How Modern Log Management Strengthens Enterprises’ Security Posture

If security teams are not logging everything, they are increasing security risk and making it more difficult to investigate and recover from a data breach. Modern log management goes beyond just a SIEM.

Simon Simonsen, Sr. Security Architect, CrowdStrike

December 21, 2021

4 Min Read
Analyzing server logs.
Source: Dmytro Olegovich Zakharchuk via Alamy

In 2019, a seemingly innocuous and routine software update from SolarWinds, a Texas-based energy company, cascaded into a major cyberattack that affected the Pentagon, the U.S. Treasury, Justice and Energy departments, and other high-profile companies like Microsoft, going undetected for months. Such attacks cripple enterprises and ecosystems while carrying a hefty price tag — the cost of a data breach rose from $3.86 million USD in 2020 to $4.24 million USD in 2021, the highest average total cost in 17 years. Cybersecurity attacks like these have made a clear case for rethinking how enterprises log data. Logging everything is a clear-cut path to better forensics and can empower cybersecurity and IT teams to catch threat actors in real time.

Why Traditional Log Management Platforms Fail

Logging all data is a lofty goal, which is why most organizations buckle under the sheer volume — especially if they lack a clear data management plan. Organizations often rely on legacy log management platforms or DIY SIEMs (security information and event management), but logging and storing data in these outdated solutions is expensive and unscalable. Already struggling with limited budgets, security professionals are forced to compromise and settle on logging all of their data for a week, or a month at best.

As a result, some logs — especially those from today’s modern information architectures like microservices, containers and multi-cloud environments — get left behind. So if organizations have filled up their budget with firewall logs but they need process execution data, internal DNS or file movement logs, they’re out of luck.

In addition, environments such as containers and microservices do not leave an easily accessible audit trail, which further complicates the problem. When organizations can’t log everything, blind spots increase. Malicious actors can exploit these blind spots and fly under the radar, causing extensive damage. Security teams are left with little assurance they have covered all of their bases, and even after security professionals find a breach, they cannot conduct an accurate and timely post-mortem analysis. 

In order to launch forensics and detect and prevent breaches, organizations must log all of their data in real time. To accomplish this, organizations need a purpose-built log management platform tailored to today’s challenges of complexity and capability.

The Advantages of Modern Log Management

Modern log management platforms aggregate and visualize all streaming data in real time, whether it flows from email, network traffic, hybrid cloud environments, DevOps cycles, containers or microservices. The speed is a game-changer as it gives security professionals the reassurance that they have all pieces of the puzzle to track down threat actors in real time and launch remediation plans quickly in case an intrusion takes place.

By logging everything, companies can work with high-fidelity data whose provenance they can trust. Logging everything also prepares organizations to meet any pressing compliance requirements.

With modern log management platforms, companies are able to respond to incidents faster. Since they’re working with a complete picture, there are no blind spots — and crime attribution becomes easier. Since all of the data is live, security professionals can query the data easily and quickly. For example, a team member can definitively say the problem is confined to 10 specific machines instead of thousands. This narrowed focus makes the IT professional’s job much easier and saves time.

Being armed with thorough log data and knowledge about their infrastructure helps security professionals stay ahead of the game, thwarting attacks from happening in the first place, or at least dulling their impact. With comprehensive log data, organizations can “push left” on the cyber kill chain, set up “trip wires” and continuously hunt threats by utilizing streaming queries. Security professionals can accelerate their observe-orient-decide-act (OODA) loop to get feedback and make decisions faster. As long as defenders have quicker, successful OODA loop completion, they can mitigate the operational impact of adversarial efforts within their infrastructure.

Start Logging Everything Today

The complexities of digital transformation and the growth of a variety of data infrastructure environments have increased cybersecurity risks. Modern log management tools help organizations log all of their data in real time and deliver streaming observability into otherwise siloed, distributed or unmanaged systems. As a result, organizations can fortify their security posture, avoiding fines, ransoms and the untenable consequences of breaches.

About the Author(s)

Simon Simonsen

Sr. Security Architect, CrowdStrike

Simon has worked 15+ years as an IT security subject matter expert in roles that range from systems engineer, incident responder, external technical consultant to security architect. Has both build SecOps in financial and IT security regulated industries and provided advice and reporting to C-level and board of directors.

Simon has spoken on podcasts and conferences on the topics of building security monitoring architecture to gain leverage by knowing your own IT landscape better than the adversary.

He holds a M.A. from Aarhus University in Information Studies, CISA accreditation, and SANS training that covers incident response, digital forensics and Active Directory hardening.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights