IANS Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management by Dr. Anton Chuvakin
  • What makes a log management program effective? Log management activities must be prioritized in order to operate your security team effectively. We will review and analyze best practices for implementing log management programs as well as address SIEMs’ influence on the goal of optimization. This virtual discussion is ideal for risk, compliance, and security managers, as well as anyone looking for new approaches to gain intelligence from their log data.

IANS Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management by Dr. Anton Chuvakin Presentation Transcript

  • 1. Navigating the Data Stream without Boiling the Ocean:
    Case Studies in Effective Log Management
    Dr. Anton Chuvakin: IANS Faculty
    Panel members from large organizations using log management/SIEM tools
    [names removed due to not having permission to post them
    See IANS site http://www.iansresearch.com for full details]
  • 2. Agenda
    SIEM and Log Management
    Common Pitfalls and Lessons
    Discussion Questions
    Q&A
    Webcast Q&A posted at http://chuvakin.blogspot.com/search/label/questions
    Sponsor Presentation
  • 3. SIEM and Log Management
    LM:
    Log Management
    Focus on all uses for logs
    SIEM:
    Security Information
    and Event Management
    Focus on security use of logs and other data
  • 4. Intro to Log Management
    Drivers for logging and log management
  • 5. What to log? Logging policy
  • 6. Log collection and retention
  • 7. Log review procedures
  • 8. Security monitoring
  • 9. Log forensics
  • 10. Other uses for log data
  • Log Management Maturity Curve
  • 11. Top Log Management Mistakes
    Not logging at all.
    Approaching logs in a siloed fashion
    Storing logs for too short a time
    Prioritizing (filtering) the log records before collection
    Ignoring the logs from applications
    Not looking at the logs
    Only looking at what you know is bad
    Thinking that compliance = log storage
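Two of the mistakes above, "not looking at the logs" and "only looking at what you know is bad", are easiest to see side by side in code. The following Python script is an added example, not part of the presentation: it runs a periodic review over a small set of constructed syslog lines, flags events that match known-bad signatures, and separately flags any (host, event type) pair that never appeared in the retained history. The signature list, the baseline period and the log lines themselves are all constructed for illustration; nothing here is a real detection rule set.

```python
"""Log review over constructed sample lines: known-bad signatures plus a
"never seen before" check, so events no rule names still surface.
Added example (not the presenter's code); all log lines are constructed."""
import re
from collections import Counter

# Constructed history used to build the baseline of normal (host, event type) pairs.
BASELINE_LOGS = """\
Jan 10 08:01:02 web1 sshd[1201]: Accepted publickey for deploy from 10.0.1.15 port 51122 ssh2
Jan 10 08:05:44 web1 sudo: deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart app
Jan 10 09:12:10 db1 sshd[2210]: Accepted publickey for dba from 10.0.1.20 port 40110 ssh2
Jan 10 09:30:00 web1 cron[1400]: (root) CMD (/usr/local/bin/rotate-logs)
Jan 11 08:02:15 web1 sshd[1305]: Accepted publickey for deploy from 10.0.1.15 port 51180 ssh2
""".splitlines()

# Constructed period under review: a password-guessing run that succeeds, then a new account.
REVIEW_LOGS = """\
Jan 12 03:14:07 db1 sshd[3011]: Failed password for root from 203.0.113.9 port 42011 ssh2
Jan 12 03:14:09 db1 sshd[3011]: Failed password for root from 203.0.113.9 port 42011 ssh2
Jan 12 03:14:12 db1 sshd[3011]: Failed password for root from 203.0.113.9 port 42011 ssh2
Jan 12 03:15:30 db1 sshd[3020]: Accepted password for root from 203.0.113.9 port 42020 ssh2
Jan 12 03:16:01 db1 useradd[3030]: new user: name=support, UID=1003, GID=1003, home=/home/support
Jan 12 08:01:40 web1 sshd[1402]: Accepted publickey for deploy from 10.0.1.15 port 51200 ssh2
Jan 12 09:30:00 web1 cron[1500]: (root) CMD (/usr/local/bin/rotate-logs)
""".splitlines()

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[A-Za-z_\-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")

# Constructed signatures: this is all that "only looking at what you know is bad" catches.
SIGNATURES = {
    "ssh_failed_root": re.compile(r"Failed password for root"),
    "ssh_root_password_login": re.compile(r"Accepted password for root"),
}


def parse(line):
    """Split a syslog line into ts/host/prog/msg; None if the line does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def event_type(rec):
    """Coarse event type: program plus the first two words of the message.
    Hosts, users and addresses are left out so the baseline generalises."""
    head = " ".join(rec["msg"].split()[:2])
    return f"{rec['prog']}:{head}"


def build_baseline(lines):
    """Set of (host, event_type) pairs observed in the retained history."""
    seen = set()
    for line in lines:
        rec = parse(line)
        if rec:
            seen.add((rec["host"], event_type(rec)))
    return seen


def review(lines, baseline):
    """Return (signature hits, never-seen-before events, per-type counts)."""
    hits, novel, counts = [], [], Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            novel.append(("unparsed", line))  # keep it visible rather than drop it
            continue
        key = (rec["host"], event_type(rec))
        counts[key] += 1
        for name, pat in SIGNATURES.items():
            if pat.search(rec["msg"]):
                hits.append((name, rec["host"], line))
        if key not in baseline:
            novel.append((key, line))
    return hits, novel, counts


if __name__ == "__main__":
    hits, novel, counts = review(REVIEW_LOGS, build_baseline(BASELINE_LOGS))
    print("signature hits:", len(hits))
    for name, host, line in hits:
        print("  ", name, host, line)
    print("never seen before:", len(novel))
    for key, line in novel:
        print("  ", key, line)
```

Running it shows the difference: the signatures catch the failed and successful root password logins, but only the baseline comparison surfaces the `useradd` on db1, which no rule names. The unparsed path matters for the same reason: a line that fails the parser is reported, not silently discarded.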
  • 12. Discussion Questions: What to Log?
    What do you log?
    Devices? Systems? Applications?
    What approach was taken to determine ‘what to log’? What process was followed?
    What data are you logging and why are you logging it?
    How do you deal with custom log formats, e.g. from custom applications?
    Structured and unstructured data: do you parse all of it, or only index some of it?
    Retention policy: how? What? For how long?
  • 13. Discussion Questions: How to Do Log Management?
    What are you doing with the log data? What do you review?
    What motivated you to review logs?
    What logs are looked at periodically?
    What logs are looked at only after an incident?
    What tools are used for log review? LM or SIEM?
    Who reviews logs?
    What roles are looking at logs? Who uses each of the tools?
  • 14. Discussion Questions: Tools
    Choosing tools
    How were the tools chosen?
    What are the top 3 requirements that were used?
    Operating tools:
    What does each tool do? SIEM and LM
    Joint SIEM and LM architecture
    Logger in front? Other architecture choices?
    Key: how to figure out what to filter from LM to SIEM?
    From correlation rules? Or devices? or use cases?
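The questions on slide 12 (custom log formats, parse all or only index) and slide 14 (what to filter from LM to SIEM, and whether rules, devices or use cases should decide) share one mechanism, so one added example covers both. The Python script below is not from the presentation: it normalises three constructed formats (sshd syslog, a custom key=value application log, a JSON audit line) into a single record shape, keeps every line in the log management archive, including lines no parser understands, and forwards to the SIEM only the records that match a declared use case. The formats, field names, use cases and log lines are all constructed for illustration.

```python
"""Collect everything into LM, normalise what can be parsed, forward to the SIEM
only what a named use case asks for. Added example, not the presenter's code;
every format, field name, use case and log line here is constructed."""
import json
import re
from collections import defaultdict

RAW_LINES = [
    "Jan 12 03:14:07 db1 sshd[3011]: Failed password for root from 203.0.113.9 port 42011 ssh2",
    "Jan 12 03:15:30 db1 sshd[3020]: Accepted password for root from 203.0.113.9 port 42020 ssh2",
    "2013-01-12T03:16:01Z app=billing host=app2 level=ERROR user=alice action=refund amount=9999 result=denied",
    "2013-01-12T03:16:05Z app=billing host=app2 level=INFO user=alice action=view_invoice result=ok",
    '{"time":"2013-01-12T03:17:00Z","source":"iam","host":"cloud","actor":"bob",'
    '"event":"AttachUserPolicy","policy":"AdministratorAccess"}',
    "this line is in a format nobody has written a parser for yet",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w\-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$")
KV_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>(?:\w+=\S+\s*)+)$")
AUTH_RE = re.compile(r"(Accepted|Failed) (\w+) for (\S+) from (\S+)")


def normalise(line):
    """Map a supported format onto {source, host, action, outcome, actor, raw}.
    Unsupported formats keep only the raw text: indexed and searchable, not parsed."""
    rec = {"source": "unknown", "host": None, "action": None,
           "outcome": None, "actor": None, "raw": line, "extra": {}}
    if line.startswith("{"):
        try:
            j = json.loads(line)
        except ValueError:
            return rec
        rec.update(source=j.get("source"), host=j.get("host"),
                   action=j.get("event"), actor=j.get("actor"), outcome="ok")
        rec["extra"] = {k: v for k, v in j.items()
                        if k not in ("time", "source", "host", "event", "actor")}
        return rec
    m = SYSLOG_RE.match(line)
    if m:
        rec.update(source=m.group("prog"), host=m.group("host"))
        auth = AUTH_RE.match(m.group("msg"))
        if auth:
            rec.update(action=f"login_{auth.group(2)}",
                       outcome="ok" if auth.group(1) == "Accepted" else "fail",
                       actor=auth.group(3))
            rec["extra"] = {"src_ip": auth.group(4)}
        return rec
    m = KV_RE.match(line)
    if m:
        kv = dict(p.split("=", 1) for p in m.group("kv").split())
        rec.update(source=kv.get("app"), host=kv.get("host"), action=kv.get("action"),
                   outcome=kv.get("result"), actor=kv.get("user"))
        rec["extra"] = {k: v for k, v in kv.items()
                        if k not in ("app", "host", "action", "result", "user")}
        return rec
    return rec


# Use cases decide what reaches the SIEM; the device list and the rule set do not.
USE_CASES = {
    "root_ssh_password_activity": lambda r: r["source"] == "sshd" and r["actor"] == "root",
    "privilege_change": lambda r: r["action"] == "AttachUserPolicy",
    "app_denied_action": lambda r: r["outcome"] == "denied",
}


def route(lines):
    """Every line lands in the LM archive; only use-case matches are forwarded."""
    archive, forwarded = [], defaultdict(list)
    for line in lines:
        rec = normalise(line)
        archive.append(rec)
        for name, match in USE_CASES.items():
            if match(rec):
                forwarded[name].append(rec)
    return archive, dict(forwarded)


if __name__ == "__main__":
    archive, forwarded = route(RAW_LINES)
    print(f"archived {len(archive)} records, forwarded "
          f"{sum(len(v) for v in forwarded.values())} to the SIEM")
    for name, recs in forwarded.items():
        for r in recs:
            print(f"  [{name}] {r['source']} {r['host']} {r['actor']} {r['action']} {r['outcome']}")
```

Six lines go into the archive and four are forwarded: the two root SSH events, the policy attachment and the denied refund. The INFO line from the billing application and the line with no parser stay searchable in LM without adding SIEM load, which is the point of deciding the filter from use cases rather than from the list of devices.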
  • 15. Discussion Questions: Compliance and Use Cases
    Investigative use case
    Any lessons learned on how to investigate incidents using log data?
    Is compliance a driver or a use case for you?
  • 16. How does the operations team use LM tools?
  • 17. Any unusual use cases for log data (apart from security, compliance and operations)?
    Non-security use case for SIEM?
    Do business people use it?
  • 18. Discussion Questions: Issues?
    Issues
    Any SIEM “flooding” issues?
    Not knowing what to log?
    Challenges with custom applications?
    Dream a bit 
    What would you like to have in your LM and SIEM tools?
  • 19. Audience Q&A
  • 20. Questions?
    Dr. Anton Chuvakin
    Email: anton@chuvakin.org
    Site: http://www.chuvakin.org
    Blog: http://www.securitywarrior.org
    Twitter: @anton_chuvakin
    Consulting: http://www.securitywarriorconsulting.com
  • 21. More on Anton
    Consultant: http://www.securitywarriorconsulting.com
    Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
    Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
    Standard developer: CEE, CVSS, OVAL, etc
    Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
    Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager