Page 1: SANS Log Management 1

SANS Sixth Annual Log Management Survey

Part I More Log Data, More Uses

Jerry Shenk, Senior SANS Analyst

© 2010 The SANS™ Institute - www.sans.org

Page 2: SANS Log Management 1

6th Annual Log Management Survey

– Goals of Survey
  •  Track progress of log management industry
  •  Identify problems users are having
– More Log Data
  •  Log server increases
  •  Log source increases
– More Uses
  •  More people are finding logs useful


Pages 3-8: SANS Log Management 1 (slides without extractable text)

Page 9: SANS Log Management 1

What Logs are Being Collected

•  Firewalls, routers, switches, IDS/IPS, etc.
•  Servers
•  Applications
•  Databases
•  Identity Sources (directories, etc.)
•  Desktops
•  Physical devices – HVAC, badge access, plant control


Page 10: SANS Log Management 1

Log Management Challenges

•  Searching and reporting
•  Analysis
•  Automation of important event alerting
•  What vendors need to do
•  What users need to do


Page 11: SANS Log Management 1

Trustwave SIEM: Solutions for any Organization

Sunil Bhargava, VP Product Management, Trustwave (Formerly Intellitactics)

© 2010 The SANS™ Institute - www.sans.org

Page 12: SANS Log Management 1

Trustwave: The leader in compliance and data security


•  Performed more than 4,000 network and application penetration tests and 740 forensic investigations
•  Founded in 1995; 500+ employees; 23 locations on 6 continents
•  Top 10 global Certificate Authority with more than 60,000 SSL certificates issued
•  Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
•  PCI DSS leader – Trustwave has certified 42 percent of PSPs; 40% of Payment Applications
•  Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)
•  Market-leading solutions for NAC, DLP, SIEM, IDS, IPS, UTM, Encryption and Vulnerability scanning
•  2009 SC Magazine “Recommended” – Managed Security Services
•  Forrester 9 out of 10 rating – NAC solution, 2010
•  SC Magazine “Finalist” – Encryption
•  2009 Frost & Sullivan – NAC Best Practices

Page 13: SANS Log Management 1

What’s New in Log Collection

•  Some great news on collection
  –  10% biggest problem
  –  27% least challenging
•  Implications
  –  Today’s challenges…
    •  Making sense of logs we already receive
    •  Getting logs from non-traditional sources
    •  Finding more value in them all


Page 14: SANS Log Management 1

Making Sense of the Logs We Have

Moving on up: Collection to Analysis

•  Extracting value
  –  Automated analysis
  –  Actionable reporting
  –  Auto-detect
    •  Control violations
    •  Deviation from normal activity
•  Consolidating
  –  Logs
  –  Use cases
  –  Budgets
•  Are all disparate solutions required?


Page 15: SANS Log Management 1

Getting Logs from New Sources

The Insider Threat and Risk

•  The NEW questions in the survey
  –  49% from desktops
  –  48% from physical devices
•  New challenges for finding value
  –  Cross-correlation across disparate types
  –  If MS-Windows server analysis is already found challenging, how will desktops fare?
•  Application logs: question of value re-surfaces
  –  Are applications auditing requisite details?
  –  Can your solution analyze those logs?


Page 16: SANS Log Management 1

Extracting more Value

Doing more with logs

•  Evolving SIEM technologies are making it happen

•  Blended threats require blended solutions

•  Making advanced SIEM capabilities available to everyone


Page 17: SANS Log Management 1

Technology Advancements

•  SIEM advancements
  –  Continuous processing
    •  From parsing to detecting control violations
  –  Embedded data store
    •  Compressed and indexed
•  Embedded knowledge and analytics
  –  Directly addressing secondary users
    •  HR, Legal, and Asset owners
    •  For user activity and asset exposure status
  –  Analytical Modules: searches, correlations, actionable reports and alerting
    •  Includes Data Modules: acquisition, parsing, normalization and event taxonomy assignment
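The acquisition, parsing, normalization and taxonomy pipeline named on this slide, combined with the cross-correlation across disparate log types raised on the "Getting Logs from New Sources" slide, as an added example that is not code from the survey or from either vendor: it parses a constructed VPN syslog line and a constructed badge-reader record, maps both onto one schema with a taxonomy label, and flags a successful remote login by a user who badged into the building minutes earlier. The field names, the schema, the category labels and the 30-minute window are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample records (not from the survey): a VPN syslog line and a
# badge-reader CSV record, two disparate log types normalized before correlation.
VPN_LOG = "2010-03-02T08:15:02 vpn01 sslvpn: user=jdoe src=203.0.113.7 action=login status=success"
BADGE_LOG = "2010-03-02,08:10:44,DOOR-HQ-LOBBY,jdoe,GRANTED"

def parse_vpn(line):
    """Parsing: split the syslog line into timestamp, host and key=value fields."""
    ts, host, rest = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(ts), "host": host, **dict(re.findall(r"(\w+)=(\S+)", rest))}

def parse_badge(line):
    """Parsing: split the badge-reader CSV record into its columns."""
    date, time, door, user, result = line.split(",")
    return {"ts": datetime.fromisoformat(f"{date}T{time}"), "door": door, "user": user, "result": result}

def normalize(raw, source):
    """Normalization and taxonomy assignment: one schema and one category label per event (assumed names)."""
    if source == "vpn":
        category = "authentication/remote-access" if raw["action"] == "login" else "authentication/other"
        return {"ts": raw["ts"], "user": raw["user"], "source": "vpn", "location": "remote",
                "category": category, "outcome": raw["status"], "src": raw.get("src")}
    if source == "badge":
        return {"ts": raw["ts"], "user": raw["user"], "source": "badge", "location": raw["door"],
                "category": "physical-access/entry", "outcome": raw["result"].lower(), "src": None}
    raise ValueError(f"unknown source {source!r}")

def correlate(events, window_minutes=30):
    """Cross-correlation: a successful remote login by a user who badged into the building
    shortly before is a deviation from normal activity (the 30-minute window is an assumption)."""
    badged = [e for e in events if e["category"] == "physical-access/entry" and e["outcome"] == "granted"]
    alerts = []
    for e in events:
        if e["category"] != "authentication/remote-access" or e["outcome"] != "success":
            continue
        for b in badged:
            delta = (e["ts"] - b["ts"]).total_seconds()  # seconds between badge-in and VPN login
            if b["user"] == e["user"] and 0 <= delta <= window_minutes * 60:
                alerts.append({"user": e["user"], "badge_door": b["location"], "vpn_src": e["src"]})
    return alerts

def run(vpn_lines, badge_lines):
    """Acquisition -> parsing -> normalization -> correlation over both feeds."""
    events = [normalize(parse_vpn(l), "vpn") for l in vpn_lines]
    events += [normalize(parse_badge(l), "badge") for l in badge_lines]
    return correlate(sorted(events, key=lambda e: e["ts"]))
```

A badge read that comes after the login, or one that was denied, produces no alert, so the rule only fires on the ordering the slide's "deviation from normal activity" wording describes.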


Page 18: SANS Log Management 1

Blended Solutions

•  Unified Approach
  –  Preventive monitoring
    •  Control violations indicating surveillance
  –  Reactive monitoring
    •  Enrich alerts with context and history
  –  Forensic research
    •  Efficient searching
•  Integrated Approach
  –  Protection technologies
    •  DLP, Asset Discovery and Encryption
  –  Access control technologies
    •  IDM, NAC, VPN and Physical access


Page 19: SANS Log Management 1

Solutions for any Organization

•  Complete SIEM on premise
  –  Automate a SOC
  –  Outsource monitoring and administration
•  Only collect and store on premise
  –  Send events to MSS for continuous, daily or weekly review
•  Completely outsource
  –  Forward all logs to MSS
  –  Get reports and alerts as outcomes


Page 20: SANS Log Management 1


Call us: 888.878.7817 Learn more at: www.trustwave.com Contact us at: [email protected]

Trustwave: Building the Right Formula

Page 21: SANS Log Management 1

2010 Annual Log Management Survey

Varun Kohli Sr. Product Manager ArcSight


Page 22: SANS Log Management 1

ArcSight Highlights

Company Background
• ONLY pure-play SIEM public company (NASD:ARST)
• 2000+ customers in 70+ countries
• 30% of Fortune 100 companies; 37% of DJ Index companies; 6 out of Top 10 world banks

Analyst Recognition
• #1 in market share – last three reports
• SIEM Leader’s Quadrant – SIX years running

Industry Recognition
• #1 in-use for both SIEM and Log Management

Page 23: SANS Log Management 1

Gartner MQ: Six Years of Leadership

www.arcsight.com

Page 24: SANS Log Management 1

Top Use Cases

# | 2008 | 2009 | 2010
1 | Security / system event detection | User activity monitoring | Detect/prevent unauthorized access
2 | Monitoring IT controls / forensics | IT Operations | Forensics analysis / correlation
3 | Regulatory compliance | Forensics analysis / correlation | Regulatory compliance
4 | IT operations | Regulatory compliance | IT Operations

From reactive to proactive – Advanced user/asset management

Page 25: SANS Log Management 1

Top Logs Being Collected

# | 2008 | 2009 | 2010
1 | OS | OS | Switch/Router/Firewall
2 | Switch/Router/Firewall | Switch/Router/Firewall | Servers
3 | Databases | Databases | Applications and Identity data

Diverse and advanced use cases

Page 26: SANS Log Management 1

Evolving use cases bring new challenges

# | 2008 | 2009 | 2010
1 | Collection | IT Operations | Searching
2 | Search | Normalization | Analysis and Reporting
3 | Reporting | Search | Multiple vendors/formats
4 | Entire Lifecycle | Reporting | Normalization

Analysis across all data – Structured and Unstructured; Enrichment of data for smarter analysis

Page 27: SANS Log Management 1

Why can’t existing solutions meet these challenges?

– Designed for a different purpose
– SIEM and LM are not different
– Missing context on assets/users

Solution 1 Solution 2 Ideal Solution

Security and Compliance

IT Operations One solution does all

Long-term retention

Short-term retention

Automatic enforcement

Structured data Unstructured data Capture Everything Search Anything

Page 28: SANS Log Management 1

How to select the ideal solution?

Log Management Solution is NOT IDEAL if it:

•  CANNOT simultaneously handle Security, Compliance, and IT Ops

•  CANNOT collect from everything

•  CANNOT analyze across structured and unstructured data

•  HAS tradeoff between fast collection, fast analysis and efficient storage

•  DOES NOT normalize events to make them easy to understand

•  DOES NOT offer audit-quality log collection

•  DOES NOT have pre-packaged content

•  DOES NOT offer flexible, economic and long term storage

•  DOES NOT have real-time correlation (user model, asset model, etc.)

Page 29: SANS Log Management 1

Diagram (figure not extracted; labels only): Infrastructure, Databases, Transactions, Users; ArcSight Connector, ArcSight Logger, ArcSight Express, ArcSight ESM; Security, User Activity Monitoring, Fraud Detection, Application Transaction Security, Sensitive Data. Caption: Integrated Growth Path.

Page 30: SANS Log Management 1

Summary

•  Validation

–  Growing space, increasing adoption

•  Use Case Expansion

–  Beyond security and compliance to identity management and IT operations

•  Searching and Reporting

–  Normalization and device coverage

Page 31: SANS Log Management 1

Thank You!

Next Steps

•  Website: www.arcsight.com/logger

•  Questions: [email protected]

•  Telephone: +1 (888) 415-ARST

•  Future webinars:

http://www.arcsight.com/webinars/

Page 32: SANS Log Management 1

[email protected]

www.SANS.org/reading_room/analysts_program