Anton Chuvakin: Ten things to watch for in log management products
At the end of last year Dr. Anton Chuvakin of SecurityWarrior Consulting wrote a piece titled "Top 10 Things Your Log Management Vendor Won't Tell You", and it is well worth reading. In effect it is a list of the things a user should watch for when choosing a log audit product, especially when the product is bought for internal-control purposes. These points help customers set reasonable expectations of the product, and they also push log audit / log management vendors to think about what the solutions to these problems would look like. So let's all keep our eyes open.
The original is excerpted below:
While many people have seen the “Top 10 things that your chef, real-estate agent, wedding planner or pilot won’t tell you,” the world has not yet seen Top 10 things your log management vendor won’t tell you. Finally, this gap has been closed.
- “We talk analytics, but really, most of our customers only use us for collection.” While some products within SIEM and log management offer advanced analytics features, many customers are not truly ready for them. They need to start dealing with the basics—logging, log collection, log review—before delving into advanced areas. Buying a product based on features you won’t use is a mistake.
- “Our tool won’t make you PCI compliant. You’d have to do A LOT of things yourself – every day – to get and maintain compliance.” Sadly, many security solutions—and SIEM / log management are no exception—are sometimes sold as “compliance in a box.” You need to be aware that to stay PCI compliant you need to do more than purchase tools.
- “No, you cannot buy an entire SOC in this small box.” Just as with compliance, you cannot buy an entire Security Operations Center in a box, big or small. However, some will try to sell you their SIEM as “SOC-in-a-box.” Running an effective SOC includes multiple processes and procedures which are just as necessary as a market-leading SIEM tool.
- “We are cloud-ready, because … mmmmm… well, we are ready for it!” Many vendors will tell you that their tools are cloud-ready – without really thinking about what they mean. Effectively monitoring traditional and multi-tenant cloud environments distributed across regions and countries requires more than updated marketing materials! As a customer, you will need to carefully test the tool in your own hybrid environment before concluding that it is “cloud ready.”
- “Our SIEM is really just a renamed log management tool. But that’s all you probably need.” The confusion around SIEM and log management functionality rages on – it also allows some tools to be sold as SIEM without having any critical SIEM functionality such as correlation and real-time dashboards. Even though it might be all many customers need, it does not make such a tool a SIEM tool.
- “We can do everything with logs, but it might require some SMALL customizations. Our PS team is standing by!” More than a few SIEM vendors will promise support for every possible log including logs they have never seen. However, fully integrating a new log source for reporting, correlation and visualization will always take work and cannot be taken for granted.
- “If you make a mistake with capacity planning, we’d be happy to sell you more log management than you really need.” Many organizations are having trouble estimating how much log data will be coming into their SIEM or log management tools. Both underestimating and overestimating are common. It is recommended that you spend about a week measuring log volumes across the systems that will be reporting to a SIEM.
- “We think our tool is scalable, but we don’t really have production customers of your size. Our engineers believe that it might work.” Scalability claims are cheap and frequently made by SIEM and log management vendors. However, the only real proof that the tool will scale to your requirements is testing the tool in your environment. Thus, you should insist on performance testing during the pilot if there are any doubts.
- “We estimate our performance using really small log message sizes.” Yes, our tools can do a million messages an instant – but these are our special messages that we create in the lab. Nowadays, application logs and the proliferation of XML-based logging has pushed message sizes up to 1 KB or more from the traditional 200 byte logs from firewalls. Thus, you need to be wary of performance estimates based on such artificially short logs.
- “Our tool offers predictive security intelligence. No, we don’t know what it means either – and we can’t really predict it.” SIEM is one of the most over-hyped and over-marketed security technologies out there. The only way to make sure that a particular tool will satisfy your requirements is to carefully spell out those requirements and then test the tool yourself.
Reading this article, I found a lot that matched my own experience.
Indeed, for most of the domestic customers I have dealt with so far, the main use of a log audit / log management product is to collect logs and then query, tally and report on them. Correlation analysis is hardly ever used. On one hand, correlation is a thankless technology: unless it meets 80 percent or more of what users expect, building it is of little use. Users' expectations of correlation tend to be high: they want strong analytical power and at the same time something an ordinary administrator finds easy to use and understand. Technically there is still a way to go, and much depends on how far business intelligence (BI) technology develops. On the other hand, even when a strong correlation feature exists, most users pay little attention to it. For them the focus of current work is still collection, storage, query and statistics, because these are the functions that are concretely useful, the basic feature set. I think this is where the emphasis of current LM products lies. In fact, even these seemingly basic functions hide large technical challenges: faced with the collection, storage and querying of massive volumes of heterogeneous events, LM vendors must raise performance to a level users can accept.
Much like Anton Chuvakin, I also believe that users should consider SIEM before considering a SOC, or simply consider LM first. At the very least, do not neglect SIEM and LM while thinking about a SOC.
Given that the emphasis for users of current log audit / LM products is collection, storage, and query/statistics, how should they sift through each vendor's claims and technical specifications? Take the most important parameter, EPS (events per second). In practice the conditions and the meaning behind the figure each vendor quotes can be completely different. First, you need to know under what conditions the value was obtained: at a minimum, what CPU, how much memory and what other hardware resources were used; if possible, also what the benchmark log sources looked like, whether they were logs from a single device or from multiple sources, and what the average log length was. Beyond that, you need to know what the EPS actually measures: EPS of raw collection only? Collected and normalized? Or collected, normalized and persisted to storage? When the meaning differs and the LM products' internal mechanisms differ, comparing EPS numbers may be meaningless. And vendors will almost never volunteer any of this. If you care about it, the best approach is to build your own test benchmark and run side-by-side comparisons. That is why, for important customers, I place strong emphasis on the PoC.
Users must clearly recognize that LM is a class of management system, and its use has to follow the lifecycle of management-type systems. Simply put, no matter how vendors describe LM, users should understand what implementing LM involves, and much of that work is something you must take part in and cannot avoid. For example, when rolling out LM you should identify the kinds and types of log sources, plan log capacity, design query and statistics templates, and at the same time set up the accompanying operations processes. Do not imagine that after sitting through a vendor's product presentation, owning the product means everything is taken care of.
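As a worked illustration of the two points above, the EPS question (what the figure measures and under what conditions) and the capacity-planning step, here is a small profiling script. It is an added example, not code from the original post or from any vendor's product. The sample messages are constructed for illustration; the regex parsers and the in-memory SQLite table stand in for a real collector's normalizer and storage backend, and the index overhead multiplier is an assumption to be replaced with a figure measured in your own PoC.

```python
"""Profile a log sample and measure EPS at three pipeline stages.

Added example, not code from the original post or any vendor's product.
Sample messages are constructed; regexes and the SQLite table stand in for
a real collector's normalizer and storage; index_overhead is an assumption.
"""
import os
import platform
import re
import sqlite3
import time

# Constructed sample messages: a ~180-byte firewall syslog line and a ~1 KB
# XML application event, the two size classes the post contrasts.
FIREWALL_LINE = (
    "<134>Jan 12 10:15:23 fw01 kernel: DROP IN=eth0 OUT= "
    "SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 "
    "ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0"
)
APP_EVENT = (
    "<event><ts>2011-01-12T10:15:23Z</ts><host>app01</host>"
    "<user>alice</user><action>login</action><result>failure</result>"
    "<detail>" + "x" * 900 + "</detail></event>"
)

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")           # key=value pairs in the message body
XML_RE = re.compile(r"<(\w+)>([^<]*)</\1>")  # flat <tag>text</tag> elements


def normalize(line):
    """Stage 2: parse one raw line into a flat dict of named fields."""
    m = SYSLOG_RE.match(line)
    if m:
        fields = {"source_type": "syslog", "host": m.group("host")}
        fields.update(KV_RE.findall(m.group("msg")))
        return fields
    if line.startswith("<event>"):
        fields = {"source_type": "xml"}
        fields.update(XML_RE.findall(line))
        return fields
    return {"source_type": "unknown", "raw": line}


def profile(lines):
    """Per-source count and average raw size: the conditions an EPS figure
    has to be stated under before it can be compared with anyone else's."""
    totals = {}
    for line in lines:
        kind = normalize(line)["source_type"]
        n, size = totals.get(kind, (0, 0))
        totals[kind] = (n + 1, size + len(line.encode("utf-8")))
    return {k: {"count": n, "avg_bytes": size // n}
            for k, (n, size) in totals.items()}


def benchmark(lines, repeat=2000):
    """EPS measured cumulatively at three points: after collection only,
    after collection plus normalization, and after the event is also
    written to storage. Same input, three different numbers."""
    batch = lines * repeat
    n = len(batch)
    t0 = time.perf_counter()
    collected = list(batch)                           # stage 1: receive into a buffer
    t1 = time.perf_counter()
    normalized = [normalize(ln) for ln in collected]  # stage 2: parse to fields
    t2 = time.perf_counter()
    db = sqlite3.connect(":memory:")                  # stage 3: persist
    db.execute("CREATE TABLE ev (source_type TEXT, host TEXT, raw TEXT)")
    db.executemany("INSERT INTO ev VALUES (?, ?, ?)",
                   [(f["source_type"], f.get("host"), ln)
                    for f, ln in zip(normalized, collected)])
    db.commit()
    t3 = time.perf_counter()

    def eps(dt):
        return n / max(dt, 1e-9)

    return {"collect_eps": eps(t1 - t0),
            "normalize_eps": eps(t2 - t0),
            "persist_eps": eps(t3 - t0)}


def daily_storage_bytes(eps, avg_bytes, index_overhead=1.0):
    """Capacity planning: bytes per day at a sustained EPS and average message
    size. index_overhead is an assumed multiplier for the product's index and
    metadata; measure the real value in the PoC."""
    return int(eps * avg_bytes * 86400 * index_overhead)


if __name__ == "__main__":
    sample = [FIREWALL_LINE, APP_EVENT]
    print("test conditions:", platform.machine(), os.cpu_count(), "cpus")
    print("sample profile:", profile(sample))
    for stage, value in benchmark(sample).items():
        print(f"{stage:>14}: {value:,.0f}")
    # 1000 EPS of ~1 KB application events is ~88 GB/day raw, versus
    # ~17 GB/day for 200-byte firewall lines at the same EPS.
    print("bytes/day, 1000 EPS x 1 KB:", daily_storage_bytes(1000, 1024))
```

The three EPS figures are cumulative, so they can only go down from collection to persistence; a vendor quoting a single "EPS" without saying which stage it covers, on which hardware, and at what average message size is quoting the first number under the most favourable conditions. Run the same script against your own captured sample (a week's worth, as the original article suggests) and feed the measured EPS and average size into the storage estimate before sizing the purchase.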
Reposted from: https://blog.51cto.com/yepeng/570955