Log Management: 5 Steps to Success
LogLogic, Inc., Worldwide Headquarters, 110 Rose Orchard Way, Ste. 200, San Jose, CA, United States
loglogic.com | blog.loglogic.com
Since 2005, SANS has conducted an annual spring survey of the log management industry in order to determine overall satisfaction with the industry and discover best practices for developing successful log management initiatives. The 2009 survey polled a mix of IT management/security and IT staff/security positions from a wide variety of companies, asking respondents to rank satisfaction levels with their current log file analysis solution. In this year's survey 58 percent were somewhat satisfied, 70 percent were satisfied, and 12 percent were fully satisfied with their current solution. In 2008, the question included only options for satisfied and not satisfied, with 36 percent indicating satisfaction.

Among the satisfied group of this year's survey, a number of common traits became evident. As companies begin to use logs in more complex ways throughout their organizations, it becomes essential to establish best practices. By incorporating the traits outlined in this paper into their log management systems, companies can ensure that they make the most of the logs they are collecting and achieve their operational, regulatory, and security goals.

According to the 2009 SANS Log Management Survey, 70% of respondents are satisfied with their current log management solution and 12% are fully satisfied, up from a satisfaction rate of 36% in 2008.
1. Establish a Log Management Program

As recently as 2007, many companies did not see log management and analysis as a critical task, with just 56% of SANS survey respondents collecting logs. In 2009 that number has grown to 87%, with an additional 12% of respondents indicating that they plan to implement a log management solution in the future. These collected logs are now being used for a wide variety of purposes, including: event detection (91% of respondents), tracking suspicious behavior and user activity monitoring (74%), day-to-day IT operations (67%), regulatory compliance (53%), and information leak prevention (28%). It's clear that companies now see the importance of collecting and analyzing logs and now want to know how to use them most effectively.

[Chart: Do you collect logs in your organization? Yes: 86.6%. No, we don't collect logs, but have that in our plans: 11.9%. No, we don't collect logs and don't plan to: 1.5%.]

2. Make Log Analysis a Priority

Establishing log analysis as a company priority proved to be a key differentiator between fully satisfied respondents and the survey respondents as a whole. The satisfied group actively and consistently spent time on log analysis and had integrated log analysis into the organization's overall workflow. The survey also indicated that the fully satisfied users knew how much time they were spending on log management: an average of between a few hours a day and a few days a week, according to this year's survey. Some of the least satisfied users spent little to no time on log analysis, or spent a great deal of time on log analysis but did not achieve the results they desired. On average, most companies continue to spend about the same amount of time analyzing log data as they did in 2008 (45 percent of 2008 respondents indicated they spent a few man-hours per week on log management). Companies that were fully satisfied also know how much time they spend on log management.
Though 10 percent of the total respondents didn't know how much time they spent on log management, none of the fully satisfied group chose that response. Of the fully satisfied group, 32 percent indicated that log management was integrated into the company's workflow, while this was true of just 16 percent of the remainder of the respondents. This pattern continued with the frequency of reports being generated by the log management system. Of the fully satisfied respondents, 43 percent generated weekly and daily reports, while only 29 percent of the remainder generated routine reports. These results suggest that simply establishing a log management system is not enough to achieve success: companies that are satisfied with their log management system actively tend it and have made it a regular and integral part of their operations.
3. Use Log Management to Measure Security Effectiveness

Though many categories saw similar responses between satisfied and unsatisfied users, the two groups had distinctly divergent responses to a new question about measuring security effectiveness. 37 percent of total respondents said that they measure security effectiveness, while 64 percent of fully satisfied users used their log management solution to measure security effectiveness. 47 percent of those that indicated either full or partial satisfaction with their log management solution used it in this way. Time to respond to incidents ranked highest among satisfied users in gauging security effectiveness. The bulk of the remainder of respondents measured security effectiveness by incident prevention. The most satisfied users also noted number of incidents by class (disclosure, compliance, malware, etc.), cost, and impact to the organization's operations as key measures in rating effectiveness, providing insights for the development of the next generation of log management tools.

[Chart: How does your company measure security effectiveness? Categories: Number of incidents; Incident prevention; Time to respond to incidents; Other. Series: Fully Satisfied vs. All Companies.]
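The two measures the satisfied respondents rank highest, time to respond to incidents and number of incidents by class, can be computed directly from the incident records a log management system produces, and rolled into the weekly reports the previous section associates with satisfied users. The following Python is an added example, not code from this paper or from LogLogic; the Incident record layout and the sample incidents are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    ident: str
    klass: str           # incident class, e.g. disclosure, compliance, malware
    detected: datetime   # when the log management system first flagged it
    contained: datetime  # when the response action was completed


# Constructed sample records; the Incident layout is an assumption, not a LogLogic schema.
SAMPLE_INCIDENTS = [
    Incident("INC-1", "malware", datetime(2009, 3, 2, 9, 0), datetime(2009, 3, 2, 11, 30)),
    Incident("INC-2", "disclosure", datetime(2009, 3, 3, 14, 0), datetime(2009, 3, 4, 14, 0)),
    Incident("INC-3", "malware", datetime(2009, 3, 5, 8, 15), datetime(2009, 3, 5, 9, 15)),
    Incident("INC-4", "compliance", datetime(2009, 3, 9, 10, 0), datetime(2009, 3, 11, 10, 0)),
    Incident("INC-5", "malware", datetime(2009, 3, 10, 16, 0), datetime(2009, 3, 10, 17, 0)),
]


def mean_time_to_respond_hours(incidents):
    """Average detected-to-contained interval in hours; 0.0 for an empty period."""
    if not incidents:
        return 0.0
    return mean((i.contained - i.detected).total_seconds() / 3600 for i in incidents)


def incidents_by_class(incidents):
    """Incident counts keyed by class (disclosure, compliance, malware, ...)."""
    return dict(Counter(i.klass for i in incidents))


def weekly_report(incidents):
    """Roll incidents up per ISO week: count, counts by class, mean response time."""
    weeks = {}
    for inc in incidents:
        year, week, _ = inc.detected.isocalendar()
        weeks.setdefault((year, week), []).append(inc)
    return {
        key: {
            "count": len(group),
            "by_class": incidents_by_class(group),
            "mttr_hours": round(mean_time_to_respond_hours(group), 2),
        }
        for key, group in sorted(weeks.items())
    }


if __name__ == "__main__":
    for week, stats in weekly_report(SAMPLE_INCIDENTS).items():
        print(week, stats)
```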
4. Automate Log Management & Analysis

Automation proved to be a key element in log management system user satisfaction. Fully satisfied users indicated that they automated over 90 percent of their log collection and storage, while just 65 percent of the remaining respondents automated these functions. As searching data and creating reports ranked high on degree of difficulty to most respondents, automating these areas proved to be essential in establishing a successful program. About half of fully satisfied respondents noted that search/analysis and correlation are automated, while just 10 percent of the remainder of respondents have automated those functions.

Companies that are most satisfied with their log management solutions have automated over 90% of their log collection and storage efforts.

Most fully satisfied users use tools to automate and simplify their log processing endeavors, using either a single third-party tool or a combination of third-party tools and homegrown tools. 39 percent of fully satisfied users, and 19 percent of other respondents, use a single third-party tool. About one third of respondents use a combination of third-party tools and homegrown tools.
5. Scalability for Large-scale Log Management

With over half of respondents indicating that they collect logs from over 100 sources throughout their organization, it is clear that having a highly scalable log management solution is essential to a successful log management deployment.

[Chart: From how many sources across your organization do you collect logs? 101 and over: 51%. Unknown: 5%. Other ranges not legible in the extracted chart.]

Additionally, respondents indicated that the most successful deployments are enterprise-wide and collect logs from network and security devices, operating systems and databases to enterprise and homegrown applications. Over half of the respondents indicated that they collected logs from the following sources: operating systems (92.1%), switches, routers & firewalls (89.9%), intrusion detection systems (73.6%), databases & database activity monitoring (68.2%), and enterprise applications (51.6%).

[Chart: What types of devices do you collect logs from? Please select all that apply. Operating System (O/S): 92.1%. Switches, routers, firewalls: 89.9%. Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)/Anti-Virus (network): 73.6%. Database systems/DAM: 68.2%. Enterprise applications: 51.6%. Virtual machines (of some of above) and Homegrown applications: 48.9% and 40.5% (order not legible). NAC/end-point security controls, Mainframes, Other (please specify): 21.5%, 17.5%, 6.4% (order not legible).]
The survey also found that as log management has gained momentum, users are seeing the importance of integrating log management with Security Information Event Management (SIEM) and Database Activity Monitoring (DAM) initiatives. The vast majority of respondents indicated that they think that integrating log management with SIEM or DAM is important. The integration of log management and SIEM is clearly most mature, with 58% of respondents using or intending to use both products together. 3.4% of respondents are using or planning to use log management and DAM together.

[Chart: Has your organization allocated a budget for OR is currently using log management in conjunction with automated SIEM (Security Information Event Management) and/or DAM (Database Activity Monitoring)? SIEM: Yes 25.7%, Not yet but plan to 32%. DAM: Yes 0.7%, Not yet but plan to 2.7%. Both: Yes 9.3%, Not yet but plan to 9.3%.]

Conclusion

With 99 percent of survey respondents indicating that they have established a log management solution or have plans to do so, it is clear that log management has matured. Companies are now ready to take their log management solutions further in order to ensure a successful log management program and make the most of the logs being collected. By integrating the traits of a successful log management program as outlined in this paper (establishing a log management program, making that program a priority, using log management to measure security effectiveness, automating log collection and analysis, and employing a scalable solution for large-scale log management), companies can ensure that they meet their regulatory, security and operational goals.

Source: All data from SANS Annual 2009 Log Management Survey.