SlideShare uma empresa Scribd logo

CEE Logging Standard: Today and Tomorrow

Anton Chuvakin
Anton Chuvakin

CEE Logging Standard: Today and Tomorrow

TecnologiaNegócios
1 de 29
CEE Logging Standard: Today and Tomorrow Dr Anton Chuvakin Chief Logging Evangelist LogLogic, Inc
Outline ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Log Chaos I - Login? <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0     Logon account :  POWERUSER    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574 <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
Log Chaos II - Accept? messages:Dec 16 17:28:49 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-notification-00257(traffic): start_time=&quot;2002-12-16 17:33:36&quot; duration=5 policy_id=0 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1170 rcvd=1500 src=10.14.94.221 dst=10.14.98.107 src_port=1384 dst_port=23 translated ip=10.14.93.7 port=1206 Mar 6 06:06:02 winonasu-pix %PIX-6-302013: Built outbound TCP connection 315210 596 for outside:172.196.9.206/1214 (172.196.9.206/1214) to inside:199.17.151.103/1438 (199.17.151.103/1438) Apr 6 06:06:02 Checkpoint NGX SRC=Any,DEST=ANY,Accept=nosubstitute,Do Not Log,Installspyware,lieonyourtaxes,orbetteryet,dontpaythem
Definitions ,[object Object],[object Object],[object Object],[object Object],[object Object]
Log Chaos ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Chaos2order: Why Logging Standards? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Various Logging Standards by Type ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Old, Dead and Vendor Log Standards ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What Killed’em ALL?  ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
What Worked? NIST 800-92 Guide to LM ,[object Object]
What is a Common Event Expression – CEE? CEE = Syntax + Vocabulary + Transport + Log Recommendations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CEE Introduction ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CEE Current Status ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Key Area of CEE ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CEE in One Glance
CEE Components ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
1. CEE on Log Transport ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
2. CEE on Log Format/Syntax ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
3. CEE on Log Taxonomy ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
4. CEE on Logging Recommendations ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Adoption, ADOPTION, A-D-O-P-T-I-O-N! ,[object Object],[object Object],[object Object],[object Object],[object Object]
Why CEE WILL Succeed!! ,[object Object],[object Object],[object Object],[object Object]
Conclusions: Future of CEE ,[object Object],[object Object],[object Object],[object Object],[object Object]
CEE + XDAS Together (Suggested!) ,[object Object],[object Object],[object Object],[object Object],[object Object]
Thanks for Attending the Presentation ,[object Object],[object Object],[object Object],[object Object],[object Object]
Backup and Example Slides from MITRE
CEE Example ,[object Object],[object Object],[object Object],Example Log Messages Transport - successful log transmission Syslog (each log message is transmitted in a single UDP packet usually over port 514/UDP) Syntax - details specific to event being logged Format (3) CEF message CEF:Version|Device Vendor|DeviceProduct|DeviceVersion|Signature ID|Name|Severity|Extension Extension is a meta item – it imposes a sytax extension to specify addition details - a data dictionary can enumerate these details Syntax - details specific to event being logged Format (1 and 2) month day time host program[pid]: message In CEE, each of these would be a possible syntax element, whose value and definition would be well defined by a Data Dictionary Data Dictionary needed to enumerate details associated with the event It needs to provide flexible syntax options by defining the elements and formats Ex: dst in the CEF event – defined by a dotted quad IPv4 address
CEE Example (Cont.) ,[object Object],[object Object],[object Object],Taxonomy – a reduced language set for consistent log messages Right now they are semantically similar – ok for humans – but not for computers

Recomendados

Application Logging for large systems
Application Logging for large systemsApplication Logging for large systems
Application Logging for large systemsJane Prusakova
 
Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Gerardo Pardo-Castellote
 
Component Based DDS with C++11 and R2DDS
Component Based DDS with C++11 and R2DDSComponent Based DDS with C++11 and R2DDS
Component Based DDS with C++11 and R2DDSRemedy IT
 
DDS Security
DDS SecurityDDS Security
DDS SecurityReal-Time Innovations (RTI)
 
Layer 7 Technologies: What Is An Xml Firewall
Layer 7 Technologies: What Is An Xml FirewallLayer 7 Technologies: What Is An Xml Firewall
Layer 7 Technologies: What Is An Xml FirewallCA API Management
 
DDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardDDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardAngelo Corsaro
 
OpenSplice Security Module
OpenSplice Security ModuleOpenSplice Security Module
OpenSplice Security ModuleAngelo Corsaro
 
Deep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationDeep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationGerardo Pardo-Castellote
 

Recomendados

Application Logging for large systems
Application Logging for large systemsApplication Logging for large systems
Application Logging for large systemsJane Prusakova
 
Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Remote Procedure Call over DDS - London Connext DDS Conference
Remote Procedure Call over DDS - London Connext DDS Conference Gerardo Pardo-Castellote
 
Component Based DDS with C++11 and R2DDS
Component Based DDS with C++11 and R2DDSComponent Based DDS with C++11 and R2DDS
Component Based DDS with C++11 and R2DDSRemedy IT
 
DDS Security
DDS SecurityDDS Security
DDS SecurityReal-Time Innovations (RTI)
 
Layer 7 Technologies: What Is An Xml Firewall
Layer 7 Technologies: What Is An Xml FirewallLayer 7 Technologies: What Is An Xml Firewall
Layer 7 Technologies: What Is An Xml FirewallCA API Management
 
DDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardDDS: The IoT Data Sharing Standard
DDS: The IoT Data Sharing StandardAngelo Corsaro
 
OpenSplice Security Module
OpenSplice Security ModuleOpenSplice Security Module
OpenSplice Security ModuleAngelo Corsaro
 
Deep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationDeep Dive into the OPC UA / DDS Gateway Specification
Deep Dive into the OPC UA / DDS Gateway SpecificationGerardo Pardo-Castellote
 
LogChaos: Challenges and Opportunities of Security Log Standardization
LogChaos: Challenges and Opportunities of Security Log StandardizationLogChaos: Challenges and Opportunities of Security Log Standardization
LogChaos: Challenges and Opportunities of Security Log StandardizationAnton Chuvakin
 
Log Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton ChuvakinLog Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton ChuvakinAnton Chuvakin
 
Single sign on with TYPO3
Single sign on with TYPO3Single sign on with TYPO3
Single sign on with TYPO3tschikarski
 
Eniac – Lotus Consolidation 2009
Eniac – Lotus Consolidation 2009Eniac – Lotus Consolidation 2009
Eniac – Lotus Consolidation 2009Edwin Kanis
 
Practical, team-focused operability techniques for distributed systems - DevO...
Practical, team-focused operability techniques for distributed systems - DevO...Practical, team-focused operability techniques for distributed systems - DevO...
Practical, team-focused operability techniques for distributed systems - DevO...Matthew Skelton
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case StudiesPaul Fremantle
 
Innovate2011 Keys to Building OSLC Integrations
Innovate2011 Keys to Building OSLC IntegrationsInnovate2011 Keys to Building OSLC Integrations
Innovate2011 Keys to Building OSLC IntegrationsSteve Speicher
 
Open-Do - Initial concepts and idea
Open-Do - Initial concepts and ideaOpen-Do - Initial concepts and idea
Open-Do - Initial concepts and ideaAdaCore
 
C Cure Users Group Presentation Final 4
C Cure Users Group Presentation Final 4C Cure Users Group Presentation Final 4
C Cure Users Group Presentation Final 4halgig
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)siouxhotornot
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
Open Cloud Computing Interface Presentation
Open Cloud Computing Interface PresentationOpen Cloud Computing Interface Presentation
Open Cloud Computing Interface PresentationIntel Corporation
 
Practical operability techniques for teams - webinar - Skelton Thatcher & Unicom
Practical operability techniques for teams - webinar - Skelton Thatcher & UnicomPractical operability techniques for teams - webinar - Skelton Thatcher & Unicom
Practical operability techniques for teams - webinar - Skelton Thatcher & UnicomSkelton Thatcher Consulting Ltd
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overviewabhi1112
 
Sword Or2008 Julieallinson
Sword Or2008 JulieallinsonSword Or2008 Julieallinson
Sword Or2008 JulieallinsonJulie Allinson
 
