Establishing a practical routine for reviewing security logs

The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals

    Requires Free Membership to View

who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.

Sometimes reviewing security logs can be fun. Don't get me wrong -- sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.

Even though the review of security logs is critical to the success of a SIM program, doing so regularly and comprehensively is not easy. Here are a few recommendations for establishing a process to ensure that important events don't go unnoticed:

  • Schedule a regular time for reviewing logs. Creatures of habit, most of us find it harder to forget chores that we conduct according to a predictable schedule. Decide on a time that will allow you to devote attention to log-reviewing duties and stick with that schedule. Mark that time slot as "busy" in your calendar to prevent unwanted meetings or other interruptions.
  • Automate repetitive log-processing tasks. Manually reviewing every entry in the log is monotonous, time-consuming and important alerts will be missed as a result. Make use of the log-processing tool's ability to group similar records together, prioritize events, and filter entries that are not currently relevant. Automating such tasks speeds up the reviewing process and improves its accuracy.
  • Alternate log-reviewing responsibilities. There are several advantages to varying who is responsible for reviewing the logs. It helps prevent the fatigue of performing repetitive tasks. It also exposes data to another individual's fresh perspective. Consider alternating the responsibilities on weekly or monthly basis among qualified members of your team.
  • Track the problems addressed by reviewing logs. Routine tasks are easy to take for granted. Keep track of the problems, such as service downtime or a network intrusion, that were prevented or remediated as a result of reviewing security logs. This practice will gather metrics for assessing the usefulness of reviewing the logs, which is particularly helpful during budget or bonus allocation times.

A practical routine for reviewing security logs is regularly scheduled, partially automated, alternated among team members, and linked to problem resolution. Not only will such processes bring vigilance to the log-reviewing duties, but it will also ensure that an organization gets the most out of the valuable data captured by the its SIM systems.

About the Author:
Lenny Zeltser is the information security practice leader at Gemini Systems LLC, a New York-based IT consulting firm, and an instructor at SANS Institute. More information about his projects and interests is available at www.zeltser.com.

This was first published in September 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.