Case Study In Not Managing Logs: DigiNotar

I started a new security podcast recently, and in the first episode I covered the security breach at DigiNotar, the Dutch certificate authority.  One of the prominent findings in the forensic report that was released publicly was the unreliability and unavailability of logs – in one case because an administrator erased logs on a server to free up space, and in others because the attacker deleted logs to cover his tracks.  Forwarding ALL logs, whether from Windows systems, firewalls, switches, etc., to a central logging server with very limited access is key both to forensic analysis after an attack and to proactive alerting that might indicate an attack is underway, giving you time to react before data is lost or damaged.
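To make the "proactive alerting" point concrete, here is an added example (my own illustration, not code from the post or from the DigiNotar report) of two checks a central log collector can run over forwarded lines: flag any source host that reports its own log being cleared, and flag any host that has simply gone quiet, which is what a wiped or deleted log looks like from the collector's side. The line format `<ISO timestamp> <host> <source>: <message>` and the sample lines are constructed for this example; Windows Security event ID 1102 (audit log cleared) and System event ID 104 (event log file cleared) are real event IDs, everything else is made up.

```python
"""Added example: two log-integrity checks for a central log collector.

Assumes forwarded lines shaped "<ISO timestamp> <host> <source>: <message>".
Sample data below is constructed; it is not DigiNotar data.
"""
import re
from datetime import datetime, timedelta

# One forwarded line per row: timestamp, originating host, source program, message.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")

# Patterns that mean "a log on the originating host was cleared".
# 1102 and 104 are real Windows event IDs; the text patterns are constructed.
CLEAR_PATTERNS = [
    re.compile(r"\bEventID=1102\b"),          # Windows: the audit log was cleared
    re.compile(r"\bEventID=104\b"),           # Windows: an event log file was cleared
    re.compile(r"\blog (?:was )?cleared\b", re.I),  # syslog-style wording (constructed)
]

# Constructed sample batch: ca-01 clears its audit log at 09:10 and then falls silent,
# while web-01 keeps reporting normally.
SAMPLE_LOGS = """\
2024-03-01T09:00:00 web-01 sshd: Accepted publickey for deploy from 10.0.0.5
2024-03-01T09:00:00 ca-01 winlog: EventID=4624 successful logon for svc_backup
2024-03-01T09:05:00 web-01 sshd: session opened for user deploy
2024-03-01T09:05:00 ca-01 winlog: EventID=4672 special privileges assigned to svc_backup
2024-03-01T09:10:00 ca-01 winlog: EventID=1102 the audit log was cleared by svc_backup
2024-03-01T09:10:00 web-01 cron: logrotate finished
2024-03-01T09:15:00 web-01 sshd: session closed for user deploy
2024-03-01T09:20:00 web-01 cron: backup finished
2024-03-01T09:25:00 web-01 cron: healthcheck ok
"""


def parse(lines):
    """Turn raw forwarded text into (timestamp, host, source, message) tuples.

    Malformed lines are skipped rather than crashing the pipeline, so one bad
    forwarder cannot stop alerting for everyone else.
    """
    events = []
    for raw in lines.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, source, msg = m.groups()
        events.append((datetime.fromisoformat(ts), host, source, msg))
    return events


def find_log_clears(events):
    """Return (timestamp, host, message) for every event that reports a cleared log."""
    return [
        (ts, host, msg)
        for ts, host, _, msg in events
        if any(p.search(msg) for p in CLEAR_PATTERNS)
    ]


def find_silent_hosts(events, max_gap_minutes=10):
    """Return hosts whose newest message is older than max_gap_minutes
    relative to the newest message in the whole batch.

    A host that stops forwarding is exactly what a deleted or space-freeing
    purge looks like from the collector, so silence is itself an alert.
    """
    if not events:
        return []
    last_seen = {}
    for ts, host, _, _ in events:
        last_seen[host] = max(last_seen.get(host, ts), ts)
    newest = max(last_seen.values())
    gap = timedelta(minutes=max_gap_minutes)
    return sorted(host for host, ts in last_seen.items() if newest - ts > gap)


def audit(lines, max_gap_minutes=10):
    """Run both checks over a batch and return the findings as a dict."""
    events = parse(lines)
    return {
        "events": len(events),
        "log_clears": find_log_clears(events),
        "silent_hosts": find_silent_hosts(events, max_gap_minutes),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOGS)
    print(f"parsed {report['events']} events")
    for ts, host, msg in report["log_clears"]:
        print(f"ALERT log cleared on {host} at {ts}: {msg}")
    for host in report["silent_hosts"]:
        print(f"ALERT {host} has stopped forwarding logs")
```

Both checks only work if the collector itself is outside the reach of the accounts being monitored, which is the "very limited access" part: a host that can clear its own log cannot retroactively clear the copy already forwarded, and the gap detector catches the case where it stops sending rather than tampering.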