Otrs help desk-solutions-linux-2012
Otrs help desk-solutions-linux-2012Otrs help desk-solutions-linux-2012
Otrs help desk-solutions-linux-2012Gonéri Le Bouder
 
Wiring the Web
Wiring the WebWiring the Web
Wiring the Webgoodfriday
 
Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 

Mais conteúdo relacionado

Semelhante a CEE Logging Standard: Today and Tomorrow

LogChaos: Challenges and Opportunities of Security Log Standardization
LogChaos: Challenges and Opportunities of Security Log StandardizationLogChaos: Challenges and Opportunities of Security Log Standardization
LogChaos: Challenges and Opportunities of Security Log StandardizationAnton Chuvakin
 
Log Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton ChuvakinLog Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton ChuvakinAnton Chuvakin
 
Single sign on with TYPO3
Single sign on with TYPO3Single sign on with TYPO3
Single sign on with TYPO3tschikarski
 
Eniac – Lotus Consolidation 2009
Eniac – Lotus Consolidation 2009Eniac – Lotus Consolidation 2009
Eniac – Lotus Consolidation 2009Edwin Kanis
 
Practical, team-focused operability techniques for distributed systems - DevO...
Practical, team-focused operability techniques for distributed systems - DevO...Practical, team-focused operability techniques for distributed systems - DevO...
Practical, team-focused operability techniques for distributed systems - DevO...Matthew Skelton
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case StudiesPaul Fremantle
 
Innovate2011 Keys to Building OSLC Integrations
Innovate2011 Keys to Building OSLC IntegrationsInnovate2011 Keys to Building OSLC Integrations
Innovate2011 Keys to Building OSLC IntegrationsSteve Speicher
 
Open-Do - Initial concepts and idea
Open-Do - Initial concepts and ideaOpen-Do - Initial concepts and idea
Open-Do - Initial concepts and ideaAdaCore
 
C Cure Users Group Presentation Final 4
C Cure Users Group Presentation Final 4C Cure Users Group Presentation Final 4
C Cure Users Group Presentation Final 4halgig
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security LoggingMilton Smith
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)siouxhotornot
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonnettitude_labs
 
Open Cloud Computing Interface Presentation
Open Cloud Computing Interface PresentationOpen Cloud Computing Interface Presentation
Open Cloud Computing Interface PresentationIntel Corporation
 
Practical operability techniques for teams - webinar - Skelton Thatcher & Unicom
Practical operability techniques for teams - webinar - Skelton Thatcher & UnicomPractical operability techniques for teams - webinar - Skelton Thatcher & Unicom
Practical operability techniques for teams - webinar - Skelton Thatcher & UnicomSkelton Thatcher Consulting Ltd
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overviewabhi1112
 
Sword Or2008 Julieallinson
Sword Or2008 JulieallinsonSword Or2008 Julieallinson
Sword Or2008 JulieallinsonJulie Allinson
 
Otrs help desk-solutions-linux-2012
Otrs help desk-solutions-linux-2012Otrs help desk-solutions-linux-2012
Otrs help desk-solutions-linux-2012Gonéri Le Bouder
 
Wiring the Web
Wiring the WebWiring the Web
Wiring the Webgoodfriday
 

Semelhante a CEE Logging Standard: Today and Tomorrow (20)

LogChaos: Challenges and Opportunities of Security Log Standardization
LogChaos: Challenges and Opportunities of Security Log StandardizationLogChaos: Challenges and Opportunities of Security Log Standardization
LogChaos: Challenges and Opportunities of Security Log Standardization
 
Log Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton ChuvakinLog Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton Chuvakin
 
Single sign on with TYPO3
Single sign on with TYPO3Single sign on with TYPO3
Single sign on with TYPO3
 
Eniac – Lotus Consolidation 2009
Eniac – Lotus Consolidation 2009Eniac – Lotus Consolidation 2009
Eniac – Lotus Consolidation 2009
 
Practical, team-focused operability techniques for distributed systems - DevO...
Practical, team-focused operability techniques for distributed systems - DevO...Practical, team-focused operability techniques for distributed systems - DevO...
Practical, team-focused operability techniques for distributed systems - DevO...
 
Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?
 
