Dark Reading
Protect The Business - Enable Access
Do more than just cursory scans. Develop
a holistic approach to app security.
Find out how!
Learn to take the ambiguity out of managing IT so you can guide your business forward.
Download now!
Use these tips from Gartner to identify the EPP solution that best suits your business.
Download now!
Top Excuses For Foregoing Security Monitoring, Logging
Monitoring for security incidents can be tough. It's tougher when you don't know what to look for. Now imagine trying to investigate an incident when you don't have any logs to analyze. By John H. SawyerDark Reading
Monitoring for security incidents can be tough. It's tougher when you don't know what to look for. Now imagine trying to investigate an incident when you don't have any logs to analyze.In this day and age, it's simply irresponsible for organizations to shrug the value and basic need of having a centralized logging infrastructure. Instead, they make excuses for why it can't be done and let the logs autorotate themselves into the ether.
There are two excuses I hear repeatedly regarding why organizations (of all sizes) don't enable logging, centralize the logs, and monitor them in some way.
1. The first is they simply don't have the manpower to devote to log monitoring. Really? I guess if you're talking about devoting a full-time person to watching logs as they scroll by on the screen, then sure, I wouldn't want to allocate any manpower to that task either. It'd be a boring, monotonous job that would likely end up with a lot of turnover.
Have you ever had to deal with a security breach? How about one that led to notification -- or should have led to notification -- but management swept it under the rug? Those investigations can be lengthy, and the more systems involved, the longer it takes. Having the logs from all of your systems in one place can drastically cut that time.
Setting up a logging infrastructure, configuring automated reports that get e-mailed on a regular schedule, and a few real-time alerts using Splunk or OSSEC HIDS takes a lot less time than the typical multisystem breach investigation. And when done right, it can even prevent a breach or at least prevent serious collateral damage.
2. The second excuse that gets thrown at me (complete with a sad face) is that centralizing logs is too expensive. If you're looking to put an expensive SAN behind your logging solution, then it can definitely be pricey. Since the logs are generated for free, you should take advantage of them -- at the very least throw some cheap storage at the problem.
You can get a 2 TB hard drive for around $100, so buy one, shove it into that server sitting in the corner, install Linux running syslog or Windows running Kiwi Syslog Daemon, and start sending logs to it. Then at least you'll have them for when the stuff hits that fan, which is much better than staring at your CIO with a dumb look on your face when he asks why you can't figure out what happened or how long it has been going on for.
Storage needs aside, the software needed to centralize logs is available freely. Sure, plenty of vendors will sell you some expensive log management appliance that will suck down the logs and make them available via a pretty Web interface, but you can do that for free with Linux (same OS the appliances are running) and Splunk (using the free edition of Splunk that is limited in some features).
Even the software to get the logs from the systems doing the logging is free if it's not already included. For example, to get the logs from Windows systems, Snare and LASSO are great, free options that push Windows Event Logs and some text-based logs (e.g., IIS and DHCP) to a syslog server.
As we approach the looming PCI deadline, logging is something companies will be scrambling to implement as they try to fill in all the boxes on their compliance checklists. Once they realize it really isn't that hard, they'll be asking why they weren't doing it sooner.
John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.
 |
To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy. |
Subscribe to RSSSecurity Leaders Urged To Take Action, Responsibility
Obama Cybersecurity Czar Schmidt Steps Down
Threat Intelligence Becoming A Do-It-Yourself Project For Enterprises
MORE KEYHOLE
