[ http://www.amazon.com/exec/obidos/ASIN/1597490423/c4iorg - WK]
Security Log Management - Identifying Patterns in the Chaos
By Jacob Babbin, Dave Kleiman, Everett F. Carter Jr.,
Jeremy Faircloth, Mark Burnett, Esteban Gutierrez
ISBN: 1597490423
Paperback: 350 pages
Syngress Publishing, Inc. Copyright 2006
Reviewer: lyger <lyger (at) attrition dot org>
I have to admit, this book wasn't entirely what I expected. For several chapters, I was introduced to more shell scripting, PHP scripting, and poorly printed screen shots than what I would generally expect from a book that at first appeared to have been directed towards security analysts instead of system administrators and web developers. However, despite its flaws, "Security Log Management" does have its merits during its middle chapters which aren't based on excessive code snippets and blatant endorsements for Microsoft's Log Parser.
To be honest, the book started off on a bad foot by mentioning "a recent report by the group mi2g" (page 12) regarding the worldwide cost of malware. The statistics involved, as well as the dubious source of the report, may or may not have been checked by an editor (more on that later), but there are several examples later in the book that show that it was not thoroughly proofread before final publication. Other pages in chapter 1 describe "self-poisoning" of DNS servers, pages upon pages of cut-and-paste code, and poorly published graphics. As previously mentioned, not a good start, but the end-of-chapter summaries and fast track sections are clear and concise throughout the entire book.
The book often suggests using free tools to build into analysis and reporting for system logs. Excellent point, since using open source tools can either provide an adequate amount of data or provide justification for the purchase and/or use of larger-scale solutions.
Chapters 2, 3, and 4 focus on IDS, firewall, and system/network device reporting. Page 120 made me cringe a bit with phrases such as "this is best done" and "we want to use"; later in the book, it is pointed out that each particular environment should choose what type of log management is best, so I don't understand why blanket endorsements or solutions are given in early chapters. Again, however, the end-of-chapter summaries are direct and get to the points that the texts of the chapters sometimes elude.
Chapter 5 discusses creating a reporting infrastructure and is generally heavy on code and graphs, which may or may not be useful for any one particular environment. Chapter 6, "Scalable Enterprise Solutions", is probably the most informative section of the book. While the general focus of the book to this point has been on code, graphs, charts, and "solutions", the point that policies should be deployed *before* solutions is important and should have been stressed much earlier in the book. The sections on ESM implementation, usability, and vendor support are well written, and the mention of the "human touch" in log analysis was unexpected but appreciated. Too often, focus on log analysis is based on systems and not people, but since people are the ones who read the logs, it's nice that the human species gets a prop now and then.
The last three chapters mainly deal with Microsoft Log Parser. I have to be honest: I read the chapters, but really didn't see much value in them. Calling Microsoft Log Parser "the obvious choice of tool" seems somewhat promotional, especially considering the book's foreword was written by Gabriele Giuseppini, a developer for Microsoft Log Parser. Good information, but not really useful unless you're either using (or planning to use) MLP in a particular situation.
Overall, I have mixed feelings about this book. For a person who reads logs as a *hobby* (and yes, that's a sad admission, but the truth), I found the book to have good tips in some sections, but somewhat lacking in many areas. Too much code and too many graphs may not be appealing to some readers, and a few sections that say "this is the best tool" or "this is best done by..." (as well as the numerous typographical and grammatical errors) apparently weren't scrutinized by editors. Worth a read for anyone interested in log analysis, but feel free to skip over sections and chapters that don't interest you or specifically apply to your professional (or personal) environment.
Lyger (attrition.org)
-=-
Snippets (was re: proof, please):

A recent report by the group mi2g calculates the cost of malware "[sic] at around 600 million Windows-based computers worldwide, which works out to $281 to $340 worth of damage per machine." (page 12-13)

For an outbound policy violation, this address will be from a system on you LAN;... (page 119)

Q: My Web server has virtually hosts. How should I handle... (page 164)
_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org