Three SOA Case Studies
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case Studies
 
Innovate2011 Keys to Building OSLC Integrations
Innovate2011 Keys to Building OSLC IntegrationsInnovate2011 Keys to Building OSLC Integrations
Innovate2011 Keys to Building OSLC Integrations
 
Open-Do - Initial concepts and idea
Open-Do - Initial concepts and ideaOpen-Do - Initial concepts and idea
Open-Do - Initial concepts and idea
 
C Cure Users Group Presentation Final 4
C Cure Users Group Presentation Final 4C Cure Users Group Presentation Final 4
C Cure Users Group Presentation Final 4
 
How to Use OWASP Security Logging
How to Use OWASP Security LoggingHow to Use OWASP Security Logging
How to Use OWASP Security Logging
 
Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)Sioux Hot-or-Not: The future of Linux (Alan Cox)
Sioux Hot-or-Not: The future of Linux (Alan Cox)
 
Project ACRN CSE Virtualization
Project ACRN CSE VirtualizationProject ACRN CSE Virtualization
Project ACRN CSE Virtualization
 
powershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
 
Open Cloud Computing Interface Presentation
Open Cloud Computing Interface PresentationOpen Cloud Computing Interface Presentation
Open Cloud Computing Interface Presentation
 
Practical operability techniques for teams - webinar - Skelton Thatcher & Unicom
Practical operability techniques for teams - webinar - Skelton Thatcher & UnicomPractical operability techniques for teams - webinar - Skelton Thatcher & Unicom
Practical operability techniques for teams - webinar - Skelton Thatcher & Unicom
 
Mainframe Architecture & Product Overview
Mainframe Architecture & Product OverviewMainframe Architecture & Product Overview
Mainframe Architecture & Product Overview
 
Sword Or2008 Julieallinson
Sword Or2008 JulieallinsonSword Or2008 Julieallinson
Sword Or2008 Julieallinson
 
Otrs help desk-solutions-linux-2012
Otrs help desk-solutions-linux-2012Otrs help desk-solutions-linux-2012
Otrs help desk-solutions-linux-2012
 
Wiring the Web
Wiring the WebWiring the Web
Wiring the Web
 

Mais de Anton Chuvakin

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsAnton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC Anton Chuvakin
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin
 

Mais de Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

CEE Logging Standard: Today and Tomorrow

  • 1. CEE Logging Standard: Today and Tomorrow Dr Anton Chuvakin Chief Logging Evangelist LogLogic, Inc
  • 2.
  • 3. Log Chaos I - Login? <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2 <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0     Logon account :  POWERUSER    Source Workstation: ENTERPRISE    Error Code: 0xC000006A     4574 <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006 <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
  • 4. Log Chaos II - Accept? messages:Dec 16 17:28:49 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-notification-00257(traffic): start_time=&quot;2002-12-16 17:33:36&quot; duration=5 policy_id=0 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1170 rcvd=1500 src=10.14.94.221 dst=10.14.98.107 src_port=1384 dst_port=23 translated ip=10.14.93.7 port=1206 Mar 6 06:06:02 winonasu-pix %PIX-6-302013: Built outbound TCP connection 315210 596 for outside:172.196.9.206/1214 (172.196.9.206/1214) to inside:199.17.151.103/1438 (199.17.151.103/1438) Apr 6 06:06:02 Checkpoint NGX SRC=Any,DEST=ANY,Accept=nosubstitute,Do Not Log,Installspyware,lieonyourtaxes,orbetteryet,dontpaythem
  • 5.
  • 6.
  • 7.
  • 8.
  • 9.
  • 10.
  • 11.
  • 12.
  • 13.
  • 14.
  • 15.
  • 16. CEE in One Glance
  • 17.
  • 18.
  • 19.
  • 20.
  • 21.
  • 22.
  • 23.
  • 24.
  • 25.
  • 26.
  • 27. Backup and Example Slides from MITRE
  • 28.
  • 29.

Notas do Editor

  1. Emerging Log Standards: Challenges and Opportunities The presentation will discuss how to bring order (in the form of standards!) to the chaotic world of logging. It will offer a walkthrough that highlights the critical areas of log standardization. Past failed standards will be looked at and their lessons learned. Finally, CEE logging standard effort will be presented and described. Key takeaways: Why log standards are sorely needed Why none succeeded so far? Why CEE will succeed?