Analytics
12/11/2009
02:13 PM
50%
50%

Tech Insight: Learn To Love Log Analysis

Log analysis and log management can help breach detection and investigations

Log analysis and log management are often considered dirty words to enterprises, unless they're forced to adopt them for compliance reasons. It's not that log analysis and management have a negative impact on the security posture of an organization -- just the opposite. But their uses and technologies are regularly misunderstood, leading to the potential for security breaches going unnoticed for days, weeks, and sometimes months.

According to the Verizon 2009 Data Breach Investigation Report (PDF), "66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources." This begs the question: Why is it that organizations big and small fail to do proper log analysis? Or after going through the effort to set up logging, why aren't they using those logs to detect issues as they arise?

The root cause of such problems stems from a fundamental lack of understanding about what should be logged, how the data should be centralized, and how it should be analyzed once collected. Even when a company implements a solution to address the first two issues, it's No. 3 that sends their staff straight into information overload -- a problem that can be just as bad as not having logs at all.

Log analysis is a daunting task that can benefit an organization both proactively and reactively. For example, if log analysis is done regularly, events leading up to a user account being broken into or a piece of hardware failing can be caught before serious damage can occur. Likewise, if a security breach does occur, then log analysis can provide the forensic evidence to determine what happened and which systems were affected.

Centralization is the first step. System administrators and security professionals do not have time to log into tens, hundreds, or even thousands of systems, so logs need to be shipped from the source to a hardened log collection server. The central collection server, whether located geographically or organizationally, can be as simple as a syslog server or as complex as a security information and event management (SIEM) solution.

Collecting logs is the easy part. It's how to manage them that's difficult for most IT shops: how to store the logs, how long to store them, whether you keep all of them, etc. Sometimes that can be handled by a SIEM or complementary product that focuses just on those tasks.

Then there's the analysis. Because no one wants to sit around and stare at logs all day, automation and correlation play a huge role in separating the wheat from the chaff. The key for any solution is to bring the events of interest to the surface so an analyst can alert the right people to address the problem. Essentially, log analysis, whether done through homegrown tools or an expensive SIEM, needs to feed actionable information to operations staff to deal with daily issues and security teams to handle incidents.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8896
Published: 2014-12-22
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify ...

CVE-2014-8897
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

CVE-2014-8898
Published: 2014-12-22
Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 ...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.