[ISN] Book Review: Security Log Management - Identifying Patterns in the Chaos

Tue Apr 25 03:29:26 EDT 2006

[ http://www.amazon.com/exec/obidos/ASIN/1597490423/c4iorg    - WK]

Security Log Management - Identifying Patterns in the Chaos
By Jacob Babbin, Dave Kleiman, Everett F. Carter Jr., 
Jeremy Faircloth, Mark Burnett, Esteban Gutierrez 
ISBN: 1597490423 
Paperback: 350 pages 
Syngress Publishing, Inc.  Copyright 2006
Reviewer: lyger <lyger (at) attrition dot org>

I have to admit, this book wasn't entirely what I expected. For
several chapters, I was introduced to more shell scripting, PHP
scripting, and poorly printed screen shots than what I would generally
expect from a book that at first appeared to have been directed
towards security analysts instead of system administrators and web
developers. However, despite its flaws, "Security Log Management" does
have its merits during its middle chapters which aren't based on
excessive code snippets and blatant endorsements for Microsoft's Log
Parser.

To be honest, the book started off on a bad foot by mentioning "a
recent report by the group mi2g" (page 12) regarding the worldwide
cost of malware. The statistics involved, as well as the dubious
source of the report, may or may not have been checked by an editor
(more on that later), but there are several examples later in the book
that show that it was not thoroughly proofread before final
publication. Other pages in chapter 1 describe "self-poisoning" of DNS
servers, pages upon pages of cut-and-paste code, and poorly published
graphics. As previously mentioned, not a good start, but the
end-of-chapter summaries and fast track sections are clear and concise
throughout the entire book.

The book often suggests using free tools to build into analysis and
reporting for system logs. Excellent point, since using open source
tools can either provide an adequate amount of data or provide
justification for the purchase and/or use of larger-scale solutions.
Chapters 2, 3, and 4 focus on IDS, firewall, and system/network device
reporting. Page 120 made me cringe a bit with phrases such as "this is
best done" and "we want to use"; later in the book, it is pointed out
that each particular environment should choose what type of log
management is best, so I don't understand why blanket endorsements or
solutions are given in early chapters. Again, however, the
end-of-chapter summaries are direct and get to the points that the
texts of the chapters sometimes elude.

Chapter 5 discusses creating a reporting infrastructure and is
generally heavy on code and graphs, which may or may not be useful for
any one particular environment. Chapter 6, "Scalable Enterprise
Solutions", is probably the most informative section of the book.
While the general focus of the book to this point has been on code,
graphs, charts, and "solutions", the point that policies should be
deployed *before* solutions is important and should have been stressed
much earlier in the book. The sections on ESM implementation,
usability, and vendor support are well written, and the mention of the
"human touch" in log analysis was unexpected but appreciated. Too
often, focus on log analysis is based on systems and not people.. but
since people are the ones who read the logs, it's nice that the human
species gets a prop now and then.

The last three chapters mainly deal with Microsoft Log Parser. I have
to be honest.. I read the chapters, but really didn't see much value
in them.  Calling Microsoft Log Parser "the obvious choice of tool"
seems somewhat promotional, especially considering the book's foreward
was written by Gabriele Giuseppini, a developer for Microsoft Log
Parser. Good information, but not really useful unless you're either
using (or planning to use) MLP in a particular situation.

Overall, I have mixed feelings about this book. For a person who reads
logs as a *hobby* (and yes, that's a sad admission, but the truth), I
found the book to have good tips in some sections, but somewhat
lacking in many areas. Too much code and too many graphs may not be
appealing to some readers, and a few sections that say "this is the
best tool" or "this is best done by..." (as well as the numerous
typographical and grammatical errors) apparently weren't scrutinized
by editors. Worth a read for anyone interested in log analysis, but
feel free to skip over sections and chapters that don't interest you
or specifically apply to your professional (or personal) environment.

Lyger (attrition.org)

-=-

Snippets (was re: proof, please):

A recent report by the group mi2g calculates the cost of malware
"[sic] at around 600 million Windows-based computers worldwide, which
works out to $281 to $340 worth of damage per machine." (page 12-13)

For an outbound policy violation, this address will be from a system
on you LAN;... (page 119)

Q: My Web server has virtually hosts. How should I handle... (page 164)