The importance of logging for forensics investigations
ISSA has an interesting article (PDF, members only) in this month's issue. It is titled Computer Forensics Foils Financial Data Theft and it describes how the absence of a specific log file turned investigators onto the trail of a thief.
SIM products generally do a more or less acceptable job of collecting log data, extracting useful information from it, and doing some basic analysis. While it does not appear that a SIM was used in this particular example, the article shows how important it is to have a baseline of expected behaviour. The absence of logging that should be there is generally an indication that something is awry. I wonder how many of the commercial SIMs out there have provisions for this sort of detection.
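As an added illustration of the baseline idea (example code written for this post, not from the ISSA article or any SIM product), here is a small Python check that learns, from a window of known-good logs, the longest gap each log source normally goes between events, and then flags sources in the window under review that have been quiet longer than that or have stopped logging altogether. The source names, timestamps and messages are constructed.

```python
import datetime as dt

# Constructed sample data (not from the article): "<ISO timestamp> <source> <message>".
# TRAINING_LOGS is a window of known-good activity; RECENT_LOGS is the window under review.
TRAINING_LOGS = """\
2024-05-01T09:00:00 web01/access GET / 200
2024-05-01T09:00:30 fw01/syslog accept tcp 10.0.0.5:443
2024-05-01T09:01:00 db01/audit SELECT on accounts by app_user
2024-05-01T09:01:00 fw01/syslog accept tcp 10.0.0.6:443
2024-05-01T09:02:00 vpn01/auth login alice
2024-05-01T09:05:00 web01/access GET /login 200
2024-05-01T09:09:00 web01/access POST /login 302
2024-05-01T09:15:00 db01/audit UPDATE accounts by app_user
2024-05-01T09:30:00 vpn01/auth login bob
"""
RECENT_LOGS = """\
2024-05-01T10:00:00 web01/access GET /index.html 200
2024-05-01T10:00:10 fw01/syslog accept tcp 10.0.0.5:443
2024-05-01T10:00:30 db01/audit SELECT on accounts by app_user
2024-05-01T10:04:00 web01/access GET /report 200
2024-05-01T10:25:00 web01/access POST /login 302
2024-05-01T10:29:30 fw01/syslog deny tcp 10.0.0.12:22
"""
NOW = dt.datetime(2024, 5, 1, 10, 30, 0)  # constructed "current time" of the review

def parse_logs(text):
    """Group event timestamps by log source, sorted in time order."""
    events = {}
    for line in text.splitlines():
        ts, source, _message = line.split(" ", 2)
        events.setdefault(source, []).append(dt.datetime.fromisoformat(ts))
    return {src: sorted(times) for src, times in events.items()}

def learn_baseline(events, slack=2.0):
    """Largest gap (seconds) between consecutive events per source, times a slack
    factor. A source with a single event yields no gap and therefore no baseline."""
    baseline = {}
    for source, times in events.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps:
            baseline[source] = int(max(gaps) * slack)
    return baseline

def find_silent_sources(events, baseline, now):
    """Sources the baseline expects that have been quiet longer than allowed.
    Value is the silence in seconds, or None if the source never logged at all."""
    findings = {}
    for source, max_gap in baseline.items():
        times = events.get(source)
        if not times:
            findings[source] = None          # the log that should be there is absent
            continue
        silence = int((now - times[-1]).total_seconds())
        if silence > max_gap:
            findings[source] = silence       # the log stopped mid-window
    return findings
```

With the constructed data, `find_silent_sources(parse_logs(RECENT_LOGS), learn_baseline(parse_logs(TRAINING_LOGS)), NOW)` reports the database audit log as silent for 1770 seconds and the VPN authentication log as missing entirely, while the web and firewall sources stay within their learned gaps.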