Log Management for Security

Per the Center for Internet Security (CIS), the collection, storage and analysis of logs is a Critical Security Control. CIS explains the security relevance of log management quite succinctly in its description of CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs. As quoted on its website:
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.

Put simply, if you are not collecting, storing and analyzing log data for every asset in your organization, you have significant gaps in your visibility of what is happening on your network. Log management therefore plays a key role in your digital security strategy. Complete visibility into what events have occurred and are occurring on your network is a must: it is what lets you focus on the events of interest, and it is what lets you take timely and appropriate measures against potential threats before they balloon into full-fledged security incidents. Note the word "protected" in the quotation above. Logs that an intruder can edit or delete after the fact are not evidence, so collected logs need to be shipped off the originating host and stored where a compromised system cannot alter them. The visibility granted by log management thereby also improves the productivity of security teams across the organization.
Log Management for Compliance

Log management can also be driven by compliance requirements. A failed audit often has consequences that are more immediate, and for the business more pressing, than security needs with no deadline attached. For example, Requirement 10 of the Payment Card Industry Data Security Standard (PCI DSS) says the following:
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.

Given the above quotation, merchants and other in-scope organizations need to maintain PCI DSS compliance by keeping and managing their logs. Requirement 10 is specific about this: among other things, audit trail history must be retained for at least one year, with at least the most recent three months immediately available for analysis. If you don't, an assessment can find you non-compliant with the standard. Fines for non-compliance are levied by the card brands through your acquiring bank rather than by the PCI Security Standards Council itself, and can amount to tens of thousands of dollars.
The Characteristics of a Good Log Management Solution

Now that you know that log management brings its own security and compliance benefits, the next step is choosing a good log management solution. Such a tool usually distinguishes itself through five primary characteristics:
- Be able to provide evidence. Collected data is meant to be used, and the crucial information needs to be readily available at all times. Details gathered by your log management solution could make the difference between stopping attackers in their tracks and not learning about a security issue until it's too late.
- Identify and respond to events of interest. As noted above, a log management solution should provide actionable intelligence that you can use to improve your digital security. There's no point in having it if you can't derive some benefit from it.
- Out-of-the-box support for the major and most relevant platforms and devices. A log management solution needs to be useful as soon as it is deployed. That said, customers should still be able to configure the solution so they can achieve visibility across a wider variety of platforms and devices.
- Automated configuration and user tasks. In the same spirit as the previous point, users should be able to focus on working with the collected data rather than on unnecessary fiddling with the system's configuration.
- Integration with third-party systems. Modern software should not live in isolation; it should interact with existing enterprise applications to further enrich the available information. By integrating with vulnerability management tools and other security solutions in particular, a log management solution yields more accurate and pertinent threat data.
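To make the first two characteristics concrete (providing evidence, and identifying events of interest), here is an added example that is not part of the original article or any product it describes. It parses a handful of constructed sshd-style syslog lines, flags a burst of failed logins from one source followed by a successful login within a short window, and stores each record in a SHA-256 hash chain so that later edits or deletions are detectable. The hostname, IP addresses, timestamps, the 3-failures-in-60-seconds threshold and the function names are all assumptions made for the illustration.

```python
"""
Added example (not from the original page): a minimal log pipeline that
(1) parses sshd-style syslog lines, (2) flags an "event of interest",
namely a burst of failed logins from one source followed by a success,
and (3) stores records in a tamper-evident hash chain so they can serve
as evidence. All log lines, hosts and IPs below are constructed.
"""
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a brute-force against root that eventually succeeds,
# plus an unrelated user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2024-03-01T10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
2024-03-01T10:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 51123 ssh2
2024-03-01T10:00:05 web01 sshd[1203]: Failed password for root from 203.0.113.7 port 51124 ssh2
2024-03-01T10:00:06 web01 sshd[1204]: Failed password for root from 203.0.113.7 port 51125 ssh2
2024-03-01T10:00:09 web01 sshd[1205]: Accepted password for root from 203.0.113.7 port 51126 ssh2
2024-03-01T10:05:00 web01 sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:20 web01 sshd[1301]: Accepted publickey for alice from 198.51.100.4 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)


def parse(text):
    """Turn raw lines into dicts. Lines that do not match are kept and
    marked 'unparsed' so nothing silently disappears from the record."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            records.append({"raw": raw, "unparsed": True})
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["raw"] = raw
        records.append(rec)
    return records


def detect_bruteforce_success(records, threshold=3, window_s=60):
    """Flag a source that fails at least `threshold` times within
    `window_s` seconds and then logs in successfully. Returns one alert
    per offending success (assumed thresholds, tune for your environment)."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for r in records:
        if r.get("unparsed"):
            continue
        q = failures[r["src"]]
        while q and (r["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # expire failures outside the sliding window
        if r["outcome"] == "Failed":
            q.append(r["ts"])
        elif len(q) >= threshold:
            alerts.append({"src": r["src"], "user": r["user"],
                           "failures_before_success": len(q),
                           "at": r["ts"].isoformat()})
            q.clear()
    return alerts


def hash_chain(records):
    """Store each raw line with SHA-256(previous_hash || line). Editing or
    removing any entry breaks verification from that point onward."""
    prev = "0" * 64
    chain = []
    for r in records:
        h = hashlib.sha256((prev + r["raw"]).encode()).hexdigest()
        chain.append({"raw": r["raw"], "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return -1 if the chain is intact, else the index of the first
    entry whose stored hash no longer matches its content."""
    prev = "0" * 64
    for i, entry in enumerate(chain):
        expected = hashlib.sha256((prev + entry["raw"]).encode()).hexdigest()
        if expected != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(json.dumps(detect_bruteforce_success(recs), indent=2))
    chain = hash_chain(recs)
    # Simulate an intruder rewriting one stored line after the fact.
    chain[2]["raw"] = chain[2]["raw"].replace("Failed", "Accepted")
    print("first tampered index:", verify_chain(chain))
```

The detector only reports the success that follows a burst, which is the event worth a response; the four failures on their own are noise on any internet-facing host. The hash chain is the simplest form of the "protected" property CIS asks for: it does not stop an attacker with write access from rewriting the log, but it makes the rewrite provable as long as the latest hash is periodically copied somewhere the attacker cannot reach.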