Tuesday, April 23, 2013

How Advanced Log Management Can Trump SIEM: Tales of Woe and Glory

Together with Don Becker and Vlad Grigorescu, I presented at this year's EDUCAUSE/Internet2 Security Professionals (ESP) Conference in St. Louis, Missouri. ESP is an annual conference bringing together about 400 security professionals who work in the higher education space. I have spoken several times before, and I really enjoy the interaction with the audience. The comments and questions are almost always 100% relevant to my daily practice.

In this talk, I explored the thought that log management sometimes will trump SIEM. Obviously, SIEM is stronger from a conceptual perspective, but integration issues, implementation problems and the need for adoption by other technical units may often pose so many roadblocks that a full SIEM deployment is not possible, or even desirable.

A point that I tried to make was that log management is actually a prerequisite for SIEM. I cheated a little bit, and decided to include log generation in the log management process. If your systems do not generate logs that contain useful information, or if those logs are not readable by computers as well as by humans, you're at such a disadvantage that SIEM is simply impossible to do well.

Other than having a starting point in your logs, you'll also need to know what questions you want to ask. That is ridiculously hard. After all, if we knew what to look for ahead of time, being an information security defender would be a whole lot easier.
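To make the two points above concrete, here is a small added example (my illustration for this post, not something from the slides or from any particular product). The log lines are constructed, and the key=value format after the timestamp is an assumption about how a well-behaved system might log. One line is deliberately free text of the "Failed password for ..." kind: it is readable by a human but the parser cannot do anything with it, which is exactly the disadvantage I mean. Once the events are structured, a question such as "who logged in successfully after repeated failures from the same source" is a few lines of code.

```python
"""Added example (not from the original post): machine-readable logs make a
concrete question answerable. Sample log lines are constructed; the
'<timestamp> key=value ...' format is an assumption, not a product's format."""
import re
from collections import defaultdict

# Constructed sample. The sixth line is free text on purpose: it carries the
# same facts as the others but is not machine-readable in this scheme.
SAMPLE_LOGS = """\
2013-04-23T10:01:02Z event=auth_fail user=alice src=203.0.113.5 service=ssh
2013-04-23T10:01:05Z event=auth_fail user=alice src=203.0.113.5 service=ssh
2013-04-23T10:01:09Z event=auth_fail user=alice src=198.51.100.7 service=ssh
2013-04-23T10:01:10Z event=auth_fail user=alice src=198.51.100.7 service=ssh
2013-04-23T10:01:12Z event=auth_ok user=alice src=198.51.100.7 service=ssh
2013-04-23T10:01:40Z Failed password for invalid user dave from 203.0.113.9 port 5522 ssh2
2013-04-23T10:02:00Z event=auth_fail user=bob src=203.0.113.9 service=ssh
2013-04-23T10:02:30Z event=auth_ok user=carol src=192.0.2.44 service=vpn
"""

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict.
    Returns None for lines that do not fit, so unparseable input is counted
    rather than silently dropped."""
    parts = line.strip().split(' ', 1)
    if len(parts) != 2:
        return None
    ts, rest = parts
    fields = dict(KV_RE.findall(rest))
    if 'event' not in fields:          # free text, or a line with no event field
        return None
    fields['ts'] = ts
    return fields


def parse_logs(text):
    """Return (events, unparseable_count) for a block of log text."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            bad += 1
        else:
            events.append(ev)
    return events, bad


def failures_by_user_and_src(events):
    """Question 1: how many auth failures per user, broken down by source?"""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev.get('event') == 'auth_fail':
            counts[ev['user']][ev['src']] += 1
    return counts


def success_after_failures(events, min_failures=2):
    """Question 2: which (user, src) pairs logged in successfully after at
    least min_failures earlier failures from that same source?
    Events are taken in input order, which the sample keeps chronological."""
    fails = defaultdict(int)
    hits = []
    for ev in events:
        key = (ev.get('user'), ev.get('src'))
        if ev.get('event') == 'auth_fail':
            fails[key] += 1
        elif ev.get('event') == 'auth_ok' and fails[key] >= min_failures:
            hits.append(key)
    return hits


if __name__ == '__main__':
    evs, bad = parse_logs(SAMPLE_LOGS)
    print(f"{len(evs)} events parsed, {bad} line(s) unparseable")
    for user, srcs in failures_by_user_and_src(evs).items():
        print(user, dict(srcs))
    print("success after repeated failures:", success_after_failures(evs))
```

The unparseable counter is the part I would insist on in practice: a parser that quietly drops the lines it does not understand hides precisely the gap in log generation that the talk is about.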

Unfortunately, the presentation was not recorded. However, the slides are available at the EDUCAUSE web site. Head over to the EDUCAUSE Conference Web Site and please let me know what you think.
