Ninth Log Management Survey Report

A SANS Survey
Written by Jerry Shenk
Advisor: Barbara Filkins
October 2014
Sponsored by
VMware
©2014 SANS™ Institute
Executive Summary
With more reports of complex, blended threats succeeding in breaches and data exfiltration, logs are as important as ever to organizations. Most organizations today are collecting logs, and many of them are sending those logs to a security information and event management (SIEM) system for analysis, according to the 2014 SANS Log Management Survey, which was recently taken by 522 respondents. Although we recognize that the SANS audience may be more prone to taking key steps to enhance their security, it is noteworthy that 97% of respondents indicated that they collected logs, and 42% are sending logs to a SIEM system. An additional 29% collect and consolidate logs into one or more log servers.

When SANS began these surveys in 2005, just collecting the logs was a problem. And, with more people collecting logs and more logs being processed from more systems, past SANS Log Management Surveys indicated that organizations found it difficult to detect blended, advanced threats. Organizations are still having trouble using logs for this purpose, with 46% stating this was their most difficult outcome to achieve with their current capabilities. The reason? Respondents complain of difficulties related to correlation of logs from multiple sources and the inability to distinguish between normal and malicious traffic.

The largest group of respondents (28%) reported that analysis of “big data” was the most challenging, while 22% cited correlation of logs from disparate sources, and 14% pointed to normalization and categorization of logs and security information as the most difficult aspects of log management. Organizations need to know their own networks to identify suspicious behaviors. This requires careful construction of a variety of searches to both instruct on network normalcy and detect abnormalities.

New trends in computing are also affecting log management capabilities, particularly the cloud. Survey responses indicate confusion over where to turn for log management and reporting against cloud-based usage, with 28% of respondents saying they rely on their cloud provider to be secure, another 19% adjusting their internal controls to track cloud operations, and 25% using cloud-based tools or services to monitor their logs.

Highlights of the 9th Log Management Survey
• Log collection is common practice: 97% of respondents collect logs.
• Drivers for collecting logs: 85% to detect and track suspicious behavior, 67% to support routine operations, 62% for forensics analysis. (Respondents were allowed to check all that apply.)
• Visibility is still a challenge: 35% cite correlation of logs from multiple sources, and 27% cite inability to distinguish between normal and suspicious traffic as a top challenge.
• Time spent on logs: 22% spend 1–4 hours a week; another 22% spend more than one day a week examining logs.
• Categorization would help: 14% cite normalization and categorization of logs and security information as key challenges.
• Virtualization is no problem: 69% are logging activities in their virtual apps.
• Cloud causes log management headaches: 22% are using log management for cloud systems.
• Automation and integration are helping: 86% of organizations describe log management integration as partial or full.
SANS ANALYST PROGRAM
Despite these challenges, organizations have made a great deal of progress in
automating log management and analysis over the nine years SANS has conducted this
survey. In the current survey, 46% say they have achieved partial automation of both the
log management and analysis process; 30% have achieved complete automation of log
management, but not analysis; and 11% have completed automation of both functions.
Using the results of the 2014 Log Management Survey, this paper identifies strengths
and weaknesses in log management systems and practices, and provides advice for
improving visibility across systems with proper log collection, normalization and analysis.
Survey Demographics
The survey was taken by representatives of a variety of organizational types and sizes,
as well as by many types of IT professionals, indicating that logs are important across
industries and no specific job role is set aside for managing and reviewing logs.
All Types
Government (which employs many people) was represented by 19% of the sample, with 16% of respondents from financial services and 15% from high tech/IT services. Health care/pharmaceuticals and education were also strongly represented in this survey, as shown in Figure 1.
Figure 1. Industries Representation (What is your company’s primary industry? Industries listed: Government; Financial; High tech/IT services; Health care/Pharmaceutical; Other; Education; Energy/Utilities; Insurance; Retail; Telecommunications carrier/Service provider; ISP/Hosting/Service provider; Manufacturing; Engineering/Construction; Legal; Religious/Nonprofit.)
This vertical breakdown is relatively standard for the overall SANS membership and
indicates how important logs are across industry types.
All Sizes
Participants’ organizations are evenly distributed between very large (50,000 or more
employees), medium (2,000-4,999 employees) and small (100-499 employees) entities, as
shown in Figure 2.
Figure 2. Organizational Size (How large is your organization? Size bands: Fewer than 100 employees; 100 to 499; 500 to 999; 1,000 to 1,999; 2,000 to 4,999; 5,000 to 9,999; 10,000 to 24,999; 25,000 to 49,999; 50,000 or more.)
Many Roles
The survey responses also show that many different roles are involved in log
management. By far, the largest role represented in the survey was security
administration/security analysts (41%). Security management roles—security manager/
security director/chief security officer (CSO)/chief information security officer (CISO)—
accounted for 18% of respondents (see Figure 3).
Figure 3. Respondent Roles (What is your primary role in the organization, whether as staff or consultant? Roles listed: Security administration/Security analyst (41%); Security manager/Security director/CSO/CISO; IT manager/IT director/CIO; Network operations/System administration; Incident responder/Forensics professional; Network or system engineering; Compliance officer/Auditor; Developer; Other.)
Many of the “Other” titles fell under project management/architecture and engineering
roles. This indicates that logs—and the value they provide—are important to
administrators, managers and developers across all types of organizations.
Log Collection Practices and Challenges
In the current survey, 97% of respondent organizations collect logs, showing ongoing
gains in log management from our 2011 survey,1 in which 87% collected logs, and our
2012 survey,2 in which 89% collected logs. Top reasons for collecting logs have not
changed much since our past two surveys.
In this year’s survey (illustrated in Figure 4) and in the 2012 survey, the top reasons for
collecting logs, in order, are to:
• Detect/track suspicious behavior (85%)
• Support IT/network routine maintenance (65%)
• Support forensic analysis (62%)
• Troubleshoot (59%)
Figure 4. Reasons for Collecting Logs (Why does your organization collect logs? Select all that apply. Options: Detect/Track suspicious behavior (e.g., unauthorized access, insider abuse); Support IT/Network routine maintenance and operations; Support forensic analysis; Troubleshooting; Detect advanced persistent threat (APT)-style malware; Meet/Prove compliance with regulatory requirements; Prevent incidents; Monitor and track application and system operational performance; Monitor service levels/Lines of business application performance; Manage/Reduce costs for IT and security; Support internal business processes (e.g., reporting, chargeback); Understand and derive information about customer behavior; Other.)
In the 2012 survey, detecting and tracking suspicious behavior was selected by 82% of
respondents, supporting forensic analysis by 65%, and preventing incidents by 58% as
the most important uses for their logs. Although preventing incidents was 6 percentage
points away from making the top reasons for logging in 2014, 53% of respondents
still believe it is a key reason for collecting logs. In both surveys, meeting or providing
regulatory compliance fell in the middle, with 53% choosing the option in 2014 and 55%
choosing it in 2012.
1. www.sans.org/reading-room/whitepapers/analyst/seventh-annual-log-management-survey-report-34995
2. www.sans.org/reading-room/whitepapers/analyst/eighth-annual-2012-log-event-management-survey-results-sorting-noise-35230
Although organizations are clearly seeing value in logs for security and compliance,
they don’t seem to be using logs for business purposes and efficiencies yet. As in our
2012 survey, this year’s respondents are underutilizing their logs for the purposes of
understanding and deriving information about customer behavior, supporting internal
business processes, and managing/reducing IT and security costs.
Log Management Challenges
This year we added a follow-up question about the difficulty of using logs: whether
organizations actually succeed in using logs for their desired purposes. In other words,
if an organization stated that detecting and tracking suspicious behavior was one of
its reasons for collecting logs, how easy was it for the organization to perform that
function?
Organizations are having the most difficulty using their logs for the top reasons they
collect logs, particularly in detecting APT-style malware, preventing incidents and
tracking suspicious behavior, which are the top three selections rated as “most difficult,”
as shown in Figure 5.
Figure 5. Level of Difficulty in Achieving Log Objectives (How difficult is it for you to utilize the log data you collect for the following reasons? Rate each reason that applies to your organization. Choose only those that apply. Each reason rated Easy, Moderate or Difficult. Reasons listed: Detect/Track suspicious behavior (e.g., unauthorized access, insider abuse); Detect APT-style malware; Prevent incidents; Support forensic analysis; Support IT/Network routine maintenance and operations; Troubleshooting; Meet/Prove compliance with regulatory requirements; Monitor and track application and system operational performance; Monitor service levels/Line of business application performance; Manage/Reduce costs for IT and security; Understand and derive information about customer behavior; Support internal business processes (e.g., reporting, chargeback).)
Recall the top four reasons for collecting logs: to detect/track suspicious behavior,
support forensic analysis, support IT/network routine maintenance and operations, and
troubleshooting. These top four reasons for collecting logs fit into two larger categories:
forensic analysis, which includes detecting and tracking suspicious behavior and the closely
related reason, supporting forensic analysis; and maintenance and operations, which
includes supporting IT/network routine maintenance and operations and troubleshooting.
Difficulties in Forensic Analysis
So, how well did current log management procedures meet those needs? Out of the 85%
for whom detection and tracking of suspicious behavior was a stated need, 50% stated
that it was moderately difficult and 30% stated that it was difficult. Those who selected
support forensic analysis had similar levels of difficulty: 53% moderate and 21% difficult.
TOP CHALLENGES: Analysis of big data, correlation of data from disparate sources, and normalization and categorization of log and security information

Why are they having difficulty detecting and tracking suspicious behavior or supporting forensic analysis? Overall, the most challenging issue, cited by 28% of respondents, is analysis of big data, which we defined as large volumes and types of log and event information for processing. The second and third challenges are related to their top challenge and include correlation of data from disparate sources, which was ranked most challenging by 22% of respondents; and normalization and categorization of log and security information, which was ranked as most challenging by 14% of respondents (see Figure 6).

Figure 6. Most and Least Challenging Aspects of Log and Event Management (What do you consider overall both the most challenging and the least challenging aspects of log and event management? Each aspect rated Most Challenging or Least Challenging. Aspects listed: Analysis of “big data” (large volumes and types of log and event information for processing); Correlation of logs from disparate sources; Normalizing and categorizing log and security information; Completeness of logs and security information for forensics; Searching; Managing log and event data, including maintaining chain of custody; Reporting; Storing/Archiving; Retention of logs and security data; Collecting logs and security information.)
For anyone who has worked with logs for any length of time, these top problems come as no surprise. The Achilles’ heel of any log analyzer is the fact that vendors log similar events differently. Correlation and normalization have always been difficult. Often, even different versions of devices or software from the same company report the same event differently. This makes it difficult for an operator to compare the event log from one device (or piece of software) with the event log from another device. Without correlation and normalization, an operator must manually recognize that a login failure on one Windows domain is similar to a login failure on a wireless access point. Once normalization has been done, events can be correlated to identify suspicious behavior. For example, if many failed login attempts occur on many endpoints (workstations, servers or websites) for a single domain account in a short period of time, correlation can tie together these seemingly disparate events based on policies used to detect them.

The term correlation refers to linking separate events together to identify an incident. Normalization addresses the fact that different devices report the same event in different ways, rendering those reports in one common form; it is generally a process performed by log analysis software or a SIEM.

When we combine this answer set with respondents’ answers for why they collect data, we get more detail. For those who need to detect/track suspicious behavior, 52% stated that correlation of logs and event data coming from multiple types of devices was their top problem. Similarly, of those who chose supporting forensic analysis as their top need, 54% cited correlation of results from multiple types of devices.
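To make the normalization and correlation just described concrete, here is an added example (not code from the report, from any respondent, or from any SIEM vendor). It folds a Windows logon-failure event and a wireless LAN controller’s RADIUS failure onto one shared schema, then raises an alert when a single domain account fails on several different endpoints within a short window, which is the failed-login pattern the paragraph above describes. The two log line formats, the field names account/endpoint/source, the assumed default domain “corp” for bare user names, and the thresholds (5 failures across at least 3 endpoints within 5 minutes) are all assumptions of this example, and the sample lines are constructed.

```python
"""Normalize logon failures from two unrelated sources, then correlate them
per account. Added example; the log formats, field names and thresholds are
assumptions of this example, and the sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

DEFAULT_DOMAIN = "corp"  # assumed domain for bare user names from the WLAN

# Constructed formats: a Windows Security event 4625 flattened to one line,
# and a wireless LAN controller's syslog-style RADIUS failure.
WIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=4625 "
    r"TargetUserName=(?P<user>\S+) TargetDomainName=(?P<domain>\S+)"
)
WLAN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) .*?RADIUS auth failed for user=(?P<user>\S+)"
)


def canonical_account(raw):
    """Fold DOMAIN\\user, user@domain.tld and bare user onto domain\\user."""
    if "@" in raw:
        name, domain = raw.split("@", 1)
        raw = f"{domain.split('.', 1)[0]}\\{name}"
    elif "\\" not in raw:
        raw = f"{DEFAULT_DOMAIN}\\{raw}"
    return raw.lower()


def parse_windows(line):
    m = WIN_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "account": canonical_account(f"{m['domain']}\\{m['user']}"),
            "endpoint": m["host"].lower(), "source": "windows"}


def parse_wlan(line):
    m = WLAN_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]),
            "account": canonical_account(m["user"]),
            "endpoint": m["host"].lower(), "source": "wlan"}


def normalize(lines):
    """Run each line through the source adapters; unknown lines are dropped."""
    events = []
    for line in lines:
        for parser in (parse_windows, parse_wlan):
            ev = parser(line)
            if ev:
                events.append(ev)
                break
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=5),
              min_failures=5, min_endpoints=3):
    """Per-account sliding window: alert when an account accumulates
    min_failures failures over at least min_endpoints distinct endpoints
    inside `window`. The distinct-endpoint requirement is what separates a
    spray or lateral-movement attempt from one user mistyping a password."""
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in by_account.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hits = evs[start:end + 1]
            endpoints = {e["endpoint"] for e in hits}
            if len(hits) >= min_failures and len(endpoints) >= min_endpoints:
                alerts.append({
                    "account": account,
                    "first_ts": hits[0]["ts"], "last_ts": hits[-1]["ts"],
                    "failures": len(hits),
                    "endpoints": sorted(endpoints),
                    "sources": {e["source"] for e in hits},
                })
                break  # one alert per account is enough for this example
    return alerts


def detect_spray(lines):
    return correlate(normalize(lines))


# Constructed sample: jsmith fails on five different endpoints (four Windows
# hosts and the wireless controller) inside three minutes; bjones fails twice
# on one workstation, which should not alert.
SAMPLE_LINES = [
    "2014-09-12T08:00:05 ws-101 EventID=4625 TargetUserName=jsmith TargetDomainName=CORP",
    "2014-09-12T08:00:40 ws-102 EventID=4625 TargetUserName=jsmith TargetDomainName=CORP",
    "2014-09-12T08:01:10 wlc-1 <info> RADIUS auth failed for user=CORP\\jsmith ap=ap-7",
    "2014-09-12T08:01:55 srv-db1 EventID=4625 TargetUserName=jsmith TargetDomainName=CORP",
    "2014-09-12T08:02:30 wlc-1 <info> RADIUS auth failed for user=jsmith@corp.example ap=ap-2",
    "2014-09-12T08:03:00 ws-103 EventID=4625 TargetUserName=jsmith TargetDomainName=CORP",
    "2014-09-12T09:15:00 ws-104 EventID=4625 TargetUserName=bjones TargetDomainName=CORP",
    "2014-09-12T09:15:30 ws-104 EventID=4625 TargetUserName=bjones TargetDomainName=CORP",
]

if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_LINES):
        print(alert)
```

The adapter per source is the normalization step; the single sliding window over the merged, time-ordered stream is the correlation step, and it only works because both adapters agree on how an account is spelled. In practice the thresholds need tuning against the organization’s own baseline, and a service account with a stale password on many hosts will trip this rule until it is excluded or fixed.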
Difficulties in Maintenance and Operations
The second most common reason for collecting logs is to support IT/network routine maintenance and operations, selected by 65% of respondents, and the fourth most common reason was for troubleshooting (59%). Of the respondents who chose support IT/network routine maintenance and operations as a reason for collecting logs, 39% ranked that as easy, 48% as moderately difficult and 13% as difficult. Using the same criteria, troubleshooting was rated as being easy by 37%, moderately difficult by 55% and difficult by 8%. In this group the top two challenges were the inability to sort and identify key events from normal background activity and correlation of log and event data coming from multiple types of devices.

TOP CHALLENGES: Inability to sort and distinguish key events from normal activity, and correlation of log and event data from disparate sources

This points to a lack of visibility that log and event management, particularly if run through a management system such as a SIEM, is supposed to help solve. Once again, the different ways that devices’ log events are expressed (need for normalization) and processed together (need for correlation) are key stumbling blocks for organizations in using their log management and SIEM systems as more data is collected across the enterprise.
Areas of Concern
TAKEAWAY: Focus on ways to distinguish normal and malicious activities, as well as on improving the integration of all log-gathering devices.

There are two primary reasons for problems with detection and tracking of suspicious behavior as well as tracking and dealing with nonsecurity IT-related issues. One issue is that the log management software or a SIEM doesn’t process the events correctly. That could be due either to a fault in the software or to complications introduced by changes in the way logs are created by the varied devices supported by an organization. The second problem could be that the organization expects the software to automatically do everything for it. All log management software and SIEM systems need some kind of setup, and they need to be maintained as systems, software and the attacks launched against them change.
Managing Log Data
Additional issues surrounding log data include the sources from which the data is
gathered, the amount of data logged each day, how much time organizations spend
managing their logs and how long organizations should retain log data.
Log Sources Are Everywhere
In the past, log data was primarily collected from firewalls and servers. More recently,
the list of devices from which organizations are collecting logs includes just about
everything, including security devices (85%), network devices (85%) and servers
(Windows at 84% and UNIX-type servers at 66%). Virtual environments (virtual servers,
networks, hypervisors, platforms) are being logged by 69% of organizations, as shown in
Figure 7.
Figure 7. Sources of Log Data (Sources listed: Security devices (firewalls/IDS/IPS/antivirus); Network devices (switches, routers); Windows servers; Virtual environments (virtual servers, networks, hypervisors, platforms); UNIX-type servers (Linux, SCO, Sun, etc.); Web applications; Line of business applications (homegrown, custom, database systems, commercial off-the-shelf); Desktops/Laptops; Building access systems; Mainframes; Cloud-based services and/or applications; Mobile devices (smartphones, tablets); Outsourced services and/or applications; Physical plant systems (e.g., HVAC, SCADA systems); Other.)
In our 2012 survey, physical plant systems, which include HVAC and SCADA systems,
were monitored by 9% of respondents; in 2014, 12% gathered logs from such systems.
In 2012, 8% collected logs from cloud-based and outsourced services. In 2014, 12%
collected logs on outsourced services and 22% collected logs from cloud-based systems.
Open-ended responses in the 2014 survey answers under the “Other” option include UPS
and phone systems, indicating the addition of even more sources of log data that need
to be normalized and correlated for visibility and response.
Together, these sources of log data generate large amounts of data to be analyzed. As
illustrated in Figure 8, the largest portion of respondents (30%) collect less than 50GB of
data per day, while 8% gather 1TB or more of data.
TAKEAWAY: Organizations must be able to scale their log management technologies to their current and future needs.

Figure 8. Log Data Generated (How much data do you log per day? Bands: Less than 50GB; 51 to 100GB; 101 to 500GB; 501GB to 1TB; 1 to 5TB; Over 5TB; Unknown.)
As the collection sources and data types continue to grow, so too must the ability to
manage and analyze larger amounts of log data. Organizations must consider the ability
to scale their log management methodologies to the future growth of traditional and
nontraditional devices.
Time Spent on Logs
With growing numbers of data sources and a larger body of log data being generated,
the amount of time organizations devote to analyzing logs becomes more important.
The answer to the question of how long log management takes is, of course: “It
depends.” Overall, the most selected time frame was one to four hours per week (22%),
with more than a day per week coming in a few tenths of a percentage point lower, but
statistically tied at 22% (see Figure 9).
Figure 9. Time Devoted to Analyzing Logs (How much time does your organization normally commit to analyzing logs each month? Options: Unknown; Less than 1 hour per week; 1–4 hours per week; 4–8 hours per week; One day per week; More than a day per week; We outsource analysis and just review the summary of those results; Other.)
The size of the organization does matter slightly. For large organizations, that is, those with 50,000 or more employees, the largest group of respondents (35%) stated that they spent more than one day per week on log analysis. The largest group of moderate-sized companies (2,000 to 4,999 employees) also spend more than a day a week (25%). In small organizations, 33% reported that they spent between one and four hours a week on log analysis.
Log Data Retention
The reasons for storing logs and the length of time for which logs are stored vary based
on the type of organization and its regulatory requirements. The largest portion of
respondents (40%) maintain logs for 90 days to one year, 34% maintain logs for one to
seven years, 29% maintain data for 30 to 90 days, 11% maintain log data for less than
30 days, and another 11% let it default to the standards for the application, operating
system or utility that is doing the logging.
In 2012, results were somewhat different. The largest percentage of respondents (39%)
kept logs for one to seven years, while 35% kept logs for 90 days to one year, 19% for 30
to 90 days, 9% kept for less than 30 days, and 9% retained logs to defaults.
Reasons for log retention periods, illustrated in Figure 10, include investigations/
forensics (selected by a total of 68% of respondents), regulatory compliance (64%) and
legal/company policies (60%).
Figure 10. Reasons for Log Retention Time Frames (What are the top three reasons that influence the retention period for your logs? Each reason ranked First, Second or Third. Options: Regulatory compliance; Legal (company policy); Investigations/Forensics; Historical/Trending analysis; General company practice.)
Since we first started asking about log retention in these surveys, regulatory compliance
has been one of the main drivers for determining log data retention policy. This year,
we provided an open-ended comment option on this question. One thing we hadn’t
anticipated was the number of comments about cost and availability of storage space
being the driving factor for log retention for a few respondents. The “logging price” of
storing the large amounts of data is, indeed, an important consideration.
Real-World Search Criteria
This year’s survey threw in a wild-card question about respondents’ most common
search strings when they go through logs. The most common responses were:
• Searching for login/logout data, failed logins, password failures and related queries
• Searching for traffic to and from computers that had been involved in malware,
botnets and other suspicious activity to determine when a compromise started,
what IP addresses (internal and external) were related and how much data was
transferred
• Tracking VPN users and the times, locations and frequency of connections
• DNS requests
Some respondents gave examples of specific ways they use log data to look for advanced persistent threat (APT)-type attacks. One looks for “unusual traffic in a very large amount of data (APT).” This matches a recommendation we made in our 2010 survey,3 and one that others have recommended as well.

Being able to detect unusual traffic is a good reason why log managers need to know their data and what is normal in their network. A methodical approach to knowing your data could be called baselining known behaviors and uses of technology to detect abnormalities, which has been promoted by Anton Chuvakin4 for years. To look for unusual traffic, the respondent has to take the time to know what normal data transfers are for his or her organization, which allows the organization to recognize transfers that are outside of what is normal for it.
Another instructive example of log searches is a respondent who tracks VPN connections
and the associated user accounts and IP addresses and then alerts if a user connects from
different locations. This type of information can give visibility into an account that has
been compromised. This same type of monitoring could also apply to webmail access and
any other type of external connections to Internet-accessible company resources.
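The baselining approach and the VPN location alerting described above, as an added example that is not part of the original report or any respondent’s tooling: it learns each user’s usual VPN source locations from a history window, then alerts on a login from a location outside that user’s baseline and on two different locations for the same user within an hour. The VPN log line format, the per-/24 IP-to-location table that stands in for a GeoIP lookup, the one-hour travel window, and the sample lines are all constructed assumptions of this example, as is the date that splits history from the period being evaluated.

```python
"""Baseline each user's VPN source locations, then alert on departures.
Added example; the log format, the location table and the thresholds are
assumptions of this example, and the sample lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN concentrator line; only successful logins are considered.
VPN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<gw>\S+) VPN-LOGIN user=(?P<user>\S+) "
    r"src=(?P<ip>[\d.]+) result=success$"
)

# Assumed /24-to-location table standing in for a GeoIP database or the
# concentrator's own geo field; documentation ranges only.
GEO_BY_PREFIX = {
    "198.51.100": "US/Philadelphia",
    "203.0.113": "US/Philadelphia",
    "192.0.2": "DE/Frankfurt",
    "100.64.1": "BR/Sao Paulo",
}


def locate(ip):
    return GEO_BY_PREFIX.get(ip.rsplit(".", 1)[0], "unknown")


def parse_vpn(line):
    m = VPN_RE.match(line)
    if not m:
        return None  # failures and unrelated lines are out of scope here
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"].lower(),
            "ip": m["ip"], "location": locate(m["ip"])}


def build_baseline(history):
    """Map each user to the set of locations seen in the history window."""
    baseline = defaultdict(set)
    for ev in history:
        baseline[ev["user"]].add(ev["location"])
    return baseline


def evaluate(events, baseline, travel_window=timedelta(hours=1)):
    """Two checks per login: (1) location not in the user's baseline;
    (2) a different location than the user's previous login, within
    travel_window. Both can fire on the same event."""
    alerts = []
    last_seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, loc = ev["user"], ev["location"]
        if loc not in baseline.get(user, set()):
            alerts.append({"kind": "new_location", "user": user,
                           "ts": ev["ts"], "location": loc, "ip": ev["ip"]})
        prev = last_seen.get(user)
        if (prev and prev["location"] != loc
                and ev["ts"] - prev["ts"] <= travel_window):
            alerts.append({"kind": "multi_location", "user": user,
                           "ts": ev["ts"],
                           "locations": (prev["location"], loc),
                           "ips": (prev["ip"], ev["ip"])})
        last_seen[user] = ev
    return alerts


def detect_vpn_anomalies(lines, baseline_until):
    """Lines before baseline_until train the baseline; the rest are scored."""
    events = [ev for ev in map(parse_vpn, lines) if ev]
    history = [e for e in events if e["ts"] < baseline_until]
    recent = [e for e in events if e["ts"] >= baseline_until]
    return evaluate(recent, build_baseline(history))


# Constructed sample. jsmith always connects from Philadelphia; bjones
# connects from Philadelphia and Frankfurt. In the evaluated week jsmith
# appears from Sao Paulo half an hour after a Philadelphia login.
SAMPLE_LINES = [
    "2014-09-01T07:58:12 vpn-gw1 VPN-LOGIN user=jsmith src=198.51.100.23 result=success",
    "2014-09-02T08:03:40 vpn-gw1 VPN-LOGIN user=jsmith src=198.51.100.31 result=success",
    "2014-09-03T08:01:09 vpn-gw1 VPN-LOGIN user=jsmith src=198.51.100.23 result=success",
    "2014-09-01T09:12:00 vpn-gw1 VPN-LOGIN user=bjones src=203.0.113.5 result=success",
    "2014-09-04T22:45:10 vpn-gw2 VPN-LOGIN user=bjones src=192.0.2.77 result=success",
    "2014-09-04T22:46:00 vpn-gw2 VPN-LOGIN user=bjones src=192.0.2.77 result=failure",
    "2014-09-08T08:00:30 vpn-gw1 VPN-LOGIN user=jsmith src=198.51.100.40 result=success",
    "2014-09-08T08:31:15 vpn-gw2 VPN-LOGIN user=jsmith src=100.64.1.9 result=success",
    "2014-09-08T10:02:00 vpn-gw2 VPN-LOGIN user=bjones src=192.0.2.80 result=success",
]
BASELINE_UNTIL = datetime(2014, 9, 8)  # assumed split between history and scoring

if __name__ == "__main__":
    for alert in detect_vpn_anomalies(SAMPLE_LINES, BASELINE_UNTIL):
        print(alert)
```

The baseline is the “know your data” step: it is learned from the organization’s own history rather than from a vendor default, so bjones’s Frankfurt logins are normal for that account and stay quiet, while the same location would alert for jsmith. The same structure applies to webmail and any other Internet-facing login, as the paragraph above notes; the baseline should be rebuilt periodically so that a user who legitimately relocates stops alerting.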
There were many more interesting suggestions that highlighted the need to understand
your own network and then to build automated alerting into log management and
SIEM tools.
3. www.sans.org/reading-room/whitepapers/analyst/sixth-annual-log-management-survey-report-34880
4. www.slideshare.net/anton_chuvakin/baselining-logs
SANS Ninth Log Management Survey Report
Applications Hosted in the Cloud
In this year’s survey, 40% of respondents say they have no need to monitor apps in the
cloud. Either those respondents don’t have any applications hosted in the cloud or they
don’t see a need to monitor the logs in those applications. Another 19% responded
that 1 to 3% of their applications needing monitoring were hosted in the cloud, 11%
estimated 3 to 5%, and 14% said 6 to 10% (see Figure 11).
Figure 11. Monitoring of Cloud-Based Applications (What percent of your applications that need monitoring are hosted in third-party cloud providers? Bands: 0%; 1–3%; 3–5%; 6–10%; 11–25%; 26–50%; More than 50%.)
The other reason they may not be monitoring their cloud apps is because respondents
believe their hosting provider is doing it for them. In this year’s survey, 28% said they rely
on their cloud operator for security of their apps and data in the cloud, as illustrated in
Figure 12.
Figure 12. Methods of Monitoring Logs for Cloud-Based Applications (What are you doing to monitor logs for cloud-based computing applications? Options: Relying on our cloud operator to be secure for us; Adjusting internal log management controls to track cloud operations; Using cloud-provided monitoring tools; Using cloud-provided monitoring services; Other.)
SANS feels strongly that relying on the service provider for security of cloud apps is the wrong answer. With some of the recent breaches of cloud providers and other “trusted” companies, it’s good to remember that, as Graham Cluley says in the title of his Dec. 3, 2013, blog post,5 “Don’t call it ‘the cloud.’ Call it ‘someone else’s computer.’” Perhaps “someone else’s computer” is more secure than yours, but don’t just assume it is being protected correctly.

TAKEAWAY: Discover what your cloud provider will do to assist in log management and analysis. Then, plan for how you can monitor the logs effectively. Don’t ignore the cloud!

Those who are attempting to monitor their cloud apps are doing so primarily through their own log management systems, followed by using cloud-provider tools and services. The “Other” response was chosen by 27% of respondents. Closer examination of those responses indicates that many do not have cloud-based applications, while others are struggling with what to do and how to do it. Some of the comments indicate that some cloud services don’t give much in the way of logs. One comment in particular reflects this: “Our largest cloud operator does not permit access to logs.” Another respondent explains: “I have two [cloud providers]; one sends [its] logs, the other I have to trust.” Many organizations are still in a similar stage of maturity—and have been during the years SANS has been doing this survey.
Cloud computing—and the means to log activities within the cloud—will be interesting
to watch over the next few years.
5. http://grahamcluley.com/2013/12/cloud-privacy-computer
SANS Ninth Log Management Survey Report
Automation: The Key to Success
It seems that every year, automation of log analysis becomes more important. Over time,
the term SIEM has become widely used to claim some form of automated processing
and/or alerting about suspicious events. In this year’s survey, 42% of respondents stated
that they use a SIEM, and 52% do some type of automated analysis of log data. Another
29% consolidate logs into one or more log servers; undoubtedly some of these log
servers also do some automated reporting and log analytics.
Move Beyond SIEM Searches
Given the current amount of log data, automation is the key to managing it. One of the key
tenets of the Critical Security Controls is automation.6 Log management has come a long
way toward automation, according to this year’s survey. In it, 46% have partially automated
log management and analysis; 30% have completely automated log management, but not
analysis (up from 11% in 2012); 11% have completely automated both log management
and analysis; and just 12% remain completely manual (see Figure 13).
Figure 13. Current State of Automation (What is the level of automation you currently use to collect, analyze and manage your log data? Select the most applicable. Options: Partially automated log management and analysis processes; Automated only log management but not analysis; Completely manual; Completely automated log management and analysis processes; Other.)
In 2012, 7% of respondents indicated they weren’t automated at all and didn’t plan
any change, 15% were partially automated and didn’t plan any changes, and 11% were
already fully automated for log management but not analysis. Now, two years later,
organizations have made a great deal of progress.
6. www.counciloncybersecurity.org/critical-controls
Over the next two years, respondents expect to make even more progress with
automating their log management and analysis: many more plan to be completely or
partially automated by then, as shown in Figure 14.
TAKEAWAY: Automation is the key to managing and analyzing the large amounts of data associated with log management and SIEM systems.
[Figure 14. Expected Automation Progress. Chart of responses to: "What is the level of automation you are planning to use for the collection, analysis and management of your log data over the next two years? Select the most applicable." Response options: partially automated log management and analysis processes; automated only log management but not analysis; completely manual; completely automated log management and analysis processes; other.]
It is nice to see that, in the future, fewer organizations will rely on completely manual
management and analysis (as represented by the green sections of Figures 13 and 14).
The number of organizations partially automating both log management and analysis
or completely automating both functions (represented by the blue and purple sections,
respectively) should get larger as organizations more fully embrace the concept of
automation.
Summary: A Long Way, Baby
The past decade’s log management practices simply won’t do in today’s fast-paced
threat environment, in which new technologies, such as cloud and mobile computing,
make detection and visibility more difficult. When SANS first started publishing the log
management survey, respondents collected event logs, computer logs, firewall logs, web
logs and recorded other activities—and most people tried to review them manually or
wrote their own scripts to pull out the most interesting bits they could analyze, such as
failed logins and blocked ports. These were the early days of log analytics, even though
that wasn’t a term yet.
Log management has come a long way since then. Current log management software
can store vast amounts of data and do analysis on events, producing reports and
analysis. Better normalization, analysis and automation are occurring, and organizations
plan to automate more of these functions. However, automation is spotty, and
collecting logs from the cloud is still difficult and confusing for those who took this
survey. This represents a continued area of improvement for both organizations and
log management/SIEM vendors. In particular, they need to continue their efforts to
normalize data for better correlation, analysis and visibility—all of which are needed to
detect and manage risk across diverse IT environments.
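As an added illustration (not part of the SANS report) of the normalization and automation the summary calls for: constructed log lines in two formats, a Linux sshd syslog entry and a Windows failed-logon event (ID 4625) rendered as key=value pairs, are mapped onto one common schema so that failed logins for the same account and source address can be correlated across hosts. The key=value rendering, the schema field names, the syslog year and the alert threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the report): Linux sshd syslog entries and
# Windows failed-logon events (ID 4625) rendered as key=value pairs, an assumed format.
SAMPLE_LINES = [
    "Oct 14 08:12:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "2014-10-14T08:12:05Z DC01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.9 Status=0xC000006D",
    "Oct 14 08:12:09 web01 sshd[2214]: Accepted password for jsmith from 198.51.100.7 port 51030 ssh2",
    "2014-10-14T08:12:11Z DC01 EventID=4625 TargetUserName=admin IpAddress=203.0.113.9 Status=0xC000006D",
]
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
WINEVT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
                       r"IpAddress=(?P<src>\S+)")

def normalize(line, syslog_year=2014):
    """Map one raw line onto a common schema; return None for lines no parser recognises.
    syslog_year is an assumption, needed because the classic syslog timestamp carries no year."""
    m = SSHD_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=syslog_year)
        outcome = "failure" if m["outcome"] == "Failed" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "category": "auth", "outcome": outcome, "source": "sshd"}
    m = WINEVT_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        outcome = "failure" if m["eid"] == "4625" else "success"
        return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
                "category": "auth", "outcome": outcome, "source": "windows"}
    return None

def correlate_failed_logins(lines, threshold=3):
    """Count normalized auth failures per (user, source address) across every host and
    return those at or above the threshold, with the hosts they touched."""
    failures = defaultdict(lambda: {"count": 0, "hosts": set()})
    for line in lines:
        ev = normalize(line)
        if ev and ev["category"] == "auth" and ev["outcome"] == "failure":
            key = (ev["user"], ev["src"])
            failures[key]["count"] += 1
            failures[key]["hosts"].add(ev["host"])
    return {k: {"count": v["count"], "hosts": sorted(v["hosts"])}
            for k, v in failures.items() if v["count"] >= threshold}

if __name__ == "__main__":
    for key, info in correlate_failed_logins(SAMPLE_LINES).items():
        print(f"{key[0]} from {key[1]}: {info['count']} failures on {', '.join(info['hosts'])}")
```

The three failures for the same account and address are only visible as one pattern once both formats share a schema; neither host's raw log shows it on its own.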
About the Author
Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst
for Windstream Communications, working out of the company’s Ephrata, Pennsylvania location. Since
1984, he has consulted with companies and financial and educational institutions on issues of network
design, security, forensic analysis and penetration testing. His experience spans networks of all sizes,
from small home-office systems to global networks. Along with some vendor-specific certifications,
Jerry holds six Global Information Assurance Certifications (GIACs), all completed with honors: GIAC-Certified Intrusion Analyst (GCIA), GIAC-Certified Incident Handler (GCIH), GIAC-Certified Firewall
Analyst (GCFW), GIAC Systems and Network Auditor (GSNA), GIAC Penetration Tester (GPEN) and GIAC-Certified Forensic Analyst (GCFA). Five of his certifications are Gold certifications. He also holds the
CISSP certification.
Sponsor
SANS would like to thank this survey’s sponsor:
Last Updated: June 14th, 2017