Richard Bejtlich (TaoSecurity) wrote an excellent and extensive overview of the recent SANS Log Management Summit 2006. He mentions that Chris Brenton and Mike Poor unveiled the SANS Top 5 Essential Log Reports. I had not known about this report before. The list is:
- Attempts to Gain Access through Existing Accounts
- Failed File or Resource Access Attempts
- Unauthorized Changes to Users, Groups and Services
- Systems Most Vulnerable to Attack
- Suspicious or Unauthorized Network Traffic Patterns
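As an added illustration of the first report on that list (this is my own example, not code from Richard's summary or from the SANS report), the script below builds an "attempts to gain access through existing accounts" table from a few constructed OpenSSH syslog lines. It assumes the standard sshd "Failed/Accepted ... for [invalid user] NAME from SRC" message format and separates attempts against real accounts from guesses at nonexistent users, which belong in a different report.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH syslog format; not real log data.
SAMPLE_LOG = """\
Mar  3 09:14:02 web1 sshd[2201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:05 web1 sshd[2201]: Failed password for alice from 203.0.113.7 port 50122 ssh2
Mar  3 09:14:09 web1 sshd[2201]: Accepted password for alice from 203.0.113.7 port 50122 ssh2
Mar  3 09:20:41 web1 sshd[2215]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Mar  3 09:31:12 web1 sshd[2230]: Failed password for bob from 198.51.100.9 port 41002 ssh2
Mar  3 10:02:55 web1 sshd[2240]: Accepted publickey for carol from 192.0.2.44 port 39012 ssh2
"""

# Matches both outcomes; the optional "invalid user " marker tells us whether
# the account actually exists on the host.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_sshd(text):
    """Turn raw sshd lines into authentication events (unparseable lines are skipped)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "result": m.group("result"),
                "user": m.group("user"),
                "src": m.group("src"),
                "existing": m.group("invalid") is None,
            })
    return events

def existing_account_report(events):
    """Per existing account: failures, successes, source IPs, and whether a
    success came after earlier failures (the pattern worth reviewing first)."""
    report = defaultdict(lambda: {"failed": 0, "accepted": 0,
                                  "sources": set(), "success_after_failure": False})
    for e in events:
        if not e["existing"]:
            continue  # guesses at nonexistent users are a separate report
        r = report[e["user"]]
        r["sources"].add(e["src"])
        if e["result"] == "Failed":
            r["failed"] += 1
        else:
            r["accepted"] += 1
            if r["failed"]:
                r["success_after_failure"] = True
    return dict(report)

if __name__ == "__main__":
    for user, r in existing_account_report(parse_sshd(SAMPLE_LOG)).items():
        print(user, r)
```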
Richard provides some detail on a talk by lawyer Ben Wright about log management and legal issues. Ben offered three suggestions regarding log management:
- Policy should stress preferences, not statements saying “We will do X.”
- Keep records of the fact you reviewed logs.
- Only a company’s full audit committee should know about all monitoring methods — neither employees nor the CEO should know what is watched or stored.
A version of this talk was provided on a SANS Webcast Ask The Expert: “The Law of IT System Logs”.