LogBlog

« February 2006 | Main | April 2006 »

What LogLogic Really Does

Redmonk's post last week on the Log Management & Intelligence (LMI) market has been drawing quite a bit of attention. Some of it on the mark, some of it not.

SecurityIncite is the latest to weigh in, agreeing that this is a separate market. Where this post misses the mark is in understanding what LogLogic does. We do collect log data: more logs, from more sources, at faster rates than anyone in the industry. We don't stop there.

Using machine learning and behavioral anomaly detection, we then provide real-time alerting and reporting. This moves LMI from reactive to proactive mode. By detecting subtle shifts in IT behavior and trends, we enable customers to prevent harmful activity and mitigate risk before it becomes business-impacting. So, we are analyzing it in real time.

We also provide correlation. This is often a misunderstood offering from LMI vendors. LogLogic provides root-cause correlation of log data from any device type and vendor by IP address, user name, system name, geography, time and such. Correlation is available for alerts, search, ad-hoc and scheduled reports.

Unlike with most other solutions, correlation for alerts and search can be achieved for pre-defined strings and for any keyword, Boolean combination of keywords or complex regular expressions.

LogLogic is unique in then providing a platform for unchanged and tamper-proof storage of log data. Up to 24 terabytes on a single appliance. We also provide the engine that determines who gets access to what.

Then, through easy-to-use templates, you can assemble more than 13,000 different reports - have them generated and distributed automatically - or make use of our Compliance Suite, which provides more than 175 reports and alerts on COBIT 4.0 processes.

Not all vendors go beyond providing a "rear view mirror" into LMI. LogLogic does - and provides much more.


Posted March 27, 2006 in LogMatters


LogLogic LX/ST Score High Points with InfoWorld

InfoWorld's Paul Venezia just posted a very positive review of the LogLogic 3 LX/ST appliances, scoring it with a Very Good rating. Key points Paul highlighted include our log source autodetection capability, reporting capability, and LogLogic's power and relative lack of complexity. He at one point tried to "blast" the LX 2000 with up to a 150% burst rate of syslog messages, but was surprised he wasn't able to knock 'em down! And, with the ST 3000, he threw in the towel when he realized he couldn't even generate enough traffic to approach the ST's 50,000 mps rate!

Paul summed up his review by stating the power of the overall architecture is obvious. "LogLogic's Series 3 appliances are ready to make a molehill out of your mountain of logs." Given the high ranking, LogLogic will most likely be considered for InfoWorld's annual best products award in December.

We'll cross our fingers!

Posted March 24, 2006 in Log Management & Intelligence


Redmonk Recognizes LMI Market

"Log management and analysis is not a subset of security incident management (SIM). In fact SIM is a subset of log management."

That's the word from Redmonk. In the latest of several pieces from Redmonk on log management and intelligence, James Governor provides lucid perspectives on the log management and intelligence market. Its evolution has been an interesting one - from a market based on homegrown solutions, to one of start-ups providing niche solutions, to now, enterprise-class players.

Somewhere along the way LMI got all tangled up in security event management. There is no question that logs are useful in undertaking security event management, but that doesn't mean the markets are the same. What makes them different? Simple. Use cases.

SIEM solves a very distinct problem - correlating a narrow range of security events well - principally to reduce false positives from IDS/IPS systems (OK - I know this is a pretty narrow definition). Log data in the broadest context is used across a much broader range of use cases. What a SIEM dashboard might be to the CSO, an LMI dashboard based on COBIT might be to the CIO or Compliance Officer. LMI is as much about application logs - both homegrown and commercial - as it is about security events.

Redmonk is right to view LMI through the lens of a compliance-oriented architecture. Compliance is a major market driver right now. Underpinning that is a desire to automate business and IT processes. For instance, to achieve SOX compliance you might deploy COBIT. Log data can be used to report, alert, evidence and enforce around 50% of COBIT controls. That's a pretty significant degree of process automation. The same goes for PCI.

As an aside, it's also amusing to watch the SIEM vendors suddenly embracing log management messaging. ArcSight today hosted a webcast titled "Logs to Logic: Turning Log Piles into Log Intelligence". To which we say, imitation is the best form of flattery. Thanks guys!

Welcome to the LMI market.

Posted March 24, 2006 in Log Management & Intelligence


Log Guru Joins LogLogic…

We continue to grow our world-class team, today announcing that Anton Chuvakin joins us as director, product management from netForensics where he was chief security strategist.

He is the author of a book “Security Warrior” and a contributor to “Know Your Enemy II”, “Information Security Management Handbook”, “Critical Threads 2006” and the upcoming “Hacker’s Challenge 3”. Anton maintains the Info-secure security portal and blogs at O’Reilly and on his own blog.

Anton is also a frequent speaker and writer on log management intelligence related topics including “Log Mining for Security”, “Log Analysis for Incident Response”, “Log Mining and Advanced Analysis”, “Security Metrics”, “What Every Organization Should Monitor and Log”.

Expect to see more of Anton here and www.chuvakin.org.

Posted March 21, 2006 in LogLogic News


A Night At SANS: The Log Management Market Has Landed

If I’d said you could pull together around 200 people excited about log management to a 9.30pm panel discussion (on a Sunday night), you’d probably have thought I was mad. Well, that’s just what happened at SANS in Orlando this past Sunday.

Responding to the moderator, about two thirds admitted to being in the room because they are buying a log management intelligence solution in the next 12 months – another sure indicator of the enthusiasm for LMI that we also see in the market. What’s more, the audience clearly understood the difference between LMI and SIEM – some even claimed to be unsure of what SIEM was.

What was interesting to us was the shift in tone amongst the SIEM vendors. Whereas six months ago many SIEM vendors refused to acknowledge the existence of a log management intelligence market, this time four of five vendors claimed to be better at log management intelligence than SIEM – and to be first and foremost a log management intelligence vendor, not a SIEM vendor. Now, we’re not too sure how they’ve managed to re-architect their products in the past six months (this is more about positioning than product), but what we do know is that LogLogic and fellow panelist LogRhythm have always been about log data management and intelligence. Credit to ArcSight, who was brave enough to admit they are first and foremost a SIEM vendor.

Here are some observations on the panel dialog which flagged some interesting differentiators in the log management and intelligence market:

Log Intelligence: Log collection is ultimately about intelligence and insight. ArcSight claimed “correlation with vulnerability data”. That’s a good starting point. But what about behavioral analytics, machine learning and linguistic processing? LogLogic algorithms were developed by the same team that developed the Visa International anomaly detection on your buying behavior.

No Log Left Behind: There were lots of questions on log data integrity – primarily for LogLogic (probably because others don’t claim much functionality in this area). ArcSight claimed you need agents for data integrity, whereas of course LogLogic achieves more protection without agents: checksums, encryption, real-time failover, self-logging, remote log data buffering and such to achieve log data integrity. Network Intelligence claimed to collect “all the data” but didn’t explain any specific features around protection of “all that data”. (By the way, if you'd like a "No Log Left Behind" bumper sticker, drop me an email.)
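As an added illustration of what checksum-based log integrity can detect, here is example code written for this post (not LogLogic's implementation, whose internals the post does not describe): each record's checksum covers the previous record's checksum, so editing or deleting any record breaks every later checksum, and storing the final checksum separately also catches truncation of the tail. The log lines are constructed samples.

```python
import hashlib

# Constructed sample log records from two different source types.
SAMPLE_LOGS = [
    "Mar 27 10:00:01 fw1 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5",
    "Mar 27 10:00:02 host2 sshd[1234]: Failed password for root from 192.0.2.10",
    "Mar 27 10:00:03 host2 sshd[1234]: Accepted password for alice from 203.0.113.7",
]

SEED = "genesis"  # hypothetical fixed seed for the first link of the chain


def _link(prev_checksum, line):
    """Checksum of one record, bound to the checksum of the record before it."""
    return hashlib.sha256((prev_checksum + "\n" + line).encode()).hexdigest()


def build_chain(lines, seed=SEED):
    """Return a list of (line, checksum) pairs forming a hash chain."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in lines:
        prev = _link(prev, line)
        chain.append((line, prev))
    return chain


def verify_chain(chain, seed=SEED, expected_head=None):
    """Return -1 if the chain is intact, else the index of the first bad record.

    If expected_head (the last checksum, kept in separate storage) is given,
    a chain that checks out but ends early is reported at index len(chain),
    which is how tail truncation is detected.
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, checksum) in enumerate(chain):
        if _link(prev, line) != checksum:
            return i
        prev = checksum
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1
```

A verifier that re-reads the archive periodically and compares against the stored head checksum turns a silent modification into an alert.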

Reporting Speed as a Performance Metric: The audience was looking beyond collection speed. Reporting and search speed were brought up as important success criteria. Reporting speed determines how quickly you can solve incidents and problems, which drives ROI. Network Intelligence admitted that their reporting speed slows as the data set grows. Both Network Intelligence and SenSage parse at reporting run-time, not on database insertion. SANS testing has proved that with LogLogic, reporting speed is independent of the size of the data set – no matter how much information is analyzed, reporting and search speeds are mere seconds.

Efficient Log Data Archival: The audience had great interest in the compression of raw log data archives. ArcSight claims “Oracle compression” (which we know is really data expansion) and SenSage claims proprietary algorithms that achieve about 10:1 compression. LogLogic on the other hand utilizes industry-standard algorithms that achieve 12:1 compression on raw logs and 20:1 on summarized metalogs.

Unknown Log Types: Both ArcSight and SenSage have “agent builders” that customers can use to develop support for unknown log types. Only LogLogic can deliver out-of-the-box support for unknown log types based on linguistic processing and machine learning algorithms. You can point unknown log types at the LogLogic appliance and be able to alert on, report on, search and archive this information. ArcSight and SenSage just shift the development work from their developers onto the shoulders of the customers with their “agent builders”. With LogLogic there is no work at all.

Overall this was a great panel and it clearly demonstrated a variety of approaches to log management and intelligence. One approach rooted in the SIEM solutions of old. And, a fresh approach rooted in enterprise-class log management and intelligence solutions.

A year ago all the chatter was SIEM. Now it's log management and intelligence.

~ Dominique

Posted March 02, 2006 in Log Management & Intelligence
