You know, at its root, log management and SIEM is about reducing (log) information down to what you really need to review and respond to. That sounds much simpler than it really is, and I think we often go about it the wrong way. For instance, some log management solutions tout the “hundreds of reports” built into their solution, one for each of the different log sources they support. Well, it’s great that they support so many different log sources, but are hundreds of different reports the best way to analyze that data?
In this webinar, I’ll look at 5 different ways to reduce the information overload that your log management and SIEM technologies have to deal with and, much more importantly, how much information you have to review.
First, we’ll explore several examples of audit log data that is complete noise: it has no security value at all, and it is best to prevent systems from generating it in the first place, or at least to filter it out as early as possible in your log management process.
Then, we’ll look at common event types that folks waste time investigating: events that are very unlikely to indicate anything nefarious, or that cannot be distinguished from innocent events.
We’ll also look at common compliance requirements like “daily review of system audit logs” and discuss how to meet the requirement while avoiding busy-work, check-the-box processes.
Finally, we’ll examine 3 advanced, higher-level analysis techniques for distilling raw log data into actionable information:
After my training presentation, David Pack, from this webinar’s sponsor, LogRhythm, will show you how they implement those 3 analysis techniques to greatly reduce the volume of information you must review while helping you zero in on the activity that matters.
Don’t miss this real training for free™ event!