The problem with looking through logs is its a little like looking through a whole lot of poop. Metaphorically speaking. I mean I have never really spent a whole lot of time looking through or pondering poop so I’m reaching here a bit. That isn’t to say there isn’t value in looking at it. Once you get a baseline, changes in color, volume, frequency, consistency etc can all point to a person’s general health. There comes a point though where all it is really saying is someone ate something sometime. The point is logs generally tend to fall into the same category. They are evidences of things that have happened. The problem is “what happened” doesn’t always translate well to “why something happened”. That might sound a bit crazy but walk with me a bit. The sales pitch of a SIEM vendor generally goes like this. “What if a user goes to a malicious site…or gets an infected file…or the user plugs in an infected USB, gets infected, and then the computer starts doing X, Y, and Z. Wouldn’t you want to see/alert on that?” Of course. But while the scenario sounds good what you have heard, even on a subconscious level, is the SIEM will be able to work backwards and tell you why something happened. In reality not only do you not (generally) start out knowing the computer is infected (aka why it generated the logs), the events it does create are drowning in a steaming cesspool…cessocean of crap from all over. The damn dingleberrys (ahem..sorry) are hiding in millions and millions of events.
The conclusion? Am not sure. I was just pondering the multitude of issues surrounding the expectations different people and different levels of management have when it comes to what your SIEM might tell you. In reality it doesn’t really “tell” you a whole lot. Now, that isn’t the same as saying it doesn’t tell you anything. The - or at least “a” – conflict comes from the use case discussion ground in the conceptual. While a technical implementation has to start from the reality of the events and almost work backward…until you run out of events and have a gap between there and the conceptual conclusion where you had hoped to arrive.
Enough thought. Time for some more Tylenol sinus and bed.
No comments:
Post a Comment