Mining enterprise SIM logs for relevant security event data

Security information management systems, or SIMs for short, are effective platforms for the collection, analysis and storage of events from a broad range of systems and devices within the IT infrastructure. Many enterprises are overwhelmed by the myriad of choices and types of data a SIM can provide. For example, any given application might produce an access log, an event log, a transaction log and an audit log, each used for a slightly different purpose and containing slightly different information. Taking some time to understand the difference and selecting just the information you need helps produce better reports and reduce resource overhead. In this tip, we will explore efficient ways to get the most relevant data from enterprise security information management systems.

Understand the regulations
With storage costs incredibly low, many organizations manage compliance by taking the path of least resistance. Rather than evaluate the regulatory requirements for data retention -- like what data needs to be kept and for how long -- many IT professionals will simply turn logging and auditing functions on and collect every available event. In turn, the record retrieval, analysis and reporting process becomes overwhelming, taking days instead of minutes.

Many regulations, however, don't actually require long-term storage. As an example, many have treated the amended rules for the Federal Rules of Civil Procedure (FRCP) as a requirement to store audit trails for an extended period. But a review of the Electronic Discovery Rule Amendments actually reveals that an organization has the ability to define "electronic data which is reasonably accessible." It is perfectly acceptable for an organization to dictate what is appropriate

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

Collect the right data
I often see companies collecting system logs in their entirety or turning on audit features for their application platforms and incurring a great deal of overhead when all they wanted was a report detailing failed logons. What could have been done with simple network monitoring with no performance cost to the application instead generated gigabytes of log files and reduced overall application throughout. Even so, as some of the applications didn't view failed logins as an application-level event, most access control-related failures were not recorded by design, and service-level interruptions were missing altogether.

As many data collection methods have overlapping information, and each method has an associated cost in terms of performance and quantity of data -- not to mention quality of data -- spend some time ensuring that the data being collected is appropriate for the type of problem being addressed. Sometimes a simple adjustment in this area leads to much more accurate reports.

Assess your efficiency
As SIM is not a new technology platform, there are many companies that have had the technology for several years but are less than happy with the performance and value of the platform. A lot has changed in the last couple of years, however, with new methods of data collection, new ways of analyzing data, and new ways of solving IT problems. Enterprises that implemented a SIM product a few years ago should re-examine their assumptions and deployment choices now that the platforms have evolved and become more efficient. Your SIM may offer a new method of data collection, like network packet collection, which can provide a more efficient method of collecting activity. Or you may have implemented virtualization, which can affect the data that is collected. Most company networks undergo constant change, and vendors are improving their products, so periodic review is recommended.

Know the value of normalized data
When collecting data from hundreds or thousands of disparate devices and systems, normalization helps to provide a unified view of the events. Normalization for SIM means automatically pulling common data items from each event (like who, what, when and where) and storing this subset into a common format. In essence, SIM normalization is making dissimilar data all look the same. This process makes cross-system analytics feasible. And since all events share a common format, reporting and analysis is far easier as well.

But in many cases, the data that is kept in this normalized form is insufficient to really understand if there is a problem and what steps are necessary to remediate it. If a SIM platform identifies a failed or illegal transaction -- for example, if someone uses an unapproved application to make an ad-hoc adjustment to the general ledger -- a normalized event record will not include enough information. Identifiers like transaction ID, customer name, dollar amount, or any of the contents of the transaction needed to identify the transaction is missing. In order to fix review and fix the questionable entry, it will most likely be necessary to manually sift through hundreds or even thousands of legitimate changes.

Normalized records are a great way to reduce data volume and provide aggregation and correlation report, but to provide value from a security or audit standpoint, normalized event detection is not enough. Make sure to store enough of the original record, or better yet, have "drill down" capabilities, to cross reference the normalized record with the original record.

SIM platforms are both powerful and flexible. They provide a fast and efficient way to gather data, and a lot of options on how to process and analyze this data. What you collect and how you process it affects your ability to meet business drivers and compliance requirements, so take the time up front to understand your options and how best to achieve your goals; it will save you time and money in the long run.

About the author:
Adrian Lane is a senior security strategist with Securosis LLC, an independent security consulting practice. He has 22 years of industry experience, specializing in database architecture and data security. Prior to joining Securosis, Lane was the CTO at the database security firm IPLocks, and he has also served as the vice president of engineering at Touchpoint, three years as the CIO of the brokerage CPMi, and two years as the CTO of the security and digital rights management firm Transactor/Brodia.