AU-6, AU-7 and AU-9 On the Cheap

SIEM or log correlation tools are generally considered expensive. I won't get into the particulars of what is or is not expensive for you or your customer; it also depends on system size and on what your enterprise may already have in place, so do check into those things before continuing.

I was recently having a conversation with a friend who was lamenting that Loggly and LogEntries weren't authorized and that their management team had put the kibosh on self-hosting Splunk (let alone Splunk Cloud). What's a security dude to do?

The answer lies in open source. More specifically, Graylog. And I don't mean Graylog Enterprise; I mean loading up the open-source Graylog, probably as a Docker container, and starting to implement some of the marketplace plug-ins. I would also recommend tying Graylog to LDAP so that there aren't additional accounts to manage. It was a no-brainer to me, but you never know about other people's politics.

Now that Graylog is running and accepting log data, you can update your baseline configuration so that only the service account for the forwarding service on your workloads can access the audit logs (this is the AU-9 piece, protection of audit information). System admins and DevOps should only...
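The last step above (restricting the audit log on each workload to the forwarder's service account) is the part of the baseline that is easy to describe and easy to get subtly wrong, so here is an added example of how to apply and verify it on a Linux host. This is example code written for this page, not the post author's script and not part of Graylog; the audit log path, the forwarder group name, and the sample log line are all assumptions, and the mode 0640 with group ownership is one reasonable way to give the forwarder read access while denying every other local account.

```shell
#!/bin/sh
# Added example, not from the original post. Locks an audit log down so
# that only root and the log forwarder's service account (via its group)
# can read it, then verifies the result. Assumed names:
#   FWD_GROUP - group the forwarder service account belongs to
#   AUDIT_LOG - path of the audit log being protected
set -u

# Return 0 when "other" has no r/w/x on the file, i.e. the permission
# string ends in "---" (0640, 0600, ...). Uses ls rather than stat so it
# behaves the same on GNU and BSD userlands; cut drops any ACL/SELinux
# marker that ls appends as an 11th character.
audit_log_locked_down() {
    f="$1"
    [ -e "$f" ] || return 1
    perms=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-r-----
    case "$perms" in
        ???????---) return 0 ;;            # other: no read, write or exec
        *)          return 1 ;;
    esac
}

# Apply root:$grp ownership and mode 0640. chown needs root; when run
# unprivileged the ownership step is skipped but the mode is still set,
# so the check above remains meaningful on a dev box.
lock_down_audit_log() {
    f="$1"; grp="$2"
    [ -e "$f" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$grp" "$f" || return 1
    fi
    chmod 0640 "$f"
}

# Stand-alone demo on a constructed log file (not a real audit trail).
FWD_GROUP="${FWD_GROUP:-$(id -gn)}"
AUDIT_LOG="${AUDIT_LOG:-$(mktemp)}"
printf '%s\n' \
  'type=USER_LOGIN msg=audit(0.0:1): pid=1 uid=0 res=success' > "$AUDIT_LOG"
chmod 0644 "$AUDIT_LOG"                    # typical world-readable default

if audit_log_locked_down "$AUDIT_LOG"; then
    echo "before: $AUDIT_LOG already locked down"
else
    echo "before: $AUDIT_LOG readable by everyone on the host"
fi

lock_down_audit_log "$AUDIT_LOG" "$FWD_GROUP"

if audit_log_locked_down "$AUDIT_LOG"; then
    echo "after:  $AUDIT_LOG restricted to root and group $FWD_GROUP"
else
    echo "after:  $AUDIT_LOG still too open" >&2
fi
rm -f "$AUDIT_LOG"
```

Run it as root with `FWD_GROUP` set to the forwarder's group (and `AUDIT_LOG` to the real log, for example `/var/log/audit/audit.log`) to apply the change; the check function is the piece to drop into a baseline compliance script, since it reports drift whenever anyone widens the mode again.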

This is still a Thing

It's been over 2 years since I last vented about FISMA / FedRAMP. I am now committing to doing more posts. I'm thinking biweekly (one every other week). Not just venting and therapy, but actual process and analysis. Look for an example later this week.

This is still a Thing was originally published in How is that Assurance Evidence? on Medium.