« December 2007 | Main | February 2008 »
Here is an insightful interview with me done by Stephen Northcutt at SANS. I share a bunch of thoughts on logging and log management. For example, what is my #1 logging pet peeve, what's the #1 logging mistake, will we ever see log standards, why are we looking at an increase in the number of log types we need to look at, etc.
It starts like this: "Dr. Anton Chuvakin from LogLogic has agreed to be interviewed by the Security Laboratory and we certainly thank him for his time! He is probably the number one authority on system logging in the world, and his employer is probably the leading vendor for logging, so we appreciate this opportunity to share in his insights."
Posted January 31, 2008 in Innovation, Log Management & Intelligence | Permalink | TrackBack (0)
While the world of logging is full of inconsistencies and troubles (e.g. ugly logs!), there is one that beats many others: the siloed approach to logs!
There is little that I hate more than a siloed approach to logs. A situation where your security team "owns" the network IDS logs, the network team has the firewall and router logs (as well as all SNMP traps) and, say, the system admins hold the logs from servers and desktops is not only sad, counterproductive, inefficient and wasteful, but also dangerous.
Where does such an approach to logs (when they are divided by both technical and political chasms!) break down most painfully? During incident response, of course. This is where, instead of one query across all logs and all log sources (or whatever subset of logs or log sources is needed), you end up having to run around, beg, connect, wait, swear, wait, download logs, dig in many places at once, wait, grep, suffer through many UIs, swear more, etc. All of the above instead of connecting to your shiny new log management system and running a few reports, drilldowns and searches across the relevant logs!
Where else does it break down? Compliance, of course! Most regulations and mandates don't call out logs by the type of log source; they apply to all logs across the organization. Thus one system to verify compliance status is much more productive than digging through many systems.
Ideally, you'd break down the silo walls by deploying a log management platform across the entire organization and then letting every team that needs logs get them from the system in a controlled fashion, via the interface or a web API (BTW, the LogLogic platform has a web API to get logs!). Apart from being a trend (e.g. see the recent ESG report on that), it will make your IT and security operations that much more efficient - and pleasant!
On the other hand, what is bizarre is that some newer vendors who claim to do log management actually work to propagate, not combat, the siloed approach. For example, selling the tool for $5000 to each of the many separate teams within the organization IMHO must be made illegal :-) as it builds walls, not bridges, digs holes and overall "silo-izes" your IT operation...
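To make the incident-response point concrete, here is an added example (not code from the post or from LogLogic) of the "one query across all logs" that a silo-free store makes possible: three sample silos (firewall, network IDS, server auth log; all lines constructed) are normalised into one schema, and a single search pulls every event touching one IP, in time order. The log year is assumed to be 2008 because syslog lines carry no year.

```python
import re
from datetime import datetime

YEAR = 2008  # syslog lines carry no year; assumed for this example
SYSLOG = "%b %d %H:%M:%S"

# Constructed sample lines: what each team's silo would hold on its own.
FIREWALL_LOGS = [
    "Jan 20 03:14:07 fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Jan 20 03:14:09 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.23 DST=10.0.0.5 PROTO=TCP DPT=22",
]
IDS_LOGS = [
    "01/20-03:14:08.112 [**] [1:1000001:1] SAMPLE SSH scan [**] {TCP} 198.51.100.23:41022 -> 10.0.0.5:22",
]
AUTH_LOGS = [
    "Jan 20 03:14:40 srv5 sshd[2213]: Failed password for root from 198.51.100.23 port 41031 ssh2",
    "Jan 20 03:15:02 srv5 sshd[2213]: Accepted password for backup from 198.51.100.23 port 41040 ssh2",
    "Jan 20 03:20:11 srv5 sshd[2290]: Accepted publickey for alice from 10.0.0.8 port 50022 ssh2",
]

def _event(ts, fmt, source, host, src, dst, msg):
    # Common schema every silo is normalised into; dst may be unknown (None).
    return {"ts": datetime.strptime(f"{YEAR} {ts}", f"%Y {fmt}"), "source": source,
            "host": host, "src_ip": src, "dst_ip": dst, "msg": msg}

def parse_firewall(line):
    # Groups: timestamp, host, action, SRC, DST, DPT
    m = re.match(r"(\w{3} +\d+ [\d:]+) (\S+) kernel: (\w+) .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)", line)
    return m and _event(m[1], SYSLOG, "firewall", m[2], m[4], m[5], f"{m[3]} tcp/{m[6]}")

def parse_ids(line):
    # Groups: timestamp, signature text, source IP, destination IP
    m = re.match(r"([\d/]+-[\d:]+)\.\d+ \[\*\*\] \[[\d:]+\] (.*?) \[\*\*\] \{\w+\} (\S+):\d+ -> (\S+):\d+", line)
    return m and _event(m[1], "%m/%d-%H:%M:%S", "ids", "ids1", m[3], m[4], m[2])

def parse_auth(line):
    # Groups: timestamp, host, result, auth method, user, client IP
    m = re.match(r"(\w{3} +\d+ [\d:]+) (\S+) sshd\[\d+\]: (Failed|Accepted) (\w+) for (\w+) from (\S+) port", line)
    return m and _event(m[1], SYSLOG, "auth", m[2], m[6], None, f"{m[3]} {m[4]} for {m[5]}")

def unify(*silos):
    """Pull every (parser, lines) silo into one time-ordered event list."""
    events = [rec for parser, lines in silos for rec in map(parser, lines) if rec]
    return sorted(events, key=lambda e: e["ts"])

def search(events, ip):
    """The one cross-source query responders want: every event touching this IP, in order."""
    return [e for e in events if ip in (e["src_ip"], e["dst_ip"])]
```

Calling `search(unify((parse_firewall, FIREWALL_LOGS), (parse_ids, IDS_LOGS), (parse_auth, AUTH_LOGS)), "198.51.100.23")` returns the firewall drop, the IDS alert, the firewall accept and the two SSH logins as one timeline, which is exactly the view that a per-team silo cannot give you.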
Posted January 25, 2008 in Log Management & Intelligence | Permalink | TrackBack (0)
Tuesday, January 29, 2008 11:00 am
Spend an hour with the Log Management & Intelligence leaders on best practices for selecting a Log Management & Intelligence solution.
On this webcast, you will learn:
(*) Should you build, buy, outsource or combine strategies?
(*) What are the 10 most important things to ask your Log Management & Intelligence vendor?
(*) What are the best practices being used by leading organizations?
Register Now: https://loglogicevents.webex.com/loglogicevents/onstage/g.php?t=a&d=921732127
Posted January 25, 2008 in | Permalink | TrackBack (0)
NERC security rules [PDF], which were updated and became mandatory last week, might well become "a new PCI DSS" and trigger "a golden age" of security in the energy industry: the rules are mandatory, they are specific (more specific than a lot of other regulatory security guidance) and there is an enforcement body (NERC) that can make life miserable for those not complying.
Here are some log-related examples from the guidance:
"R5.1.2. The Responsible Entity shall establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days."
"R6.4. The Responsible Entity shall retain all logs specified in Requirement R6 for ninety calendar days."
"R6.5. The Responsible Entity shall review logs of system events related to cyber security and maintain records documenting review of logs."
So, again: have logs, retain them ("Top 11 Reasons to Collect and Preserve Computer Logs") and review them ("Top 11 Reasons to Look at Your Logs"). Or, better, have a log management tool do it for you!
Posted January 24, 2008 in Compliance, Log Management & Intelligence, LogMatters | Permalink | TrackBack (0)
This poll is especially fun: What are your top challenges with logs and logging? Vote here.
Past polls were:
Posted January 21, 2008 in Innovation, Log Management & Intelligence | Permalink | TrackBack (0)
Thursday, Jan. 24, at 2 p.m. EST/11 a.m. PST
This event will explore best practices for maintaining, harmonizing and future-proofing your PCI log management efforts. Engage with experts on preparing successfully for a PCI assessment. Learn how log management and intelligence can help with your PCI compliance projects, including implementation steps, with goals and tasks for each step.
Featured speakers:
(*) Jason Chan, director of product management, applications, LogLogic, Inc.
(*) Tony Spurlin, managing principal, Arsenal Security Group
(*) Mike Rothman, president and principal analyst, Security Incite
(*) Matt Anthony, vice president of direct marketing, SecureWorks
Register now: http://www.iian.ibeam.com/events/haym001/24970/index.jsp?adid=LLWP
Posted January 16, 2008 in | Permalink | TrackBack (0)
How do organizations use their log data? What are their challenges in log data analysis? What are their perceptions versus their practices? Take the third annual SANS/LogLogic Log Management Survey and help us find out. https://www.surveymonkey.com/s.aspx?sm=DYVWON0E2arhQAuzSe6_2bUw_3d_3d
Posted January 16, 2008 in | Permalink | TrackBack (0)
Time to analyze my final 2007 poll on logs. In it, I asked who actually looks at logs in the organization. Here is what came up: results are here and also included below.
What can we conclude from this?
First, an obvious conclusion is in order! No matter how many times one utters the word "compliance," logs are still most useful for mundane (one would hope!) system administration. Yes, indeed, sysadmins are the primary consumers of logs - yesterday, today, and - likely! - tomorrow as well.
Second, I am saddened by the fact that application developers have not warmed up to logs, at least not en masse (and not according to this limited poll...). I am guessing that once they start thinking about logging while creating their applications, they will become more aware of the fact that you can troubleshoot applications using logs...
Third, the incident response team showing that low is some kind of fluke, I am sure. Everybody knows that logs are indispensable during incident response. Yes, even if only a little logging was enabled, or even if the logging defaults were left in place, logs often reveal answers unobtainable via any other mechanism.
Next poll coming soon!
Posted January 08, 2008 in Innovation, Log Management & Intelligence, LogEd, LogLogic News | Permalink | TrackBack (0)