LogBlog


User Activity Monitoring. It All Starts With A Log

User activity monitoring starts with effective logging. Logs provide the fingerprint of a user's activity across the network. InformationWeek illustrates this well.

Managers must not only monitor system access, but also let employees know their system changes can be tracked. Employers should be wary of people unwilling to share their knowledge about systems or uncomfortable with the fact that their activities accessing systems or data can be tracked.

Mike picks up on this over at Security Insights (subscribe to his daily email - worth the read):

But that's far from the only place insiders can cause damage. It ain't easy, but there are a couple of tips to help deter the behavior and then detect it. First is logging. You should be logging all administrative changes. Duh! But here's the nuance. Store the logs somewhere else and do not provide access to the administrators. Thus, they can't tamper with the logs to cover their tracks. They'll need to think twice before setting backdoors and the like.

Both Mike and InformationWeek get at one of the key tenets of an effective LMI solution - chain of custody. Even administrators shouldn't have access to your set of immutable log data. And you also want controls over some reports and alerts. All this can be managed very easily with the right solution.

Your LMI policies should also incorporate two other elements: who is "watching the watchers" (often IT Audit takes on this role in larger enterprises), and who is auditing the policy. Do you, for instance, have automated reports and alerts as to the status of logging?
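
One way to automate the "status of logging" report asked about above, as an added example (not code from LogLogic or from the posts quoted here): it reads records held on the central collector and reports which expected sources have gone quiet, which is what a disabled or redirected log feed looks like from the collector's side. The host names, sample records, source inventory and one-hour threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample: records as received by a central collector that the
# administrators of the source systems cannot modify.
SAMPLE = """\
2006-12-14T09:00:02 db01 sudo: alice : COMMAND=/usr/sbin/useradd svc_backup
2006-12-14T09:05:40 fw01 config: admin bob changed rule 12
2006-12-14T09:58:11 web01 sshd: Accepted publickey for carol
2006-12-14T10:01:30 fw01 config: admin bob saved running-config
2006-12-14T11:40:00 web01 sshd: Accepted publickey for carol
2006-12-14T11:55:12 fw01 config: admin bob changed rule 14
"""

EXPECTED_SOURCES = {"db01", "fw01", "web01", "mail01"}  # assumed inventory
MAX_SILENCE = timedelta(hours=1)                         # assumed threshold


def logging_status(text, now, expected=EXPECTED_SOURCES, max_silence=MAX_SILENCE):
    """Map each source to 'ok', 'silent', 'never_seen' or 'unexpected'."""
    last_seen = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # skip blank or truncated records
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # skip records without a parseable timestamp
        host = parts[1]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    report = {}
    for host in sorted(expected | set(last_seen)):
        if host not in last_seen:
            report[host] = "never_seen"   # in inventory, no records at all
        elif host not in expected:
            report[host] = "unexpected"   # sending logs but not in inventory
        elif now - last_seen[host] > max_silence:
            report[host] = "silent"       # was logging, has stopped
        else:
            report[host] = "ok"
    return report


if __name__ == "__main__":
    now = datetime(2006, 12, 14, 12, 0, 0)
    for host, status in logging_status(SAMPLE, now).items():
        print(f"{host:8} {status}")
```

The report is only trustworthy if it runs on the collector side, under an account the monitored administrators do not control, and is itself reviewed by whoever is "watching the watchers".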

Posted December 14, 2006 in Compliance | Permalink

