Digital Edition

SYS-CON.TV
Why Rule-Based Log Correlation Is Almost a Good Idea...
Part 1 - Introduction

Rule-based log correlation is almost a good idea.

It sounds like a good idea, it appears to be a good idea and many people will tell you it's a good idea, but in fact it is not.

Rule-based log correlation is very complex, limited in use and applicability, and boasts a terrible ROI.

It will give you a false sense of security, which is a bad thing.

We'll look at the reasons why this is not a good idea, and some ways to augment the use of logs to improve your security through pragmatic Risk Management.

History of Logs
What is rule-based log correlation and how did it come about?

Rule-based log correlation is based on the premise that by managing all the logs in your IT infrastructure, you will gain insight into everything that is happening in your environment.

That's a true statement.

What you do with this visibility depends on your ability to use this data and information.

Historically, logs were used for troubleshooting "complex" applications that would often break. Logs started as a troubleshooting mechanism for sendmail. When sendmail was conceived, we didn't master software engineering techniques like we do today, so its code was terribly complex, involved many subsystems working together, the application was difficult to parameter and would misbehave silently.

Logs saved the day. Thanks to logs we knew exactly what was happening under the covers of the application, what worked, what broke where, and we could infer ways to make it work.

Managing Syslog Logs Means Several Things
Although syslog started to emerge as a log "standard," the use of logs was reserved for the brave few, and managing logs was a true endeavor.

Managing logs means generating, collecting, centralizing, storing and using logs.

Syslog was a set of standards used to:

  1. Define the daemon invoked by operating systems to generate logs
  2. Describe the standard format for these little pieces of information
  3. Specify the protocol used to send these logs across an IT infrastructure

The full "syslog" set was complex and confusing, and logs were only used by highly specialized IT people, and only used for some specific troubleshooting tasks, and only when all else failed.

A rather narrow use case with limited scope - in fact non-IT people never heard of logs.

Fast forward a few years, about a decade ago.

Some people started to realize that the visibility obtained through logs could be leveraged for other use cases, for example security.

Lots of work was put into "real-time incident management", and logs were finally given the status that they deserved, a critical aspect of IT metadata - data about data.

Next we'll see why rule-based log correlation - based on modeling attack scenarios - is an outdated approach.

About Gorka Sadowski
Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.



ADS BY GOOGLE
Subscribe to the World's Most Powerful Newsletters

ADS BY GOOGLE

ChatOps is an emerging topic that has led to the wide availability of integrations between group cha...
You know you need the cloud, but you’re hesitant to simply dump everything at Amazon since you know ...
Is advanced scheduling in Kubernetes achievable?Yes, however, how do you properly accommodate every ...
As Marc Andreessen says software is eating the world. Everything is rapidly moving toward being soft...
The cloud era has reached the stage where it is no longer a question of whether a company should mig...
The need for greater agility and scalability necessitated the digital transformation in the form of ...
In his keynote at 18th Cloud Expo, Andrew Keys, Co-Founder of ConsenSys Enterprise, provided an over...
As DevOps methodologies expand their reach across the enterprise, organizations face the daunting ch...
Coca-Cola’s Google powered digital signage system lays the groundwork for a more valuable connection...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and ...
While some developers care passionately about how data centers and clouds are architected, for most,...
"Since we launched LinuxONE we learned a lot from our customers. More than anything what they respon...
DevOps is under attack because developers don’t want to mess with infrastructure. They will happily ...
"As we've gone out into the public cloud we've seen that over time we may have lost a few things - w...
In his session at 21st Cloud Expo, Michael Burley, a Senior Business Development Executive in IT Ser...
Sanjeev Sharma Joins June 5-7, 2018 @DevOpsSummit at @Cloud Expo New York Faculty. Sanjeev Sharma is...
We are given a desktop platform with Java 8 or Java 9 installed and seek to find a way to deploy hig...
"I focus on what we are calling CAST Highlight, which is our SaaS application portfolio analysis too...
"Cloud4U builds software services that help people build DevOps platforms for cloud-based software a...
The question before companies today is not whether to become intelligent, it’s a question of how and...