Friday, March 10, 2006

Some fun notes on logs from my SANS presentation

So, as most of you know, a while ago [March 1] I did this fun presentation on "Baselining Logs and Audit Trails for Security" at SANS 2006. Besides the obvious benefit of going to a warm place (Orlando, FL) from a colder New Jersey, it had some other interesting results.

I got a great audience response and a bunch of fun questions on how to best create log baselines and draw actionable conclusions automatically (or, at least, semi-automatically), which is what the presentation was largely about.

Also, a lot of people complained that while the step from ignoring logs and letting them rot to storing them diligently is a hard one for many companies, the next step, from collecting to automated ['cause most folks don't have time for any other kind!] intelligent analysis, is way harder and will probably not be undertaken unless smart analysis tools are provided.

Companies might go and build a syslog server, maybe add Kiwi for Windows logs, but most will stop short of implementing analytics on the logs...
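To make the "collect, then baseline, then flag deviations" step concrete, here is a small added example (my illustration, not code from the presentation): it averages daily counts of each (host, program, message template) over a training window of constructed syslog lines, then flags event types that never appeared in the baseline or that exceed a multiple of their usual daily rate.

```python
import re
from collections import Counter

# Syslog line shape assumed here: "Mar 1 08:00:01 host program[pid]: message"
LINE_RE = re.compile(r'^(\w{3}\s+\d+) \S+ (\S+) (\w+)(?:\[\d+\])?: (.*)$')

def parse(line):
    """Return (day, (host, program, template)) or None for an unparsable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    day, host, prog, msg = m.groups()
    # Collapse digits (pids, ports, addresses) so repeats of one event share a key.
    return day, (host, prog, re.sub(r'\d+', 'N', msg))

def build_baseline(text):
    """Mean daily count of each event key across the training window."""
    per_key, days = Counter(), set()
    for p in filter(None, map(parse, text.splitlines())):
        days.add(p[0])
        per_key[p[1]] += 1
    return {key: n / len(days) for key, n in per_key.items()}

def find_deviations(text, baseline, spike=3.0):
    """Flag keys unseen in the baseline ('new') or above spike x their mean ('spike')."""
    counts = Counter(p[1] for p in filter(None, map(parse, text.splitlines())))
    findings = []
    for key, n in counts.items():
        if key not in baseline:
            findings.append(('new', key, n))
        elif n > spike * baseline[key]:
            findings.append(('spike', key, n))
    return findings

# Constructed sample data: two quiet training days, then one day to check.
BASELINE_LOGS = """Mar 1 08:00:01 web1 sshd[101]: Accepted publickey for deploy from 10.0.0.5
Mar 1 08:05:11 web1 cron[202]: (root) CMD (run-parts /etc/cron.hourly)
Mar 1 09:00:01 web1 sshd[103]: Accepted publickey for deploy from 10.0.0.5
Mar 2 08:00:02 web1 sshd[110]: Accepted publickey for deploy from 10.0.0.5
Mar 2 08:05:10 web1 cron[211]: (root) CMD (run-parts /etc/cron.hourly)"""
NEW_LOGS = "\n".join(
    ["Mar 3 08:05:09 web1 cron[301]: (root) CMD (run-parts /etc/cron.hourly)"]
    + ["Mar 3 09:%02d:00 web1 sshd[31%d]: Accepted publickey for deploy from 10.0.0.5" % (i, i) for i in range(5)]
    + ["Mar 3 02:13:4%d web1 sshd[305]: Failed password for root from 198.51.100.7" % i for i in range(3)])

if __name__ == "__main__":
    for kind, key, n in find_deviations(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(kind, key, n)
```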

The second thought that resulted from the presentation was that log collection and analysis for security is truly the most universal security problem. You think viruses are what everyone fears? Guess what, those running a Linux network do not. Spyware? Same answer. Spam? Those who use IM and internal-only mail are largely immune (or you can call on the phone :-)).

At the same time, everybody is drowning in logs which can tell them a lot about their environment and security posture, if and only if they are analyzed!

Dr Anton Chuvakin