Tuesday, April 18, 2006

Book review "Security Log Management: Identifying Patterns in the Chaos"

It is not often that I review a genuinely bad book, but this is one such rare occasion. It so happens that log analysis is my primary area of focus for the last several years and thus I could not miss a book titled “Security Log Management.”

Yuck! The book starts from a hodge-podge of examples, which, if entertaining at times, doesn’t lead to any meaningful lessons and thus doesn’t deliver the value it could have produced. The same applies to the material selection for the book, which, as a result, suffers from a complete lack of logical structure. Even Ch 1, “Log Analysis: Overall Issues,” barely touched on analyzing logs and clearly didn’t cover any “overall issues.” Also, the authors have undoubtedly trademarked the concept of a random irrelevant picture or graph...

In addition, the book reveals many areas where the authors are deeply befuddled. The ESM chapter (‘Enterprise Security Management’) is one such example, where such confusion reigns supreme. They can talk about an ‘ESM process’ and claim that ‘ESM is not a tool’ in one sentence and then describe ‘ESM tools’ in the next one. On top of that, if you are looking for some arcane security humor, try understanding their ROI calculation in the chapter (‘Cost of problem’ + ‘Cost of solution’ …).

One would think that they could get something as (relatively) simple as firewall reporting right (chapter 3). One would think that – and one would be wrong… The reader is still left with no answers to questions such as ‘what summaries, statistics and reports should he/she collect, and how?’

As far as style is concerned, the book carries the unfortunate signs of being written by a group of authors who didn’t talk to each other much. Furthermore, what adds insult to injury is the truly excessive amount of quoted source code, which plainly doesn’t belong in the book but on a website, CD, etc. (were the editors asleep at the wheel?).

To conclude, the book does have some relationship to patterns and chaos: the patterns in your brain will immediately turn into chaos after you are done reading it, provided you even finish it. My suggestion is to avoid this largely useless title and save the money for better books (such as Bejtlich’s or countless others).

Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a
recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects, such as incident response, intrusion detection, honeypots and log analysis. In his spare time he maintains his security portal http://www.info-secure.org and two blogs.

Dr Anton Chuvakin