This video, "Hacking the Future of Log Data" from the CISO Series, explores the evolving landscape of log management, the limitations of traditional SIEM (Security Information and Event Management) systems, and the shift toward "agentic" and purpose-driven data analysis.
The Value and Waste of Log Data
The Hidden Goldmine: Organizations often ignore a massive amount of valuable business and security intelligence hidden in their logs [00:12].
The "Store and Forget" Problem: Roughly 85% to 95% of log data is never actually analyzed [05:42]. Most enterprises only utilize 5% to 15% of what they collect, often just to satisfy compliance checkboxes [06:05].
Redundancy: Data is often ingested from multiple sources (e.g., Windows event logs, EDR, and Entra ID) without filtering, leading to high licensing costs for redundant information [07:13].
Strategic Shifts in Log Management
Parsing Before Ingestion: Modern teams are reducing log volume by 40% to 60% by parsing out unnecessary or redundant data before it ever hits the SIEM [06:32].
Purpose-Driven Collection: Instead of "collecting everything," leaders should start with the business goal (e.g., fraud detection, website performance, or specific threat mitigation) and work backward to identify only the necessary logs [13:03].
Decentralized Querying: There is a move toward querying data in its native format within existing platforms (like an EDR) rather than centralizing everything into an expensive intermediary like a traditional SIEM [25:14].
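As an added illustration of two of the practices above (filtering redundant sources and purpose-driven collection), the Python script below is an example written for this summary; it is not from the episode or from any product mentioned in it. The source names, event types, detection goals, field names and sample events are all constructed assumptions. It keeps only the (source, event type) pairs that a declared goal needs, collapses a process launch reported by both the Windows event log and an EDR into one event, and reports the resulting volume reduction before anything reaches the SIEM.

```python
"""Pre-ingestion log filter: purpose-driven allowlisting plus cross-source dedup.

Added example, not code from the episode. Sources, event types, goals, field
names and the sample events are constructed for illustration.
"""
from datetime import datetime

# Purpose-driven allowlist: each declared detection goal names the
# (source, event_type) pairs it genuinely needs. Anything not listed is
# dropped before ingestion. (Assumed goals and event names.)
PURPOSE_ALLOWLIST = {
    "credential-misuse": {
        ("windows", "4625"),             # failed interactive logon
        ("entra_id", "sign_in_failure"),
    },
    "suspicious-execution": {
        ("windows", "4688"),             # process creation
        ("edr", "process_start"),
    },
}

# Pairs known to describe the same real-world event from overlapping sources.
# Only these are deduplicated: repeated same-source events such as a burst of
# 4625s are kept, because their count is the detection signal.
CROSS_SOURCE_KINDS = {
    ("windows", "4688"): "process_start",
    ("edr", "process_start"): "process_start",
}

# Constructed sample feed: one process launch seen by both Windows and EDR,
# two noisy event types with no declared purpose, and a short logon-failure run.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "windows", "event_type": "4688",
     "host": "ws01", "user": "alice", "process": "powershell.exe"},
    {"ts": "2024-05-01T10:00:01", "source": "edr", "event_type": "process_start",
     "host": "ws01", "user": "alice", "process": "powershell.exe"},
    {"ts": "2024-05-01T10:00:02", "source": "windows", "event_type": "4663",
     "host": "ws01", "user": "alice"},                     # file access, unneeded
    {"ts": "2024-05-01T10:00:03", "source": "windows", "event_type": "4625",
     "host": "ws01", "user": "bob"},
    {"ts": "2024-05-01T10:00:04", "source": "windows", "event_type": "4625",
     "host": "ws01", "user": "bob"},
    {"ts": "2024-05-01T10:00:05", "source": "entra_id", "event_type": "sign_in_failure",
     "host": "cloud", "user": "bob"},
    {"ts": "2024-05-01T10:00:06", "source": "dns", "event_type": "query",
     "host": "ws01", "user": "alice"},                     # no declared purpose
    {"ts": "2024-05-01T10:00:30", "source": "edr", "event_type": "process_start",
     "host": "ws01", "user": "alice", "process": "powershell.exe"},  # later launch
]


def allowed_pairs(purposes):
    """Union of the (source, event_type) pairs needed by the chosen goals."""
    pairs = set()
    for purpose in purposes:
        pairs |= PURPOSE_ALLOWLIST[purpose]
    return pairs


def dedup_key(ev):
    """Normalised identity for events that overlapping sources both report."""
    kind = CROSS_SOURCE_KINDS[(ev["source"], ev["event_type"])]
    return (kind, ev["host"], ev["user"], ev.get("process", ""))


def filter_events(events, purposes, window_seconds=5):
    """Return (kept_events, stats) after allowlisting and cross-source dedup."""
    keep_pairs = allowed_pairs(purposes)
    first_seen = {}   # dedup_key -> timestamp of the event we kept
    kept = []
    stats = {"total": 0, "dropped_unneeded": 0, "dropped_duplicate": 0, "kept": 0}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        stats["total"] += 1
        pair = (ev["source"], ev["event_type"])
        if pair not in keep_pairs:
            stats["dropped_unneeded"] += 1
            continue
        if pair in CROSS_SOURCE_KINDS:
            key = dedup_key(ev)
            ts = datetime.fromisoformat(ev["ts"])
            prev = first_seen.get(key)
            # Window is anchored on the kept event, not slid forward, so a
            # long run of launches is never suppressed indefinitely.
            if prev is not None and (ts - prev).total_seconds() <= window_seconds:
                stats["dropped_duplicate"] += 1
                continue
            first_seen[key] = ts
        kept.append(ev)
        stats["kept"] += 1
    total = stats["total"]
    stats["reduction_pct"] = round(100 * (1 - stats["kept"] / total), 1) if total else 0.0
    return kept, stats


if __name__ == "__main__":
    for goals in (["credential-misuse", "suspicious-execution"], ["suspicious-execution"]):
        _, s = filter_events(SAMPLE_EVENTS, goals)
        print(goals, s)
```

Narrowing the declared goals is what drives most of the reduction: with both goals selected the constructed feed shrinks by 37.5%, with only the execution goal by 75%. The stats dictionary is also the place to watch for a source whose kept count stays at zero, which is exactly the "silent" log the Q&A below warns about.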
The Role of AI and "Agentic" Workflows
Agentic Analysis: Tools like Strike 48 are moving toward "agenticized" log data, using no-code agent builders to integrate complex workflows that can explore and act on log data in real-time [19:26].
Non-Human Identities: As agents perform more tasks, organizations must decide if these agents should have their own identities for accountability or if they should be tied to the human who created them [35:36].
Mindset Shift: Professionals are being encouraged to shift from "log collectors" to "agent builders," focusing on higher-level skill sets rather than manual data triaging [56:20].
Questions & Answers
Q: Why is "collecting everything" considered bad advice?
A: Focusing solely on getting logs to a destination rather than understanding their content leads to massive licensing costs and "silent" logs that provide no actual visibility.
Q: How can an organization know if they are missing critical logs?
A: Proactive measures like red teaming and purple teaming simulations can expose visibility gaps where specific logs would have been necessary to detect an exploit.
Q: How should a CISO handle vendors that paywall critical logs?
A: Focus on the specific outcome needed. If a vendor blocks access, look for creative API integrations, custom scripts, or alternative data sources (like EDR network connections) to reconstruct the necessary visibility.
Q: What is the most important first step for a team struggling with log fatigue?
A: "Just start the journey" by appreciating that the data has value and experimenting with small, agentic workflows to automate one specific business problem rather than trying to "boil the ocean."
Video Link: