Log management reins in security and network device data
Three Steps Toward Better Logging
Despite the complications, there are three simple steps organizations can take to make logs more manageable.
- Separate your logging needs into three functional areas and look at what you need from each. These areas are the log collection process, the data repository where these logs are stored and the business analytics surrounding their use. Often, log management and SIM tools will serve one or two of these functions or perform different kinds of analysis, driving many enterprises toward buying separate products.
- Consider the chain of legal custody when designing a log management scheme, so your log archive can be used as evidence and stand up in court. "There is a lack of controls over the process for accessing logs, and there are serious questions about who should be able to view sensitive data and how to handle the chain of custody when handling log data too," says Nokia manager of corporate IT security services Jay Leek.
Generally, log management tools focus more on preserving a chain of custody than SIMs, which normalize data for correlation and analysis. "You want to have the shortest custody chains possible," says ArcSight's Hugh Njemanze. "We put our log management system in front of our SIM, so it becomes the repository of record. This means that the SIM isn't part of the chain of custody."
Chris Pick of NetIQ adds: "You want any event collector to digitally sign the collection to ensure the nonrepudiation of that data source and to make sure your logging events aren't tampered with." For example, NetIQ provides agents that will guarantee the delivery of log information into its repository, and digitally signs this information too.
- Balance costs and benefits with security and compliance needs. "The cost of noncompliance can determine the overall log management requirements for the enterprise," says Pick. "It isn't a one-size-fits-all type of offering."
Also, steer clear of creating homegrown solutions because the support costs can add up over time. "Homegrown log management scripts are expensive and exist in every organization. Generally, only one person knows how these scripts work, and the environment is often constantly changing," says Leek.
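The second step above asks the event collector to digitally sign what it collects so the repository of record can prove the batch came from that collector and was not altered on the way or while archived. The following Go program is an added illustration of that idea and is not code from the article or from any of the vendors it quotes; it assumes a collector that holds an Ed25519 private key, folds each log line into a SHA-256 hash chain, and signs only the final chain hash, so one signature covers every line and its order. The log lines, the key pair and the tampering scenario are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Batch is one signed collection of log lines as a collector would ship it.
// Lines are folded into a SHA-256 hash chain; the collector signs only the
// final chain hash, so the signature still covers every line and its order.
type Batch struct {
	Lines     []string
	ChainHash []byte // hash of the last link in the chain
	Signature []byte // Ed25519 signature over ChainHash
}

// chainHash computes h_i = SHA256(h_{i-1} || line_i) over the lines, starting
// from an all-zero seed. Because h_{i-1} is always 32 bytes, each link is
// unambiguous and any change, drop, insertion or reorder alters the result.
func chainHash(lines []string) []byte {
	prev := make([]byte, sha256.Size)
	for _, line := range lines {
		h := sha256.New()
		h.Write(prev)
		h.Write([]byte(line))
		prev = h.Sum(nil)
	}
	return prev
}

// SignBatch is the collector side: copy the lines, chain them, sign the chain.
// (Hypothetical helper written for this example.)
func SignBatch(priv ed25519.PrivateKey, lines []string) Batch {
	copied := append([]string(nil), lines...)
	ch := chainHash(copied)
	return Batch{Lines: copied, ChainHash: ch, Signature: ed25519.Sign(priv, ch)}
}

// VerifyBatch is the repository or auditor side. The chain hash must match the
// lines actually present, and the signature must verify under the collector's
// public key; the two checks are separated only to give a more useful error.
func VerifyBatch(pub ed25519.PublicKey, b Batch) error {
	if !bytes.Equal(chainHash(b.Lines), b.ChainHash) {
		return errors.New("chain hash mismatch: a line was altered, dropped, inserted or reordered")
	}
	if !ed25519.Verify(pub, b.ChainHash, b.Signature) {
		return errors.New("signature invalid: not signed by this collector, or chain hash replaced")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample lines standing in for a firewall's syslog feed.
	lines := []string{
		"2007-10-01T08:00:01Z fw01 DENY TCP 10.0.0.5:51234 -> 203.0.113.7:445",
		"2007-10-01T08:00:02Z fw01 ALLOW TCP 10.0.0.9:44321 -> 192.0.2.10:443",
		"2007-10-01T08:00:05Z fw01 DENY TCP 10.0.0.5:51235 -> 203.0.113.7:445",
	}
	batch := SignBatch(priv, lines)
	fmt.Println("chain hash:", hex.EncodeToString(batch.ChainHash))
	fmt.Println("intact batch:", VerifyBatch(pub, batch))

	// Someone with write access to the archive rewrites one DENY as ALLOW
	// after the fact; the stored signature no longer matches the content.
	tampered := batch
	tampered.Lines = append([]string(nil), batch.Lines...)
	tampered.Lines[0] = strings.Replace(tampered.Lines[0], "DENY", "ALLOW", 1)
	fmt.Println("tampered batch:", VerifyBatch(pub, tampered))
}
```

Signing the chain hash rather than each line keeps per-line overhead to one hash, while the asymmetric signature is what gives the nonrepudiation Pick describes: a shared secret (HMAC) would let anyone holding the key forge a batch, whereas here only the collector's private key can produce a valid signature and the repository needs only the public key to check it.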
This was first published in October 2007