SANS Log Management 2

SANS Sixth Annual Log Management Survey
Part II Deriving More Value From Data

  1. SANS Sixth Annual Log Management Survey
     Part II: Deriving More Value From More Data
     Jerry Shenk, Sr. SANS Analyst
     © www.sans.org
  2. 6th Annual Log Management Survey
     Goals of Survey
     - Track progress of log management industry
     - Identify problems users are having
     More Log Data
     - Log server increases
     - Log source increases
     More Uses
     - More people finding logs useful
  3. Log Server Increases
  4. Log Source Increases
     - Firewalls, routers, switches, IDS/IPS, etc.
     - Servers
     - Applications
     - Databases
     - Identity Sources
     - Desktops
     - Physical devices (HVAC, badge access, plant control)
  5. Reasons For Collecting
  6. Log Data Usefulness
  7. Challenges
  8. Reasons for Collecting
  9. What Vendors Need to Do
     Consistency in Log Data Output
     - Changes between versions
     - Consistency in product line
     Meaningful, Parsable Messages
     - Function and a variable list
     - Consistent layout
     Options for Enough Data
     - Debug level logging is a nice option
  10. What Log Management Vendors Need to Do
      - Reporting and Analysis
      - Searching
      - Allow Easy Support of Custom Devices
      - Windows Logs
  11. What Users Need to Do
      - Review Logs Daily
      - Start BEFORE There is a Problem
      Getting started
      - Use data reduction techniques
      - Exclude data in searches
      - Know your data
      - Know your logs
      Watch For Survey Next Year
      - We read the comments
  12. Summary
      - More Companies Collecting Logs
      - More Devices
      - More Useful
      - Top Challenge: Reporting and Analysis
  13. An Introduction to LogLogic
      Andy Morris, Director of Product Marketing
  15. Supporting Over 1000 Customers
  16. 2010 Annual Log Management Survey
      Debbie Umbach
      Solutions Marketing, Governance, Risk and Compliance
      RSA, The Security Division of EMC
  17. RSA enVision 3-in-1 SIEM Platform
      - Simplifying Compliance: compliance reports for regulations and internal policy
      - Enhancing Security: real-time security alerting and analysis
      - Optimizing IT & Network Operations: IT monitoring across the infrastructure
      Functions: Alert / correlation, Reporting, Auditing, Forensics, Network baseline, Visibility
      Purpose-built database
      RSA enVision Log Management platform
      Sources: security devices, network devices, applications / databases, physical and virtual servers, storage
  18. Vision: From Event Collection to Business Reporting
      - Business Executive (Archer): business-level dashboards; compliance process management
      - Compliance or Security Analyst (RSA enVision): operational statistics & detailed reports
      - System Administrator: individual log entries or alerts, for example:
        2007 May 16 17:14:21 CDT -04:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch detected on port 5/24
        TJ-DC-PSA-FW-204-01: NetScreen device_id=TJ-DC-PSA-FW-204-01 [Root]system-information-00536: IKE<221.239.59.66> Phase 2 msg ID <8d16a105>: Responded to the peer's first message. (Feb 20 00:02:15)<000>
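Slide 9 asks vendors for parsable messages with a stable identifier and a consistent layout, slide 11 asks users to apply data reduction and exclude noise from searches, and the two entries above show what real vendor output looks like. The Python below is an added example, not part of the SANS survey or the RSA material: it normalizes those two formats (a Cisco IOS-style %FACILITY-SEVERITY-MNEMONIC line and a ScreenOS-style device_id=/[Root]category-id line) into one event record, then applies a severity threshold and an exclusion list. The sample input is the two slide entries plus one constructed IOS line; the mapping of ScreenOS category names onto syslog severities is an assumption of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input. The first two lines are the entries shown on the slide; the third is
# a constructed Cisco IOS line added so the reduction step has something to drop.
SAMPLE_LOGS = [
    "2007 May 16 17:14:21 CDT -04:00 %CDP-4-NVLANMISMATCH:Native vlan mismatch "
    "detected on port 5/24",
    "TJ-DC-PSA-FW-204-01: NetScreen device_id=TJ-DC-PSA-FW-204-01 "
    "[Root]system-information-00536: IKE<221.239.59.66> Phase 2 msg ID <8d16a105>: "
    "Responded to the peer's first message. (Feb 20 00:02:15)<000>",
    "2007 May 16 17:14:25 CDT -04:00 %SYS-5-CONFIG_I: Configured from console by "
    "admin on vty0",
]

# Cisco IOS style: %FACILITY-SEVERITY-MNEMONIC: text. The severity digit is the
# syslog scale (0 emergency .. 7 debug), so it compares directly across vendors.
CISCO_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)"
)
# ScreenOS style: device_id=<name> [Root]<category>-<msgid>: text
NETSCREEN_RE = re.compile(
    r"device_id=(?P<device>\S+)\s+\[Root\](?P<category>[a-z-]+)-(?P<msgid>\d+):\s*(?P<text>.*)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# ScreenOS carries the severity in the category name instead of a digit. This
# mapping onto the syslog scale is an assumption of this example, not slide content.
NETSCREEN_SEVERITY = {
    "system-emergency": 0, "system-alert": 1, "system-critical": 2, "system-error": 3,
    "system-warning": 4, "system-notification": 5, "system-information": 6,
    "system-debugging": 7,
}


@dataclass
class Event:
    vendor: str
    device: Optional[str]
    severity: int                 # syslog scale, lower is more severe
    msg_type: str                 # stable identifier to alert, report and filter on
    text: str
    ips: List[str] = field(default_factory=list)
    raw: str = ""


def parse_event(line: str) -> Optional[Event]:
    """Normalize one raw line into an Event, or return None if no parser matches."""
    m = CISCO_RE.search(line)
    if m:
        msg_type = f"{m['facility']}-{m['severity']}-{m['mnemonic']}"
        return Event("cisco", None, int(m["severity"]), msg_type,
                     m["text"].strip(), IPV4_RE.findall(m["text"]), line)
    m = NETSCREEN_RE.search(line)
    if m:
        severity = NETSCREEN_SEVERITY.get(m["category"], 5)  # unknown category: notice
        msg_type = f"{m['category']}-{m['msgid']}"
        return Event("netscreen", m["device"], severity, msg_type,
                     m["text"].strip(), IPV4_RE.findall(m["text"]), line)
    return None


def parse_all(lines):
    """Parse every line; unparsed lines are returned separately, never silently dropped."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def reduce_events(events, max_severity=5, exclude_types=()):
    """Data reduction: keep events at least as severe as max_severity (syslog scale,
    so 5 keeps emergency..notice) whose msg_type is not on the exclusion list."""
    return [e for e in events
            if e.severity <= max_severity and e.msg_type not in exclude_types]


if __name__ == "__main__":
    events, unparsed = parse_all(SAMPLE_LOGS)
    for e in reduce_events(events, max_severity=5, exclude_types=("SYS-5-CONFIG_I",)):
        print(f"{e.vendor:9} sev={e.severity} {e.msg_type:26} ips={e.ips} {e.text}")
    print(f"{len(events)} parsed, {len(unparsed)} unparsed")
```

Keeping the unparsed lines visible matters as much as the parsing: a line that matches no pattern is exactly the vendor inconsistency slide 9 complains about, and dropping it silently would hide a detection gap rather than reduce data.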
  19. Help Us Help You
      Challenge Us!
      - Submit SIEM/Log Management use cases: Send e-mail to: (address not recoverable from the slide text)
      - Current RSA enVision customers, post in the portal: http://rsaenvision.lithium.com/t5/Best-Practice/bd-p/BestPractice
      We will tell you if and how RSA can solve your use case
  20. Am I secure right now? Situational Awareness
      Which of my assets are at risk? Threat/Risk Assessment
      How do I respond effectively? Mitigation & Remediation
      Am I compliant? Measurement & Reporting
  21. - Solve logging and threat mitigation challenges in real-time
      - Reduce security threat complexity while increasing reaction time and efficiency
      - Provide complete security visibility from the smallest organizations to the largest enterprises
      - Scale - Effectively fit within any organization's infrastructure size and budget constraints
  22. Tracy Hulver, VP of Products and Marketing
      thulver@netforensics.com
      www.netforensics.com
      Phone: (digits not recoverable from the slide text)