The document discusses effective log management and shared insights from case studies involving SIEM (Security Information and Event Management) tools. It highlights common pitfalls in log management, outlines essential practices for logging, and poses discussion questions about logging strategies and tools. Dr. Anton Chuvakin, an expert in the field, also emphasizes the importance of understanding what to log, how to manage logs, and the relevance of compliance in log practices.

1. Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log ManagementDr. Anton Chuvakin: IANS FacultyPanel members from large organizations using log management/SIEM tools [names removed due to not having permission to post themSee IANS site http://www.iansresearch.com for full details]

2. AgendaSIEM and Log Management Common Pitfalls and LessonsDiscussion QuestionsQ&AWebcast Q&A posted at http://chuvakin.blogspot.com/search/label/questionsSponsor Presentation

3. SIEM and Log Management LM:Log ManagementFocus on all uses for logsSIEM: Security Information and Event ManagementFocus on security use of logs and other data

4. Intro to Log Management Drivers for logging and log management

5. What to log? Logging policy

6. Log collection and retention

7. Log review procedures

8. Security monitoring

9. Log forensics

10. Other uses for log dataLog Management Maturity Curve

11. Top Log Management MistakesNot logging at all.Approaching logs in silo’ed fashionStoring logs for too short a timePrioritizing the log records before collectionIgnoring the logs from applicationsNot looking at the logsOnly looking at what youknow is badThinking that compliance=log storage

12. Discussion Questions: What to Log?What do you log? Devices? Systems? Applications?What approach was taken to determine ‘what to log?’? What process was followed?What data are you logging and why are you logging it?How you deal with custom log formats, e.g from custom applications?Structured and unstructured data: do you parse all or only index some data?Retention policy: how? What? For how long?

13. Discussion Questions: How to Do Log Management?What are you doing with the log data? What do you review? What motivated you to review logs?What logs are looked at periodically?What logs are looked at only after an incident?What tools used for log review? LM or SIEM?Who reviews logs?What roles are looking at logs? Who uses each of the tools?

14. Discussion Questions: ToolsChoosing toolsHow were the tools chosen?What are the top 3 requirements that were used?Operating tools:What each tool does? SIEM and LMJoint SIEM and LM architectureLogger in front? Other architecture choices?Key: How to figure what to filter from LM to SIEM?From correlation rules? Or devices? or use cases?

15. Discussion Questions: Compliance and Use CasesInvestigative use caseAny lessons learned on how to investigate incidents using log data?Is compliance a driver or a use case for you?

16. How operations team uses LM tools?

17. Any unusual use cases for log data (=apart from security/compliance/operations)Non-security use case for SIEM?Do business people use it?

18. Discussion Questions: Issues?IssuesAny SIEM “flooding” issues?Not knowing what to log?Challenges with custom applications?Dream a bit What would you like to have in your LM and SIEM tools?

19. Audience Q&A

20. Questions?Dr. Anton Chuvakin Email:anton@chuvakin.orgSite:http://www.chuvakin.orgBlog:http://www.securitywarrior.orgTwitter:@anton_chuvakinConsulting:http://www.securitywarriorconsulting.com

21. More on AntonConsultant: http://www.securitywarriorconsulting.comBook author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etcConference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwideStandard developer: CEE, CVSS, OVAL, etcCommunity role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, othersPast roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager