thanks again for the information - once I am back in town - I will be approaching IT, along with my colleagues, on this matter.
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  2. #12
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    IT is responding to some pain - the pain of disk space being chewed up by logging - and are looking for a quick fix.
    Well, this sounds like a bad decision was made. It is well understood that all log data is not valuable but the organization has to define what data is valuable and "clip" off the rest. If this was done, disk space would not be an issue. Also, mandates may *require* you to retain this data long term (SOX for instance). Tossing log data because it's a pain is a baaad thing to do. Your management chain does not seem to be bound to organizational decisions. In other words, the patients are running the asylum.

    The problem that I have observed is that this IT organization has to do that a lot of the time, because IT is looked down upon or seen as not critical to the organization
    This is because security was not considered from the beginning. You have to win the hearts and minds of an executive in your organization and work hard to sell the *fact* that good security results in more efficient and ultimately a more profitable business.

    There are many ways to approach this but it is key to get executive buy in or you're done before you even begin.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #13
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    There are many ways to approach this but it is key to get executive buy in or you're done before you even begin.
    It is _very_ important to select this exec carefully. Failure to do so results in a waste of time....

    Selection criteria:-

    1. The chosen exec must have some grasp of IT issues, principles and practice.

    2. The chosen exec must have a good grasp of the business processes within the organization.

    3. The chosen exec _must_ have influence at the highest levels of the organization.

    4. The chosen exec _must_ be trusted at the highest levels of the organization.

    5. The chosen exec must be able to grasp the theory of risk assessment and its consequences.

    6. The chosen exec should trust the IT dept.

    Three and four above are absolutely essential... Get as many of the others as you possibly can. Throwing darts at the internal phone book is remarkably ineffective when trying to locate the appropriate exec...
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #14
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    TH13 and TS - thanks again - great advice! Yes - as you may be able to discern this is an organization built on other technologies and now IT was "back-ended" into it as a necessity, however, the necessity for IT, not to mention security, has had a less than favorable welcome. I wish you could be where I am at right now - everyone in this community would be aghast at what I discover at times - especially this week.

    You are both correct - I need to - like post-haste contact my colleague and manager on this topic - TH13 - SOx and 21 CFR Part 11 escaped my thoughts until you mentioned it - I bet the IT AD group forgot that as well - I was too peeved at the idea of a blanket turn off of logging to see clearly.

    I believe the executives will be a challenge - there is another issue I was just told about today that made my jaw go through the table - basically personnel in security - doing forensics investigations in IT - no - not yet - they are untrained in anything with IT security - don't even ask about forensics. And that was the start of it. AUUGH!

    ...
    ..
    .

    I just had an epiphany... what we are dealing with may be in part why I am experiencing what I am and posted my whining me'ah: http://www.antionline.com/showthread...hreadid=273222

    Thanks again for the great advice and wisdom on this!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
