Tech Brief. Choosing the Right Log Management Product. By Michael Pastore

Transcription

1 Choosing the Right Log Management Product By Michael Pastore Tech Brief an

2 Log management is IT s version of the good old fashioned detective work that authorities credit for solving a lot of crimes. It s not as flashy as the highspeed chase, but log management tracks everything that happens across the IT infrastructure and it s where the bad guys leave their footprints. The problem is how long it takes for anyone to notice them. According to the 2009 Verizon Data Breach Report, the time from compromise to discovery in 49 percent of breaches was measured in months. Trustwave s Global Security Report 2010 puts the average time between breach and detection at 156 days. IT organizations need good log management tools because, when done right, log management can reduce those months to minutes. Compliance is a big driver of many log management deployments, especially the Payment Card Industry (PCI) standards designed to prevent credit card fraud and protect cardholders data. For larger organizations, a good log management solution can help compliance with any number of regulations from Sarbanes-Oxley to FISMA, NERC, and even ISO best practices. Smaller organizations in certain industries, or that do business with enterprises bound by compliance regulations, have the same need for solid log management applications. In many cases, compliance is what pays for a log management deployment, but being compliant doesn t mean the infrastructure is secure. Compliance regulations are designed to set standards but they are usually far behind the latest security issues because compliance is driven by legislation. Security breaches can happen to businesses large and small, regardless of whether they are in compliance or even subject to compliance rules. The main difference between a breach at large or small business is the scale not just of the crime, but also the fines and loss of reputation and customer loyalty. An effective log management tool keeps your infrastructure secure and compliant. What to Look for in a Log Management Solution Raw log files contain millions of events, so the first thing to look for in a log management application is a degree of intelligence that makes sense of the events and helps administrators see the big picture. For example, a set of logs might show that a user failed five login attempts before finally logging in. It s possible that this user forgot his or her password. It s also potentially a sign of a brute force attack on a network. So how does an organization filter out the noise in order to find the events of interest that impact security and compliance policies? A new approach is needed one where an organization has visibility beyond the log messages and can also see what changed. Once an organization can see the relationships across both log and change events it s possible to quickly find the events of interest that matter most. Going back to the login 1

3 example: if a user failed logging in five times, then successfully logged in, and then changed a critical file that lowers a policy score, then these events of interest need attention. Out of millions of log and change events that occur on a daily basis, a string of activities like this needs to be investigated immediately. This type of intelligence can require the purchase of an additional product from some vendors, which can, of course, drive up the price. Every IT professional knows to watch out for feature creep when choosing new software, and log management is no exception. Log management is closely tied to security information and event management (SIEM) and security event management (SEM). SIEM capabilities help users see the big picture, but buyers need to watch how adding SIEM capabilities and other add-ons, such as reporting or forensics, can affect the price tag when they aren t included with log management. Many log management products are sold as appliances, which have the potential to drive up infrastructure costs. The same applies to storage, which is important because the log files need to be saved. Some log management products let users take advantage of existing storage on the network, others include it with the product, and some will work with appliances, connections, and consoles certain storage products (or charge a can all play a role in log management fee to connect to others). pricing, depending on the vendor. Some vendors will have easier pricing Once an organization has visibility to understand than others. beyond the log files, it needs to react to potential problems. Good log Five Leading Log Management management products alert security Vendors analysts or administrators to problems and even let them set up rules to Tripwire automatically handle certain situations. This allows them to react much more quickly and helps circumvent attacks Tripwire Log Center combines log or reduce the time from breach to management and security information detection. and event management (SIEM). It captures hundreds of thousands of Finally, IT professionals shopping for events per second from any number log management products need to of devices and then compresses, examine how the vendors charge for encrypts, and stores the logs. The the product. Log management pricing built-in SIEM capabilities in Tripwire can get complicated quickly because Log Center can provide real-time a number of considerations can come alerts about suspicious activity. Users into play. The number of events, users, can compare activity against a set of Every IT professional knows to watch out for feature creep when choosing new software, and log management is no exception. 2

