The SANS WhatWorks 2009 Log Management & Analysis Summit
What Works in Log Management & Analysis for Compliance, Operations and Security
- Dates:
- Pre-Summit Classes: April 5, 2009
- Summit: April 6 - 7, 2009
- Summit Venue:
- Westin Washington, DC City Center
1400 M Street NW
Washington, District of Columbia 20005
Phone: (202) 429-1700
Web site: http://specialoffers.starwoodhotels.com/westin_city_center_dc/
As a company struggling with the idea of log management, the result of this summit is a massive savings of time and money.
- Andrew Kerr, SackTel
Excellent content. Each minute was well packed with information, lessons learned and vendor information. Outstanding ability to talk to many of the high level folks at vendors. And a good opportunity to network with other IT folks having similar needs.
- Paul Buhler, Russell Stover Candies
A great opportunity to find out what is happening in the Log Management/ Analysis market.
- Nick Connor, Assuria, Ltd.
This was a great setting to not only see the vendors but to meet with others in the IT area that have used the solution and can tell us the trials of what works and how they did it.
- Harlon Mattos, Hawaiian Electric
Beyond Compliance - Increase your ROI and Solve Multiple Security Issues with Log Management
Many organizations are discovering some surprises as they deploy log management, and one big surprise is that log management showed up on a very exclusive list of the highest-priority security controls. The list was compiled by the best and brightest of the DoD red and blue teamers and twenty other government and private organizations that conduct cyber attacks and clean up after the attacks that got through the defenses. They were asked to agree on which controls were the most important - the ones that would have blocked their attacks or kept the attackers from getting a strong foothold on the target computers. Log management was one of the top ones. Seeing it there is thought-provoking, because so many organizations buy log management tools only to meet PCI, HIPAA, GLB or SOX compliance requirements. They don't know what a powerful weapon they have in their arsenal, and they don't take advantage of its power. But some do. And you can too.
Some Surprises You Will Learn at The Summit
1. Log management systems let you enforce policy and have a surprising impact on your effectiveness.
Remember the saying "trust but verify." Security managers often put out policies but have no way to know whether they are being implemented universally. A log management system can make you appear "omniscient" to your users and gain active support for, and compliance with, your most important security policies. They can even save you the cost of a data leakage protection tool.
2. Architecture of log management systems actually matters.
Salespeople who sell log management tools do not understand how those tools are used or how their performance varies under different types of loads. If all you are doing is running a tool for compliance, then it doesn't matter - but if that's your strategy you resemble the dinosaurs when the meteor was on its way to wipe them out. When you actually use the log management system for operations and security improvements, the architecture you choose matters. The vendor comparisons at the Summit will help you sort that out and show you why you may want to throw out the log management system you have already purchased.
3. Some log management reports are much more valuable than others.
If your log management system produces too many reports or alerts, it gets ignored. Focusing on a few very high pay-off reports, plus using it wisely for forensics, makes a big difference in whether the tool is useful.
4. The biggest bang for the buck from log management often comes from the network and system management teams - not security.
Logs record more than security events and if you use them wisely you can become a hero in the eyes of your network 'gods' and your system management folks - very good people for security managers to have as allies. The examples are really impressive.
Summit Overview
Audit Standards Driving Log Management & Analysis Acquisition
- SOX - Sarbanes Oxley Section 404
- PCI - The Payment Card Industry Standard
- HIPAA - Health Insurance Portability and Accountability Act
- ISO 17799 and ISO 27001
- COBIT
- FISMA - Federal Information Security Management Act
- FIPS 200 - Federal Information Processing Standard: Minimum Security Requirements for Federal Information Systems and NIST 800-53
- Gramm-Leach-Bliley (GLB)
- EAL and Common Criteria Evaluation
Regulatory requirements have made log management & analysis one of the two fastest growing areas of security. In fact, nearly every major regulation affecting cyber security (HIPAA, SOX, ISO 27001, COBIT) now demands or implies the need for continuous logging and effective log management. Even the Payment Card Industry (PCI) standard appears to demand it. And regulations governing information security technology are evolving as fast as the technology itself.
