SANS Sixth Annual Log Management Survey
Part I: More Log Data, More Uses
Jerry Shenk, Senior SANS Analyst
© 2010 The SANS™ Institute - www.sans.org


6th Annual Log Management Survey
–  Goals of the survey
   •  Track the progress of the log management industry
   •  Identify the problems users are having
–  More log data
   •  Log server increases
   •  Log source increases
–  More uses
   •  More people are finding logs useful

(Slides 3 to 8: survey result charts; no text was extracted.)


What Logs are Being Collected
•  Firewalls, routers, switches, IDS/IPS, etc.
•  Servers
•  Applications
•  Databases
•  Identity sources (directories, etc.)
•  Desktops
•  Physical devices – HVAC, badge access, plant control


Log Management Challenges
•  Searching and reporting
•  Analysis
•  Automation of important-event alerting
•  What vendors need to do
•  What users need to do
Trustwave SIEM: Solutions for any Organization
Sunil Bhargava, VP Product Management, Trustwave (formerly Intellitactics)


Trustwave: The leader in compliance and data security
•  Founded in 1995; 500+ employees; 23 locations on 6 continents
•  Market-leading solutions for NAC, DLP, SIEM, IDS, IPS, UTM, encryption and vulnerability scanning
•  Top 10 global Certificate Authority with more than 60,000 SSL certificates issued
•  Benchmark work for HIPAA, GLBA, SOX and the ISO 27000 series
•  PCI DSS leader – Trustwave has certified 42 percent of PSPs and 40% of payment applications
•  Performed more than 4,000 network and application penetration tests and 740 forensic investigations
•  Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)
•  Recognition: 2009 Frost & Sullivan NAC Best Practices; Forrester 9 out of 10 rating; 2010 SC Magazine “Recommended” NAC solution; SC Magazine “Finalist”: Managed Security Services; Encryption


What’s New in Log Collection
•  Some great news on collection
   –  10% name collection as their biggest problem
   –  27% name it as their least challenging
•  Implications
   –  Today’s challenges:
      •  Making sense of the logs we already receive
      •  Getting logs from non-traditional sources
      •  Finding more value in them all


Making Sense of the Logs We Have
Moving on up: from collection to analysis
•  Extracting value
   –  Automated analysis
   –  Actionable reporting
   –  Auto-detect
      •  Control violations
      •  Deviation from normal activity
•  Consolidating
   –  Logs
   –  Use cases
   –  Budgets
   –  Are all the disparate solutions required?


Getting Logs from New Sources
The insider threat and risk
•  The NEW questions in the survey
   –  49% collect logs from desktops
   –  48% collect logs from physical devices
•  New challenges for finding value
   –  Cross-correlation across disparate log types
   –  If MS-Windows server analysis is already found challenging, how will desktops fare?
•  Application logs: the question of value re-surfaces
   –  Are applications auditing the requisite details?
   –  Can your solution analyze those logs?


Extracting more Value
Doing more with logs
•  Evolving SIEM technologies are making it happen
•  Blended threats require blended solutions
•  Making advanced SIEM capabilities available to everyone


Technology Advancements
•  SIEM advancements
   –  Continuous processing
      •  From parsing to detecting control violations
   –  Embedded data store
      •  Compressed and indexed
   –  Embedded knowledge and analytics
      •  Directly addressing secondary users: HR, Legal and asset owners
      •  For user activity and asset exposure status
   –  Analytical modules: searches, correlations, actionable reports and alerting
      •  Includes data modules: acquisition, parsing, normalization and event taxonomy assignment


Blended Solutions
•  Unified approach
   –  Preventive monitoring
      •  Control violations indicating surveillance
   –  Reactive monitoring
      •  Enrich alerts with context and history
   –  Forensic research
      •  Efficient searching
•  Integrated approach
   –  Protection technologies
      •  DLP, asset discovery and encryption
   –  Access control technologies
      •  IDM, NAC, VPN and physical access


Solutions for any Organization
•  Complete SIEM on premise
   –  Automate a SOC
   –  Outsource monitoring and administration
•  Only collect and store on premise
   –  Send events to MSS for continuous, daily or weekly review
•  Completely outsource
   –  Forward all logs to MSS
   –  Get reports and alerts as outcomes


Trustwave: Building the Right Formula
Call us: 888.878.7817
Learn more at: www.trustwave.com
Contact us at: info@trustwave.com
2010 Annual Log Management Survey
Varun Kohli, Sr. Product Manager, ArcSight


ArcSight Highlights
Company Background
•  ONLY pure-play SIEM public company (NASD:ARST)
•  2000+ customers in 70+ countries
•  30% of Fortune 100 companies; 37% of DJ Index companies; 6 out of the top 10 world banks
Analyst Recognition
•  SIEM Leader’s Quadrant – SIX years running
•  #1 in market share – last three reports
•  #1 in use for both SIEM and Log Management
Industry Recognition


Gartner MQ: Six Years of Leadership
www.arcsight.com


Top Use Cases
#   2008                                 2009                               2010
1   Security / system event detection    User activity monitoring           Detect/prevent unauthorized access
2   Monitoring IT controls / forensics   Forensics analysis / correlation   IT Operations
3   Regulatory compliance                Forensics analysis / correlation   Regulatory compliance
4   Regulatory compliance                IT operations                      IT Operations
From reactive to proactive
Advanced user/asset management


Top Logs Being Collected
#   2008                             2009                      2010
1   Switch/Router/Firewall           OS                        OS
2   Switch/Router/Firewall           Switch/Router/Firewall    Servers
3   Applications and Identity data   Databases                 Databases
Diverse and advanced use cases


Evolving use cases bring new challenges
#   2008                       2009            2010
1   Collection                 IT Operations   Searching
2   Analysis and Reporting     Search          Normalization
3   Multiple vendors/formats   Reporting       Search
4   Entire Lifecycle           Reporting       Normalization
Analysis across all data – structured and unstructured
Enrichment of data for smarter analysis


Why can’t existing solutions meet these challenges?
–  Designed for a different purpose
   Solution 1                Solution 2              Ideal Solution
   Security and Compliance   IT Operations           One solution does all
   Long-term retention       Short-term retention    Automatic enforcement
   Structured data           Unstructured data       Capture everything, search anything
–  SIEM and LM are not different
–  Missing context on assets/users


How to select the ideal solution?
A log management solution is NOT IDEAL if it:
•  CANNOT simultaneously handle security, compliance and IT Ops
•  CANNOT collect from everything
•  CANNOT analyze across structured and unstructured data
•  HAS a tradeoff between fast collection, fast analysis and efficient storage
•  DOES NOT normalize events to make them easy to understand
•  DOES NOT offer audit-quality log collection
•  DOES NOT have pre-packaged content
•  DOES NOT offer flexible, economical, long-term storage
•  DOES NOT have real-time correlation (user model, asset model, etc.)
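The three slides above that talk about normalization, event taxonomy assignment and cross-correlation across disparate log types (Trustwave's "Getting Logs from New Sources" and "Technology Advancements", ArcSight's "How to select the ideal solution?") describe the mechanics only in outline. The following is an added example, not code from the deck or from either vendor's product: it parses three constructed log formats (a firewall syslog line, Windows security events flattened to key=value text, and a web application access log) into one event taxonomy, then runs a single correlation rule over the normalized stream. The Windows event IDs 4625 (failed logon) and 4624 (successful logon) are real; the key=value line shape, host names, user names and IP addresses are constructed for the example.

```python
"""Normalize three unrelated log formats into one event taxonomy, then
correlate across them per source IP (added example; not vendor code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in three formats a collector would receive:
# firewall syslog, Windows security events flattened to key=value
# (4625 = failed logon, 4624 = successful logon), and a web app access log.
SAMPLE_LOGS = [
    "Mar 14 10:01:02 fw1 kernel: DENY TCP 203.0.113.7:51234 -> 10.0.0.5:22",
    "Mar 14 10:01:05 fw1 kernel: DENY TCP 203.0.113.7:51235 -> 10.0.0.5:3389",
    "2010-03-14T10:01:09 host=win-dc1 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    "2010-03-14T10:01:11 host=win-dc1 EventID=4625 TargetUserName=alice IpAddress=203.0.113.7",
    '203.0.113.7 - alice [14/Mar/2010:10:01:15 +0000] "POST /login HTTP/1.1" 401 512',
    "2010-03-14T10:01:20 host=win-dc1 EventID=4624 TargetUserName=alice IpAddress=203.0.113.7",
    '198.51.100.20 - bob [14/Mar/2010:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

FW_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ kernel: (?P<action>DENY|ALLOW) \w+ "
                   r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)")
WIN_RE = re.compile(r"EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>[\d.]+)")
WEB_RE = re.compile(r'^(?P<ip>[\d.]+) - (?P<user>\S+) \[[^\]]+\] "\w+ (?P<path>\S+) [^"]+" (?P<status>\d{3})')


@dataclass(frozen=True)
class Event:
    source: str            # device class the line came from
    category: str          # taxonomy bucket shared by every source
    src_ip: Optional[str]
    user: Optional[str]
    raw: str


def normalize(line: str) -> Event:
    """Assign each raw line a common taxonomy so later rules never see raw formats."""
    m = FW_RE.search(line)
    if m:
        cat = "network_deny" if m["action"] == "DENY" else "other"
        return Event("firewall", cat, m["src"], None, line)
    m = WIN_RE.search(line)
    if m:
        cat = {"4625": "auth_failure", "4624": "auth_success"}.get(m["eid"], "other")
        return Event("windows", cat, m["ip"], m["user"], line)
    m = WEB_RE.search(line)
    if m:
        if m["path"] == "/login":
            cat = "auth_failure" if m["status"] in ("401", "403") else "auth_success"
        else:
            cat = "other"
        user = None if m["user"] == "-" else m["user"]
        return Event("webapp", cat, m["ip"], user, line)
    return Event("unknown", "other", None, None, line)   # keep, never drop, unparsed lines


def correlate(events: List[Event], min_failures: int = 3) -> List[dict]:
    """Alert when one source IP accumulates >= min_failures authentication
    failures seen by at least two different source types and then succeeds.
    Any one source alone (two Windows 4625s, one web 401) stays below the
    threshold; only the cross-source view reaches it."""
    failures = defaultdict(list)
    denies = defaultdict(int)
    alerts = []
    for ev in events:
        if ev.src_ip is None:
            continue
        if ev.category == "network_deny":
            denies[ev.src_ip] += 1
        elif ev.category == "auth_failure":
            failures[ev.src_ip].append(ev)
        elif ev.category == "auth_success":
            prior = failures.pop(ev.src_ip, [])
            sources = sorted({e.source for e in prior})
            if len(prior) >= min_failures and len(sources) >= 2:
                alerts.append({
                    "src_ip": ev.src_ip,
                    "user": ev.user,
                    "failures": len(prior),
                    "sources": sources,
                    "denied_connections": denies[ev.src_ip],  # enrichment from the firewall
                })
    return alerts


def run(lines: List[str]) -> List[dict]:
    return correlate([normalize(line) for line in lines])


if __name__ == "__main__":
    for alert in run(SAMPLE_LOGS):
        print(alert)
```

The point the deck makes about normalization shows up in the rule: `correlate` never looks at a raw format, only at the shared `category` and `src_ip` fields, so adding a fourth log source means writing one more parser, not touching the detection logic. Unparsed lines are kept as `unknown` rather than discarded, which is what "audit-quality" collection requires of a collector.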
Integrated Growth Path
(Diagram: ArcSight Connector, ArcSight Logger, ArcSight Express and ArcSight ESM shown as a growth path; data sources labelled Infrastructure, Application, Transactions, Databases, Users, Sensitive Data; use cases labelled Security Monitoring, User Activity, Transaction Security, Fraud Detection.)
www.arcsight.com


Summary
•  Validation
   –  Growing space, increasing adoption
•  Use case expansion
   –  Beyond security and compliance to identity management and IT operations
•  Searching and reporting
   –  Normalization and device coverage


Thank You!
Next steps
•  Website: www.arcsight.com/logger
•  Questions: info@arcsight.com
•  Telephone: +1 (888) 415-ARST
•  Future webinars: http://www.arcsight.com/webinars/


Q@SANS.org
www.SANS.org/reading_room/analysts_program
