
Log management push has its roots in compliance

By Marcia Savage, Features Editor, Information Security magazine
20 Jun 2007 | SearchSecurity.com


Enterprise interest in log management is heating up as compliance requirements push organizations to get a grip on their log data.

Auditors are prodding companies to think about centralized log management in order to ensure control over scattered data, said Trent Henry, senior analyst at Burton Group: "So we have one place that can keep the information and have proper IT controls over the data to make sure it's not tampered with or lost or accessed by people who shouldn't, and that those policies are enforced."

No single compliance requirement is driving interest in log management, Henry said. A couple of years ago, SOX was the top concern since it spurred most new audit efforts, but now log data is important for demonstrating an organization's controls for a variety of regulations, he added.

But Dave Shackleford, vice president at the nonprofit Center for Internet Security and a SANS instructor, said the PCI Data Security Standard in particular is helping to make log management a hot topic in the enterprise.

Companies are figuring out that "they already have a lot of the information that they need to get a good bit of the way towards [PCI] compliance, they just don't have the tools to take that information and do anything with it," he said.

Log management tools can help organizations drill down and look for specific data strings such as full track data from credit cards; PCI prohibits storage of such information, so companies can then take corrective action.

The log management market includes tools from LogLogic, LogRhythm and Splunk, syslog-focused products such as Kiwi Enterprises' Syslog Daemon, and freeware like Unix's syslog daemon. Also, security information management (SIM) vendors have begun tailoring their product lines to meet the demand for log management by offering options that focus on providing more storage capacity than correlation capability.

At the Burton Group Catalyst Conference, Jay Leek -- manager of corporate IT security services at Nokia -- plans to talk about practical considerations for log management and how a centralized system can improve compliance, incident response and troubleshooting while also saving time and money.

"Whether people want to acknowledge it or not, we're generating a significant amount of log data in any enterprise environment and there's a lot of cost associated with generation, collection and storage of log data," Leek said.

Without any control over what's being logged, companies can spend a great deal of time and effort searching through log data during an incident investigation or when trying to troubleshoot an IT problem, he said. Inconsistent logging formats and relying on homegrown scripts for analyzing and managing logs contribute to the difficulty.

Not having control over what's logged, what's stored and who has access to it can also create problems for a company that does business internationally, because retention and privacy laws differ from one country to another, Leek said. For example, in France, log data containing personally identifiable information can be retained for a maximum of six months, while Russia requires some log data be kept for five years.

Deploying a log management system can streamline compliance and reduce the amount of resources needed to respond to numerous IT, security and audit requests for log data, Leek said. It provides the segregation of duties needed for various compliance purposes and also can guarantee chain of custody for forensics investigations. In addition to manpower savings, a centralized system reduces hardware and support costs.

Solid, enterprise-class tools for log management have come into the market in the past couple of years, he said. In particular, some tools provide for centralized management without storing log data in one place, which allows companies to comply with individual country laws.

Shackleford said a company looking to buy a log management solution should first consider its current volume of log data: "That could make or break a technology decision because some of the players don't have support for big-time storage."

Another consideration is the platform diversity in the company's environment; homegrown and legacy applications may not fit into standard logging formats, he said. While log management vendors say they parse any data, some make it easier than others.

Other factors to weigh when making a purchase are scalability and a vendor's viability, Shackleford added.
