SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the End Nigh?

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the End Nigh? by Anton Chuvakin 2023

Technology

The Future of Log Centralization fo
SIEMs and DFIR
Is the End Nigh?
Dr. Anton Chuvakin
https://medium.com/anton-on-security
https://cloud.withgoogle.com/cloudsecurity/podcast
Office of the CISO, Google Cloud
August 2023

Outline
● Logs … still centralized?
○ What worked well?
○ What was always a challenge?
● What changed?
○ So, should we still centralize?
● What does the possible future look like?

Time Machine to 2003!
● Log centralization
● Syslog dominates
● Syslog UDP is still cool (in a late
1980s kinda way)
● SIEM does not exist, yet SIM and
SEM do
● Log management is a generic term,
not a market name…

The, ahem, Recent Past
● Log centralization …
can be distributed.
● Distributed?
Centralization? Huh?

Scenario 1 Multi-cloud at Scale
● Big presence in Google Cloud
● Also, big presence in another
cloud
● AND finally, still sizable
present on premise
● Where do the logs go?

Scenario 2 Useful Logs, “Useless” Logs
● Megabytes of alerts
● Gigabytes of priority logs
● AND petabytes of information logs
● Now, add observability traces
● Do we centralize … at per GB
price?

Scenario 3 Very SaaSy (But not SASE!)
● Lots of SaaS use - CRM, HR,
marketing, etc
● CASB in use
● No data centers
● Do we centralize log at …
eh…well…eh… WHERE?

“Will the future be more secure? It'll be just as
insecure as it possibly can, while still
continuing to function. Just like it is today.”
-- Marcus Ranum (in ~early 2000)

So You Want to Decentralize?
● How to assure retention?
○ … and impress our “friends”, the auditors!?
○ … and assure evidence availability for IR
● How to normalize?
● How to correlate?
● How to ML?

Decisions, Decisions, etc
“Damn the torpedoes, we are centralizing
anyway”
● Compliance mandates (PCI DSS, etc)
● Need guaranteed data retention
● Have a scope of data to normalize
“Hold your horses, we need to think about it”
● Still need to centralize …
● … but not everything
● Centralized/distributed for low stakes data
“Decentralized all the way!”
● Heavy cloud, and especially SaaS use
● No center to centralize into
● Focus on best-effort search
● “Magical” normalization (OCSF)

Why Bite the Bullet and CENTRALIZE ANYWAY!?!
● Specific mandate that says “centralize logs”
○ Centralize does not mean ONE place.
● Contractual pressure to have logs available in 100%
cases
○ “If you need it done, you do it yourself!”
● Cost effective (=cloud-native) tool is available to store
logs … and not pay “per GB”...
● Don’t pay for 4 copies of the same data…

Example from Query.AI
Multi-vendor, “open” federated
search across many vendor
technologies

Recommendations
● Stick to centralized approach to logs/data that you alert on or
analyze directly
○ Use cloud-native, SaaS SIEM platform for this
● Be ready for the world where you cannot centralize all logs in one
place
○ Start reviewing the tools that support distributed queries over
decentralized stores
○ Beware of their inherent limitations, however
● Long term, assume centralized/decentralized model for log
analysis

Resources
● “Log Centralization: The End Is Nigh?”
● “Anton Chuvakin Discusses “20 Years of SIEM – What’s Next?”” SANS
webinar
● “20 Years of SIEM: Celebrating My Dubious Anniversary” blog
● “On “Output-driven” SIEM” blog (2012)
● “Anton and The Great XDR Debate, Part 1”
● … and of course https://medium.com/anton-on-security
● and https://cloud.withgoogle.com/cloudsecurity/podcast/

In this on demand webinar, join Storage Switzerland and Cloudian as we describe three ways cloud storage and on-premises storage can complement each other. Learn how the new world of multi-cloud storage coupled with scalable on-premises storage can: * Achieve limitless scalability and seamless capacity expansion * Enable unified data management across clouds and on-prem * Consolidate object and file data to a single storage environment * Reduce costs and eliminate complexity

Advanced Administration, Monitoring and Backup

MongoDB

Sailthru has been using MongoDB for 4 years, pushing the system to scale. Maintaining a high degree of client-side customizability while growing aggressively has posed unique challenges to our infrastructure. We have maintained high uptime and performance by using monitoring that covers expected use patterns as well as monitoring that catches edge cases for new and unexpected access to the database. In this session, we will talk about Sailthru's use of MongoDB Management Service (MMS), as well as areas in which we have implemented custom monitoring and alerting tools. I will also discuss our transition from a hybrid backup solution using on-premise hardware and AWS snapshots, to using backups with MMS, and how this has benefited Sailthru.

