Do you know that kids' game Telephone? I am wondering if maybe I am the last person to have the secret whispered in my ear, and missed something that is key to the story below making sense to me.
Network World's Ellen Messmer reports on a recent SANS survey and report that reveals security folks aren't spending enough time looking at logs.
Says Ellen:
"According to the SANS Analyst Program survey on log and event management, "Sorting through the Noise," 22% of respondents use a security information and event manager (SIEM) to collect and analyze data, while 58% use log-management systems, and the remainder rely on other means. Most respondents said one of the main reasons to collect logs is for the purpose of regulatory compliance, though 9% discounted the importance of that."
So...if I got that right, then 80% of respondents are using some sort of automation to manage device logs. That's good, right?
Those systems don't run themselves - they require a person to manage them. I would think (hope) that the person tasked with minding these systems would have some sort of baseline familiarity with the logs under management, right? If not initially, then over time?
According to Ellen: "...the SANS report emphasized that automated tools cannot be viewed as a complete substitute for the people who are log analysts who develop a "sixth sense" about traffic anomalies and security because they spend some time every day looking at log data."
Well...duh! But...wasn't the whole point of a SIEM to automate log management because there were too many devices, too many logs, and way too much data in all those logs for any one person or team of people to analyze manually?
The SANS report points out that "SIEM-type tools, including log management tools with analysis and reporting options, will help organize and identify patterns and activities that are generally recognized as indicators of problems. Yet, 58% of organizations are not anywhere close to that level of automation."
Wait a minute - what about the 80% SANS said ARE using a SIEM or log manager?
Maybe I am misunderstanding something in either the report (which I did not read, though) or the article (which I did), but I think what SANS is saying - and this makes total sense - is that you still need a person - preferably, a smart person - making sense of the information being presented by security automation tools (in this case SIEM tools).
Of course the folks managing these tools need enough familiarity with logs and log data to know how to properly leverage the automation SIEMs offer - as in how to tune it, what trends to look for (in general, for compliance, and specific to your organization), or how to tell a real anomaly from a false positive. But if the whole point of buying these tools was to deal with the overwhelming volume of information in the logs, how much more time do they need to spend on the logs? If anything, shouldn't they spend that time learning the ins and outs of the SIEM?
Yes? No? If not, what am I missing?