Penthouse level
Somewhere along the way to this level you realize that all of this data has to reside somewhere. The raw data can be zipped and stored "somewhere else": you rarely need those logs, but you probably want to save them for 90 days or so, unless regulatory requirements say otherwise. For instance, banking records may have to be kept for up to 10 years in some countries. So you need to start thinking about your retention policies for the different types of data. And you don't have to keep everything on-line either. Store it on backups of some kind; that is cheaper than the terabytes of disk you would need to keep everything on-line. You still have the normalized data to work with, and in most cases that is all you need, if it has been done correctly.
The products you will be working with at this level are very, very powerful and can help you with advanced reporting tools and alerting schemes. They connect to ticketing systems and monitoring suites. They are also able to correlate data from a vast range of devices and software. Usually they come with a bunch of agents/collectors/connectors/daemons and whatnot for various sources of logs, with the sole purpose of translating data from a specific device into the normalized format, which can be proprietary or an open format with open APIs so you can write your own log collector agents. Often these products give you a choice of which approach to take towards collecting logs. These include, but are not limited to, installing daemons or agents on a device, triggers in a database, wrappers or listeners, connectors on an appliance, or software collectors on a virtual server. The sharp minds in the development departments come up with many interesting solutions, and since you often can write your own agents, you will probably come up with a few new ideas!
Not every log is as easy to read as syslog, where every event is one line. Some fine vendors have decided that if the logs are multi-line events they will be easier to read. Yes, if you only use that product and don't have anything else in your data center. Some log in XML. Remember, these ideas are the best on the market, just ask their developers. With these kinds of logs your normalization agents need to do magic things: recognize where one event ends and the next begins, and pull the same fields (time, host, severity, message) out of each format. Be sure that you know all your log sources and their formats when shopping for a SIEM/SIM/SEM solution. It needs to be able to do this magic or you will lose the correlation part of monitoring. Correlation is only effective if all pieces of the puzzle are available.
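To make the "magic" concrete, here is an added example (my own illustration, not code from the original post or from any SIEM vendor) of a small normalization agent that takes the three log shapes mentioned above, one-line syslog, multi-line application events where continuation lines are indented, and XML events, and turns each into the same flat record. All sample lines are constructed, and the XML layout is a hypothetical vendor format.

```python
import re
import xml.etree.ElementTree as ET
from typing import Iterator

# Constructed sample input (not taken from any real device).
SAMPLE_SYSLOG = [
    "<36>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for admin from 203.0.113.5 port 51822 ssh2",
]
SAMPLE_APPLOG = [
    "2024-05-01 10:00:01 ERROR [payment] Transaction failed",
    "    at com.example.Pay.run(Pay.java:42)",
    "    at com.example.Main.main(Main.java:10)",
    "",
    "2024-05-01 10:00:05 INFO [payment] Retry succeeded",
]
# Hypothetical vendor XML format, one <event> element per event.
SAMPLE_XML = """<events>
  <event><time>2024-05-01T10:00:07Z</time><host>cctv-gw</host>
         <level>warning</level><text>Camera 3 offline</text></event>
</events>"""

# RFC 3164-style syslog: optional <PRI>, timestamp, host, app[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# First line of an application event; re.S lets the message span joined lines.
APP_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>[A-Z]+) "
    r"\[(?P<comp>[^\]]+)\] (?P<msg>.*)$", re.S)

# Text severities mapped onto the syslog 0-7 scale so every source agrees.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "error": 3, "err": 3,
            "warning": 4, "warn": 4, "notice": 5, "info": 6, "debug": 7}


def parse_syslog(line: str) -> dict:
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not a syslog line: {line!r}")
    pri = int(m["pri"]) if m["pri"] else 13   # RFC 3164 default PRI if absent
    return {"timestamp": m["ts"], "host": m["host"], "severity": pri & 7,
            "source": m["app"], "message": m["msg"]}


def group_multiline(lines) -> Iterator[str]:
    """Yield one string per event; an indented line belongs to the event before it."""
    buf: list[str] = []
    for line in lines:
        if not line.strip():            # blank lines carry no event data
            continue
        if buf and line[:1].isspace():  # continuation line
            buf.append(line.strip())
        else:
            if buf:
                yield "\n".join(buf)
            buf = [line]
    if buf:
        yield "\n".join(buf)


def parse_app_event(event: str, host: str) -> dict:
    """The collector knows which host it runs on, so host is passed in."""
    m = APP_RE.match(event)
    if not m:
        raise ValueError(f"unrecognised app event: {event[:40]!r}")
    return {"timestamp": m["ts"], "host": host, "severity": SEVERITY[m["level"].lower()],
            "source": m["comp"], "message": m["msg"]}


def parse_xml_events(text: str) -> list[dict]:
    root = ET.fromstring(text)
    return [{"timestamp": ev.findtext("time"), "host": ev.findtext("host"),
             "severity": SEVERITY[(ev.findtext("level") or "notice").lower()],
             "source": "xmlfeed", "message": ev.findtext("text") or ""}
            for ev in root.iter("event")]


def normalize_all() -> list[dict]:
    """Run all three parsers over the samples; every record has the same keys.
    Timestamps are left in their source format here; a real agent would also
    convert them to one zone and representation before correlation."""
    events = [parse_syslog(l) for l in SAMPLE_SYSLOG]
    events += [parse_app_event(e, "app01") for e in group_multiline(SAMPLE_APPLOG)]
    events += parse_xml_events(SAMPLE_XML)
    return events


if __name__ == "__main__":
    for ev in normalize_all():
        print(ev)
```

The point of the common `severity` scale and identical keys is that a correlation rule written once ("more than N severity-4-or-worse events from one host in a minute") works regardless of whether the host speaks syslog, writes stack traces, or emits XML; a source whose format the agent cannot parse simply drops out of that rule.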
Since you've done your homework on the levels below, you have also filtered out all the noise by now. So the result on your SOC/NOC monitors is only a few alerts per day, if any. Monthly/weekly/daily reports are mailed out to personnel and management. The bosses have their own webpage which shows red, amber and green lights for the systems that matter to their focus area. All logs, from entrance systems to CCTV, Unix boxes to Windows 7 clients, routers, switches and WiFi APs, from New York to Birmingham, through Cape Town, Singapore and Tokyo… OK, a big shop that is. A bit of an exaggeration, but you get the drift. You are on top of things, and that's why you earned the penthouse flat.