The Log Management & Analysis Summit is a user-to-user, non-commercial conference on what works in log management & analysis. It is the only place where you can learn about the strengths and weaknesses of competing technologies, where users will share the lessons they learned about what to log and what to keep and what to report.
Register Today to get answers to these key questions and more in Log Management & Analysis
- What specific requirements of HIPAA, Sarbanes Oxley and the PCI standard (and other standards and regulations) make log management mandatory?
- How can log management data be culled and normalized so every system administrator gets a daily report summarizing just the things he or she needs to know from the logs?
- What specific security events can be flagged through logs and how do you do it? How can advanced intelligence make the information in the logs more valuable?
- What are consensus best practices in log management & analysis? Which reports are most useful, and how do you create them? How should they be interpreted? How can log management effectively integrate with intrusion detection for maximum value?
- What log management and security event management architectures make the most sense in your business environment, with your technological requirements? Which products implement those architectures?
- What are the biggest mistakes organizations make when they implement log management systems and how can those mistakes be avoided?
Why Log Management & Analysis Matters
Operating system and application logs are an untapped mine of vital information about the health and well-being of an organization's computer infrastructure. When properly configured, these logs record the day-to-day activity of system users, the administrative changes made by the people who manage critical production systems, and the evidence left behind by malicious activity. When log management is working, you can review changes to your operational environment made by system administrators and operators. You can see unusual activity from your authorized users; you can monitor people without credentials who are trying to get in; and you can track what they are doing when they do get in.
Best of all, with the right logging configuration you'll capture the history of a hacker's activity on your machine, from the establishment of unauthorized accounts to the installation of back-doors, enabling you to quickly isolate and repair affected systems after an intrusion.
All organizations have a responsibility for the contents, protection and ability to produce log files. According to Benjamin Wright, attorney and author of Business Law and Computer Security, "System logs are critical to protect an enterprise under California's Senate Bill 1386. That law requires a holder of personal data to notify the data subject if there exists reason to believe the data's security has been compromised. Clean system logs are the enterprise's proof that it has no reason to suspect a compromise."
Even the smallest network has numerous devices that generate log data. Servers, routers, firewalls, wireless access points, anti-virus systems and most other network components can be set to generate a substantial amount of vital information about the health of the network. Very few companies take advantage of this information; few proactively monitor their system logs, and even fewer have in place the technology and intelligence to efficiently review the logs in the event of an incident. Best practices dictate that logs should be generated, archived and monitored regularly, for oversight of employee activity as well as for prevention and detection of system outages and security breaches.
Without real log management & analysis, organizations are out of compliance and at risk.
How Good Are SANS Summits?
Here's what people who attended the last Summit said:
It's great to network with people who share and experience the same problem and pain. The knowledge exchange exploring problems and solutions and futures has given me valuable insight for future planning and implementation of a log management solution.
- Rick Genes, Lockheed Martin
It's events like this one that set the log standards that others use as their baselines. It's not all about the conference sessions - it's also about making peer contacts.
- Gord Taylor, Royal Bank of Canada
Steering Committee
- Stephen Northcutt, SANS Institute
- Chris Brenton
- Mike Poor, InGuardians
- Chris Petersen, CTO, LogRhythm Inc.
- Ansh Patnaik, ArcSight
- Randy Rosenbaum, Alert Logic
Who Should Attend?
- Storage managers, database and data warehousing managers, and security managers should attend as a team. Organizations that care about protecting sensitive information need managers who can reliably work together to deploy the right technologies and processes to secure that information. Joint attendance at the Summit will go a long way toward getting everyone on the same page.
- Security auditors and incident handlers who need to know the greatest threats to their organizations' data and what needs to be done to protect it.
- Security architects and CTOs who are trying to determine what technologies and processes are most critical for protecting sensitive information stored in their organizations.
- Consultants tasked with helping organizations design the right defenses to protect their sensitive information.