Wednesday, April 07, 2010

Open Group Log Webcast Slidea and Q&A: “Enterprise Logging and Log Management: Hot Topics”

As you remember, I’ve done this webcast with Open Group called “Enterprise Logging and Log Management: Hot Topics.”

Here are the slides from the webcast. Full recording with voice can be found here. Below I am answering some of the fun questions we got at the show for a broader audience of this blog.


Q: As the log management curve matures [reference to this graph], how do you ensure that the log data is secure?

A: Check out my “Top 11 Reasons to Secure and Protect Your Logs.” In reality, access control, occasionally hashing (yes, sometimes even with MD5) and sometimes encryption of archived logs is the “state of the art” for log protection. Think about it! People don’t encrypt and poorly protect SSNs, payment card numbers and their own key intellectual property… do you think they will protect logs well? Thus this is in mane cases an academic question…


Q: What do you mean by “use cases” here, is it the same concept as in software engineering or it has diff context here?

A: Yes, same use case definition – pardon for a bit of PM-speak. Example brief SIEM use cases are here.


Q: Are there any templates or best practices to decide as what to log in order to cover wide range of domains/purposes e.g. hacking, policy,

A: This is a million dollar question, really. What exactly needs to be logged for PCI has been discussed here and here and I was involved in some consulting projects to define that for a particular company (recent project example). In the near future, an attempt will be made to answer this question more consistently… sorry, can’t say more yet, but watch this blog for updates.


Q: How have you dealt with the trade off of logging requirements & mandates vs scale & performance needs in the area of application architecture? 

A: Poorly? :-) In most cases the mandate/security requirement HAS TO WIN and the only way for the developer to present this situation as “a tradeoff” is to avoid the security guy like a plague until the application is fielded – and the present this fake “dilemma.” In reality, if your application crashes or slows to the crawl when you enable logging of, say, all transactions, it needs to go back to the drawing board. Think of an example: can you field a payment app that can operate without logging all transactions? There is no tradeoff here.


Q: Would you please suggest a log management application?

A: Free tools are listed here and some commercial ones are here; you can pay me to select the right tool for your requirements  since log management is broad enough and complex enough to make “one best log management tool” a pipe dream at best. Are you collecting Cisco ASA log data or Oracle Finacials audit table? For PCI DSS or against web application attacks? Or maybe for web server debugging? These are other cases will have different “best app choices.” You can try reading this to learn maybe you need to write your very own log analysis application.


Q: What is your opinion of OVAL/CVE and SCAP as standards for log management?

A: CEE by MITRE is an active effort to create such set of log standards; NIST plan to later adopt them as “EMAP” (SCAP’s logging brother). As we work on the standard, I occasionally blog about it here. Right now the team is actively engaged at weekly workgroup calls and email discussions, mostly focusing on finalizing the taxonomy draft (the famous “O-A-S”), “logging profiles” and other fun things.


Possibly related posts:

Dr Anton Chuvakin