AWS Big Data Demystified #1.2 | Big Data architecture lessons learned

Omid Vahdaty

A while ago I entered the challenging world of Big Data. As an engineer, at first, I was not so impressed with this field. As time went by, I realised more and more, The technological challenges in this area are too great to master by one person. Just look at the picture in this articles, it only covers a small fraction of the technologies in the Big Data industry… Consequently, I created a meetup detailing all the challenges of Big Data, especially in the world of cloud. I am using AWS & GCP and Data Center infrastructure to answer the basic questions of anyone starting their way in the big data world. how to transform data (TXT, CSV, TSV, JSON) into Parquet, ORC,AVRO which technology should we use to model the data ? EMR? Athena? Redshift? Spectrum? Glue? Spark? SparkSQL? GCS? Big Query? Data flow? Data Lab? tensor flow? how to handle streaming? how to manage costs? Performance tips? Security tip? Cloud best practices tips? In this meetup we shall present lecturers working on several cloud vendors, various big data platforms such hadoop, Data warehourses , startups working on big data products. basically - if it is related to big data - this is THE meetup. Some of our online materials (mixed content from several cloud vendor): Website: https://big-data-demystified.ninja (under construction) Meetups: https://www.meetup.com/Big-Data-Demystified https://www.meetup.com/AWS-Big-Data-Demystified/ You tube channels: https://www.youtube.com/channel/UCMSdNB0fGmX5dXI7S7Y_LFA?view_as=subscriber https://www.youtube.com/channel/UCzeGqhZIWU-hIDczWa8GtgQ?view_as=subscriber Audience: Data Engineers Data Science DevOps Engineers Big Data Architects Solution Architects CTO VP R&D

Don’t give up, You can... Cache!

Stefano Fago

SecOps Armageddon: A look into the future of security & operations

Phillip Maddux

A few questions about large scale machine learning

Theodoros Vasiloudis

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

DynamicInfraDays

I Know What You Did Last Summer

Martin Packer

Abstract: So, it’s got a “tongue-in-cheek” title but what’s it all about? I think one of the least well appreciated aspects of z/OS and its middleware is the richness of instrumentation it gives you: Here I describe it and just some of the ways you can get value from SMF. While I'm aware MY concerns might not match YOUR concerns EXACTLY there's much common ground. I'd like to make you smarter - or appear to be. :-)

SOCstock 2021 The Cloud-native SOC

Simply Business' Data Platform

Dani Solà Lagares

Infrastructure - a journey from datacentres to cloud

Equal Experts

Python in Industry

Dharmit Shah

5 facets of cloud computing - Presentation to AGBC

Raymond Gao

eDreams: mayor supervisión de la seguridad con Elastic Stack

Elasticsearch

Distributed systems and consistency

seldo

Machine Learning Intro for Anyone and Everyone

bigdata trunk

A fun and math free introduction to Machine Learning. It provides a step to step approach for everyone to get started with Machine Learning using Microsoft Azure ML This was presented at https://www.siliconvalley-codecamp.com/Session/2017/machine-learning-intro-for-anyone-and-everyone You can subscribe to our channel and see other videos at https://www.youtube.com/channel/UCp7pR7BJNnRueEuLSau0TzA

LogDNA and CloudFoundry Webinar: Open Ecosystems, Interoperability + Multi-Cl...

LogDNA

Google IO - When Bigquery meeet Node.js

Simon Su

Future of SOC: More Security, Less Operations

SOC Meets Cloud: What Breaks, What Changes, What to Do?

