The Future of Log Centralization for SIEMs and DFIR
Is the End Nigh?
Dr. Anton Chuvakin
https://medium.com/anton-on-security
https://cloud.withgoogle.com/cloudsecurity/podcast
Office of the CISO, Google Cloud
August 2023
Outline
● Logs … still centralized?
○ What worked well?
○ What was always a challenge?
● What changed?
○ So, should we still centralize?
● What does the possible future look like?
How It Started….
The Past
Time Machine to 2003!
● Log centralization
● Syslog dominates
● Syslog UDP is still cool (in a late 1980s kinda way)
● SIEM does not exist, yet SIM and SEM do
● Log management is a generic term, not a market name…
Wise Advice … from 2003?
The, ahem, Recent Past
● Log centralization … can be distributed.
● Distributed? Centralization? Huh?
The Present
Scenario 1 Multi-cloud at Scale
● Big presence in Google Cloud
● Also, big presence in another cloud
● AND finally, still sizable presence on premise
● Where do the logs go?
Scenario 2 Useful Logs, “Useless” Logs
● Megabytes of alerts
● Gigabytes of priority logs
● AND petabytes of information logs
● Now, add observability traces
● Do we centralize … at per GB price?
Scenario 3 Very SaaSy (But not SASE!)
● Lots of SaaS use - CRM, HR, marketing, etc
● CASB in use
● No data centers
● Do we centralize logs at … eh…well…eh… WHERE?
The Future?
“Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.”
-- Marcus Ranum (in ~early 2000)
So You Want to Decentralize?
● How to assure retention?
○ … and impress our “friends”, the auditors!?
○ … and assure evidence availability for IR
● How to normalize?
● How to correlate?
● How to ML?
Decisions, Decisions, etc
“Damn the torpedoes, we are centralizing anyway”
● Compliance mandates (PCI DSS, etc)
● Need guaranteed data retention
● Have a scope of data to normalize
“Hold your horses, we need to think about it”
● Still need to centralize …
● … but not everything
● Centralized/distributed for low stakes data
“Decentralized all the way!”
● Heavy cloud, and especially SaaS use
● No center to centralize into
● Focus on best-effort search
● “Magical” normalization (OCSF)
Why Bite the Bullet and CENTRALIZE ANYWAY!?!
● Specific mandate that says “centralize logs”
○ Centralize does not mean ONE place.
● Contractual pressure to have logs available in 100% of cases
○ “If you need it done, you do it yourself!”
● Cost effective (=cloud-native) tool is available to store logs … and not pay “per GB”...
● Don’t pay for 4 copies of the same data…
Example from Query.AI
Multi-vendor, “open” federated search across many vendor technologies
What to Do?
Recommendations
● Stick to centralized approach to logs/data that you alert on or analyze directly
○ Use cloud-native, SaaS SIEM platform for this
● Be ready for the world where you cannot centralize all logs in one place
○ Start reviewing the tools that support distributed queries over decentralized stores
○ Beware of their inherent limitations, however
● Long term, assume centralized/decentralized model for log analysis
Resources
● “Log Centralization: The End Is Nigh?”
● “Anton Chuvakin Discusses “20 Years of SIEM – What’s Next?”” SANS webinar
● “20 Years of SIEM: Celebrating My Dubious Anniversary” blog
● “On “Output-driven” SIEM” blog (2012)
● “Anton and The Great XDR Debate, Part 1”
● … and of course https://medium.com/anton-on-security
● and https://cloud.withgoogle.com/cloudsecurity/podcast/

Editor's Notes

  1. https://www.sans.org/webcasts/the-future-of-log-centralization-for-siems-and-dfir-is-the-end-nigh/?source=cardinalops1 https://cardinalops.com/webinars-events/the-future-of-log-centralization-for-siems-and-dfir-is-the-end-nigh/ https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379
  3. Namely, this one: https://gartner.com/document/4017131… that says "Federated security log management (SLM) is emerging as an alternative to centrally collecting logs."
  4. https://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-security-data-centralization
  5. https://www.slideshare.net/anton_chuvakin/anton-chuvakin-on-security-data-centralization
  6. https://www.splunk.com/en_us/pdfs/tech-brief/splunk-validated-architectures.pdf
  7. https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379 Let’s go through a few basic examples. The very example that inspired that line of thinking involved multi-cloud. If you are present in multiple public cloud providers, and present there at scale, it is very likely that you are NOT collecting logs into one place in one cloud. Various complexities, egress costs, storage costs all play into this becoming a questionable decision for most organizations. So you perhaps centralize per cloud, but what if we include SaaS services into this? Then it becomes an even bigger mess, as most large organizations use 100s of those.
  8. https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379 Another trivial example refers to the log types that are useful for investigations or in bulk, but where each individual record is unlikely to be used for detection. For example, I’ve noticed that many organizations don’t collect and retain DHCP logs (of course, Chronicle customers do!). They fail to do it not because these logs are not useful (they are very useful as context), but because they don’t use them for any direct detections, and thus see them as “too costly to centralize” (especially if their SIEM vendor charges per EPS…).
  10. https://www.ranum.com/security/computer_security/editorials/point-counterpoint/homeusers.htm
  11. Source: Gartner 2023
  12. https://www.query.ai/federated-search/ “Open federated search retrieves information from across vendor solutions and environments. It uses API integrations with third parties to perform a unified search across the data sources that are participating in the federation, and it does this without requiring data transfer or centralization. This approach also provides the flexibility to choose and integrate the best-of-breed security solutions vs having a single-vendor lock-in.” https://www.query.ai/wp-content/uploads/2023/05/QWP-002_Evaluating-Federated-Search-for-Security.pdf
  13. https://docs.google.com/presentation/d/1ibY3_Z7W2u-FpFpNwn06XCRYYDFqpQW1QwAhqKaibyE/edit#slide=id.g27564ae2c70_1_368 https://drive.google.com/corp/drive/folders/1oH4rmdlm2B0iT8cuuun-OVMykLIFXZwx
  14. https://medium.com/anton-on-security/log-centralization-the-end-is-nigh-b28efaa98379
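The recommendation to centralize only the logs you alert on and reach the rest through distributed queries, together with the open federated search described in note 12 and the "DHCP logs as context" point in note 8, as an added illustration that is not code from the deck, Query.AI or any product. Every store name, field name, routing rule and event below is constructed for the example.

```python
"""
Added example, not code from the deck: a toy "centralized/decentralized"
log model. Logs the SOC alerts on are routed to one central SIEM store;
bulk context logs (DHCP leases, flows) stay in per-environment stores and
are reached through a federated search that normalizes each source's
records into one shape. Every store, field name and event here is
constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable

# Constructed routing policy: detection-grade log types are centralized,
# bulk/context types are left in the environment that produced them.
CENTRALIZE = {"auth", "edr_alert"}
KEEP_LOCAL = {"dhcp", "flow"}


@dataclass
class Store:
    """A log store; 'available' models a source that cannot be reached."""
    name: str
    events: list = field(default_factory=list)
    available: bool = True


def route(event: dict, central: Store, local: dict[str, Store]) -> str:
    """Write one event to central or local storage; return the store name."""
    kind = event["type"]
    if kind in CENTRALIZE:
        central.events.append(event)
        return central.name
    if kind in KEEP_LOCAL:
        store = local[event["env"]]
        store.events.append(event)
        return store.name
    raise ValueError(f"no routing rule for log type {kind!r}")


# Per-source adapters: each source keeps its own field names, the adapter
# maps them to one minimal normalized record (constructed schema).
ADAPTERS: dict[str, Callable[[dict], dict]] = {
    "auth": lambda e: {"time": e["ts"], "src_ip": e["src_ip"],
                       "detail": f"login {e['result']} user={e['user']}", "source": "auth"},
    "edr_alert": lambda e: {"time": e["ts"], "src_ip": e["host_ip"],
                            "detail": f"alert {e['rule']}", "source": "edr"},
    "dhcp": lambda e: {"time": e["ts"], "src_ip": e["yiaddr"],
                       "detail": f"lease mac={e['mac']}", "source": "dhcp"},
    "flow": lambda e: {"time": e["ts"], "src_ip": e["src_addr"],
                       "detail": f"flow to {e['dst_addr']}:{e['dst_port']}", "source": "flow"},
}


def federated_search(src_ip: str, stores: list[Store]) -> tuple[list[dict], list[str]]:
    """Query every store in place (no data movement), normalize the hits and
    return them time-ordered, plus the names of stores that could not be
    queried. Callers must treat results as partial when that list is non-empty;
    this is the inherent limitation the deck warns about."""
    hits, unreachable = [], []
    for store in stores:
        if not store.available:
            unreachable.append(store.name)
            continue
        for raw in store.events:
            record = ADAPTERS[raw["type"]](raw)
            if record["src_ip"] == src_ip:
                hits.append(record)
    hits.sort(key=lambda r: r["time"])
    return hits, unreachable


def demo() -> tuple[list[dict], list[str]]:
    """Route constructed events, then reconstruct 10.0.0.5's activity."""
    central = Store("siem-central")
    local = {"gcp": Store("gcp-bucket"), "aws": Store("aws-bucket"),
             "onprem": Store("onprem-archive")}
    events = [  # constructed sample events, one per source type
        {"type": "dhcp", "env": "onprem", "ts": 100, "yiaddr": "10.0.0.5", "mac": "aa:bb:cc:00:11:22"},
        {"type": "auth", "env": "gcp", "ts": 110, "src_ip": "10.0.0.5", "user": "alice", "result": "failure"},
        {"type": "flow", "env": "aws", "ts": 120, "src_addr": "10.0.0.5", "dst_addr": "198.51.100.7", "dst_port": 443},
        {"type": "edr_alert", "env": "gcp", "ts": 130, "host_ip": "10.0.0.5", "rule": "credential dumping"},
        {"type": "flow", "env": "aws", "ts": 140, "src_addr": "10.0.0.9", "dst_addr": "198.51.100.7", "dst_port": 443},
    ]
    for e in events:
        route(e, central, local)
    local["onprem"].available = False  # the DHCP archive is down during the IR
    return federated_search("10.0.0.5", [central, *local.values()])


if __name__ == "__main__":
    hits, missing = demo()
    for h in hits:
        print(h["time"], h["source"], h["src_ip"], h["detail"])
    if missing:
        print("partial results; unreachable:", ", ".join(missing))
```

The DHCP lease that would tie 10.0.0.5 to a MAC address is exactly what goes missing when the decentralized archive is unreachable, which is why the search reports the gap instead of silently returning a shorter timeline.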