A Night At SANS: The Log Management Market Has Landed

If I’d said you could pull together around 200 people excited about log management to a 9.30pm panel discussion (on a Sunday night), you’d probably have thought I was mad. Well, that’s just what happened at SANS in Orlando this past Sunday.

Responding to the moderator, about two thirds admitted to being in the room because they are buying a log management intelligence solution in the next 12 months – another sure indicator of the enthusiasm for LMI that we also see in the market. What’s more, the audience clearly understood the difference between LMI and SIEM – some even claimed to be unsure of what SIEM was.

What was interesting to us was the shift in tone amongst the SIEM vendors. Whereas six months ago, many SIEM vendors refused to acknowledge the existence of a log management intelligence market, this time four of five vendors claimed to be better at log management intelligence than SIEM – and to be first and foremost a log management intelligence vendor, not a SIEM vendor. Now, we’re not too sure how they’ve managed to rearchitect their products in the past six months (this is more about positioning than product), but what we do know is that LogLogic and fellow panelist LogRhythm have always been about log data management and intelligence. Credit to ArcSight, who was brave enough to admit they are first and foremost a SIEM vendor.

Here are some observations on the panel dialog, which flagged some interesting differentiators in the log management and intelligence market:

Log Intelligence: Log collection is ultimately about intelligence and insight. ArcSight claimed “correlation with vulnerability data”. That’s a good starting point. But what about behavioral analytics, machine learning and linguistic processing? LogLogic algorithms were developed by the same team that developed the Visa International anomaly detection on your buying behavior.

No Log Left Behind: There were lots of questions on log data integrity – primarily for LogLogic (probably because others don’t claim much functionality in this area). ArcSight claimed you need agents for data integrity, whereas of course LogLogic achieves more protection without agents: checksums, encryption, real-time fail over, self-logging, remote log data buffering and such to achieve log data integrity. Network Intelligence claimed to collect “all the data” but didn’t explain any specific features around protection of “all that data”. (btw - if you'd like a "No Log Left Behind" bumper sticker, drop me an email).
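The integrity controls listed above (checksums over stored records, with a copy of the latest state kept off-box) can be illustrated with a hash-chained archive, where each record's digest covers the previous digest, so an edited, removed or reordered record breaks verification from that point on. This is an added example written for this post, not LogLogic's code or any vendor's implementation; the record format, the GENESIS anchor value and the syslog-style sample lines are constructed for the illustration.

```python
"""Tamper-evident log archive using a SHA-256 hash chain (added example).

Each stored entry carries sha256(previous_hash || record). Verification
recomputes the chain from a fixed anchor; a trusted copy of the final
hash (as a remote collector might hold) additionally exposes truncation
of the tail, which internal links alone cannot reveal.
"""
import copy
import hashlib

# Chain anchor for the first record; a constructed constant for this example.
GENESIS = "0" * 64


def _digest(prev_hash: str, record: str) -> str:
    """Hash the previous link together with the raw record text."""
    return hashlib.sha256((prev_hash + "\n" + record).encode("utf-8")).hexdigest()


def build_chain(records):
    """Return a list of {'record', 'hash'} entries with chained digests."""
    chain = []
    prev = GENESIS
    for rec in records:
        h = _digest(prev, rec)
        chain.append({"record": rec, "hash": h})
        prev = h
    return chain


def verify_chain(chain, trusted_head=None):
    """Recompute the chain.

    Returns (True, None) when every link matches, otherwise
    (False, index) where index is the first entry that fails. If
    trusted_head (the expected final hash, stored off-box) is given and
    the recomputed head differs, the archive has been truncated or the
    tail replaced, reported as (False, len(chain)).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = _digest(prev, entry["record"])
        if entry["hash"] != expected:
            return False, i
        prev = expected
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain)
    return True, None


# Constructed sample records; not output from any real device.
SAMPLE_RECORDS = [
    "Mar  2 21:30:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.7 DST=10.0.0.1 DPT=22",
    "Mar  2 21:30:03 fw01 sshd[4123]: Failed password for root from 10.0.0.7 port 51022",
    "Mar  2 21:30:04 fw01 sshd[4123]: Accepted publickey for admin from 10.0.0.9 port 51100",
]


def demo():
    """Build a chain, then show which manipulations verification catches."""
    chain = build_chain(SAMPLE_RECORDS)
    head = chain[-1]["hash"]  # what a remote collector would have received

    # Case 1: untouched archive.
    intact = verify_chain(chain, head)

    # Case 2: the failed-login record is edited in place.
    edited = copy.deepcopy(chain)
    edited[1]["record"] = edited[1]["record"].replace("Failed", "Accepted")
    tampered = verify_chain(edited, head)

    # Case 3: the last record is dropped. Internal links still agree,
    # so only the off-box head exposes the truncation.
    truncated_no_head = verify_chain(chain[:-1])
    truncated_with_head = verify_chain(chain[:-1], head)

    return {
        "intact": intact,
        "edited": tampered,
        "truncated_no_head": truncated_no_head,
        "truncated_with_head": truncated_with_head,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The third case is the reason the post's list pairs checksums with remote buffering: a chain verifies itself only up to the point where someone stops it, so the latest hash has to live somewhere the log source cannot rewrite.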

Reporting Speed as a Performance Metric: The audience was looking beyond collection speed. Reporting and search speed were brought up as important success criteria. Reporting speed determines how quickly you can solve incidents and problems, which drives ROI. Network Intelligence admitted that their reporting speed slows as the data set grows. Both Network Intelligence and SenSage parse at reporting run-time, not on database insertion. SANS testing has proved that with LogLogic, reporting speed is independent of the size of the data set – no matter how much information is analyzed, reporting and search speeds are mere seconds.
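The difference between parsing at report run-time and parsing on insertion can be made concrete by counting parse operations rather than measuring wall-clock time. This is an added example written for this post, not code from LogLogic or any vendor named above; the two store classes, the line format and the generated sample lines are constructed for the illustration.

```python
"""Parse-at-query vs parse-on-insert, measured in parse operations (added example).

ScanStore keeps raw lines and parses every one of them on each query, so
query work grows with the archive. IndexedStore parses each line once at
ingest and answers field queries from an index, so query work depends on
the number of hits, not on archive size.
"""
import re
from collections import defaultdict

# Constructed syslog-like line format: "Mon  d HH:MM:SS host prog[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse(line):
    """Return the line's fields as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


class ScanStore:
    """Stores raw text; parsing happens at query time."""

    def __init__(self):
        self.lines = []
        self.parse_calls = 0

    def ingest(self, line):
        self.lines.append(line)

    def query(self, field, value):
        hits = []
        for line in self.lines:
            self.parse_calls += 1
            rec = parse(line)
            if rec and rec.get(field) == value:
                hits.append(line)
        return hits


class IndexedStore:
    """Parses once at ingest; queries read a field -> value -> line-id index."""

    def __init__(self):
        self.lines = []
        self.index = defaultdict(lambda: defaultdict(list))
        self.parse_calls = 0

    def ingest(self, line):
        self.parse_calls += 1
        rec = parse(line)
        line_id = len(self.lines)
        self.lines.append(line)
        if rec:
            for field, value in rec.items():
                if field != "msg":  # free text is not indexed by exact value here
                    self.index[field][value].append(line_id)

    def query(self, field, value):
        return [self.lines[i] for i in self.index[field].get(value, [])]


def make_lines(n):
    """Generate n constructed lines spread over three hosts."""
    hosts = ["fw01", "web02", "db03"]
    return [
        f"Mar  2 21:{(i // 60) % 60:02d}:{i % 60:02d} {hosts[i % 3]} sshd[{1000 + i}]: event {i}"
        for i in range(n)
    ]


def compare(n):
    """Load n lines into both stores, run one query, report parse counts."""
    scan, idx = ScanStore(), IndexedStore()
    for line in make_lines(n):
        scan.ingest(line)
        idx.ingest(line)
    scan_hits = scan.query("host", "web02")
    idx_hits = idx.query("host", "web02")
    assert scan_hits == idx_hits  # both designs return the same answer
    return {
        "archive_size": n,
        "hits": len(scan_hits),
        "scan_parses_per_query": scan.parse_calls,
        "index_parses_per_query": 0,
        "index_parses_at_ingest": idx.parse_calls,
    }


if __name__ == "__main__":
    for n in (300, 3000):
        print(compare(n))
```

Running it for 300 and then 3,000 lines shows the scan store doing ten times the parsing per query while the indexed store does none; the parsing cost has not disappeared, it has moved to ingest, where it is paid once instead of on every report.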

Efficient Log Data Archival: The audience had great interest in the compression of raw log data archives. ArcSight claims “Oracle compression” (which we know is really data expansion) and SenSage claims proprietary algorithms that achieve about 10:1 compression. LogLogic on the other hand utilizes industry-standard algorithms that achieve 12:1 compression on raw logs and 20:1 on summarized metalogs.

Unknown Log Types: Both ArcSight and SenSage have “agent builders” that customers can use to develop support for unknown log types. Only LogLogic can deliver out of the box support for unknown log types based on linguistic processing and machine learning algorithms. You can point unknown log types at the LogLogic appliance and be able to alert on, report on, search and archive this information. ArcSight and SenSage just shift the development work from their developers onto the shoulders of the customers with their “agent builders”. With LogLogic there is no work at all.

Overall this was a great panel, and it clearly demonstrated a variety of approaches to log management and intelligence: one rooted in the SIEM solutions of old, and a fresh approach rooted in enterprise-class log management and intelligence solutions.

A year ago all the chatter was SIEM. Now it’s log management and intelligence.

~ Dominique

Posted March 02, 2006 in Log Management & Intelligence | Permalink