SOC Meets Cloud: What Breaks, What Changes, What to Do? originally presented at Mandiant mWise 2023 by Dr Anton Chuvakin of Google Cloud Office of the CISO Cloud changes everything (does it though?), including how we do threat detection and incident response in the SOC. As we continue to transform our attack surfaces, how do we make sure our detection and response are done "the cloud way"? There were also cases where both business and IT migrated to the cloud, but security was left behind and had to approach cloud challenges with on-premise tools and practices. How should a SOC born before cloud deal with cloud? What to watch for? What changes? What breaks? What stays the same?

Similar to SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the End Nigh?

A DevOps Checklist for Startups

Rick Manelius

Privacy preserving machine learning

Michał Kuźba

Webinar: Cloud Storage vs. On-Premises Storage

Storage Switzerland

Advanced Administration, Monitoring and Backup

MongoDB

AWS Big Data Demystified #1.2 | Big Data architecture lessons learned

Omid Vahdaty

Don’t give up, You can... Cache!

Stefano Fago

SecOps Armageddon: A look into the future of security & operations

Phillip Maddux

A few questions about large scale machine learning

Theodoros Vasiloudis

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

DynamicInfraDays

I Know What You Did Last Summer

Martin Packer

SOCstock 2021 The Cloud-native SOC

Simply Business' Data Platform

Dani Solà Lagares

Infrastructure - a journey from datacentres to cloud

Equal Experts

Python in Industry

Dharmit Shah

5 facets of cloud computing - Presentation to AGBC

Raymond Gao

eDreams: mayor supervisión de la seguridad con Elastic Stack

Elasticsearch

Distributed systems and consistency

seldo

Machine Learning Intro for Anyone and Everyone

bigdata trunk

LogDNA and CloudFoundry Webinar: Open Ecosystems, Interoperability + Multi-Cl...

LogDNA

Google IO - When Bigquery meeet Node.js

Simon Su

Similar to SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the End Nigh? (20)

A DevOps Checklist for Startups

Privacy preserving machine learning

Webinar: Cloud Storage vs. On-Premises Storage

Advanced Administration, Monitoring and Backup

AWS Big Data Demystified #1.2 | Big Data architecture lessons learned

Don’t give up, You can... Cache!

SecOps Armageddon: A look into the future of security & operations

A few questions about large scale machine learning

ContainerDays NYC 2016: "The Secure Introduction Problem: Getting Secrets Int...

I Know What You Did Last Summer

SOCstock 2021 The Cloud-native SOC

Simply Business' Data Platform

Infrastructure - a journey from datacentres to cloud

Python in Industry

5 facets of cloud computing - Presentation to AGBC

eDreams: mayor supervisión de la seguridad con Elastic Stack

Distributed systems and consistency

Machine Learning Intro for Anyone and Everyone

LogDNA and CloudFoundry Webinar: Open Ecosystems, Interoperability + Multi-Cl...

Google IO - When Bigquery meeet Node.js

More from Anton Chuvakin

Future of SOC: More Security, Less Operations

SOC Meets Cloud: What Breaks, What Changes, What to Do?

Meet the Ghost of SecOps Future by Anton Chuvakin

Meet the Ghost of SecOps Future by Anton Chuvakin Meet the Ghost of SecOps Future Today’s SOC has an increasingly difficult job protecting growing and expanding organizations. The landscape is changing and the SOC needs to change with the times or risk falling behind the evolution of business, IT, and threats. But you have choices! Your future fate is not set in stone and can be changed: some optimize what they have without drastic upheaval, while others choose to truly transform their detection and response. Join us as we show you a vision of what the SOC will look like in the near future and how to choose the best course of action today. Originally aired at https://cloudonair.withgoogle.com/events/2023-dec-security-talks Video https://youtu.be/KbQbuFAPY2c?si=0llv1v_CkVtvsyms

SOC Lessons from DevOps and SRE by Anton Chuvakin

Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth

20 Years of SIEM - SANS Webinar 2022

10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin

Can We REALLY 10X the SOC? by Dr Anton Chuvakin Many organizations promise to transform your security operations center (SOC) with technology, advice or their personnel. However, what does it take to really transform your SOC to be ready for future threats? Is this an impossible problem? Is this something that can be only done by well funded organizations? Let's explore these and other questions in this talk. https://www.sans.org/cyber-security-training-events/blue-team-summit-2021/#agenda

SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends

Modern SOC Trends 2020

Anton's 2020 SIEM Best and Worst Practices - in Brief

Generic siem how_2017

Tips on SIEM Ops 2015

Five SIEM Futures (2012)

RSA 2016 Security Analytics Presentation

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

End-User Case Study: Five Best and Five Worst Practices for SIEM Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin

SIEM Primer:

Log management and compliance: What's the real story? by Dr. Anton Chuvakin

Title: Log management and compliance: What's the real story? by Dr. Anton Chuvakin One of the problems in making an Enterprise Content Management (ECM) strategy work with compliance initiatives is that compliance needs accountability at a very granular level. Consequently, IT shops are turning to log management as a solution, with many of those solutions being deployed for the purposes of regulatory compliance. The language however, regarding log management solutions can sometimes be vague which can lead to confusion. This session will lend some clarity to the regulations that affect log management. Topics will include: Best practices for how to best mesh compliance ECM and compliance strategies with log management Tips and suggestions for monitoring and auditing access to regulated content, with a focus on Microsoft Sharepoint logging. An examination of a handful of the regulations affecting how organizations view log management and information security including The Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, The North American Electric Reliability Council (NERC), HIPAA and the HITECH Act.

On Content-Aware SIEM by Dr. Anton Chuvakin

More from Anton Chuvakin (20)

Future of SOC: More Security, Less Operations

SOC Meets Cloud: What Breaks, What Changes, What to Do?

Meet the Ghost of SecOps Future by Anton Chuvakin

SOC Lessons from DevOps and SRE by Anton Chuvakin

Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth

20 Years of SIEM - SANS Webinar 2022

10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin

SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends

Modern SOC Trends 2020

Anton's 2020 SIEM Best and Worst Practices - in Brief

Generic siem how_2017

Tips on SIEM Ops 2015

Five SIEM Futures (2012)

RSA 2016 Security Analytics Presentation

Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin

Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin

SIEM Primer:

Log management and compliance: What's the real story? by Dr. Anton Chuvakin

On Content-Aware SIEM by Dr. Anton Chuvakin

Recently uploaded

FIDO Alliance Osaka Seminar: Overview.pdf

Epistemic Interaction - tuning interfaces to provide information for AI support

Alan Dix

Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024 https://alandix.com/academic/papers/synergy2024-epistemic/ As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.

Bits & Pixels using AI for Good.........

Alison B. Lowndes

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...

Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...

Ramesh Iyer

In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.

FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf

Connector Corner: Automate dynamic content and events by pushing a button

DianaGray10

Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to: Create a campaign using Mailchimp with merge tags/fields Send an interactive Slack channel message (using buttons) Have the message received by managers and peers along with a test email for review But there’s more: In a second workflow supporting the same use case, you’ll see: Your campaign sent to target colleagues for approval If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team But—if the “Reject” button is pushed, colleagues will be alerted via Slack message Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors. And... Speakers: Akshay Agnihotri, Product Manager Charlie Greenberg, Host

UiPath Test Automation using UiPath Test Suite series, part 3

DianaGray10

Neuro-symbolic is not enough, we need neuro-*semantic*

Frank van Harmelen

Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”. All of this illustrated with link prediction over knowledge graphs, but the argument is general.

Elevating Tactical DDD Patterns Through Object Calisthenics

Dorra BARTAGUIZ

After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!

Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...

Jeffrey Haguewood

Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows. We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases. This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams. Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.

JMeter webinar - integration with InfluxDB and Grafana

RTTS

Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application. In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics. Length: 30 minutes Session Overview ------------------------------------------- During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana: - What out-of-the-box solutions are available for real-time monitoring JMeter tests? - What are the benefits of integrating InfluxDB and Grafana into the load testing stack? - Which features are provided by Grafana? - Demonstration of InfluxDB and Grafana using a practice web application To view the webinar recording, go to: https://www.rttsweb.com/jmeter-integration-webinar

How world-class product teams are winning in the AI era by CEO and Founder, P...

From Siloed Products to Connected Ecosystem: Building a Sustainable and Scala...

FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...

Transcript: Selling digital books in 2024: Insights from industry leaders - T...

BookNet Canada

The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more. Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/ Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.

FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf