As I was drinking cognac on the upper deck of a 747, flying TPE-SFO back from a client meeting, the following idea crossed my mind: CAN one REALLY do a decent job with log management (including log review) if their budget is $0 AND their “time budget” is 1 hour/week? I got asked that when I was teaching my SANS SEC434 class a few months ago and the idea stuck in my head – and now cognac, courtesy of China Airlines, helped stimulate it into a full blog post.
So, $0 budget points to using open-source, free tools (duh!), but 1hr/week points in exactly the opposite direction: commercial or even outsourced model.
The only slightly plausible way that I came up with is:
- Spend your 1st hour building a syslog server; it can be done, especially if starting from an old Linux box that you found in the basement (at $0); don’t forget logrotate or equivalent
- Spend the next few weeks (i.e. hours) configuring various Unix, Linux and network devices (essentially, all syslog log sources) to log to it
- Consider deploying Snare on a few Windows boxes (if needed); it would likely be easier to do than doing remote pull – too much tuning might be needed
- Next, drop a default OSSEC install on your log server and – gasp! – enable all alerts
- Spend the next few hours (in the next few weeks) turning off the ones that are too numerous, irrelevant or don’t trigger any action in your environment.
- If your log volume fits within a free splunk license size (500MB/day), also spend an hour deploying splunk on your log server and have it index all gathered logs
- Now you’d be spending your “one log hour each week” on reviewing alerts and (if installed) digging in splunk for additional details
- Congrats! $0 and 1hr/week gave you a semblance of log management and even monitoring….
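As an added example (not from the post, and not OSSEC's own tooling): a small Python script for the “turn off the alerts that are too numerous” step and the weekly review hour, ranking rules by volume so the chatty ones can be tuned and the rare ones get the attention. It assumes an alerts.log layout where each record carries a `Rule: <id> (level <n>) -> '<description>'` line; the rule ids and the sample records are constructed.

```python
import re
from collections import Counter

# Matches the per-record rule line; the layout is assumed, not taken from the post.
RULE_RE = re.compile(r"^Rule: (\d+) \(level (\d+)\) -> '(.*)'$", re.MULTILINE)

def ossec_record(rule_id, level, desc, host, msg):
    """Build one constructed alerts.log-style record (format assumed)."""
    return (f"** Alert 1294253280.1: - syslog,\n"
            f"2011 Jan 05 14:28:00 {host}->/var/log/auth.log\n"
            f"Rule: {rule_id} (level {level}) -> '{desc}'\n{msg}\n")

# Constructed week of alerts: one chatty low-level rule plus a few rare ones.
SAMPLE = "\n".join(
    [ossec_record(5716, 5, "SSHD authentication failed.", "web1",
                  "sshd[1]: Failed password for root from 10.0.0.5 port 4444 ssh2")] * 40
    + [ossec_record(5402, 3, "Successful sudo to ROOT executed", "db1",
                    "sudo: bob : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash")] * 3
    + [ossec_record(5712, 10, "SSHD brute force trying to get access to the system.",
                    "web1", "sshd[2]: Failed password for invalid user admin from 10.0.0.9")]
)

def count_rules(alerts_text):
    """Return {rule_id: (level, description, count)} over an alerts.log body."""
    counts, meta = Counter(), {}
    for rid, level, desc in RULE_RE.findall(alerts_text):
        counts[rid] += 1
        meta[rid] = (int(level), desc)
    return {rid: (meta[rid][0], meta[rid][1], n) for rid, n in counts.items()}

def triage(alerts_text, noise_share=0.25, serious_level=10):
    """Rank rules by volume and mark the ones that would swallow the weekly hour.

    A rule below `serious_level` that makes up at least `noise_share` of all
    alerts is a candidate to tune or disable (the post's 'too numerous' case);
    everything else stays on the review list.
    """
    stats = count_rules(alerts_text)
    total = sum(n for _, _, n in stats.values()) or 1
    rows = []
    for rid, (level, desc, n) in sorted(stats.items(), key=lambda kv: -kv[1][2]):
        noisy = n / total >= noise_share and level < serious_level
        rows.append((rid, level, desc, n, "tune-or-disable" if noisy else "review"))
    return rows

if __name__ == "__main__":
    for rid, level, desc, n, verdict in triage(SAMPLE):
        print(f"{verdict:16} rule {rid} (level {level}) x{n}: {desc}")
```

Run it against a real alerts.log by passing the file's contents to `triage()`; the thresholds are starting points to adjust per environment.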
What do you think? It just might work for organizations with severe time AND money constraints.
Enjoy the post … while it lasts.
BTW, on a completely unrelated note: do you think EVERY organization above a certain size NEEDS a SIEM? Or WILL NEED a SIEM in the future?