Analytics
12/11/2009
02:13 PM
50%
50%

Tech Insight: Learn To Love Log Analysis

Log analysis and log management can help breach detection and investigations

Log analysis and log management are often considered dirty words to enterprises, unless they're forced to adopt them for compliance reasons. It's not that log analysis and management have a negative impact on the security posture of an organization -- just the opposite. But their uses and technologies are regularly misunderstood, leading to the potential for security breaches going unnoticed for days, weeks, and sometimes months.

According to the Verizon 2009 Data Breach Investigation Report (PDF), "66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources." This begs the question: Why is it that organizations big and small fail to do proper log analysis? Or after going through the effort to set up logging, why aren't they using those logs to detect issues as they arise?

The root cause of such problems stems from a fundamental lack of understanding about what should be logged, how the data should be centralized, and how it should be analyzed once collected. Even when a company implements a solution to address the first two issues, it's No. 3 that sends their staff straight into information overload -- a problem that can be just as bad as not having logs at all.

Log analysis is a daunting task that can benefit an organization both proactively and reactively. For example, if log analysis is done regularly, events leading up to a user account being broken into or a piece of hardware failing can be caught before serious damage can occur. Likewise, if a security breach does occur, then log analysis can provide the forensic evidence to determine what happened and which systems were affected.

Centralization is the first step. System administrators and security professionals do not have time to log into tens, hundreds, or even thousands of systems, so logs need to be shipped from the source to a hardened log collection server. The central collection server, whether located geographically or organizationally, can be as simple as a syslog server or as complex as a security information and event management (SIEM) solution.

Collecting logs is the easy part. It's how to manage them that's difficult for most IT shops: how to store the logs, how long to store them, whether you keep all of them, etc. Sometimes that can be handled by a SIEM or complementary product that focuses just on those tasks.

Then there's the analysis. Because no one wants to sit around and stare at logs all day, automation and correlation play a huge role in separating the wheat from the chaff. The key for any solution is to bring the events of interest to the surface so an analyst can alert the right people to address the problem. Essentially, log analysis, whether done through homegrown tools or an expensive SIEM, needs to feed actionable information to operations staff to deal with daily issues and security teams to handle incidents.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Threat Intel Today
Threat Intel Today
The 397 respondents to our new survey buy into using intel to stay ahead of attackers: 85% say threat intelligence plays some role in their IT security strategies, and many of them subscribe to two or more third-party feeds; 10% leverage five or more.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-9710
Published: 2015-05-27
The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time windo...

CVE-2014-9715
Published: 2015-05-27
include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that trig...

CVE-2015-2666
Published: 2015-05-27
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to t...

CVE-2015-2830
Published: 2015-05-27
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrate...

CVE-2015-2922
Published: 2015-05-27
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.