Bringing together all your information to make better decisions.
Firewalls, routers, intrusion prevention systems, web content filters, mail gateways, application servers, authentication servers, host-based intrusion prevention, end point client software.
The list of devices and applications that generate security logs already seems endless, and yet the list continues to grow as new security tools are used in response to the ever-evolving threat landscape. These logs often produce enormous amounts of information and are delivered in a variety of formats making it very difficult to gather useful information or troubleshoot a problem.
Making the situation even more difficult is the fact that many organizations now have remote offices and workers with equipment and logs of their own. These systems and applications must also be monitored to ensure you have consistent security across your organization, and that your remote users and networks aren’t a security weak point that could lead to exploits. Managing, maintaining and making sense of all this information is a daunting task for any organization, but can be especially challenging for smaller organizations with limited budgets and IT resources.
Despite these challenges, an effective log management strategy is a critical piece of any organization’s IT security program, and used properly, log management can help you make better decisions relating to IT resources, purchasing, and the overall security and health of your network.
The enormous amount of information that IT systems generate can be used to fix issues, provide audit trails and baselines, and proactively prevent problems. This information can also be used to maintain or achieve compliance, and storing logs for long periods is often a requirement. How to do so properly is one of the major concerns for any organization implementing a log management program.
Organizations that wish to implement an effective log management strategy need to first define their goals and requirements. Is the goal compliance, problem analysis, network monitoring, IT security? If your goal is just to monitor network equipment and/or troubleshoot security issues, then having IT staff handle log management may suffice. However, if your goal includes all of the above, you may need to split up log management responsibility across different departments or teams to ensure that the proper resources have the information they need.
Once you’ve defined your goals and understand what information is needed and who should be responsible, you can confirm which types of logs are available to fit these needs and what may be missing. This will help you determine if another solution or perhaps some specific information is needed to achieve your goals. Perhaps HR needs to monitor web usage by user name, but that information is not currently available on your web filtering device. It may be that a fairly simple configuration change is needed to gather this information, or it may be necessary to re-evaluate the product you’re using.
Understanding what information is needed will also allow you to start thinking about how much storage space is needed for these logs, and whether it’s acceptable to overwrite old logs once a certain time period has passed.
The next step is to determine what will be done with these logs, how long they’ll be stored, and if there are any special requirements such as encryption. Many logs contain sensitive information such as user names and sometimes even passwords, so securing these logs is a very important consideration. If you’re gathering logs from different locations you’ll also need to ensure that this information is protected while in transit. Once you have the logs, will they be actively monitored for events or should they be stored in case they’re needed? If storing logs for future analysis, thought needs to go into how easily archived information can be gathered.
Once you’ve figured out your goals, responsible parties, and what information is needed, you can start to determine which type of log management solution is best for your organization. Fortunately, there are many different options out there for companies developing their log management infrastructure. A variety of open source and commercial applications can help aggregate and parse logs from different vendors and systems, and new cloud-based solutions can offload tasks such as data security and storage and provide redundancy to protect your data. Choosing the right solution will depend on many factors such as cost, complexity and features, but understanding your goals and needs will help guide you in the decision-making process.
As with any IT initiative, support for an effective log management infrastructure must come from the top, so that everyone in the organization understands and supports the goals. This can help avoid log management becoming the afterthought for an overworked IT staff and can help add real value to the organization.
You Can Learn More About the Astaro Internet Security Product Line By Going to www.FirewallShop.com/Astaro.
The original article/video can be found at Making sense of log management