门户网站网页设计规范,淘宝手机网站模板下载安装,wordpress生成多个尺寸图片大小,宝塔做两个网站SecurityWarrior Consulting的Anton Chuvakin博士在去年底的时候写过一篇文章#xff1a;Top 10 Things Your Log Management Vendor Won’t Tell You#xff0c;很有意思。实际上#xff0c;他提醒用户在选择日志审计产品#xff0c;尤其是用它来做内控的目的的时候应该注… SecurityWarrior Consulting的Anton Chuvakin博士在去年底的时候写过一篇文章Top 10 Things Your Log Management Vendor Won’t Tell You很有意思。实际上他提醒用户在选择日志审计产品尤其是用它来做内控的目的的时候应该注意的问题。这些注意事项有助于帮助客户建立起合理的产品预期也有助于督促日志审计/日志管理厂商去思考这些问题背后的解决方案。好吧让我们大家都擦亮眼睛。 原文摘录如下 While many people have seen the “Top 10 things that your chef, real-estate agent, wedding planner or pilot won’t tell you,” the world has not yet seen Top 10 things your log management vendor won’t tell you. Finally, this gap has been closed. “We talk analytics, but really, most of our customers only use us for collection.” While some products within SIEM and log management offer advanced analytics features, many customers are not truly ready for them. They need to start dealing with the basics—logging, log collection, log review—before delving into advanced areas. Buying a product based on features you won’t use is a mistake. “Our tool won’t make you PCI compliant. You’d have to do A LOT of things yourself – every day – to get and maintain compliance.” Sadly, many security solutions—and SIEM / log management are no exception—are sometimes sold as “compliance in a box.” You need to be aware that to stay PCI compliant you need to do more than purchase tools. “No, you cannot buy an entire SOC in this small box.” Just as with compliance, you cannot buy an entire Security Operations Center in a box, big or small. However, some will try to sell you their SIEM as “SOC-in-a-box.” Running an effective SOC includes multiple processes and procedures which are just as necessary as a market-leading SIEM tool.“We are cloud-ready, because … mmmmm… well, we are ready for it!” Many vendors will tell you that their tools are cloud-ready – without really thinking about what they mean. Effectively monitoring traditional and multi-tenant cloud environments distributed across regions and countries requires more than updated marketing materials! As a customer, you will need to carefully test the tool in your own hybrid environment before concluding that it is “cloud ready.”“Our SIEM is really just a renamed log management tool. But that’s all you probably need.” The confusion around SIEM and log management functionality rages on – it also allows some tools to be sold as SIEM without having any critical SIEM functionality such as correlation and real-time dashboards. Even though it might be all many customers need, it does not make such tool a SIEM tool.“We can do everything with logs, but it might require some SMALL customizations. Our PS team is standing by!” More than a few SIEM vendors will promise support for every possible log including logs they have never seen. However, fully integrating a new log source for reporting, correlation and visualization will always takes work and cannot be taken for granted.“If you make a mistake with capacity planning, we’d be happy to sell you more log management than you really need.” Many organizations are having trouble estimating how much log data will be coming into their SIEM or log management tools. Both underestimating and overestimating are common. It is recommended that you spend about a week measuring log volumes across the systems that will be reporting to a SIEM.“We think our tool is scalable, but we don’t really have production customers of your size. Our engineers believe that it might work.” Scalability claims are cheap and frequently made by SIEM and log management vendors. However, the only real proof that the tool will scale to your requirements is testing the tool in your environment. Thus, you should insist on performance testing during the pilot if there are any doubts.“We estimate our performance using really small log message sizes.” Yes, our tools can do a million messages an instant – but these are our special messages that we create in the lab. Nowadays, application logs and the proliferation of XML-based logging has pushed message sizes up to 1 kb or more from the traditional 200 byte logs from firewalls. Thus, you need to be wary of performance estimates based on such artificially short logs.“Our tool offers predictive security intelligence. No, we don’t know what it means either – and we can’t really predict it.” SIEM is one of the most over-hyped and over-marketed security technologies out there. The only way to make sure that a particular tool will satisfy your requirements is too carefully spell out those requirements and then test the tool yourself. 读完这篇文章我也是颇有体会。 的确对于我接触到的目前国内大部分客户而言使用日志审计/日志管理产品的主要用途就是收集日志进行查询、统计和报表。关联分析几乎很少使用。一方面关联分析功能是一个吃力难讨好的技术要么就要做到满足用户期望80分以上否则再做也没啥用。用户对于关联分析的期望往往较高即要求分析能力强又要求对普通管理员易用易懂。从技术层面来说还有一段路要走要看商业智能Business Intelligence技术发展到什么程度了。另一方面即便有较强的关联分析功能大部分用户也并不关注。对于他们而言当前工作的重心还是在收集、存储、查询、统计上因为这些功能对用户是切实有用的是基本的功能点。我觉得这是当前LM产品的重点所在。实际上即便是这些看似基本的功能点也隐藏着巨大的技术挑战。因为面对海量异构事件的收集、存储和查询LM厂商们将必须将性能提升到一个用户可以接受的水平。 与Anton Chuvakin的观点差不多我也认为对于用户而言在考虑SOC之前最好先考虑SIEM或者干脆先考虑LM。至少不要在考虑的SOC的同时忽略SIEM和LM。 既然对于用户而言对于当前的日志审计/LM产品重点是考察收集、存储和查询统计那么又如何去甄别各个厂商对此的宣传和技术参数呢例如最重要的一个技术参数叫做EPSEvent per Second亦即每秒事件数。实际上各个厂商在给出这个值的时候其条件和内涵可能完全不同。首先你需要知道这个值是在什么条件下获得的至少要知道是什么CPU、多少内存、多少硬件资源的条件下获得的可能的话还要知道测试的基准日志源是什么样的这些日志是单设备日志还是多源日志平均日志长度是多少除此之外你还需要知道EPS的内涵所指为何是单纯收集上来的EPS?还是指收集上来且归一化后的EPS抑或是收集上来、归一化并持久化存储后的EPS。内涵不同LM产品的工作机制不同进行EPS的数值比较可能没有什么意义。而往往几乎不会有厂商主动告诉你这些。如果你比较Care这些最好的方式是建立自己的测试基准进行横向实际测试比较。所以对于重要的客户我比较强调PoC。 用户必须清楚的认识到LM是一类管理系统其运用必须遵循管理类系统的生命周期。简单的说无论厂商如何说LM用户都是清楚认识到实施LM的工作内容并且这些工作有很多是你必须参与其中无法逃脱的。例如我们在上LM的时候应该了解到日志源种类和类型、规划日志容量、设计查询统计模板同时配套的运维也需要建立起来。别幻想一听完厂商的产品介绍就认为有了这个产品一切都OK了。 转载于:https://blog.51cto.com/yepeng/570955