4 pre-defined policies and thresholds and receive alerts when a threshold is breached. Customizable dashboards can show users where there is suspicious activity in real time. The data collected by Tripwire Log Center is indexed so users can complete fast, complex searches using plain keywords. Tripwire s offering is unique in that it provides visibility into log and change events by integrating outof-the-box with Tripwire Enterprise, which provides in-depth file integrity monitoring on files and configurations throughout the infrastructure. The end result is visibility of events and changes across the network. Tripwire Log Center is available as software only, and it will work with standard local and remote storage mediums to store the data. Tripwire offers tiered pricing based on the number of events per second. TriGeo TriGeo SIM is a security information management (SIM) appliance built for mid-market businesses. Using a combination of proprietary agent technology and backbone integration, it captures and correlates data from existing network security products and operating systems in real-time. It then aggregates, correlates, and filters the data into a central control console. Using what TriGeo calls Intelligent Correlation it conducts real-time analysis and automated remediation. An event normalization engine correlates multiple events into one intelligible line of data that TriGeo can respond to in real-time with automatic notification and/or active response, depending on a set of rules that administrators define. Additional products from TriGeo can help fill in your analysis needs. Trigeo ndepth is a network security appliance designed to blend real-time event correlation, deep forensic analysis, and point-and-click response. Trigeo nsight is a business intelligence product for network management and security that discovers the unknown, unpredictable, and unforeseen relationships in your network data. LogLogic The LogLogic Open Log Management platform solution is offered as an appliance or as a managed service by LogLogic and its partners. One or more LogLogic ST appliances can handle log collection, search, and archival. Adding LogLogic LX appliances to the mix lets users deploy remote collectors or provide advanced log analysis and reporting. The LogLogic LX appliance is also available as a standalone log analysis appliance and scales up to enterprise or telco-grade editions. Not to be left behind, mid-sized businesses have a LogLogic appliance tailored for their log management needs: LogLogic MX. To round out the LogLogic offering, the LogLogic Compliance Manager helps businesses meet the log and security management mandates established by specific regulatory mandates. Pre-packaged compliance suites with out-of-the-box reports and alerts are available for PCI and SOX. LogLogic Security Event Manager integrates with the LogLogic Open Log Management platform for archival, search, and forensic analysis. LogLogic Database Security Manager protects sensitive information in databases through monitoring and real-time blocking. RSA RSA envision is the security information and event management solution from RSA, a household name in enterprise security that is now part of EMC. EMC, of course, made its name in storage, so when RSA says its envision product is capable of collecting and analyzing large amounts of data in real-time, from any event source and in computing environments of any size, you can be reasonably assured it knows what it s talking about. RSA envision comes in ES Series and LS Series appliances and there s external direct-attached storage, based on EMC s storage offerings, available for enterprises with vast amounts of data to store. RSA envision uses its LogSmart Internet Protocol Database (IPDB) for 3

5 collecting all of an organization s raw logs for use in real-time monitoring, proving compliance, and forensic analysis. The IPDB has significant log data compression (up to 75 percent, according to RSA) to help minimize storage costs and maximize access to and analysis of the data. ArcSight ArcSight Logger, like RSA envision, is another enterprise player in the log management space. It supports collection of raw or unstructured logs from syslog or file-based log sources. It also uses ArcSight Connectors that collect data from nearly 300 distinct log-generating sources. ArcSight Connectors take that data and put it in a common format, which makes reporting and analysis easier. ArcSight Connectors can be deployed as software or as appliances in data centers and regional or branch offices. The ArcSight Connectors are also designed to offer bandwidth controls, log traffic prioritization, local caching, and other measures designed to minimize data loss or the impact on business-critical traffic. ArcSight Logger uses role-based or personalized dashboards that combine relevant reports into a single console. Users then drill into specific reports and simulate audit workflow. It features RAID-enabled onboard storage, and it can also leverage an existing SAN as the log data store. In addition, ArcSight PCI Logger is the company s all-in-one log collection, storage, and analysis appliance for automating PCI audits and protecting cardholder data. 4