IANS Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management by Dr. Anton Chuvakin

Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management
Dr. Anton Chuvakin: IANS Faculty
Panel members from large organizations using log management/SIEM tools [names removed due to not having permission to post them; see the IANS site http://www.iansresearch.com for full details]

Agenda
- SIEM and Log Management
- Common Pitfalls and Lessons
- Discussion Questions
- Q&A (webcast Q&A posted at http://chuvakin.blogspot.com/search/label/questions)
- Sponsor Presentation

SIEM and Log Management
- LM: Log Management. Focus on all uses for logs.
- SIEM: Security Information and Event Management. Focus on the security use of logs and other data.
Intro to Log Management
- Drivers for logging and log management
- What to log? Logging policy
- Log collection and retention
- Log review procedures
- Security monitoring
- Log forensics
- Other uses for log data

Log Management Maturity Curve
Top Log Management Mistakes
- Not logging at all
- Approaching logs in a siloed fashion
- Storing logs for too short a time
- Prioritizing the log records before collection (filter after you collect, not before)
- Ignoring the logs from applications
- Not looking at the logs
- Only looking at what you know is bad
- Thinking that compliance = log storage
Discussion Questions: What to Log?
- What do you log? Devices? Systems? Applications?
- What approach was taken to determine "what to log"? What process was followed?
- What data are you logging, and why are you logging it?
- How do you deal with custom log formats, e.g. from custom applications?
- Structured and unstructured data: do you parse all of it, or only index some of it?
- Retention policy: how? What? For how long?

Discussion Questions: How to Do Log Management?
- What are you doing with the log data? What do you review?
- What motivated you to review logs?
- What logs are looked at periodically?
- What logs are looked at only after an incident?
- What tools are used for log review? LM or SIEM?
- Who reviews logs? What roles are looking at logs? Who uses each of the tools?

Discussion Questions: Tools
- Choosing tools: how were the tools chosen? What are the top 3 requirements that were used?
- Operating tools: what does each tool do? SIEM and LM
- Joint SIEM and LM architecture: logger in front? Other architecture choices?
- Key: how do you figure out what to filter from LM to SIEM? From correlation rules? From devices? From use cases?
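The mistakes slide and the tools slide above describe one architecture: collect everything into an LM tier, retain it, forward a use-case-driven subset to the SIEM, and do not stop at the rules you already know. The following is an added toy model of that pipeline, not code from the deck or from any product mentioned in it. The log lines, hostnames, field names, the "<date> <host> <message>" layout and the two use cases are all constructed for the example; the "SIEM" is a list and the "LM store" is a dict keyed by day.

```python
"""Toy log-management pipeline (added example, not from the deck).

Models the architecture the deck asks about: an LM tier in front that
collects and retains everything, a SIEM tier that receives a use-case-driven
subset, a known-bad rule on the SIEM side, and a baseline check that runs
against the full LM store. Everything below is constructed for illustration.
"""
import re
from collections import Counter
from datetime import date, timedelta

# Constructed sample log lines, not real data.
SAMPLE_LOGS = [
    "2024-03-01 fw01 deny src=10.0.0.5 dst=203.0.113.9 dport=445",
    "2024-03-01 web01 app login user=alice result=success src=10.0.0.5",
    "2024-03-01 web01 app login user=alice result=failure src=198.51.100.7",
    "2024-03-01 web01 app login user=alice result=failure src=198.51.100.7",
    "2024-03-01 web01 app login user=alice result=failure src=198.51.100.7",
    "2024-03-01 db01 custom: order_export rows=120000 user=svc_report",
    "2024-03-02 db01 custom: order_export rows=90 user=svc_report",
    "2024-03-02 web01 app login user=bob result=success src=10.0.0.9",
    "2024-03-02 web01 sshd session_open user=bob src=10.0.0.9",
    "2024-03-05 fw01 deny src=10.0.0.5 dst=203.0.113.9 dport=445",
]

# Hypothetical line layout assumed for this example: "<date> <host> <message>".
HEADER = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<host>\S+) (?P<msg>.*)$")
KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Always parse the header; parse key=value fields where they exist and keep
    the message text raw so unparsed (custom-format) lines are still indexed."""
    m = HEADER.match(line)
    if not m:  # unknown format: keep it, never drop it
        return {"day": "unparsed", "host": "?", "event": "?", "raw": line, "fields": {}}
    msg = m["msg"]
    event = " ".join(t for t in msg.split() if "=" not in t)  # tokens that are not fields
    return {"day": m["day"], "host": m["host"], "event": event,
            "raw": msg, "fields": dict(KV.findall(msg))}


def collect(lines):
    """LM tier: store every record, keyed by day. Nothing is filtered before collection."""
    store = {}
    for line in lines:
        rec = parse(line)
        store.setdefault(rec["day"], []).append(rec)
    return store


# Forwarding to the SIEM is decided per use case, not per device.
USE_CASES = {
    "brute_force": lambda r: r["event"] == "app login",
    "blocked_egress": lambda r: r["event"] == "deny",
}


def forward_to_siem(store, use_cases):
    """Filter the LM stream down to the records some SIEM use case needs."""
    return [r for day in sorted(store) for r in store[day]
            if any(match(r) for match in use_cases.values())]


def known_bad(siem):
    """What we already know is bad: 3+ failed logins for one user from one source."""
    fails = Counter((r["fields"].get("user"), r["fields"].get("src"))
                    for r in siem if r["event"] == "app login"
                    and r["fields"].get("result") == "failure")
    return [f"brute_force user={u} src={s} count={n}"
            for (u, s), n in sorted(fails.items()) if n >= 3]


def first_seen(store, day):
    """Baseline check against the full LM store (not the SIEM subset):
    flag (host, event) pairs on `day` that never appeared on an earlier day."""
    seen = {(r["host"], r["event"]) for d, recs in store.items() if d < day for r in recs}
    return sorted({f"first_seen host={r['host']} event={r['event']}"
                   for r in store.get(day, []) if (r["host"], r["event"]) not in seen})


def investigate(store, needle):
    """Investigative use case: search the raw text of everything still retained."""
    return [f"{r['day']} {r['host']} {r['raw']}"
            for day in sorted(store) for r in store[day] if needle in r["raw"]]


def apply_retention(store, today, keep_days):
    """Drop whole days older than the window; returns how many records were lost."""
    cutoff = today - timedelta(days=keep_days)
    dropped = 0
    for day in [d for d in store if d != "unparsed"]:
        if date.fromisoformat(day) < cutoff:
            dropped += len(store.pop(day))
    return dropped


def demo(today=date(2024, 3, 5), keep_days=2):
    """Run the pipeline over the constructed sample and return the key numbers."""
    store = collect(SAMPLE_LOGS)
    siem = forward_to_siem(store, USE_CASES)
    results = {
        "collected": sum(map(len, store.values())),
        "forwarded": len(siem),
        "known_bad": known_bad(siem),                      # the rule-based hit
        "first_seen": first_seen(store, "2024-03-02"),     # the sshd event no SIEM rule covers
        "before_retention": len(investigate(store, "10.0.0.5")),
        "dropped": apply_retention(store, today, keep_days),
    }
    results["after_retention"] = len(investigate(store, "10.0.0.5"))  # 03-01 context is gone
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the numbers make: the sshd session on web01 is never forwarded to the SIEM because no use case asks for it, yet the baseline check over the LM store still surfaces it, which is the "only looking at what you know is bad" mistake in miniature; and with a two-day retention window the 03-05 firewall deny from 10.0.0.5 can no longer be tied to that source's 03-01 activity, which is the "storing logs for too short a time" mistake.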
Discussion Questions: Compliance and Use Cases
- Investigative use case: any lessons learned on how to investigate incidents using log data?
- Is compliance a driver or a use case for you?
- How does the operations team use LM tools?
- Any unusual use cases for log data (apart from security/compliance/operations)? Non-security use cases for SIEM? Do business people use it?

Discussion Questions: Issues?
- Issues: any SIEM "flooding" issues? Not knowing what to log? Challenges with custom applications?
- Dream a bit: what would you like to have in your LM and SIEM tools?
Audience Q&A

Questions?
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com

More on Anton
- Consultant: http://www.securitywarriorconsulting.com
- Book author: "Security Warrior", "PCI Compliance", "Information Security Management Handbook", "Know Your Enemy II", "Hacker's Challenge 3", etc.
- Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
- Standards developer: CEE, CVSS, OVAL, etc.
- Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
- Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
