topic Re: Do you use any tool that does automated log reviews? in Governance, Risk, Compliance

Do you use any tool that does automated log reviews?

CY — Sat, 07 Nov 2020 02:28:58 GMT

I am trying to automate this laborious task. Can share if you have any experience using such tools where auditors has no issue with?

Re: Do you use any tool that does automated log reviews?

Steve-Wilme — Mon, 09 Nov 2020 14:48:32 GMT

A SIEM is capable of log centralisation, normalisation and correlation of events. You should be able to set-up rules to alert on single events or combinations of events of interest. It tend to be best to work back from known indicators of attacks to source the relevant events, rather than capture all events and try to figure out what all that data might mean.

Re: Do you use any tool that does automated log reviews?

dcontesti — Mon, 09 Nov 2020 09:27:08 GMT

Are these internal or external auditors? The difference: If they are internal, you could sit with them while you are putting together the requirements for such a tool and have their blessings as you move down the path.

I am not sure about others but have found that building an alliance with the IA team has been beneficial and helps when dealing with external audit.

For external auditors, you may wish to ask them what they are looking for. SOmetimes it varies depending on the auditor assigned to your firm.

We had good luck with Splunk (but they were very expensive), another tool we used was AlienVault. Both satisfied the audit requirements.

PS: this is NOT an endorsement for either tool, just that we used them. Both had issues and required dedicated staff.

Re: Do you use any tool that does automated log reviews?

dcontesti — Mon, 09 Nov 2020 09:48:52 GMT

Found this on the net, might help you when doing your requirements:

https://stackify.com/best-log-management-tools/#:~:text=The%20McAfee%20Enterprise%20Log%20Manager,%2C%20Application%2C%20and%20System%20logs.

Re: Do you use any tool that does automated log reviews?

Titan — Tue, 01 Dec 2020 03:39:46 GMT

I second what this individual stated regarding Splunk and Alienvault (although it looks like AT&T has bought Alienvault). I've personally seen more instances of Splunk being used. However, the ongoing challenge with Splunk (and likely Alienvault as well) is tuning the SIEM so it performs the activities both effectively and efficiently.