The Future of Log Centralization for SIEMs and DFIR
Is the End Nigh?
Dr. Anton Chuvakin
https://medium.com/anton-on-security
https://cloud.withgoogle.com/cloudsecurity/podcast
Office of the CISO, Google Cloud
August 2023
Outline
● Logs … still centralized?
○ What worked well?
○ What was always a challenge?
● What changed?
○ So, should we still centralize?
● What does the possible future look like?
How It Started….
The Past
Time Machine to 2003!
● Log centralization
● Syslog dominates
● Syslog UDP is still cool (in a late 1980s kinda way)
● SIEM does not exist, yet SIM and SEM do
● Log management is a generic term, not a market name…
Wise Advice … from 2003?
The, ahem, Recent Past
● Log centralization … can be distributed.
● Distributed? Centralization? Huh?
The Present
Scenario 1 Multi-cloud at Scale
● Big presence in Google Cloud
● Also, big presence in another cloud
● AND finally, still sizable presence on premises
● Where do the logs go?
Scenario 2 Useful Logs, “Useless” Logs
● Megabytes of alerts
● Gigabytes of priority logs
● AND petabytes of information logs
● Now, add observability traces
● Do we centralize … at per GB price?
Scenario 3 Very SaaSy (But not SASE!)
● Lots of SaaS use - CRM, HR, marketing, etc
● CASB in use
● No data centers
● Do we centralize logs at … eh…well…eh… WHERE?
The Future?
“Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.”
-- Marcus Ranum (in ~early 2000)
So You Want to Decentralize?
● How to assure retention?
○ … and impress our “friends”, the auditors!?
○ … and assure evidence availability for IR
● How to normalize?
● How to correlate?
● How to ML?
Decisions, Decisions, etc
“Damn the torpedoes, we are centralizing
anyway”
● Compliance mandates (PCI DSS, etc)
● Need guaranteed data retention
● Have a scope of data to normalize
“Hold your horses, we need to think about it”
● Still need to centralize …
● … but not everything
● Centralized/distributed for low stakes data
“Decentralized all the way!”
● Heavy cloud, and especially SaaS use
● No center to centralize into
● Focus on best-effort search
● “Magical” normalization (OCSF)
Why Bite the Bullet and CENTRALIZE ANYWAY!?!
● Specific mandate that says “centralize logs”
○ Centralize does not mean ONE place.
● Contractual pressure to have logs available in 100% of cases
○ “If you need it done, you do it yourself!”
● Cost effective (=cloud-native) tool is available to store logs … and not pay “per GB”...
● Don’t pay for 4 copies of the same data…
Example from Query.AI
Multi-vendor, “open” federated search across many vendor technologies
What to Do?
Recommendations
● Stick to centralized approach to logs/data that you alert on or analyze directly
○ Use cloud-native, SaaS SIEM platform for this
● Be ready for the world where you cannot centralize all logs in one place
○ Start reviewing the tools that support distributed queries over decentralized stores
○ Beware of their inherent limitations, however
● Long term, assume centralized/decentralized model for log analysis
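The recommendations above in working form, as an added example that is not the deck's own code nor any product's: a routing policy that centralizes (and normalizes once) only the log types the SOC alerts on, leaves bulk context logs such as DHCP in their origin store, and a federated query that fans out over every store, maps native field names onto one common schema at query time, and flags partial results when a store does not answer. The store names, field maps and sample events are all constructed for the demo.

```python
"""Tiered routing plus federated search over decentralized log stores.
Added example, not the deck's or any product's code: log types the SOC
alerts on go to one central SIEM store, normalized on ingest; bulk context
logs (DHCP, flow) stay in their origin store in native shape and are mapped
to the common schema only at query time. Names and events are constructed."""
from dataclasses import dataclass, field

# Hypothetical policy: log types we alert on or analyze directly.
CENTRALIZE = {"auth", "edr", "cloud_audit"}


def normalize(record, field_map):
    """Rename native fields to the common schema; unknown fields pass through."""
    return {field_map.get(k, k): v for k, v in record.items()}


@dataclass
class Store:
    name: str
    field_map: dict                 # native field name -> common schema name
    available: bool = True          # set False to simulate an outage
    records: list = field(default_factory=list)

    def search(self, key, value):
        if not self.available:
            raise TimeoutError(f"{self.name} did not answer")
        rows = (normalize(r, self.field_map) for r in self.records)
        return [r for r in rows if r.get(key) == value]


def route(event, stores):
    """Centralize (and normalize once) what we alert on; leave the rest in place."""
    if event["log_type"] in CENTRALIZE:
        origin_map = stores[event["origin"]].field_map
        stores["central_siem"].records.append(normalize(event, origin_map))
        return "central_siem"
    stores[event["origin"]].records.append(event)   # native shape, no extra copy
    return event["origin"]


def federated_search(stores, key, value):
    """Fan one query out to every store and merge the hits.
    A store that is down silently shrinks the result set, so the answer
    carries a completeness flag and the failed store names, not bare hits."""
    hits, answered, failed = [], [], []
    for s in stores.values():
        try:
            hits.extend(s.search(key, value))
            answered.append(s.name)
        except TimeoutError:
            failed.append(s.name)
    return {"hits": hits, "answered": answered, "failed": failed,
            "complete": not failed}


def build_demo():
    """Constructed environment: central SIEM, two clouds, one on-prem site."""
    stores = {
        "central_siem": Store("central_siem", {}),   # normalized on ingest
        "cloud_a": Store("cloud_a", {"sourceIPAddress": "src_ip"}),
        "cloud_b": Store("cloud_b", {"srcaddr": "src_ip"}),
        "onprem": Store("onprem", {"client_ip": "src_ip"}),
    }
    events = [   # constructed events, each in its source's native field names
        {"log_type": "cloud_audit", "origin": "cloud_a",
         "sourceIPAddress": "10.1.2.3", "action": "CreateUser"},
        {"log_type": "flow", "origin": "cloud_b", "srcaddr": "10.1.2.3"},
        {"log_type": "dhcp", "origin": "onprem", "client_ip": "10.1.2.3"},
        {"log_type": "auth", "origin": "onprem", "client_ip": "10.9.9.9"},
    ]
    for e in events:
        route(e, stores)
    return stores
```

Calling `build_demo()` and then `federated_search(stores, "src_ip", "10.1.2.3")` returns three hits from three different stores; flipping `stores["onprem"].available` to False drops the DHCP context and marks the answer incomplete instead of silently returning two hits.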
Resources
● “Log Centralization: The End Is Nigh?”
● “Anton Chuvakin Discusses “20 Years of SIEM – What’s Next?”” SANS webinar
● “20 Years of SIEM: Celebrating My Dubious Anniversary” blog
● “On “Output-driven” SIEM” blog (2012)
● “Anton and The Great XDR Debate, Part 1”
● … and of course https://medium.com/anton-on-security
● and https://cloud.withgoogle.com/cloudsecurity/podcast/
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the End Nigh?

Editor's Notes

  1. https://www.sans.org/webcasts/the-future-of-log-centralization-for-siems-and-dfir-is-the-end-nigh/?source=cardinalops1
     https://cardinalops.com/webinars-events/the-future-of-log-centralization-for-siems-and-dfir-is-the-end-nigh/
     https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379
  3. Namely, this one: https://gartner.com/document/4017131… that says "Federated security log management (SLM) is emerging as an alternative to centrally collecting logs."
  4. https://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-security-data-centralization
  5. https://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-security-data-centralization
  6. https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf
  7. https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379
     Let’s go through a few basic examples. The very example that inspired that line of thinking involved multi-cloud. If you are present in multiple public cloud providers, and present there at scale, it is very likely that you are NOT collecting logs into one place in one cloud. Various complexities, egress costs, storage costs all play into this becoming a questionable decision for most organizations. So you perhaps centralize per cloud, but what if we include SaaS services into this? Then it becomes an even bigger mess, as most large organizations use hundreds of those.
  8. https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379
     Another trivial example refers to the log types that are useful for investigations or in bulk, but where each individual record is unlikely to be used for detection. For example, I’ve noticed that many organizations don’t collect and retain DHCP logs (of course, Chronicle customers do!). They fail to do it not because these logs are not useful (they are very useful as context), but because they don’t use them for any direct detections, and thus see them as “too costly to centralize” (especially if their SIEM vendor charges per EPS…).
  10. https://www.ranum.com/security/computer_security/editorials/point-counterpoint/homeusers.htm
  11. Source: Gartner 2023
  12. https://www.query.ai/federated-search/
      “Open federated search retrieves information from across vendor solutions and environments. It uses API integrations with third parties to perform a unified search across the data sources that are participating in the federation, and it does this without requiring data transfer or centralization. This approach also provides the flexibility to choose and integrate the best-of-breed security solutions vs having a single-vendor lock-in.”
      https://www.query.ai/wp-content/uploads/2023/05/QWP-002_Evaluating-Federated-Search-for-Security.pdf
  13. https://docs.google.com/presentation/d/1ibY3_Z7W2u-FpFpNwn06XCRYYDFqpQW1QwAhqKaibyE/edit#slide=id.g27564ae2c70_1_368
      https://drive.google.com/corp/drive/folders/1oH4rmdlm2B0iT8cuuun-OVMykLIFXZwx
  14. https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379