Channel: THWACK: Message List - Security Event Manager (SEM) - Formerly Log & Event Manager

Re: !LEM Thoughts of the Week: Detecting the Target Breach?


I would imagine it's probably overwhelming to try and sift through all that log data for larger corporations. We generally collect around 35-40 million logs a day, which I'm sure is a drop in the bucket compared to most shops. We looked at the SIEM (LEM) almost as an additional IDS tool, which I believe is actually in one of the market highlights on the LEM page. I wonder how others look at it? Is it considered just a receptacle to go back and sift through log data once the breach has occurred, like you mentioned? Is it just a compliance requirement? Being heavily involved in the IDS realm, we know how much TLC goes into getting a box set up properly. You have to massage it and tweak it constantly. But once done it becomes an extremely powerful tool. We are constantly tweaking and changing our LEM box as well to adhere to our needs and our compliance needs. I don't think there is any excuse to just get it set up and let it sit. We check logs daily. It may not be fun but it needs to be done, plus it's a PCI requirement. Honestly, I would rather be sifting through reports, log data daily than having to explain to my higher-ups why we didn't catch the intrusion that may have compromised our network.

