SANS Sixth Annual Log Management Survey
Part I More Log Data, More Uses
Jerry Shenk, Senior SANS Analyst
© 2010 The SANS™ Institute - www.sans.org
6th Annual Log Management Survey
– Goals of Survey
  • Track progress of the log management industry
  • Identify problems users are having
– More Log Data
  • Log server increases
  • Log source increases
– More Uses
  • More people are finding logs useful
What Logs are Being Collected
• Firewalls, routers, switches, IDS/IPS, etc.
• Servers
• Applications
• Databases
• Identity sources (directories, etc.)
• Desktops
• Physical devices – HVAC, badge access, plant control
Log Management Challenges
• Searching and reporting
• Analysis
• Automation of important event alerting
• What vendors need to do
• What users need to do
Trustwave SIEM: Solutions for any Organization
Sunil Bhargava, VP Product Management, Trustwave (Formerly Intellitactics)
Trustwave: The leader in compliance and data security
• Performed more than 4,000 network and application penetration tests and 740 forensic investigations
• Founded in 1995; 500+ employees; 23 locations on 6 continents
• Top 10 global Certificate Authority with more than 60,000 SSL certificates issued
• Benchmark work for HIPAA, GLBA, SOX, ISO 27000 series
• PCI DSS leader – Trustwave has certified 42 percent of PSPs; 40% of Payment Applications
• Fully qualified for all PCI-related work: QSA (2002); ASV (2003); PA-QSA (2005); QIRA (2005)
• Market-leading solutions for NAC, DLP, SIEM, IDS, IPS, UTM, encryption and vulnerability scanning
• 2009 SC Magazine “Recommended” – Managed Security Services
• Forrester 9 out of 10 rating – NAC solution, 2010
• SC Magazine “Finalist” – Encryption
• 2009 Frost & Sullivan – NAC Best Practices
What’s New in Log Collection
• Some great news on collection
  – 10% biggest problem
  – 27% least challenging
• Implications
– Today’s challenges…
• Making sense of logs we already receive
• Getting logs from non-traditional sources
• Finding more value in them all
Making Sense of the Logs We Have
Moving on up: Collection to Analysis
• Extracting value
  – Automated analysis
  – Actionable reporting
  – Auto-detect
    • Control violations
    • Deviation from normal activity
• Consolidating
  – Logs
  – Use cases
  – Budgets
  – Are all disparate solutions required?
Getting Logs from New Sources
The Insider Threat and Risk
• The NEW questions in the survey
– 49% from desktops
– 48% from physical devices
• New challenges for finding value
  – Cross-correlation across disparate types
  – If MS-Windows server log analysis is already found challenging, how will desktops fare?
• Application logs: question of value re-surfaces
– Are applications auditing requisite details?
– Can your solution analyze those logs?
Extracting more Value
Doing more with logs
• Evolving SIEM technologies are making it happen
• Blended threats require blended solutions
• Making advanced SIEM capabilities available to everyone
Technology Advancements
• SIEM advancements
  – Continuous processing
    • From parsing to detecting control violations
  – Embedded data store
    • Compressed and indexed
    • Embedded knowledge and analytics
  – Directly addressing secondary users
    • HR, Legal, and Asset owners
    • For user activity and asset exposure status
  – Analytical Modules: searches, correlations, actionable reports and alerting
    • Includes Data Modules: acquisition, parsing, normalization and event taxonomy assignment
Blended Solutions
• Unified Approach
  – Preventive monitoring
    • Control violations indicating surveillance
  – Reactive monitoring
    • Enrich alerts with context and history
  – Forensic research
    • Efficient searching
• Integrated Approach
  – Protection technologies
    • DLP, Asset Discovery and Encryption
  – Access control technologies
    • IDM, NAC, VPN and Physical access
Solutions for any Organization
• Complete SIEM on premise
  – Automate a SOC
  – Outsource monitoring and administration
• Only collect and store on premise
  – Send events to MSS for continuous, daily or weekly review
• Completely outsource
  – Forward all logs to MSS
  – Get reports and alerts as outcomes
Call us: 888.878.7817 Learn more at: www.trustwave.com Contact us at: [email protected]
Trustwave: Building the Right Formula
2010 Annual Log Management Survey
Varun Kohli Sr. Product Manager ArcSight
ArcSight Highlights
Company Background
• ONLY pure-play SIEM public company (NASD:ARST)
• 2000+ customers in 70+ countries
• 30% of Fortune 100 companies; 37% of DJ Index companies; 6 out of top 10 world banks
Analyst Recognition
• #1 in market share – last three reports
• SIEM Leader’s Quadrant – six years running
Industry Recognition
• #1 in-use for both SIEM and Log Management
• Gartner MQ: six years of leadership
www.arcsight.com
Top Use Cases (rank – 2008; 2009; 2010)
1 – 2008: Security / system event detection; 2009: User activity monitoring; 2010: Detect/prevent unauthorized access
2 – 2008: Monitoring IT controls / forensics; 2009: IT Operations; 2010: Forensics analysis / correlation
3 – 2008: Regulatory compliance; 2009: Forensics analysis / correlation; 2010: Regulatory compliance
4 – 2008: IT operations; 2009: Regulatory compliance; 2010: IT Operations
From reactive to proactive – Advanced user/asset management
Top Logs Being Collected (rank – 2008; 2009; 2010)
1 – 2008: OS; 2009: OS; 2010: Switch/Router/Firewall
2 – 2008: Switch/Router/Firewall; 2009: Switch/Router/Firewall; 2010: Servers
3 – 2008: Databases; 2009: Databases; 2010: Applications and Identity data
Diverse and advanced use cases
Evolving use cases bring new challenges (rank – 2008; 2009; 2010)
1 – 2008: Collection; 2009: IT Operations; 2010: Searching
2 – 2008: Search; 2009: Normalization; 2010: Analysis and Reporting
3 – 2008: Reporting; 2009: Search; 2010: Multiple vendors/formats
4 – 2008: Entire Lifecycle; 2009: Reporting; 2010: Normalization
Analysis across all data – Structured and Unstructured; Enrichment of data for smarter analysis
Why can existing solutions not meet these challenges?
– Designed for a different purpose
– SIEM and LM are not different
– Missing context on assets/users
Solution 1: Security and Compliance; Long-term retention; Structured data
Solution 2: IT Operations; Short-term retention; Unstructured data
Ideal Solution: One solution does all; Automatic enforcement; Capture Everything, Search Anything
How to select the ideal solution?
A log management solution is NOT IDEAL if it:
• CANNOT simultaneously handle Security, Compliance, and IT Ops
• CANNOT collect from everything
• CANNOT analyze across structured and unstructured data
• HAS a tradeoff between fast collection, fast analysis and efficient storage
• DOES NOT normalize events to make them easy to understand
• DOES NOT offer audit-quality log collection
• DOES NOT have pre-packaged content
• DOES NOT offer flexible, economic and long-term storage
• DOES NOT have real-time correlation (user model, asset model, etc.)
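The slides keep returning to the same pipeline (acquisition, parsing, normalization to a common event taxonomy, enrichment with asset and user context, real-time correlation across disparate sources). As an added illustration, not code from the survey or either vendor, the sketch below runs that pipeline over constructed firewall, Windows and badge-reader lines; the three line formats, the asset table and the correlation rule are assumptions chosen for the example.

```python
import re

# Constructed sample events (not from the survey): a firewall syslog line, a Windows-style failed logon, a badge record, a benign allow.
SAMPLE_LOGS = [
    "fw01 action=deny src=10.0.5.23 dst=172.16.0.9 dport=3306 user=jdoe",
    "WINEVT host=DESK-0412 EventID=4625 Account=jdoe SrcIP=10.0.5.23",
    "BADGE door=DC-East badge=jdoe result=denied",
    "fw01 action=allow src=10.0.5.40 dst=172.16.0.9 dport=3306 user=asmith",
]
# Hypothetical asset model used for enrichment (an assumption, not page content).
ASSETS = {"172.16.0.9": {"name": "db01", "criticality": "high"}}
KV = re.compile(r"(\w+)=(\S+)")

def normalize(line):
    """Parse one raw line and map it onto a common schema plus a taxonomy category."""
    f = dict(KV.findall(line))
    ev = {"source": "unknown", "category": "unparsed", "user": None, "src_ip": None, "dst_ip": None}
    if line.startswith("fw01"):
        ev.update(source="firewall", user=f.get("user"), src_ip=f["src"], dst_ip=f["dst"],
                  category="access.denied" if f["action"] == "deny" else "access.allowed")
    elif line.startswith("WINEVT"):
        ev.update(source="windows", user=f["Account"], src_ip=f["SrcIP"],
                  category="auth.failure" if f["EventID"] == "4625" else "auth.other")
    elif line.startswith("BADGE"):
        ev.update(source="badge", user=f["badge"],
                  category="physical.denied" if f["result"] == "denied" else "physical.allowed")
    return ev

def enrich(ev):
    """Add asset context so a rule can weigh the target, not just a raw IP."""
    asset = ASSETS.get(ev["dst_ip"])
    ev["dst_asset"] = asset["name"] if asset else None
    ev["dst_criticality"] = asset["criticality"] if asset else "unknown"
    return ev

def correlate(events):
    """Rule: one user denied by two or more source types, with one denial aimed at a high-criticality asset."""
    by_user = {}
    for ev in events:
        if ev["user"] and ev["category"].endswith(("denied", "failure")):
            by_user.setdefault(ev["user"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        sources = sorted({ev["source"] for ev in evs})
        if len(sources) >= 2 and any(ev["dst_criticality"] == "high" for ev in evs):
            alerts.append({"user": user, "sources": sources})
    return alerts

def run(lines=SAMPLE_LOGS):
    # Acquisition -> parsing/normalization -> enrichment -> correlation, one pass.
    return correlate(enrich(normalize(line)) for line in lines)
```

The cross-source rule only fires because the three formats were first reduced to one schema and one category vocabulary; the same events left in their native formats could not be compared.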
[Diagram: Integrated Growth Path. Products shown: ArcSight Connector, ArcSight Logger, ArcSight Express, ArcSight ESM. Data sources shown: Infrastructure, Databases, Transactions, Users. Use cases shown: Sensitive Data Security, User Activity Monitoring, Fraud Detection, Application Transaction Security.]
Summary
• Validation
– Growing space, increasing adoption
• Use Case Expansion
– Beyond security and compliance to identity management and IT operations
• Searching and Reporting
– Normalization and device coverage
Thank You!
Next Steps
• Website: www.arcsight.com/logger
• Questions: [email protected]
• Telephone: +1 (888) 415-ARST
• Future webinars:
http://www.arcsight.com/webinars/
www.SANS.org/reading_room/analysts_program