I am currently wading through our self assessment questionnaire and am struggling with point 12.9.3 - "Designate specific personnel to be available on a 24/7 basis to respond to alerts". Is anyone actually complying with this in the fullest sense? For us, it simply isn't practical to have someone on call around the clock, nor do we have a system to trigger an alert in the middle of the night!
Does anyone have any suggestions of how to deal with this requirement?
Catherine
Kjersten / Catherine,
That is exactly the case. Choosing a log monitoring system is critical to meeting 10.6. Even with dedicated IT staff we cannot review logs every day without a tool to separate the music from the noise. Logs are 1000s of events in a minute in our environment. We use two things to get this done. First, we have an outside company that monitors all of our desktops and servers for virus / malware, as well as our web application firewall. This costs a lot and wouldn’t be able to be done by most. It has been absolutely essential in our PCI compliance. Second, we have purchased software from NNT that is a log aggregator called Log Tracker. This was completely reasonable and a small investment, and it does a fantastic job alerting us to what needs to be reviewed and what doesn’t.
We are upgrading to a newer version of Log Tracker right now, which is supposed to have even more integration with the PCI standards. Hope this helps. I know all of that costs money, so it is difficult to do. With some of the Microsoft tools you can do some of the same things, but you need to understand the events. You have to look for events and correlate them: for example, seeing that someone has entered a bad password 5 times isn’t really an issue, but if you see it across several accounts and within seconds of each other, you know that there is something going on.
Our external service that monitors our web application firewall (which protects against XSS and other database attacks) calls us at all hours and notifies us of any issues that are happening on the web. We also get notifications and alerts when there is a suspected virus or malware attack. The logging system also uses SMS messages to notify IT staff that there is something that needs to be reviewed.
Thanks,
Dave Alton
CIO
Center Theatre Group
o:213-972-7539 | c:213-973-2834
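The correlation Dave describes (five bad passwords on one account is noise, the same count spread across several accounts within seconds is an alert) as a small detector over log lines. This is an added example, not code from the thread or from any product mentioned in it; the log format, field names, thresholds and sample lines are all constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real system): one user mistyping a
# password five times, then one outside address trying five different accounts.
SAMPLE_LOG = """\
2011-09-26T02:00:01 host=app01 event=auth_failure user=alice src=10.0.0.5
2011-09-26T02:00:02 host=app01 event=auth_failure user=alice src=10.0.0.5
2011-09-26T02:00:04 host=app01 event=auth_failure user=alice src=10.0.0.5
2011-09-26T02:00:05 host=app01 event=auth_failure user=alice src=10.0.0.5
2011-09-26T02:00:07 host=app01 event=auth_failure user=alice src=10.0.0.5
2011-09-26T02:10:00 host=app01 event=auth_failure user=bob src=198.51.100.7
2011-09-26T02:10:01 host=app01 event=auth_failure user=carol src=198.51.100.7
2011-09-26T02:10:01 host=app01 event=auth_failure user=dave src=198.51.100.7
2011-09-26T02:10:02 host=app01 event=auth_failure user=erin src=198.51.100.7
2011-09-26T02:10:03 host=app01 event=auth_failure user=frank src=198.51.100.7
2011-09-26T02:10:04 host=app01 event=auth_success user=bob src=10.0.0.9
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def detect_spray(lines, window_seconds=10, min_failures=5, min_accounts=3):
    """Flag a source with >= min_failures failures on >= min_accounts accounts inside window_seconds."""
    events = [e for e in map(parse_line, lines) if e and e["event"] == "auth_failure"]
    events.sort(key=lambda e: e["ts"])  # logs are not guaranteed to arrive in order
    recent = defaultdict(deque)  # src -> failures still inside the sliding window
    alerts = []
    for e in events:
        q = recent[e["src"]]
        q.append(e)
        while (e["ts"] - q[0]["ts"]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        users = {x["user"] for x in q}
        if len(q) >= min_failures and len(users) >= min_accounts:
            alerts.append({"src": e["src"], "first_seen": q[0]["ts"], "accounts": sorted(users)})
            q.clear()  # one alert per burst, so a long spray does not page repeatedly
    return alerts

if __name__ == "__main__":
    print(detect_spray(SAMPLE_LOG.splitlines()))
```

With the sample input only the multi-account burst from 198.51.100.7 is reported; alice's five failures never reach the account threshold, which is the distinction the paging rule relies on.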
From: Payment Card Industry (PCI) Compliance [mailto:groups-pci@tessituranetwork.com] On Behalf Of Kjersten Schladetzky
Sent: Monday, September 26, 2011 7:37 AM
To: Dave Alton
Subject: RE: [Payment Card Industry (PCI) Compliance] 24/7 Response?
Hope you don't mind if I jump in.
We have purchased SIEM (security event and information monitoring) software to fulfill how we read requirement 10.6: "Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS)."
We believed that it would be impossible for anyone here to review all our logs every day, so we chose a logging/monitoring tool to do so. With this tool we can set alerts to send to text or email, which also then fulfills the 24/7 response requirement.
From: Catherine Bird <bounce-catherinebird5732@tessituranetwork.com>
Sent: 9/26/2011 8:59:28 AM
Thanks Dave.
How do your IT team know that there has been a breach though? If that happened at 2am would some automatic alert go to their cell phone? Or is it still a case of waiting until you open up the next morning?