How to Prevent Critical Gaps in Your Security Monitoring
Presentation on how to prevent gaps in your security monitoring infrastructure. It was presented with Dave Schwartzburg at Triangle InfoSecCon and has been submitted for acceptance to FIRST 2009 in Kyoto, Japan.

Security events such as user activity logs, network intrusion detection system (NIDS) alerts, server logs, and network device records are indispensable footprints that allow security investigators to trace activity and monitor problems. Without reliable event sources, monitoring is a futile exercise; there is no way to tell the difference between a lack of activity and activity that simply went unrecorded. Security professionals must monitor interruptions in event sources to help ensure reliable and accurate metrics, preserve investigative integrity, and provide assurance that attackers cannot hide in event gaps.

This presentation details how the Cisco Computer Security Incident Response Team (CSIRT) uses open-source tools to improve integrity in its security monitoring. It introduces tools and processes to keep security events continually recorded, including how to maintain proper device configurations, how to maintain agreements with support staff, and how to monitor event feeds for gaps.
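The last point above, monitoring event feeds for gaps, is the one that lends itself to a small worked example. The script below is an added illustration written for this page; it is not code from the presentation or from Cisco CSIRT. It assumes that each event source has a known baseline cadence (the longest quiet period that is still normal) and flags a gap whenever that baseline is exceeded, either between two consecutive events from the same source or between a source's last event and the end of the observation window. A source that never reports at all is flagged separately, since that is the case a failed collector or a silently misconfigured device produces. The source names, intervals and log lines are constructed for the example.

```python
"""Feed-silence detector: flag security event sources that stop reporting.

Added illustration, not code from the presentation or from Cisco CSIRT.
Assumes each source has a known expected cadence (longest normal quiet
period) and raises a gap whenever that cadence is exceeded, either between
two events or between the last event and the end of the window. Source
names, intervals and log lines below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample feed, one event per line: "<ISO timestamp> <source> <message>".
# The nids feed goes quiet between 10:03 and 10:20; webproxy stops after 10:04:30;
# vpn never reports at all.
SAMPLE_EVENTS = """\
2009-03-01T10:00:00 nids alert: constructed signature match
2009-03-01T10:03:00 nids alert: constructed signature match
2009-03-01T10:20:00 nids alert: constructed signature match
2009-03-01T10:22:00 nids alert: constructed signature match
2009-03-01T10:00:10 webproxy allow GET http://example.invalid/
2009-03-01T10:01:40 webproxy allow GET http://example.invalid/
2009-03-01T10:03:05 webproxy deny GET http://example.invalid/
2009-03-01T10:04:30 webproxy allow GET http://example.invalid/
"""

# Hypothetical baseline: the longest silence considered normal for each source.
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "nids": timedelta(minutes=5),
    "webproxy": timedelta(minutes=2),
    "vpn": timedelta(minutes=10),
}


@dataclass
class Gap:
    source: str
    start: Optional[datetime]   # last event before the silence; None if never seen
    end: datetime               # first event after the silence, or end of window
    gap: Optional[timedelta]    # length of the silence; None if never seen

    def describe(self) -> str:
        if self.start is None:
            return f"{self.source}: no events at all up to {self.end.isoformat()}"
        return (f"{self.source}: silent for {self.gap} "
                f"({self.start.isoformat()} -> {self.end.isoformat()})")


def parse_events(text: str) -> List[Tuple[datetime, str]]:
    """Parse '<timestamp> <source> <message>' lines into (timestamp, source) pairs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, _message = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), source))
    return events


def find_gaps(events: List[Tuple[datetime, str]],
              expected: Dict[str, timedelta],
              observed_until: datetime) -> List[Gap]:
    """Return every silence longer than the source's expected interval."""
    last_seen: Dict[str, datetime] = {}
    gaps: List[Gap] = []
    # Pass 1: silences between consecutive events of the same source.
    for ts, source in sorted(events):
        limit = expected.get(source)   # sources without a baseline are only tracked
        if limit is not None and source in last_seen:
            delta = ts - last_seen[source]
            if delta > limit:
                gaps.append(Gap(source, last_seen[source], ts, delta))
        last_seen[source] = ts
    # Pass 2: sources still silent at the end of the window, or never seen.
    for source, limit in expected.items():
        if source not in last_seen:
            gaps.append(Gap(source, None, observed_until, None))
        else:
            delta = observed_until - last_seen[source]
            if delta > limit:
                gaps.append(Gap(source, last_seen[source], observed_until, delta))
    return gaps


def analyze(text: str = SAMPLE_EVENTS,
            observed_until_iso: str = "2009-03-01T10:25:00") -> List[Gap]:
    """Run the detector over a feed dump up to the given end-of-window time."""
    return find_gaps(parse_events(text), EXPECTED_INTERVAL,
                     datetime.fromisoformat(observed_until_iso))


if __name__ == "__main__":
    for gap in analyze():
        print(gap.describe())
```

The two passes matter: a gap that closed (nids resuming at 10:20) is worth recording for investigative integrity even though the feed is healthy again, while an open gap (webproxy, vpn) is what should page someone. In practice the baseline per source comes from the agreements with support staff the presentation mentions, not from a hard-coded table, and the "end of window" is simply the current time on each run.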