IANS Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management by Dr. Anton Chuvakin

Navigating the Data Stream without Boiling the Ocean:
Case Studies in Effective Log Management
Dr. Anton Chuvakin: IANS Faculty
Panel members from large organizations using log management/SIEM tools
[names removed due to not having permission to post them
See IANS site http://www.iansresearch.com for full details]

Agenda
SIEM and Log Management
Common Pitfalls and Lessons
Discussion Questions
Q&A
Webcast Q&A posted at http://chuvakin.blogspot.com/search/label/questions
Sponsor Presentation

SIEM and Log Management
LM:
Log Management
Focus on all uses for logs
SIEM:
Security Information
and Event Management
Focus on security use of logs and other data

Intro to Log Management
Drivers for logging and log management
What to log? Logging policy
Log collection and retention
Log review procedures
Security monitoring
Log forensics
Other uses for log data

Log Management Maturity Curve

Top Log Management Mistakes
Not logging at all.
Approaching logs in silo’ed fashion
Storing logs for too short a time
Prioritizing the log records before collection
Ignoring the logs from applications
Not looking at the logs
Only looking at what youknow is bad
Thinking that compliance=log storage

Discussion Questions: What to Log?
What do you log?
Devices? Systems? Applications?
What approach was taken to determine ‘what to log?’? What process was followed?
What data are you logging and why are you logging it?
How you deal with custom log formats, e.g from custom applications?
Structured and unstructured data: do you parse all or only index some data?
Retention policy: how? What? For how long?

Discussion Questions: How to Do Log Management?
What are you doing with the log data? What do you review?
What motivated you to review logs?
What logs are looked at periodically?
What logs are looked at only after an incident?
What tools used for log review? LM or SIEM?
Who reviews logs?
What roles are looking at logs? Who uses each of the tools?

Discussion Questions: Tools
Choosing tools
How were the tools chosen?
What are the top 3 requirements that were used?
Operating tools:
What each tool does? SIEM and LM
Joint SIEM and LM architecture
Logger in front? Other architecture choices?
Key: How to figure what to filter from LM to SIEM?
From correlation rules? Or devices? or use cases?

Discussion Questions: Compliance and Use Cases
Investigative use case
Any lessons learned on how to investigate incidents using log data?
Is compliance a driver or a use case for you?
How operations team uses LM tools?
Any unusual use cases for log data (=apart from security/compliance/operations)
Non-security use case for SIEM?
Do business people use it?

Discussion Questions: Issues?
Issues
Any SIEM “flooding” issues?
Not knowing what to log?
Challenges with custom applications?
Dream a bit 
What would you like to have in your LM and SIEM tools?

Audience Q&A

Questions?
Dr. Anton Chuvakin
Email:anton@chuvakin.org
Site:http://www.chuvakin.org
Blog:http://www.securitywarrior.org
Twitter:@anton_chuvakin
Consulting:http://www.securitywarriorconsulting.com

More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

IANS Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management by Dr. Anton Chuvakin

by Anton Chuvakin on Apr 19, 2010

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 1

Statistics

IANS Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management by Dr. Anton Chuvakin — Presentation Transcript