WHITE PAPER

Demand More from Your Log Management Solution
Key Criteria for Maximizing Value and Reducing Risk

Author: Mark Bouchard

2009 AimPoint Group, LLC. All rights reserved.
Introduction

Every IT department needs log management, at least that's what you're being told. And the truth is, you do. The days of haphazardly gathering and reviewing log data primarily for ad hoc troubleshooting are fading fast. A more formal, comprehensive, and automated solution that supports other objectives as well, especially compliance management, is in order given the complexity of today's computing environments. But is log management really enough? And how can organizations reduce the risk involved, given the substantial investment required to purchase, implement, and operate what is often an expensive and relatively complicated product? This paper answers these and other pertinent questions by crystallizing the criteria that organizations should use when evaluating log and security event management solutions.

The Log Management Conundrum

Not surprisingly, IT departments have no problem recognizing the need for a solution that better addresses two of their most pressing challenges: compliance management and the need to enhance their security defenses to stay ahead of mounting threats. Unless their heads are buried in the sand, today's CIOs and CSOs are also aware that log management is being touted as the solution du jour, and that the attention it is receiving is not unwarranted. Besides being explicitly required by some IT privacy and security regulations, log management can help organizations accelerate the process of demonstrating compliance. It can also help them improve IT operations and, at least to some extent, reduce risk, for example by providing activity baselines and audit trails and by supporting forensic investigations.

However, when it comes to purchasing a log management solution, many IT decision makers still have reservations because:

- They are uncertain about the specific features, capabilities, and characteristics to look for in a solution. And even if they are certain, it is not easy to distinguish one solution from the next; they all seem pretty much the same.
- Log management products are fairly complex, and it looks as if they will require a substantial commitment of time and effort before meaningful results and returns are achieved.
- Log management products are relatively expensive to purchase, implement, and operate. This raises the risk associated with investing in one. A poor outcome means a weaker security and compliance posture, because scarce resources will have been taken away from other, potentially helpful solutions. And for the personnel most heavily involved with the project, their credibility and potentially their jobs will be on the line.

This set of concerns applies to organizations of all types and sizes. But it is especially relevant for those without large security staffs, dedicated security operations centers (SOCs), and seven-figure security budgets. Although they share many of the same needs with regard to enterprise security and compliance, unlike their larger, well-funded counterparts such organizations can ill afford a misstep in how they spend their time and money. Even a single mistake could cause terminal damage.

The good news is that although log and security management is often complex and expensive, it does not need to be that way. Some solutions are better than others at lowering the barriers to entry and ensuring ongoing success. What savvy decision makers need to look for is a solution that provides greater functionality, reduces the time and effort required to "operationalize" the associated capabilities, and minimizes the risk of making the investment in the first place.

Technical Criteria: What Have You Done for Me Lately?

The value of any solution, including log management, can be gauged at least in part by the problems it helps solve.

Log Management is a Strong Foundation

Fundamentally, log management entails the collection, processing, utilization, and storage of log data from an organization's computing and information infrastructure. The IT functions it typically enables include:

- Health monitoring, to help uncover inefficiencies and improve performance.
- Routine troubleshooting, to establish and remedy the cause of identified problems.
- Analysis of data for forensics or business intelligence, which is essentially about conducting detailed investigations in support of legal proceedings or uncovering hidden opportunities for top-line growth and/or bottom-line savings.
- Establishing compliance with regulatory requirements, both by automating the ability to demonstrate adherence to stated policies and by preserving the integrity of activity and audit trails.

Not surprisingly, the criteria that define an appropriate solution map back both to the underlying mechanics of log management and to the higher-order functions they support.
In this regard, the specific features, capabilities, and characteristics IT managers should evaluate include the following:

- Collection: the ability to obtain log data from virtually any device, preferably without the need for agents. Note that the simplest agentless transport, syslog over UDP, drops events under load and authenticates nothing, so check that the solution also supports reliable, authenticated delivery (for example, syslog over TCP with TLS).
- Processing: intelligent filtering, parsing, and normalization functionality that establishes an understanding of, and a common format or framework for, collected log data, so that it has meaning and is made more usable for both automated and manual applications.
- Utilization: robust indexing and search functionality, plus a combination of packaged (e.g., for specific regulations) and fully customizable reports, as well as associated scheduling, sharing, and notification capabilities.
- Retention: the ability to store processed data to support historical analysis, along with the capability to store raw data while maintaining proof of integrity (for example, by hashing each stored record and chaining the hashes, or by using write-once storage).

Products that meet or exceed these requirements will deliver a strong foundation for better IT, security, and compliance management. But why stop with these gains when there is a clear opportunity to extract even more value from the data being collected?

Log Management is Not Enough

Traditional log management solutions are relatively passive and fall short in other ways too when it comes to helping today's organizations address the second challenge noted above, namely staying ahead of mounting threats. Available tools typically offer little support for cutting through the deluge of security events being generated and focusing the activities of security operations personnel in a timely manner. Neither are they well suited to identifying, in a timely and, where possible, proactive or automated manner, the malware and attacks that elude an organization's defenses.

This is exactly why organizations require security event management (SEM) capabilities too. (The combination of log management and SEM is what the market now generally labels SIEM.) SEM not only addresses these additional threat-management problems, but does so using many of the same underlying mechanisms and, for that matter, much of the same data as log management, a characteristic we will come back to shortly. In the meantime, it is also important to recognize the key areas where SEM differs from log management:

- It extends collection capabilities to incorporate other sources of data, such as configuration settings, the results of vulnerability scans, and asset values, to provide context for otherwise discrete, isolated events.
- It extends both collection and processing capabilities to ensure that data is available in real time.
- It extends the utilization capabilities associated with log management by adding:
  - monitoring, to enable real-time visibility into what is happening;
  - correlation, to help prioritize staff efforts and identify unknown threats; and
  - incident response, to stop active threats, prevent their recurrence, and help repair or restore affected systems.

SEM also delivers another layer of value when it comes to achieving regulatory compliance, by fulfilling the ever-present requirement for an overarching security monitoring capability.
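Three of the criteria above (processing, meaning parsing and normalization into a common format; retention of raw data with proof of integrity; and correlation) are easier to judge in a product evaluation once you have seen them reduced to code. The script below is an added example for this editorial copy, not code from AimPoint Group or from any product the paper discusses. It normalizes two constructed log formats (an OpenSSH syslog line and a key=value line carrying the Windows logon event IDs 4624 and 4625) into one schema, stores the raw lines behind a SHA-256 hash chain so that any alteration, deletion, or reordering is detectable, and runs a single correlation rule (three or more authentication failures from one source address followed by a success from the same address within 60 seconds). The schema field names, the year assumed for the year-less syslog timestamps, the chain seed, and the rule thresholds are this example's own choices.

```python
"""Added example (not from the AimPoint paper or any vendor): a toy log pipeline
covering normalization, raw retention with a hash chain, and one correlation rule.
All log lines are constructed sample data."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed input in two source formats; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges, not real hosts.
RAW_LOGS = [
    "<38>Jan 12 10:15:01 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "<38>Jan 12 10:15:03 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "<38>Jan 12 10:15:05 web01 sshd[2101]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "<38>Jan 12 10:15:09 web01 sshd[2102]: Accepted password for root from 203.0.113.5 port 51030 ssh2",
    "2009-01-12T10:16:00Z host=dc01 event_id=4625 user=jsmith src=198.51.100.7 outcome=failure",
    "2009-01-12T10:16:20Z host=dc01 event_id=4624 user=jsmith src=198.51.100.7 outcome=success",
]

SYSLOG_SSH = re.compile(
    r"^<\d+>(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>[\d.]+)"
)
KV_LINE = re.compile(r"^(?P<ts>\S+) (?P<kv>.*)$")
# Windows security log: 4624 = successful logon, 4625 = failed logon.
WIN_LOGON = {"4624": "auth_success", "4625": "auth_failure"}


def parse_syslog_ssh(line, year=2009):
    """BSD syslog carries no year; the year used here is an assumption of this example."""
    m = SYSLOG_SSH.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "raw": line,
            "action": "auth_failure" if m["result"] == "Failed" else "auth_success"}


def parse_kv(line):
    m = KV_LINE.match(line)
    if not m:
        return None
    f = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
    action = WIN_LOGON.get(f.get("event_id"))
    if action is None or not all(k in f for k in ("host", "user", "src")):
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": f["host"], "user": f["user"], "src_ip": f["src"],
            "action": action, "raw": line}


def normalize(line):
    """Normalization: first parser that understands the line wins; None if none does.
    A production pipeline keeps unparsed lines as raw events rather than dropping them."""
    for parser in (parse_syslog_ssh, parse_kv):
        ev = parser(line)
        if ev is not None:
            return ev
    return None


def normalize_all(lines):
    return [ev for ev in map(normalize, lines) if ev is not None]


def chain_raw_records(lines, seed=b"log-chain-v1"):
    """Retention with proof of integrity: each digest covers the previous digest plus the
    raw line, so changing, removing or reordering any stored line breaks every later digest.
    Anchor the final digest somewhere the log store cannot rewrite to make this meaningful."""
    digests, prev = [], hashlib.sha256(seed).hexdigest()
    for line in lines:
        prev = hashlib.sha256(prev.encode() + b"\n" + line.encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines, digests, seed=b"log-chain-v1"):
    return chain_raw_records(lines, seed) == digests


def brute_force_then_success(events, min_failures=3, window_seconds=60):
    """Correlation rule: >= min_failures auth failures from one source address followed by
    an auth success from that address within window_seconds. Thresholds are assumptions."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        failures = []
        for ev in evs:
            if ev["action"] == "auth_failure":
                failures.append(ev["ts"])
            elif ev["action"] == "auth_success":
                recent = [t for t in failures if (ev["ts"] - t).total_seconds() <= window_seconds]
                if len(recent) >= min_failures:
                    alerts.append({"rule": "brute_force_then_success", "src_ip": src,
                                   "user": ev["user"], "host": ev["host"],
                                   "failures": len(recent), "ts": ev["ts"]})
                failures = []  # a success closes the window
    return alerts


if __name__ == "__main__":
    events = normalize_all(RAW_LOGS)
    print(f"{len(events)} events normalized; chain head {chain_raw_records(RAW_LOGS)[-1][:16]}...")
    for a in brute_force_then_success(events):
        print(f"ALERT {a['rule']}: {a['src_ip']} -> {a['user']}@{a['host']} after {a['failures']} failures")
```

Run as is, the script reports six normalized events and one alert for 203.0.113.5; the single failure from 198.51.100.7 stays below the threshold. Both halves of the evaluation advice in the paper show up here: the correlation rule is only as good as the normalization feeding it (a parser that mislabels 4625 silently blinds the rule), and the hash chain proves nothing unless its head is kept somewhere the log store itself cannot rewrite.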
Once again, it is not surprising that the criteria IT organizations should evaluate map back to the aforementioned capabilities. Given the preceding discussion, some of these are rather obvious, such as support for a broad array of supplemental data sources and meeting the objectives for real-time processing and presentation. Other essential components characteristic of a leading solution include:

- A highly flexible rules engine for specifying, customizing, and automating many of the details that control how events are collected, processed, utilized, and retained.
- Advanced correlation and analysis capabilities based on an extensive set of packaged rules and algorithms, plus the ability to easily extend and customize them. This area is the key to achieving maximum gains, and is also one where solutions are likely to exhibit significant differences. Thus, particular attention should be paid to the accuracy and overall usefulness of these capabilities, something that is hard to assess without a relatively long period of evaluation, ideally in a production environment. In practice that means measuring, against your own event stream, how often the packaged rules fire on genuine incidents versus benign activity, since a rule set that cannot be tuned to an acceptable false-positive rate will simply be switched off.
- Robust response and remediation functionality for manually and, optionally, automatically stopping active threats and pursuing the restoration of affected systems, using native mechanisms and/or integration with 3rd-party tools.
- A high-performance, highly scalable architecture. The value of a log and security management solution is directly related to the scope of collected data and the extent and accuracy of the correlation and analysis that is possible, all of which depends, in turn, on having sufficient performance and scalability to perform the requisite functions, in many cases in real time. Unfortunately, this is another area that is difficult to evaluate. Support for hierarchical implementations and claims of unprecedented, high-speed database technology or super-optimized processing routines are certainly interesting, but their true worth can only be established by a long-term evaluation under real-world conditions.

Just as log management is not sufficient to meet all of an organization's needs, neither are technical capabilities alone. Consideration must also be given to operational criteria which, rather than defining what a specific solution can do, focus on how easy it is to use.

Operational Criteria: More Gain with Less Pain

Another measure of a solution's value is the ease and speed with which its technical functionality can be implemented and operationalized. One major consideration in this regard is how the solution is packaged and delivered. Given that organizations need both log and security event management, and given that the latter essentially builds on the former, it makes considerable sense to obtain both sets of functions within a single product, and not just as integrated capabilities spread across a series of function-specific boxes, but all together on a single appliance. Such an arrangement has the greatest potential for reducing costs and infrastructure complexity, and should be feasible for the majority of scenarios, including ones with high performance and scalability requirements. With a properly architected solution, the only real exception will be IT departments where political issues arise, such as those pertaining to organizational structure, ownership, and separation of responsibilities.

Other features and characteristics that are instrumental to reducing time to value and ongoing operational expenses include:

- automatic identification of devices and initiation of log collection;
- embedded, centralized capabilities for all monitoring, analysis, reporting, and system administration functions;
- an extensive set of pre-built rules, report templates, and compliance packs;
- straightforward, powerful tools for mining collected data, such as summary dashboards with multi-layer drill-down and ad hoc querying capabilities;
- embedded workflow, for example to facilitate an organization's incident response and compliance management processes;
- an embedded database/storage, with the option to use separate, dedicated, long-term storage technologies as well; and
- automatic updates to incorporate new correlation and analysis routines and content such as rules and reports.

Ideally, there should be minimal need for professional services and support throughout the product lifecycle, and it should be possible to completely automate the majority of recurring tasks.

Financial Criteria: Taking Risk Out of the Equation

Obtaining a solution that fulfills most if not all of the technical and operational criteria identified above is a big step in the right direction. At the end of the day, however, pursuing a log and security event management solution is still a risky endeavor. This is true in part because of the price tag typically involved, which can easily surpass $50,000 for smaller organizations and $250,000 or more for larger ones. But it is also due to the residual uncertainty of whether the solution will really work as promised and expected.
Accordingly, savvy decision makers should seek ways to reduce their risk, for example by embracing solutions with pricing models that provide a substantially lower point of entry and features that help preserve an organization's investment over the long run.

With regard to the former, consideration should be given to subscription-based pricing like that typically used for software-as-a-service (SaaS) and other managed service offerings. The advantages of such an approach include that it:

- Reduces the initial investment to the point that it represents a very manageable, if not trivial, amount of risk.
- Simplifies and speeds the process of approving log and security event management initiatives.
- Enables an extended proof of concept, since organizations can essentially afford to evaluate as they go. In addition, they are not limited to the partial functionality of a demo box, they are not limited to having only a handful of users gain exposure to the product, and they have plenty of time to fully assess claimed capabilities and establish whether the solution is truly a good fit for their needs.
- Increases flexibility by allowing the organization to easily and affordably switch to an alternate solution, such as one that is SaaS-based, at any time.

To help preserve the organization's investment, any subscription-based model should also include a rent-to-own option, where a substantial percentage of each monthly payment is credited against the purchase price in the event the organization ultimately decides to own the solution outright.

Two additional items to look for in terms of preserving value are the extensibility of the solution and its capacity for integration. Adding new capabilities over time should not require additional boxes or a forklift upgrade. It should also be possible to configure the solution to feed into both peer and higher-level management systems, so that it continues to support the organization as its security, compliance, and broader IT needs evolve.

Conclusion

Today's organizations do indeed require a solution for log management. Among the other benefits it can provide, log management is the surest and possibly most efficient way to demonstrate compliance with the prevailing set of IT privacy, security, and governance-related regulations.
However, the same technological foundation that underlies log management is also appropriate for security event management, a solution that provides the real-time monitoring, analysis, response, and remediation capabilities needed to help organizations stay ahead of mounting threats. In most cases, therefore, it makes considerable sense to obtain both sets of functionality in the form of a single, unified product, as opposed to multiple, physically separate, function-specific components.

Furthermore, when obtaining such a solution, IT decision makers should not focus on technical criteria alone. Attention should also be paid to operationally oriented features and characteristics that are instrumental to reducing time to value and ongoing expenses, as well as to financial aspects such as innovative pricing models that help minimize the risk of making an investment in log and security event management in the first place.

About the Author

Mark Bouchard, CISSP, is the founder of AimPoint Group, an IT research and advisory services company specializing in information security, compliance management, application delivery, and infrastructure optimization strategies. A former META Group analyst, Mark has assessed and projected the business and technology trends pertaining to a wide range of information security and networking topics for more than 13 years. During this time, he has assisted hundreds of organizations worldwide with strategic and tactical initiatives alike, from the development of multi-year strategies and high-level architectures to the justification, selection, and deployment of their security and networking solutions. A veteran of the U.S. Navy, Mark is passionate about helping enterprises address their IT challenges.