the State of Security

RSA 2010: Why you want to look at your change log in conjunction with your event log

by David Spark on March 2, 2010

David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.

Tripwire’s edge over its competitors in the log management space is its ability to see the connections between log events and changes on your network. The man responsible for integrating that critical feature is Robert DiFalco, Tripwire’s CTO. During our interview, DiFalco explained what integrating events and changes means by way of example.

A common occurrence with a SIEM tool is to see brute force logins, where someone attempts five or six times to access your system and then gets in. The problem is that some organizations have 80 to 90 thousand brute force logins every single week. It’s simply not possible to look at all those events. By attaching change information to those logins, you get another level of understanding: if there is a change event connected to a brute force login, that’s something you have to concern yourself with. Not only does Tripwire tell you there’s been a change to a file, but you can drill in deeper to see what changes were actually made to the file.
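To make the correlation DiFalco describes concrete, here is an added example (not Tripwire code, and not from the interview) that runs the same triage logic over constructed sample data: it finds successful logins preceded by a run of failures from the same source, then attaches any file-change events on the same host within a short window after the login, so that only brute-force logins followed by a change surface for review. The log formats, thresholds and windows are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Constructed sample event log (not real SIEM output): timestamp, host, source IP, user, outcome
AUTH_EVENTS = [
    ("2010-03-02T10:00:01", "web01", "203.0.113.7", "admin", "FAIL"),
    ("2010-03-02T10:00:05", "web01", "203.0.113.7", "admin", "FAIL"),
    ("2010-03-02T10:00:09", "web01", "203.0.113.7", "admin", "FAIL"),
    ("2010-03-02T10:00:14", "web01", "203.0.113.7", "admin", "FAIL"),
    ("2010-03-02T10:00:20", "web01", "203.0.113.7", "admin", "FAIL"),
    ("2010-03-02T10:00:27", "web01", "203.0.113.7", "admin", "SUCCESS"),
    ("2010-03-02T10:01:00", "db01", "198.51.100.5", "dba", "FAIL"),
    ("2010-03-02T10:01:03", "db01", "198.51.100.5", "dba", "FAIL"),
    ("2010-03-02T10:01:07", "db01", "198.51.100.5", "dba", "FAIL"),
    ("2010-03-02T10:01:11", "db01", "198.51.100.5", "dba", "FAIL"),
    ("2010-03-02T10:01:15", "db01", "198.51.100.5", "dba", "FAIL"),
    ("2010-03-02T10:01:22", "db01", "198.51.100.5", "dba", "SUCCESS"),
    ("2010-03-02T10:02:00", "web02", "192.0.2.44", "alice", "FAIL"),      # one typo, not a brute force
    ("2010-03-02T10:02:10", "web02", "192.0.2.44", "alice", "SUCCESS"),
]

# Constructed sample change log (not real Tripwire output): timestamp, host, path, change type
CHANGE_EVENTS = [
    ("2010-03-02T10:06:12", "web01", "/etc/passwd", "MODIFIED"),
    ("2010-03-02T10:07:30", "web01", "/etc/cron.d/backup", "ADDED"),
    ("2010-03-02T09:30:00", "db01", "/etc/my.cnf", "MODIFIED"),            # before the login: unrelated
    ("2010-03-02T10:20:00", "web02", "/var/www/index.html", "MODIFIED"),  # no brute force on web02
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_brute_force_logins(events, min_failures=5, window=timedelta(minutes=10)):
    """Return successful logins preceded by at least min_failures failures from the
    same (host, source, user) within the window. Thresholds are assumed values."""
    failures = {}  # (host, source, user) -> timestamps of recent failures
    hits = []
    for ts, host, src, user, outcome in sorted(events, key=lambda e: e[0]):
        key = (host, src, user)
        t = _ts(ts)
        recent = [f for f in failures.get(key, []) if t - f <= window]
        if outcome == "FAIL":
            recent.append(t)
            failures[key] = recent
        else:
            failures[key] = []  # a success ends the run of failures
            if len(recent) >= min_failures:
                hits.append({"host": host, "source": src, "user": user,
                             "success_time": t, "failures": len(recent)})
    return hits


def correlate_with_changes(brute_forces, changes, window=timedelta(minutes=30)):
    """Attach change events on the same host that occur within the window after the login."""
    out = []
    for bf in brute_forces:
        related = []
        for c in changes:
            delta = (_ts(c[0]) - bf["success_time"]).total_seconds()
            if c[1] == bf["host"] and 0 <= delta <= window.total_seconds():
                related.append(c)
        out.append({**bf, "changes": related})
    return out


def triage(events, changes):
    """Only brute-force logins that were followed by a change need a human's attention."""
    correlated = correlate_with_changes(find_brute_force_logins(events), changes)
    return [r for r in correlated if r["changes"]]


if __name__ == "__main__":
    for r in triage(AUTH_EVENTS, CHANGE_EVENTS):
        print(f"{r['host']}: {r['failures']} failures then login as {r['user']} "
              f"from {r['source']} at {r['success_time']}; changes since:")
        for ts, _, path, kind in r["changes"]:
            print(f"  {ts} {kind} {path}")
```

On the sample data both web01 and db01 show a brute-force pattern, but only web01 had files change afterwards, so it is the single result the triage returns; the db01 login, with no subsequent change, is what an analyst can safely leave in the pile of tens of thousands. In a real deployment the change feed would be the file-integrity monitor's output and the window would be tuned to how quickly the monitor reports.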

Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.


David Spark is a veteran tech journalist and founder of Spark Media Solutions, a media consulting and production company. Acting as the "media" of "social media," Spark Media Solutions helps its clients be seen as leading voices in their field through brand-quality media production and distribution through top tier media channels.