Wednesday, May 02, 2007

My Impressions of SANS Log Management Summit 2007

So, as I mentioned before (here and here), I attended a recent SANS Log Management Summit 2007. Here are my notes and impressions.

First, I really enjoyed the event, both from speaking and listening point of view. I did two panel presentations (one on log management implementation issues and one "vendor shootout") as well as my "award-winning" :-) Lunch and Learn presentation on choosing a log management approach: buy, build or outsource (or combine!). Vendor shootout panel also was pretty exciting (unlike one last year where one of our competitors sent a sales weenie masquerading as a "CTO" who spouted drivel for, like, 15 minutes :-)); we got some fun questions (like "name one feature that you do WORST!?") as well as fun answers. While cynics might grumble that vendors only go to such events for competitive information, the panel was genuinely interesting and thought-provoking.

Among other interesting observations, I noticed that logging for operational uses was much better represented and more frequently mentioned compared to last year; logging for security and compliance were certainly there in full force, but logging for operational uses, which is the oldest, classic use for logs, seems to be making a comeback and people really buy (or build - and then suffer :-)) log management tools to deal with the challenge.

On the market side, Summit pretty much proved that there is a log management market now with its own players, requirements, use cases, etc. At the same time, buyers are much more aware of what they are actually signing up for when they call a log management vendor. Still, I saw a share of people who made really bizarre decisions in regards to their logging...

Also, I was excited that Stephen Northcutt mentioned the MITRE CEE logging standard project, that I've been involved in (since before its name got changed from a more exciting one - guess it! :-) - to this bland "CEE"...) Log standards are definitely way overdue. Even a simple "what should be logged" recommendation (part of CEE, of course) will come incredibly handy.

Finally, somebody asked me how did the summit compare to last years? I liked this one a bit more; content was a bit more useful (even though, obviously, not new to me) and there was much less confusion about what log management actually is (e.g. much less SIEM dirt was thrown around :-)).

Other people's summit notes are here (I am sure more will be posted soon and I will update this)

Dr Anton Chuvakin