Thursday, March 6, 2008

Log Management: Observations from the Log Management Thought Leadership roundtable webcast

I listened in on WhiteHatWorld's log management roundtable webcast that I mentioned on Monday. The panel provided a few noteworthy tidbits. If you're just starting to look at log management systems, or you are trying to sort out some of the decision points between SIM/SEM and log management devices, you should look for a panel like this. The review of concepts and issues can be useful, and I felt that the panel reflected many of the experiences that I've had. Here are a few of the highlights:

Appliance vs. software - the panel generally supported appliances due to:
  • Ease of deployment.
  • Ease of use.
  • Fixed price, fixed form factor - value is more easily determined.
  • Support and updates.
SIM/SEM versus log management:
  • There is an increasing use of a blended approach - both ends of the market are growing toward the middle.
  • Most vendors started at one end: some did analysis, some did log management. They tend to be best at what they started with.
  • Logging versus security - the emphasis is different, as security isn't the only use of logs.
  • Compliance, forensics, and analysis are drivers for either type of implementation.
Choosing a solution - a few of the top selection criteria and testing hints were:
  • Fit your collection infrastructure to your environment and your requirements. You have options including agentless vs. agent-based collection, multi-level collector/analysis engines, and other design choices. Architecture can have a major influence on performance.
    • Remote sites may make agents particularly useful.
  • The ability to collect different data types: flow data, syslog via TCP and UDP.
  • The ability to scale as your environment or deployment changes.
  • Analysis capabilities and other automated handling. Decide what you need, and what would provide the greatest benefit.
  • Test and assess the speed of access to data and the ability to search the data. Pay particular attention to indexing capabilities and storage methods.
  • Be careful of the dangers of looking at a single performance specification - vendors often measure under ideal conditions. Real-scenario testing is useful: see what happens when features are enabled, the UI is in use, and under other actual usage models.
  • If you're intending to use the system for incident response, review your legal requirements such as verifiable chain of custody, validation, and audit.
  • The experts suggested reviewing NIST standards such as 800-92.
  • Deploy a proof of concept:
    • See how your network actually works.
    • Check the items you're logging.
    • Remember that space is cheap.
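Two of the items above, "check the items you're logging" and "verifiable chain of custody, validation, and audit", are the kind of thing a proof of concept can exercise with very little code. The following is an added example written for this post, not something the panel or any vendor supplied: it parses BSD-style (RFC 3164) syslog lines, inventories which hosts and facilities are actually reporting, and then appends the parsed records to a SHA-256 hash chain whose final digest serves as an archive fingerprint. The sample log lines, host names and addresses are constructed, and the chain layout (prev-hash, canonical JSON body, digest) is one simple design chosen for illustration, not a standard.

```python
"""Syslog inventory plus a hash-chained archive for integrity checks.

Added example, not from the original post. Assumes RFC 3164 layout:
  <PRI>Mmm dd hh:mm:ss host tag[pid]: message
All sample lines below are constructed.
"""
import hashlib
import json
import re

# RFC 3164: PRI = facility * 8 + severity, facilities 0-23.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
                  5: "syslog", 6: "lpr", 7: "news", 8: "uucp", 9: "cron",
                  10: "authpriv", 11: "ftp", 16: "local0", 17: "local1",
                  18: "local2", 19: "local3", 20: "local4", 21: "local5",
                  22: "local6", 23: "local7"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def parse_syslog(line):
    """Parse one BSD-syslog line into a dict; return None if it does not fit."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:          # facility would exceed 23: not a valid PRI
        return None
    return {
        "facility": FACILITY_NAMES.get(pri // 8, "facility%d" % (pri // 8)),
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def inventory(lines):
    """Count (host, facility) pairs so you can see which sources really log."""
    counts, unparsed = {}, 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
            continue
        key = (rec["host"], rec["facility"])
        counts[key] = counts.get(key, 0) + 1
    return counts, unparsed


GENESIS = "0" * 64


def chain_records(records):
    """Link records: entry i stores sha256(prev_hash + canonical JSON body).

    The last hash is the archive fingerprint; record it somewhere the archive
    itself cannot modify (a ticket, a printed receipt) for later validation."""
    prev, chain = GENESIS, []
    for rec in records:
        body = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        digest = hashlib.sha256((prev + body).encode("utf-8")).hexdigest()
        chain.append({"prev": prev, "body": body, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, expected_final=None):
    """Recompute every link. Returns (ok, index of first bad entry or None).

    A truncated chain shows up as a mismatch against expected_final."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        recomputed = hashlib.sha256((prev + entry["body"]).encode("utf-8")).hexdigest()
        if entry["prev"] != prev or recomputed != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if expected_final is not None and prev != expected_final:
        return False, len(chain)
    return True, None


SAMPLE_LINES = [  # constructed sample input
    "<34>Mar  6 14:02:11 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP DPT=23",
    "<86>Mar  6 14:02:12 srv1 sshd[2231]: Accepted publickey for alice from 10.0.0.7 port 51022",
    "<38>Mar  6 14:02:13 srv1 sshd[2231]: pam_unix(sshd:session): session opened for user alice",
    "<13>Mar  6 14:02:14 ws9 logger: test message from workstation",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    counts, bad = inventory(SAMPLE_LINES)
    for (host, fac), n in sorted(counts.items()):
        print("%-6s %-9s %d" % (host, fac, n))
    print("unparsed lines:", bad)
    chain = chain_records([r for r in map(parse_syslog, SAMPLE_LINES) if r])
    final = chain[-1]["hash"]
    print("archive fingerprint:", final)
    print("intact:", verify_chain(chain, final))
    chain[1]["body"] = chain[1]["body"].replace("alice", "mallory")  # simulate an edit
    print("after edit:", verify_chain(chain, final))
```

The inventory side answers "what is actually reaching the collector" (one unparsed line out of five here, which is exactly the kind of thing to chase during the proof of concept). The chain side gives you a reproducible validation step: any edited record, or any record removed from the end, changes a digest and is reported by index, which is what a reviewer asks for when the logs are offered as evidence.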
Finally, a few ways to fail:
  • Roll your own and don't carry it through, leading to failure.
  • Choose a product based primarily on price or an informal relationship.
  • Miss important functionality requirements.
If this sounds useful, their next presentation is their Log Management TLR webcast on March 19, 2008, at 2 PM EST.

Edit, 03/07: You can listen to the recording here.


Anton Chuvakin said...

Thanks for highlighting the webcast!

David said...

I'm glad to - events like these are useful for their ability to get some distilled knowledge out into the community. I've been exploring and using SIM and log management tools, and what you and the other speakers covered matched what I've learned the hard way.