Monday, December 09, 2013

SANS Top 6 Log Reports Reborn!

This story goes back years - many, many years. It starts with “SANS Top 5 Log Reports” [PDF] in 2006, and then continues with me volunteering to update it in 2009. I did a lot of work on it in 2009-2010, but never got it to a stage where I was 100% happy with it.  Then in 2011, I joined Gartner and therefore was unable to finish it. Only in 2012 I found a new author who polished it before handing it to SANS for publication.

The document has now been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”, v 3.01)

At its center are these top log report categories:

  1. Authentication and Authorization Reports
  2. Systems and Data Change Reports
  3. Network Activity Reports
  4. Resource Access Reports
  5. Malware Activity Reports
  6. Failure and Critical Error Reports

The document can be used to figure out what to log, what to report on and what reports to review for various purposes.

So, enjoy! A lot of work of many smart people went into this. Thanks A LOT to those who contributed to it over the years. Special thanks go to Marcus Ranum, the original logging guru, and the enlightened members of the SANS GIAC Alumni mailing list.

P.S. Those of you who have read our Log Management book have seen an earlier and somewhat more wordy version of it. This one is better!

Related posts and the entire history of this effort:

Monday, December 02, 2013

Monthly Blog Round-Up – November 2013

Here is my next monthly "Security Warrior" blog round-up of top 5 popular posts/topics this month:
  1. Why No Open Source SIEM, EVER?” contains some of my SIEM thinking from 2009. Is it relevant now? Well, you be the judge.
  2. Simple Log Review Checklist Released!” is often at the top of this list – the checklist is still a very useful tool for many people. “On Free Log Management Tools” is a companion to the checklist (updated version)
  3. My classic PCI DSS Log Review series is popular as well. The series of 18 posts cover a comprehensive log review approach, useful for building log review processes and procedures, whether regulatory or not. It is also described in more detail in our Log Management book.
  4. Top 10 Criteria for a SIEM?” came from one of my last projects I did when running my SIEM consulting firm in 2009-2011.
  5. “New SIEM Whitepaper on Use Cases In-Depth OUT!” (dated 2010) presents a whitepaper on select SIEM use cases in depth (the paper link is now RESTORED!)

In addition, I’d like to draw your attention to a few recent posts from my Gartner blog:

Current research on using big data approaches for security:

Current research on security patch management:
(see my published Gartner research here)

Also see my past monthly and annual “Top Popular Blog Posts” – 2007, 2008, 2009, 2010, 2011, 2012.

Disclaimer: all content at SecurityWarrior blog was written before I joined Gartner on Aug 1, 2011 and is solely my personal view at the time of writing. For my current security blogging, go here.

Previous post in this endless series:

Dr Anton Chuvakin