Buy vs. Build vs. Outsource: What’s the Best Log Management Strategy?

Dr. Anton Chuvakin

WRITTEN: 2007

DISCLAIMER:
Security is a rapidly changing field of human endeavor. Threats we face literally change
every day; moreover, many security professionals consider the rate of change to be
accelerating. On top of that, to be able to stay in touch with such ever-changing reality,
one has to evolve with the space as well. Thus, even though I hope that this document
will be useful to my readers, please keep in mind that it was possibly written years
ago. Also, keep in mind that some of the URLs might have gone 404; please Google
around.


Logs—you don’t have to love them, but you have to have them. Logs are essential for
adequate threat protection and intrusion discovery, incident response, forensics and even
litigation support. They are used to check and enforce internal policies and procedures, as
well as to measure IT performance. And they’re invaluable to IT staff when
troubleshooting network, system and application issues. But what’s the best way to
collect, store, manage, analyze and report on your log data? In other words, what is the
best way to handle the “logging monster”?

When deciding on a log management solution, you have many choices. You can build a
solution of your own in-house, possibly using open source components. You can
outsource log collection and management to a log management service provider, such as
an MSSP or, in the near future, a SaaS provider. Or you can buy an appliance or software
solution from a vendor. A preferable option may be to combine two of these options, so
that you can take advantage of the benefits of both and mitigate their risks. Still, all of
these strategies have both advantages and risks.

This paper will examine the following considerations for choosing a log management
solution for your organization:
    • Why do you need log management in the first place?
    • Should you build, buy or outsource your log management solution?
    • What are the considerations for deciding on the appropriate log management
        strategy for your business?
    • Is it better to use a combined log management strategy?


Why collect logs in the first place?

Let’s briefly review the nature, sources and importance of logs.
Logs come from everywhere within the IT infrastructure of an organization, whether
large or small. Logs of relevance come from a wide variety of applications, network
elements and endpoints and include audit logs, transactions, intrusions, connections and
dropped connections, system performance records, user activities, and various alerts and
other messages. More than 50 GB of logs can be generated daily by a large enterprise,
resulting in nearly 20 terabytes of stored data in just a year.

Why do you need to collect them? Logs are critical to ensuring and attesting to
compliance with business policies and regulatory mandates. With log data, you gain
insight into records of user access — systems used, connections established, files viewed,
emails sent — and you can identify successful and failed transactions, as well as system
configuration changes, in near real time. Just as they were 20 years ago, logs are useful to
system administrators, security analysts and IT managers. Logs can also help with
troubleshooting network problems, and good log management can drastically simplify
forensics activities and reduce e-discovery costs.

A large percentage of log data is relevant to security; such logs include various audit
records generated by the many devices and applications common in business
environments. Even business applications generate security data – data that records
access decisions or even indicates abuse or exploitation attempts. Collecting and
analyzing all of this activity data across the IT environment (and even beyond IT, in the
case of physical access monitoring) can illuminate malicious activity or unintentional
security threats originating from within or outside the IT environment, so you can stop
them faster.

The Compliance Conundrum

The importance of logs to compliance is increasingly clear to organizations of all sizes.
Industry regulations and governmental mandates universally require companies to
collect, store and analyze logs: PCI DSS, SOX, FISMA, GLBA and HIPAA all include
these requirements. There are really no exceptions. For example, NIST 800-53 (and NIST
800-92 to a larger extent) requires companies to capture audit records, regularly review
them, automatically process them, protect audit information and retain logs. PCI DSS
requires companies to log and track user activities, automate and secure audit trail creation,
review logs daily and retain an audit trail for at least a year. Furthermore, IT control
frameworks like COBIT, ITIL and ISO 27002 also call for log collection, retention
and analysis. COBIT, for example, recommends using logging to detect unusual or
abnormal activities and to support root-cause analysis of mishaps. ISO guidance
documents ask companies to maintain logs of changes, faults, corrections
and capacity demands.

Failure to comply with these requirements results in heavy consequences, ranging from
monetary fines to essentially losing the ability to run your business, to jail time. At the
very least, companies can lose customers, reputation and revenue from the negative press
associated with security breaches. Logs are no laughing matter; log management is no
longer an option.

The Log Management Process

A solid log management and intelligence solution is the only efficient way to create audit
trails of network and system activity for all of the various uses of that data. Let’s take a
look at what’s involved in the process.

Log management solutions begin with log collection—gathering logs from critical
systems, such as network devices, applications, databases and servers—and then storing
them securely and unaltered in a centralized location for easy reporting and searching. By
regularly reviewing logs, you can see failed logins, denied access attempts and unusual usage
patterns, and get an overall feel for ongoing activity.

Ongoing monitoring also calls for near real-time analysis and response in case
action is needed. The ability to send alerts to key personnel when an event occurs is
critical: alerting lets you monitor the logs and notify an operator if immediate action
is needed.

LMI (log management and intelligence) tools let you create reports on collected log data,
which is essential for compliance efforts. Both near real-time dashboard views and longer-term
historical reports are needed. An efficient log management solution must allow organizations
to store logs in their raw, unaltered form to ensure data integrity and forensic utility, and in
a central repository for fast access. The ability to quickly search through large amounts of log
data for investigative purposes is invaluable for incident response.

Finally, LMI must allow for simplified yet secure log sharing. Typically, compliance and
incident response are multi-team efforts that involve personnel from security to IT staff to
management staff. Once the logs are collected and stored, fine-grained access control is
needed to ensure that data is shared only with authorized stakeholders. Figure 1 illustrates
key log management activities.


Build, Buy or Outsource—Which Strategy Suits Your Business?

Now that the drivers for log management as well as stages of a log management process
are clear, let’s review how to actually do it! Deciding you need log management isn’t the
hard part; deciding on how to implement it is. What’s the best strategy? Should you build
your own solution, buy one off-the-shelf, or outsource log management as a service? Or,
is there a combination of the three that would be the best bet? Let’s take a look at the
pros and cons of each approach.

Build it

Many companies, especially smaller ones, choose to build their own LMI solutions.
Indeed, you can try to build exactly the solution you need, with the platform, tools and
methods you prefer, and aside from labor, there’s no up-front monetary cost. IT
professionals may even relish the challenge of creating a solution for the company and
enjoy “tackling the log beast.” But after a while, maintenance costs (due to an
ever-changing sea of log formats, log types and log sources) grow to overwhelming
proportions, and the project often ends up killed. Since the solution is highly specialized,
you will need highly specialized staff to add, change or repair it whenever necessary.
Furthermore, these homegrown solutions are usually not scalable, so as the company
grows and more data floods the network, changes, updates and ever-more-frequent
overhauls become necessary, leading to even more labor and maintenance costs. During
these updates and overhauls, downtime can occur, costing you even more time and money.

If you do decide to embark on a journey to “home-made log management,” there are a
number of open-source tools that can perform some of the essential functions necessary
for effective log management. Here are a few…
    • Log collection: Syslog-ng, Kiwi, Snare, Project LASSO, and many others
    • Secure log centralization: stunnel/SSL, ssh or other encryption tools
    • Storage: MySQL, or you can design your own (possibly indexed!) file-based
        storage
    • Analysis: SEC, OSSEC and OSSIM, Swatch, logwatch, logsentry and many other
        small scripts, each solving one specific log-related problem

Open source projects such as OSSEC and OSSIM also provide larger building blocks for
your system by offering combined functionality.
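As an added example (not from the paper), here is a minimal Python sketch of the home-grown pipeline that the open-source list above and the Log Management Process section describe: collect (parse syslog lines), keep them raw and unaltered in a hash-chained store so any later edit is detectable, alert on repeated failed logins, and search. The sample log lines are constructed, and the field names and alert threshold are my own assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample lines in BSD/RFC 3164 syslog style, standing in for what a
# collector such as syslog-ng would forward to a central host.
SAMPLE_LOGS = [
    "Mar  3 10:01:02 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 50122 ssh2",
    "Mar  3 10:01:04 web01 sshd[2201]: Failed password for root from 198.51.100.7 port 50123 ssh2",
    "Mar  3 10:01:06 web01 sshd[2201]: Failed password for admin from 198.51.100.7 port 50124 ssh2",
    "Mar  3 10:01:09 web01 sshd[2203]: Accepted publickey for deploy from 203.0.113.5 port 41000 ssh2",
    "Mar  3 10:02:11 db01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Mar  3 10:02:15 web01 sshd[2210]: Failed password for root from 198.51.100.7 port 50130 ssh2",
]

# Collection step: split a syslog line into timestamp, host, program, pid, message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_syslog(line):
    """Return the fields of a BSD-style syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

GENESIS = "0" * 64  # assumed starting value of the hash chain

class LogStore:
    """Append-only store: each raw line is kept unaltered and hash-chained to the
    previous entry, so editing, deleting or reordering a stored line breaks verify()."""

    def __init__(self):
        self.entries = []   # list of (raw_line, chain_hash)
        self.head = GENESIS

    def append(self, raw_line):
        h = hashlib.sha256((self.head + "\n" + raw_line).encode()).hexdigest()
        self.entries.append((raw_line, h))
        self.head = h
        return h

    def verify(self):
        """Recompute the chain from GENESIS; True only if every link still matches."""
        prev = GENESIS
        for raw_line, stored in self.entries:
            expected = hashlib.sha256((prev + "\n" + raw_line).encode()).hexdigest()
            if expected != stored:
                return False
            prev = expected
        return prev == self.head

    def search(self, pattern):
        """Investigative search over the raw lines (regex)."""
        rx = re.compile(pattern)
        return [raw for raw, _ in self.entries if rx.search(raw)]

# Alerting step: a simple rule over parsed sshd messages.
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def failed_login_alerts(store, threshold=3):
    """Return {source_ip: count} for sources with >= threshold failed SSH logins."""
    counts = defaultdict(int)
    for raw, _ in store.entries:
        rec = parse_syslog(raw)
        if rec is None or rec["prog"] != "sshd":
            continue
        m = FAILED_RE.search(rec["msg"])
        if m:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def build_store(lines=SAMPLE_LOGS):
    store = LogStore()
    for line in lines:
        store.append(line)
    return store

def tamper_check():
    """Simulate a silent edit of one stored line and report whether verify() catches it."""
    store = build_store()
    raw, h = store.entries[0]
    store.entries[0] = (raw.replace("Failed", "Accepted"), h)  # altered text, old hash
    return store.verify()  # False: the chain no longer matches

if __name__ == "__main__":
    s = build_store()
    print("chain intact:", s.verify())
    print("failed-login alerts:", failed_login_alerts(s))
    print("sudo events:", s.search(r"\bsudo\b"))
    print("chain intact after tampering:", tamper_check())
```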

Over time, however, homegrown solutions are not practical, because the need to
constantly update the support for changing log formats “gets them” in the end.
According to Gartner researchers, “Although [home-grown log management] may prove
effective for a limited set of data sources with clearly defined "strings" that the
organization is searching for, most organizations quickly run into scalability issues, as
well as issues using the data for situational awareness in support of incident response…
In most cases, internally developed centralized application log solutions will fall short of
meeting organizational requirements.”


Outsource it

Outsourcing log management is a low-cost way to get started with implementing LMI.
Most likely, you won’t have to manage any equipment in-house and you won’t have to
hire additional staff to run and maintain it. You’re basically paying someone else to
worry about your problems. That sounds ideal, but there are some drawbacks, too.
They’re still YOUR problems, and no one else is going to worry about them as much as
you do, especially when regulatory compliance is at issue. You might find that a third
party isn’t as careful about meeting your requirements in terms of IT policies and
industry regulations. There is also a risk of SLAs slipping and potentially even losing
control of your data. Plus, volume and log access challenges can arise when data
collection and storage is outsourced to a service that may not be attuned to your
fluctuating business needs. To top it off, possible compliance violations will likely still
fall on you and not on the service provider.

Before choosing an outsourced solution, determine what portion of your logs will be
managed by the service—is it all or just some? Know how you will gain access to your
logs, so you can show them to auditors.

Overall, for many organizations, especially the ones that are challenged to hire and retain
IT staff and IT security professionals, the advantages of outsourcing are indeed
compelling, and this option will continue to be viable and popular.


Buy it

As of today, procuring a log management tool from a vendor is fast becoming the most
popular option. Fewer organizations are choosing to “build their own.” Vendor tools,
such as LogLogic, have matured in recent years in both product capabilities and ease of
deployment and operation. The option to buy a log management solution from a vendor
is compelling: a commercial log management vendor will typically guarantee support for
the log sources that you need, thereby mitigating the biggest risk and challenge of
“home-grown” solutions (constant updates), and will also expand support for new and
changed logs and add new cutting-edge log analysis methods.

These tools can be very effective—you pay a set price and get a turn-key solution for log
aggregation and analysis. All vendors offer support for wide ranges of diverse log
sources, ongoing product improvements and innovations. Plus, if anything goes wrong,
you have a scapegoat – a support person to scream at!

But, as with other approaches, there are also risks. Sometimes skilled staff are needed to
get value out of a purchased product, which still needs to be installed, run and
maintained. Vendor longevity is also a problem—who do you turn to if the company that
made the solution goes out of business? Choosing a company with experience will assure
both vendor longevity and a stream of ongoing improvements.

Combining approaches

Because each strategy has its benefits and drawbacks, a combined strategy is often the
best option. For example, you can purchase a solution and then enhance it with internal
custom development on top of it. Or you can combine commercial vendor tools with
open-source tools. You can also buy a tool and then outsource some of its management to
an external provider. This allows you to maintain more control, but still lessen the
workload on your IT staff.

Combining solutions helps to mitigate some of the risks of individual solutions, but
it comes at a cost. Sometimes you might even need to pay twice. Still, a larger upfront
investment may prove cost-effective in the long run.

A “buy, then build on top” approach is often the most effective strategy for implementing
a robust LMI solution that meets your specific – and evolving – business requirements.
By combining the two, you can capture the advantages of both approaches, which
include:

   •   You get on-going support, upgrades and patches from the solution provider.
   •   You’re assured reliable performance.
   •   You can build the analysis tools you want.
   •   You can present the data you want to the people who need it.
   •   You can outsource the routine log management tasks to the vendor and only take
       on those you want to take on.

In short, pick a vendor with a rich set of APIs that allows you to build on top of a
commercial platform.

Turn on the Logs!

To conclude, if you do nothing else, turn logging on. Assess the role of log data in
meeting compliance requirements, mitigating security risks, enabling audit and
improving availability. Then implement the log management strategy that suits your
business. Finally, avoid a build-only approach because it limits scalability and ends up
costing more than it’s worth. If you have to build, build on top of a robust log
management platform from a vendor.

Considerations for Choosing an LMI Solution

Before you decide on a log management approach and implement your new solution, you
have a lot to consider. Trillions of log messages and hundreds of terabytes of data must
be handled. Here are some questions you can ask yourself as you begin your quest for the
best possible solution:

   1. Are you collecting and aggregating 100% of all log data from all data sources on
      the network?
   2. Are your logs transported and stored securely?
   3. Are there packaged reports that suit your needs? Can you create the needed
      reports to organize collected log data quickly?
   4. Can you set alerts on anything in the logs?
   5. Are you looking at log data on a daily basis? Can you prove that you are?
   6. Can you perform fast, targeted searches for specific data?
   7. Can you contextualize log data (comparing application, network and database
      logs) when undertaking forensics and other operational tasks?
   8. Can you readily prove that security, change management,
      and access control policies are in use and up to date?
   9. Can you securely share log data with other applications and users?

ABOUT THE AUTHOR:

This is an updated author bio, added to the paper at the time of reposting in 2009.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the
field of log management and PCI DSS compliance. He is an author of the books
"Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy
II", "Information Security Management Handbook" and others. Anton has published
dozens of papers on log management, correlation, data analysis, PCI DSS and security
management (see the list at www.info-secure.org). His blog
http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences across
the world; he recently addressed audiences in the United States, UK, Singapore, Spain,
Russia and other countries. He works on emerging security standards and serves on
the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice, focusing on logging
and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr.
Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys.
Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with
educating the world about the importance of logging for security, compliance and
operations. Before LogLogic, Anton was employed by a security vendor in a strategic
product management role. Anton earned his Ph.D. degree from Stony Brook
University.

Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 

Último (20)

Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 

Buy vs. Build vs. Outsource: What’s Your Best Log Management Strategy?

Buy vs. Build vs. Outsource: What’s the Best Log Management Strategy?

Dr. Anton Chuvakin

WRITTEN: 2007

DISCLAIMER:
Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.

Logs—you don’t have to love them, but you have to have them. Logs are essential for adequate threat protection and intrusion discovery, incident response, forensics and even litigation support. They are used to check and enforce internal policies and procedures, as well as to measure IT performance. And they’re invaluable to IT staff when troubleshooting network, system and application issues. But what’s the best way to collect, store, manage, analyze and report on your log data? In other words, what is the best way to handle the “logging monster”?

When deciding on a log management solution, you have many choices. You can build a solution of your own in-house, possibly utilizing open source components. You can outsource log collection and management to a log management service provider, such as an MSSP or, in the near future, a SaaS provider. Or, you can buy an appliance or software solution from a software or appliance vendor. In addition, a preferable option may be to combine two of these options, so that you can take advantage of the benefits of both and mitigate their risks. Still, all of these strategies have both advantages and risks.

This paper will examine the following considerations for choosing a log management solution for your organization:
    • Why do you need log management in the first place?
    • Should you build, buy or outsource your log management solution?
    • What are the considerations for deciding on the appropriate log management strategy for your business?
    • Is it better to use a combined log management strategy?

Why collect logs in the first place?

Let’s briefly review the nature, sources and importance of logs.
Logs come from everywhere within the IT infrastructure of an organization, whether large or small. Logs of relevance come from a wide variety of applications, network elements and endpoints and include audit logs, transactions, intrusions, connections and dropped connections, system performance records, user activities, and various alerts and other messages. More than 50 GB of logs can be generated daily by a large enterprise, resulting in nearly 20 terabytes of stored data in just a year.

Why do you need to collect them? Logs are critical to ensuring and attesting to compliance with business policies and regulatory mandates. With log data, you gain insight into records of user access — systems used, connections established, files viewed, emails sent — and you can identify successful and failed transactions, as well as system configuration changes, in near real-time. Just as 20 years ago, logs are useful to system administrators, security analysts and IT managers. Logs can also help with troubleshooting network problems, and good log management can drastically simplify forensics activities and reduce e-discovery costs.

A large percentage of log data is relevant to security; such logs include various audit records generated by the many devices and applications common in business environments. Even business applications generate security data – data that records access decisions or even indicates abuse or exploitation attempts. Collecting and analyzing all of this activity data across the IT environment (and even beyond IT, in the case of physical access monitoring) can illuminate malicious activity or unintentional security threats originating from within or outside the IT environment, so you can stop them faster.

The Compliance Conundrum

The importance of logs to compliance is increasingly clear to organizations of all sizes. Universally, industry regulations and governmental mandates require companies to collect, store and analyze logs—PCI DSS, SOX, FISMA, GLBA and HIPAA all include these requirements. There are really no exceptions. For example, NIST 800-53 (and NIST 800-92 to a larger extent) requires companies to capture audit records, regularly review them, automatically process them, protect audit information and retain logs. PCI requires companies to log and track user activities, automate and secure audit trail creation, review logs daily and retain an audit trail for at least a year.

Furthermore, IT control frameworks like COBIT, ITIL and ISO 27002 also necessitate log collection, retention and analysis. COBIT, for example, recommends using logging to detect unusual or abnormal activities and to determine the root cause of mishaps. ISO guidance documents ask companies to maintain logs for information on changes, faults, corrections and capacity demands.

Failure to comply with these requirements results in heavy consequences, ranging from monetary fines to essentially losing the ability to run your business to jail time. At the very least, companies can lose customers, reputation and revenue from the negative press associated with security breaches. Logs are no laughing matter; log management is no longer an option.
The Log Management Process

A solid log management and intelligence (LMI) solution is the only efficient way to create audit trails of network and system activity for all of the various uses of that data. Let’s take a look at what’s involved in the process.

Log management solutions begin with log collection—gathering logs from critical systems, such as network devices, applications, databases and servers—and then storing them securely and unaltered in a centralized location for easy reporting and searching. By regularly reviewing logs, you can see failed logins, denied access attempts, unusual usage patterns – and get an overall feel of ongoing activity.

Further, ongoing monitoring also calls for near real-time analysis and response in case action is needed. The ability to send alerts to key personnel when an event occurs is critical. Alerting allows us to monitor the logs and notify an operator if immediate action is needed.

LMI allows you to create reports on collected log data, which is essential for compliance efforts. Both near real-time dashboard views and longer-term historical reports are needed.

An efficient log management solution must allow organizations to store logs in their raw, unaltered form to ensure data integrity and forensic utility, and in a central repository for fast access. The ability to quickly search through large amounts of log data for investigative purposes is invaluable for incident response.

Finally, LMI must allow for simplified yet secure log sharing. Typically, compliance and incident response are multi-team efforts that involve personnel from security to IT staff to management. Once the logs are collected and stored, fine-grained access control is needed to ensure that data is shared only with authorized stakeholders.

Figure 1 illustrates key log management activities.

Build, Buy or Outsource—Which Strategy Suits Your Business?
Now that the drivers for log management as well as the stages of a log management process are clear, let’s review how to actually do it! Deciding you need log management isn’t the hard part; deciding how to implement it is. What’s the best strategy? Should you build your own solution, buy one off-the-shelf, or outsource log management as a service? Or, is there a combination of the three that would be the best bet? Let’s take a look at the pros and cons of each approach.

Build it

Many companies, especially smaller ones, choose to build their own LMI solutions. Indeed, you can try to build exactly the solution you need, with the platform, tools and methods you prefer, and aside from labor, there’s no up-front monetary cost. IT professionals may even relish the challenge of creating a solution for the company and enjoy the challenges that are involved in “tackling the log beast.”

But after a while, maintenance costs (due to an ever-changing sea of log formats, log types and log sources) grow to overwhelming proportions - and the project often ends up killed. Since the solution is highly specialized, you will need highly specialized staff to add, change or repair the solution whenever necessary. Furthermore, these homegrown solutions are usually not scalable, so as the company grows and more data floods the network, changes, updates and ever-more-frequent overhauls are necessary—leading to even more labor and maintenance costs. During updates and ever-frequent overhauls, downtime can occur, costing you even more time and money.

If you do decide to embark on a journey to “home-made log management,” there are a number of open-source tools that can perform some of the essential functions necessary for effective log management. Here are a few…
    • Log collection: Syslog-ng, kiwi, Snare, Project LASSO, and many others
    • Secure log centralization: stunnel/SSL, ssh or other encryption tools
    • Storage: MySQL, or you can design your own – possibly indexed! - file-based storage
    • Analysis: SEC, OSSEC and OSSIM, Swatch, logwatch, logsentry and many other small scripts that solve one specific log-related problem

Open source projects such as OSSEC and OSSIM also provide larger building blocks for your system by offering combined functionality. Over time, however, homegrown solutions are not practical, because the need to constantly update the support for changing log formats “gets them” in the end.
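To make the process stages and the “home-made” maintenance problem concrete, here is an added Python example (not from the paper, and not any of the tools it lists) that sketches the core of such a pipeline over constructed auth.log style lines: parse the classic syslog layout, keep every line verbatim in a central store chained with SHA-256 so later alteration is detectable, flag repeated failed logins, search the raw data, and report the lines the parser could not handle, which is exactly the format-drift burden the text describes. Host names, addresses and the firewall line format are all constructed for the example.

```python
import hashlib
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample (not from the paper): auth.log style lines from one host, plus a
# firewall line in a format this parser does not know.
SAMPLE_LOGS = [
    "Mar  3 10:01:02 web01 sshd[1001]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2",
    "Mar  3 10:01:05 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 4412 ssh2",
    "Mar  3 10:01:09 web01 sshd[1001]: Failed password for root from 203.0.113.7 port 4413 ssh2",
    "Mar  3 10:02:30 web01 sshd[1002]: Failed password for bob from 198.51.100.9 port 5120 ssh2",
    "Mar  3 10:02:41 web01 sshd[1002]: Accepted password for bob from 198.51.100.9 port 5120 ssh2",
    "Mar  3 10:03:00 web01 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "2007-03-03T10:03:15Z fw01 action=drop src=203.0.113.7 dst=192.0.2.10 proto=tcp dport=22",
]

# Classic BSD syslog layout: "Mon dd hh:mm:ss host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(line: str) -> Optional[Dict[str, str]]:
    """Collection stage: split one line into fields, or None if the format is unknown."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


class RawLogStore:
    """Central repository: every line kept verbatim, each record chained to the previous
    one by SHA-256, so a later edit of any stored line makes verify() return False.
    The newest digest must be copied off-box (or signed) for the chain to mean anything."""

    GENESIS = "0" * 64

    def __init__(self, lines: Iterable[str] = ()) -> None:
        self.records: List[Tuple[str, str]] = []  # (raw line, chain hash)
        for line in lines:
            self.append(line)

    @staticmethod
    def _link(prev_hash: str, line: str) -> str:
        return hashlib.sha256(f"{prev_hash}\n{line}".encode("utf-8")).hexdigest()

    def append(self, line: str) -> str:
        prev = self.records[-1][1] if self.records else self.GENESIS
        digest = self._link(prev, line)
        self.records.append((line, digest))
        return digest

    def verify(self) -> bool:
        prev = self.GENESIS
        for line, digest in self.records:
            if self._link(prev, line) != digest:
                return False
            prev = digest
        return True

    def lines(self) -> List[str]:
        return [line for line, _ in self.records]


def failed_login_alerts(store: RawLogStore, threshold: int = 3) -> List[Tuple[str, str, int]]:
    """Review/alerting stage: (host, source ip, count) for sources with >= threshold failures."""
    counts: Counter = Counter()
    for rec in filter(None, map(parse_syslog, store.lines())):
        m = FAILED_LOGIN_RE.search(rec["msg"])
        if m:
            counts[(rec["host"], m.group("ip"))] += 1
    return sorted((h, ip, n) for (h, ip), n in counts.items() if n >= threshold)


def search(store: RawLogStore, pattern: str) -> List[str]:
    """Investigation stage: case-insensitive regex search over the raw lines."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [line for line in store.lines() if rx.search(line)]


def unparsed(store: RawLogStore) -> List[str]:
    """Lines the parser does not understand: every new format means more parser work."""
    return [line for line in store.lines() if parse_syslog(line) is None]
```

Note that the raw search still finds the firewall line by address even though the parser does not understand it, while the alert rule silently skips it; that gap is what keeps growing in a homegrown solution.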
According to Gartner researchers, “Although [home-grown log management] may prove effective for a limited set of data sources with clearly defined "strings" that the organization is searching for, most organizations quickly run into scalability issues, as well as issues using the data for situational awareness in support of incident response… In most cases, internally developed centralized application log solutions will fall short of meeting organizational requirements.”

Outsource it

Outsourcing log management is a low-cost way to get started with implementing LMI. Most likely, you won’t have to manage any equipment in-house and you won’t have to hire additional staff to run and maintain it. You’re basically paying someone else to worry about your problems.

That sounds ideal, but there are some drawbacks, too. They’re still YOUR problems, and no one else is going to worry about them as much as you do, especially when regulatory compliance is at issue. You might find that a third party isn’t as careful about meeting your requirements in terms of IT policies and industry regulations. There is also a risk of SLAs slipping and potentially even losing control of your data. Plus, volume and log access challenges can arise when data collection and storage are outsourced to a service that may not be tuned into your fluctuating business needs. To top it off, possible compliance violations will likely still fall on you and not on the service provider.

Before choosing an outsourced solution, determine what portion of your logs will be managed by the service—is it all or just some? Know how you will gain access to your logs, so you can show them to auditors. Overall, for many organizations, especially the ones that are challenged to hire and retain IT staff and IT security professionals, the advantages of outsourcing are indeed compelling, and this option will continue to be viable and popular.

Buy it

As of today, procuring a log management tool from a vendor is fast becoming the most popular option. Fewer organizations are choosing to “build their own.” Vendor tools, such as LogLogic, have matured in recent years in both product capabilities and ease of deployment and operation. The option to buy a log management solution from a vendor is compelling: a commercial log management vendor will typically guarantee support for the log sources that you need, thereby mitigating the biggest risk and challenge of “home-grown” solutions’ constant updates, and will also expand support for new and changed logs and add new cutting-edge log analysis methods.

These tools can be very effective—you pay a set price and get a turn-key solution for log aggregation and analysis. All vendors offer support for wide ranges of diverse log sources, ongoing product improvements and innovations. Plus, if anything goes wrong, you have a scapegoat – a support person to scream at!

But, as with other approaches, there are also risks. Sometimes skilled staff is needed to get value out of a purchased product, which still needs to be installed, run and maintained. Vendor longevity is also a problem—who do you turn to if the company that made the solution goes out of business? Choosing a company with experience will assure both vendor longevity and a stream of ongoing improvements.
Combining approaches

Because each strategy has its benefits and drawbacks, a combined strategy is often the best option. For example, you can purchase a solution and then enhance it with internal custom development on top of it. Or you can combine commercial vendor tools with open-source tools. You can also buy a tool and then outsource some of its management to an external provider. This allows you to maintain more control, but still lessen the workload on your IT staff. Combining solutions helps to mitigate some of the risks of individual solutions; however, it comes at a cost. Sometimes, you might even need to pay twice. Still, a larger upfront investment may prove cost-effective in the long run.
A “buy, then build on top” approach is often the most effective strategy for implementing a robust LMI solution that meets your specific – and evolving – business requirements. By combining the two, you can capture the advantages of both approaches, which include:
    • You get on-going support, upgrades and patches from the solution provider.
    • You’re assured reliable performance.
    • You can build the analysis tools you want.
    • You can present the data you want to the people who need it.
    • You can outsource the routine log management tasks to the vendor and only take on those you want to take on.

In short, pick a vendor with a rich set of APIs that allows you to build on top of a commercial platform.

Turn on the Logs!

To conclude, if you do nothing else, turn logging on. Assess the role of log data in meeting compliance requirements, mitigating security risks, enabling audit and improving availability. Then implement the log management strategy that suits your business. Finally, avoid a build-only approach because it limits scalability and ends up costing more than it’s worth. If you have to build, build on top of a robust log management platform from a vendor.

Considerations for Choosing an LMI Solution

Before you decide on a log management approach and implement your new solution, you have a lot to consider. Trillions of log messages and hundreds of terabytes of data must be handled. Here are some questions you can ask yourself as you begin your quest for the best possible solution:
    1. Are you collecting and aggregating 100% of all log data from all data sources on the network?
    2. Are your logs transported and stored securely?
    3. Are there packaged reports that suit your needs? Can you create the needed reports to organize collected log data quickly?
    4. Can you set alerts on anything in the logs?
    5. Are you looking at log data on a daily basis? Can you prove that you are?
    6. Can you perform fast, targeted searches for specific data?
    7. Can you contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks?
    8. Can you readily prove that security, change management, and access control policies are in use and up to date?
    9. Can you securely share log data with other applications and users?

ABOUT THE AUTHOR:
This is an updated author bio, added to the paper at the time of reposting in 2009.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is the author of the books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS and security management (see the list at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in the United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations.

Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.