As you remember, I’ve done this webcast/IPC with IANS called “Navigating the Data Stream without Boiling the Ocean: Case Studies in Effective Log Management.” My role as IANS faculty was to moderate the discussion.
My intro slides can be found here. A recording can be found somewhere here – grab it since we had a great panel discussion with a bunch of useful and juicy bits about log management in the real world. Below I am answering some of the fun questions we got at the show for a broader audience of this blog – and sorry for a delay with that.
Q: What, if anything, has anyone done to overcome privacy restrictions in some countries like Germany, France, Italy regarding log collection activity of users?
A: Sorry, but I have to give you a cynical answer. From what I am hearing, those countries are making a choice in favor of - what they think of as – “privacy” over security monitoring and activity auditing. As a result, many of the logging and log review tasks legality is becoming questionable or the burden of performing such tasks grows exponentially. The only advice I can give is to follow the law - even if you screw yourself and your organization in the process. Under democracy, you're supposed to act towards changing the law and not simply ignoring it.
Q: Can you describe your process for determining what to periodically review from your logs? Did a committee comprised of sysadmin and information security team identify what to review?
A: Ideally, such process should and include all stakeholders, namely, people who can benefit from the information in log files. This would certainly include system administrators and a security team. However, it is not uncommon that the security team will do it on its own if other parties show no interest in participating. Regarding the process itself, the key approach to doing is “use cases.“ What do regulations say about logging and log review? What business units ask for, if anything? What level of details you'd prefer to have during incident response? What are the things I trying to accomplish? Look for future blog posts about this subject.
Q: Would you use log management without a SIEM?
A: Absolutely. I would not use a SIEM without log management though; I would also try not to use a SIEM without a good log management tool. For more info on this subject read this, this, this.
Q: Does using a complete SIEM solution reduce the number of staff required?
A: Hard to say what is meant by ”complete” here, but the answer is either “no” or “it depends.”
Overall, I do not like this type of positioning at all: if you are trying to purchase a SIEM solution in order to fire your security analysts, you'll fail miserably. On the other hand, if you'd like to reduce the number of people whose jobs consist of only reading logs every day, then SIEM can help reduce that staffing need so that you can allocate people to more productive security monitoring tasks. Still, the main value of a SIEM tool lies in the skilled personnel that operates it! For example, see this one.
Q: What is your definition of structured and un-structured data [mentioned in the discussion]?
A: Structured data is more like a database table, it has named fields such as “username”, “source IP”, etc. Name=value pairs is another example of log data with structure. On the other hand, plain English text is not structured [at least, not for our purposes of log analysis] and needs to be either structured (“parsed”, tokenized, etc) or directly analyzed using text mining tools.
Q: How visualization tools technically help in log review?
A: See http://secviz.org for more information on the subject than you ever wanted to learn :-) While you're in the subject, get a great book about it.
Q: What level from the log management maturity curve [A.C. - reference to this graph] does HIPAA compliance require?
A: Based on the fact that HIPAA prescribes logging (164.312(b) Audit Controls) and some monitoring for specific events, such as logins (164.308(a)(5)(ii)(C) Log-in Monitoring), I’d venture a guess that HIPAA compliance will require an organization to have a fairly mature log management and security monitoring operation. And is this reality? No, many healthcare organizations are nowhere near that stage with their logging.
Also, see awesome coverage of this webcast from Rocky DeStefano is here at his VisibleRisk blog.
Possibly related posts:
- Fun Logging Webcasts: 4/1/2010 and 5/12/2010
- Open Group Log Webcast Slidea and Q&A: "Enterprise Logging and Log Management: Hot Topics"
- Thursday 3/25 IANS Webcast + Panel on Log Management: "Awesome++"
- Log Management / SIEM Users: "Minimalist" vs "Analyst"
- The Myth of SIEM as "An Analyst-in-the-box" or How NOT to Pick a SIEM-II?
- Log Management + SIEM = ?
- SIEM Bloggables talks about SIEM use cases.