Slide 1: Log Management “Worst Practices”
Anton Chuvakin, Ph.D., GCIH, GCFA
Chief Logging Evangelist, LogLogic, Inc
Mitigating Risk. Automating Compliance.
Slide 2: Outline
• Are you convinced: why log management?
• Hey, why not just ignore the logs, as usual!
• How to do log management WRONG – an idiot’s guide
  • Planning
  • Purchasing
  • Deploying
  • Running
• Conclusions
Slide 3: Log Data Overview
What logs?
• Audit logs
• Transaction logs
• Intrusion logs
• Connection logs
• System performance records
• User activity logs
• Various alerts and other messages
From where?
• Firewalls/intrusion prevention
• Routers/switches
• Intrusion detection
• Servers, desktops, mainframes
• Business applications
• Databases
• Anti-virus
• VPNs
Slide 4: Why Log Management?
• Threat protection and discovery
• Incident response
• Forensics, “e-discovery” and litigation support
• Regulatory compliance
• Internal policies and procedure compliance
• Internal and external audit support
• IT system and network troubleshooting
• IT performance management
Slide 5: Log Management Mandate and Regulations
Regulations require LMI (SOX, GLBA, FISMA, JPA, NIST 800-53):
• Capture audit records
• Regularly review audit records for unusual activity and violations
• Automatically process audit records
• Protect audit information from unauthorized deletion
• Retain audit logs
Mandates demand it (PCI, HIPAA, SLAs) – PCI: Requirement 10 and beyond:
• Logging and user activity tracking are critical
• Automate and secure audit trails for event reconstruction
• Review logs daily
• Retain audit trail history for at least one year
Controls require it (COBIT, ISO, ITIL):
• COBIT 4: provide an audit trail for root-cause analysis; use logging to detect unusual or abnormal activities; regularly review access, privileges and changes; verify backup completion
• ISO17799: maintain audit logs for system access and use, changes, faults, corrections and capacity demands; review the results of monitoring activities regularly and ensure the accuracy of logs
What is at stake: “Get fined, get sanctioned”; “Lose customers, reputation, revenue or job”; “Get fined, go to jail”
Slide 6: Also: NIST 800-92
“This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise.”
Slide 7: Log Management Process
• Collect: files, syslog, other sources
• Store: immutable logs – secure, share
• Alert: SNMP, email, etc.
• Search, Report and Analytics: search, report, make conclusions – on an “as needed” basis
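The stages on this slide as one small runnable pipeline, added here as an example; it is not code from the deck or from LogLogic. It assumes a simple syslog-like line format (“<PRI>timestamp host app[pid]: message”), uses constructed sample lines and a constructed collector clock, stands in for “immutable logs” with a SHA-256 hash chain, and flags sources whose event time disagrees with the collector clock, which is the time-synchronization point raised later under deployment worst practices.

```python
import hashlib
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Assumed line format (constructed for this example): "<PRI>ISO-8601-TIMESTAMP HOST APP[PID]: MESSAGE"
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\S+) (?P<host>\S+) "
                       r"(?P<app>[A-Za-z0-9_.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_LOGIN_RE = re.compile(r"Failed password for \S+ from (?P<src>\S+)")
GENESIS = "0" * 64  # chain head before the first record

# Constructed sample input (not from the deck); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LINES = [
    "<34>2025-07-10T12:00:01Z web01 sshd[1201]: Failed password for root from 203.0.113.5 port 2201 ssh2",
    "<34>2025-07-10T12:00:03Z web01 sshd[1201]: Failed password for root from 203.0.113.5 port 2202 ssh2",
    "<34>2025-07-10T12:00:04Z web01 sshd[1201]: Failed password for root from 203.0.113.5 port 2203 ssh2",
    "<38>2025-07-10T12:00:09Z web01 sshd[1201]: Accepted publickey for deploy from 203.0.113.7 port 2300 ssh2",
    "<30>2025-07-10T14:00:10+02:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=445",
    "<86>2025-07-10T14:30:00Z db01 sudo[987]: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart postgresql",
    "this line is not syslog at all",
]
# Constructed collector clock: the instant at which every sample line "arrives".
RECEIVED_AT = datetime(2025, 7, 10, 12, 0, 12, tzinfo=timezone.utc)


def _link_hash(prev, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + payload).encode()).hexdigest()


class ImmutableLogStore:
    """Append-only store; every entry commits to the previous entry's SHA-256 (a hash chain), so
    editing or deleting a record breaks all later links and verify() reports it. A real deployment
    would also anchor the chain head where the log server cannot rewrite it (write-once media,
    a remote signer); this illustration stops at the chain itself."""

    def __init__(self):
        self.entries, self.head = [], GENESIS

    def append(self, record):
        entry = {"prev": self.head, "hash": _link_hash(self.head, record), "record": record}
        self.entries.append(entry)
        self.head = entry["hash"]

    def verify(self):
        """(True, n) when all n links hold, else (False, index of the first broken entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _link_hash(prev, entry["record"]):
                return False, i
            prev = entry["hash"]
        return True, len(self.entries)


def collect(lines, received_at=RECEIVED_AT, max_skew=timedelta(minutes=5)):
    """Collect: parse, normalise event time to UTC, keep everything (even junk), flag skewed clocks."""
    store, skewed_hosts = ImmutableLogStore(), set()
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:  # never drop input silently; keep it as an unparsed record for later review
            store.append({"host": "unknown", "app": "_unparsed", "msg": line, "received": received_at.isoformat()})
            continue
        event_ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
        skew = (event_ts - received_at).total_seconds()
        if abs(skew) > max_skew.total_seconds():  # source clock disagrees with the collector (WP12)
            skewed_hosts.add(m["host"])
        pri = int(m["pri"])
        store.append({"ts": event_ts.isoformat(), "host": m["host"], "app": m["app"], "msg": m["msg"],
                      "facility": pri >> 3, "severity": pri & 7, "received": received_at.isoformat()})
    return store, skewed_hosts


def detect_bruteforce(store, threshold=3, window=timedelta(minutes=1)):
    """Alert: `threshold` failed logins from one source against one host inside `window`."""
    failures = defaultdict(list)
    for entry in store.entries:
        rec, fm = entry["record"], FAILED_LOGIN_RE.search(entry["record"].get("msg", ""))
        if fm and "ts" in rec:
            failures[(rec["host"], fm["src"])].append(datetime.fromisoformat(rec["ts"]))
    alerts = []
    for (host, src), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # any `threshold` consecutive failures within `window`
            if times[i + threshold - 1] - times[i] <= window:
                alerts.append({"host": host, "src": src, "first": times[i].isoformat()})
                break
    return alerts


def search(store, host=None, app=None, text=None):
    """Search: field/substring filter over stored records."""
    return [e["record"] for e in store.entries
            if (host is None or e["record"].get("host") == host)
            and (app is None or e["record"].get("app") == app)
            and (text is None or text in e["record"].get("msg", ""))]


def report(store):
    """Report: event counts per (host, app), the kind of daily-review summary PCI Requirement 10 asks for."""
    return dict(Counter((e["record"]["host"], e["record"]["app"]) for e in store.entries))
```

Running `collect(SAMPLE_LINES)` stores all seven lines (the non-syslog one as an unparsed record), normalises the fw01 event from +02:00 to UTC, and flags db01 because its event time is two and a half hours ahead of the collector clock; `detect_bruteforce` then raises one alert for the three failures from 203.0.113.5, and `verify()` points at the first entry whose content no longer matches its stored hash after any edit.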
Slide 8: So, You Decided to Acquire a LM Tool … What’s next?
• What do you want, specifically?
• How to choose a product?
• How not to screw it up?
• How to make sure that it goes smoothly, now and later?
• Overall, how to be wildly happy … with your log management purchase?
Slide 9: What is a “Worst Practice”?
As opposed to the “best practice” it is …
• What the losers in the field are doing today
• A practice that generally leads to disastrous results, despite its popularity
Slide 10: Log Management Project Lifecycle
1. Determine the need
2. Define scope of log management
3. Select and evaluate the vendor
4. Run proof of concept – POC
5. Deploy (in phases)
6. Run the tool
7. Expand deployment
Slide 11: 1. Determine the Need
WP1: Skip this step altogether – just buy something
• “John said that we need a correlation engine”
• “I know this guy who sells log management tools …”
WP2: Define the need in general
• “We need, you know, manage logs and stuff”
Questions: Real-time? Platform? Appliance? Service? Correlation? Indexing? RDBMS vs files? Volume of logs? Agents? Collectors? Connectors? Users? Your use cases?
Slide 12: Case Study A – Just Buy a SIEM!
• Medium-sized financial company
• New CSO comes in from a much larger organization
• “We need a SIEM! ASAP!”
• Can you spell “boondoggle”?
• Lessons learned: which problem did we solve? Huh!? None?
Slide 13: 2. Define scope
WP3: Postpone scope until after the purchase
• “The vendor says ‘it scales’ so we will just feed ALL our logs”
• Windows, Linux, i5/OS, OS/390, Cisco – send ’em in!
WP4: Assume you will be the only user of the tool
• “Steak holders”? What’s that?
• Common consequence: two or more similar tools are bought
• Forgetting that logs are useful to many people for many reasons …
Slide 14: Case Study B: “We Use ’em All”
• SANS Log Management Summit 2006
• Vendors X, Y and Z claim “Big Finance” as a customer
• How can that be? Well, different teams purchased different products …
• About $2.3m wasted on tools that do the same!
Slide 15: 3. Initial vendor selection
WP5: Choose by price alone
• Ignore hardware, extra modules, training, service, support, etc. costs
• “OMG, this tool is 30% cheaper. And it is only twice as bad.”
• Advanced version: be suckered by the vendor’s TCO and ROI “formulas”
WP6: Choose by relationship or “PowerPoint power”
• “We got it with the latest router purchase…”
Slide 16: 4. Vendor evaluation and POC
WP7: Don’t ask for and don’t check references
• “Our environment is unique”
WP8: Don’t do a POC
• “We can save time!”
• “We can just choose the best product, right?”
• “The vendor said it works just peachy”
WP9: If doing a POC, let the vendor dictate how OR ignore what the vendor says
• “Windows? Sure, we will test on Windows!”
• “Proof of concept!? Why prove what we already know!”
Slide 17: Case Study C: Performance-Shmerformance
• Retail organization deciding between two log management products, A and B
• Vendor A: “We scale like there is no tomorrow”
• Vendor B: “We scale like we invented scaling”
• “Can you prove it?!”
• Results: Vendor A claims 75,000 MPS, dies at 2300 (!); Vendor B claims 75,000 MPS, runs at 85000 (!!) <- LogLogic
Slide 18: 5. Deployment
WP10: Expect the vendor to write your logging policy OR ignore vendor recommendations
• “Tell us what we need” – “tell us what you have” … forever
WP11: Unpack the boxes and go!
• “Coordinating with network and system folks is for cowards!”
• Do you know why LM projects take months sometimes?
WP12: Don’t prepare the infrastructure
• “Time synchronization? Pah, who needs it”
WP13: Ignore the legal team
• Pain …
Slide 19: Case Study D: Shelfware Forever!
• Financial company gets a SIEM tool after many months of “evaluations”
• Vendor SEs deploy it
• One year passes by
• A new CSO comes in; looks for what is deployed
• Finds a SIEM tool – whose database contains exactly 53 log records (!)
• It was never connected to a production network…
Slide 20: 6. Running the Tool
WP14: Deploy everywhere at once
• “We need log management everywhere!”
WP15: “Save money” on the vendor support contract
• “We have to pay 18% for what?”
WP16: Ignore upgrades
• “It works just fine – why touch it?”
WP17: Training? They said it is ‘intuitive’!
• “A chance to ‘save’ more money here? Suuure.”
Slide 21: Case Study E: Intuitive? To Me It Isn’t!
• A major retailer procures a log management tool from an integrator
• A classic “high-level” sale, golf and all
• “Intuitive UI” is high on the list of criteria
• The tool is deployed in production
• Security engineers hate it – and don’t touch it
• Simple: the UI workflow doesn’t match what they do every day
Slide 22: 7. Expanding Deployment
WP18: Don’t bother with a product owner
• “We all use it – we all run it (= nobody does)”
WP19: Don’t check for changed needs – just buy more of the same
• “We made the decision – why fuss over it?”
WP20: If it works for 10, it will be OK for 10,000
• “1, 10, 100, …, 1 trillion – they are just numbers”
Slide 23: Case Study F: Today - Datacenter, Tomorrow … Oops!
• Log management tool is tested and deployed at two datacenters – with great success!
• PCI DSS comes in; scope is expanded to wireless systems and POS branch servers
• The tool is prepared to be deployed in 410 (!) more locations
• “Do you think it will work?” - “Suuuuure!”, says the vendor
• Security director resigns …
Slide 24: Conclusions – Serious!
• Turn ON logging!
• Learn about logging and log management
• Read NIST 800-92 and other guides; do the research!
• Match what you need with what they have – not doing it is a key source of PAIN
• Plan carefully – and plan your planning too
• Work WITH the vendor – not ‘against’, not ‘without’, not ‘for’
• Final word: do big IT projects have “shortcuts” to easy and effortless success – what are they?
Slide 25: Thank You for Attending!
Dr Anton Chuvakin, GCIH, GCFA
Chief Logging Evangelist, LogLogic, Inc
http://www.chuvakin.org
See www.info-secure.org for my papers, books, reviews, etc. and other security and logging resources; check my blog at www.securitywarrior.org
Editor's Notes

  • #2: Not LOGGING worst practices