The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.
Sometimes reviewing security logs can be fun. Don't get me wrong -- sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.
Even though the review of security logs is critical to the success of a SIM program, doing so regularly and comprehensively is not easy. Here are a few recommendations for establishing a process to ensure that important events don't go unnoticed:
- Schedule a regular time for reviewing logs. Creatures of habit, most of us find it harder to forget chores that we conduct according to a predictable schedule. Decide on a time that will allow you to devote attention to log-reviewing duties and stick with that schedule. Mark that time slot as "busy" in your calendar to prevent unwanted meetings or other interruptions.
- Automate repetitive log-processing tasks. Manually reviewing every entry in the log is monotonous, time-consuming and important alerts will be missed as a result. Make use of the log-processing tool's ability to group similar records together, prioritize events, and filter entries that are not currently relevant. Automating such tasks speeds up the reviewing process and improves its accuracy.
- Alternate log-reviewing responsibilities. There are several advantages to varying who is responsible for reviewing the logs. It helps prevent the fatigue of performing repetitive tasks. It also exposes data to another individual's fresh perspective. Consider alternating the responsibilities on weekly or monthly basis among qualified members of your team.
- Track the problems addressed by reviewing logs. Routine tasks are easy to take for granted. Keep track of the problems, such as service downtime or a network intrusion, that were prevented or remediated as a result of reviewing security logs. This practice will gather metrics for assessing the usefulness of reviewing the logs, which is particularly helpful during budget or bonus allocation times.
A practical routine for reviewing security logs is regularly scheduled, partially automated, alternated among team members, and linked to problem resolution. Not only will such processes bring vigilance to the log-reviewing duties, but it will also ensure that an organization gets the most out of the valuable data captured by the its SIM systems.
About the Author:
Lenny Zeltser is the information security practice leader at Gemini Systems LLC, a New York-based IT consulting firm, and an instructor at SANS Institute. More information about his projects and interests is available at www.zeltser.com.