Friday, February 02, 2007

Five Mistakes of Security Log Analysis

In DoD Cybercrime Conference 2007 in St. Louis, Missouri, Anton Chuvakin gave a talk about the "Five Mistakes of Security Log Analysis". Anton talks about operational security challenges that organizations face while deploying log and alert collection and analysis infrastructure. You can refer here for his simple presentation.
You also can refer to his previous article for Computerworld. I think this article is useful for us. Chuvaking highlights the top five most common mistakes organizations make in this process:
1: Not looking at the logs
2: Storing logs for too short a time
3: Not normalizing logs
4: Failing to prioritize log records
5: Looking for only the bad stuff

p/s: I think NSM is one of the solution for this five mistakes to reduce problems for my IDS that i'm still using it......hehehhee....


geek00L said...


Normally correlation is done across various form of logs(either from host centric or network centric data). I still think the most important thing is not about the log collection itself when you already have them but the whole analysis process phase that's tricky.

Johncrackernet said...

Hehehe...yup Geekool!!
The whole analysis is very important things we need to look an analyze. The whole analysis process phase that's tricky us to analyze...hehehhe....