Windows Log Analytics & Monitoring
Windows Security Logs
In most Windows environments audit logs are underutilized. They are often examined only for investigative purposes, and usually only after an incident. However, Windows logs, when properly configured and efficiently monitored, have tremendous value. System logging generates vast amounts of data from varying sources, so consolidating, inspecting and analyzing it can be tedious and inefficient. The challenges are compounded by inadequate configuration, which leaves logs full, overwritten, incomplete and therefore useless.
There are solutions available to facilitate the consolidation and aggregation of both local and remote logs from across the organization, using either software tools or hardware appliances. What current log analysis solutions lack is the ability to intelligently filter out the pertinent information needed to identify high-risk activity, to notify the relevant people regardless of their technical ability, to document issue resolution, and to establish a workflow for escalating issues as required.
Audit Policies
Auditing for security events on critical computer systems is an essential requirement of a sound security policy. A Windows audit policy defines which security events have success and/or failure actions audited and recorded in the Security log. For example, Windows 2003 has nine audit policies but by default only two are enabled.
- Account log-on events: success auditing
- Log-on events: success auditing
The other audit categories (management events, directory service access, object access, policy change, privilege use, process tracking, and system events) are configured for no auditing. Each organization has to determine its security posture and enable auditing accordingly. Whatever the configuration of its infrastructure, effective log analysis and monitoring is required to ensure that security, risk, and control objectives can be achieved.
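A defender's first step is to find out which categories are actually set to "No Auditing" on a host and how far that is from a chosen baseline. The following is an added example, not SymSure's code; it assumes the tabular output format of `auditpol /get /category:*` (the Vista-and-later tool, not the Windows 2003 one), and both the sample output and the baseline are constructed for illustration.

```python
import re

# Constructed sample of `auditpol /get /category:*` output (not captured from a
# real host). Unindented lines are categories, indented lines are subcategories.
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
Account Logon
  Credential Validation                   Success
Privilege Use
  Sensitive Privilege Use                 No Auditing
Policy Change
  Audit Policy Change                     No Auditing
"""

SETTINGS = ("Success and Failure", "Success", "Failure", "No Auditing")
SETTING_RE = re.compile(r"^(\s*)(.+?)\s{2,}(" + "|".join(SETTINGS) + r")\s*$")

def parse_auditpol(text):
    """Return {(category, subcategory): setting} from auditpol output."""
    policy, category = {}, None
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:                                   # indented subcategory row
            policy[(category, m.group(2).strip())] = m.group(3)
        elif line and not line.startswith((" ", "System audit policy",
                                           "Category/Subcategory")):
            category = line.strip()             # category header row
    return policy

def unaudited(policy):
    """Subcategories set to 'No Auditing', grouped by category."""
    gaps = {}
    for (cat, sub), setting in policy.items():
        if setting == "No Auditing":
            gaps.setdefault(cat, []).append(sub)
    return gaps

def check_baseline(policy, required):
    """List (key, wanted, actual) where the host falls short of a baseline.
    'Success and Failure' satisfies any requirement; a missing key counts as
    'No Auditing'."""
    return [(k, want, policy.get(k, "No Auditing"))
            for k, want in required.items()
            if policy.get(k, "No Auditing") not in (want, "Success and Failure")]

# Constructed minimum baseline for the three categories the text highlights.
BASELINE = {("Logon/Logoff", "Logon"): "Success and Failure",
            ("Account Logon", "Credential Validation"): "Success and Failure",
            ("Policy Change", "Audit Policy Change"): "Success and Failure"}
```

On a live host, feed `subprocess.run(["auditpol", "/get", "/category:*"], capture_output=True, text=True).stdout` to `parse_auditpol` in place of the constructed sample.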
SymSure Solution
Our solution focuses on automating analysis, reporting, alerting and issue management within the organization’s Windows logging environment. Audit policies are configured and pushed via Group Policy to the clients and servers in the environment. The resulting logs are collated on a centralized SymSure server for analysis and interrogation. Once collated, SymSure’s monitoring framework examines all electronic activity to detect reportable events and alerts the relevant individuals.
