Most Read This Week
From the Blogosphere
Why Rule-Based Log Correlation Is Almost a Good Idea...
Part 1 - Introduction
By: Gorka Sadowski
Dec. 9, 2011 10:15 AM
Rule-based log correlation is almost a good idea.
It sounds like a good idea, it appears to be a good idea and many people will tell you it's a good idea, but in fact it is not.
Rule-based log correlation is very complex, limited in use and applicability, and boasts a terrible ROI.
It will give you a false sense of security, which is a bad thing.
We'll look at the reasons why this is not a good idea, and some ways to augment the use of logs to improve your security through pragmatic Risk Management.
History of Logs
Rule-based log correlation is based on the premise that by managing all the logs in your IT infrastructure, you will gain insight into everything that is happening in your environment.
That's a true statement.
What you do with this visibility depends on your ability to use this data and information.
Historically, logs were used for troubleshooting "complex" applications that would often break. Logs started as a troubleshooting mechanism for sendmail. When sendmail was conceived, we didn't master software engineering techniques like we do today, so its code was terribly complex, involved many subsystems working together, the application was difficult to parameter and would misbehave silently.
Logs saved the day. Thanks to logs we knew exactly what was happening under the covers of the application, what worked, what broke where, and we could infer ways to make it work.
Managing Syslog Logs Means Several Things
Managing logs means generating, collecting, centralizing, storing and using logs.
Syslog was a set of standards used to:
The full "syslog" set was complex and confusing, and logs were only used by highly specialized IT people, and only used for some specific troubleshooting tasks, and only when all else failed.
A rather narrow use case with limited scope - in fact non-IT people never heard of logs.
Fast forward a few years, about a decade ago.
Some people started to realize that the visibility obtained through logs could be leveraged for other use cases, for example security.
Lots of work was put into "real-time incident management", and logs were finally given the status that they deserved, a critical aspect of IT metadata - data about data.
Next we'll see why rule-based log correlation - based on modeling attack scenarios - is an outdated approach.
Subscribe to the World's Most Powerful Newsletters
Today's Top Reads