Log Review Challenges


Time
12 hours 57 minutes
Difficulty
Intermediate
CEU/CPE
13
Video Transcription
You've got your security operation center up and humming. All of those logs are flowing in. You've got perfect monitoring and configuration set up on all your cloud-based servers and devices. Well, there are still going to be challenges. In this lesson, we're going to talk about the importance of log review in Cloud security operations, talk about the difficulties that accompany log review, and also go over methods to address these challenges.

Log review challenges. We talked about how effective monitoring is really essential to capture any deviations in either performance or behavior within a cloud deployment. But with this increased visibility and improved monitoring from the Cloud environment also come challenges.

One of the first is that sometimes doing log review on certain systems and conducting analysis isn't always a priority. There can be ongoing projects or items that steal time and attention away. It's a necessary, but sometimes feels like a lower-priority, activity. But on the odd occasion, you can discover something that needs to be addressed immediately, and may become an incident. How we're dealing with that priority-versus-other-projects piece is often difficult.

It's inevitable. Doing log review is very repetitive. It is mundane. You're just seeing the same things often. Most of the things you're seeing, hopefully, are false positives in your environment, and that, over time, breeds a sense of, oh, well, what am I really doing? Alert fatigue. You can see all of these alerts, you investigate, it's nothing. This can decrease the effectiveness of security analysts or whoever is doing the log review, because they just [inaudible] the fatigue. None of the alerts really ever seem to result in something, so it creates this feedback loop that disincentivizes prompt log review and prompt log investigation. Then in order to make sure that people can do this, you really have to have someone who has the appropriate technological and security experience to find and investigate real threats or deviations that are found within the logs.

Now, one of the ways to address this problem with alert fatigue is ensuring that people who do log review aren't just only doing that, that there are job rotations, opportunities for them to go around different aspects of Cloud security: maybe they spend some more time on patching or configuration, maybe they help in incident response, something to get them off of this alert fatigue that comes with looking at logs all day. For other people who are rotated in, they have fresh eyes. They may see things that people who've succumbed to the alert fatigue may miss, and may come up with new ways of improving the log review process.

Another difficult aspect of log review is that in order to appreciate what you're seeing from a logging perspective, you have to have knowledge of the operations. This is another area where doing small rotations or working groups with business and stakeholders can help security professionals have a better and more well-rounded understanding of what to expect when monitoring and looking at logs from different Cloud environments.

All right. Quiz question. Which of the following is a potential solution to alert fatigue? One, training courses; two, job rotations; or three, alert tuning? Job rotations are really the best answer here. Although training courses can make people more astute and help them be better at reviewing logs, it doesn't really help with the fatigue aspect. Alert tuning may help with alert fatigue to the extent that there will be less, or fewer, false positives that appear in the logs. However, it really is job rotation that is the best solution for addressing the alert fatigue that comes from extensive time at log review.

In summary, we talked about the importance of log monitoring, talked about those challenges of looking through and combing through the logs, and then we talked about ways to address it, such as more training, doing job rotations, to ensure that there's a fresh pair of eyes looking at the logs and hunting for deviations, to catch any threats before they can do any real damage, or steal data. All right, I'll see you in the next lesson.