Log Management: 5 Steps to Success

Transcription

1

2 Log Management: 5 Steps to Success LogLogic, Inc Worldwide Headquarters 110 Rose Orchard Way, Ste. 200 San Jose, CA United States US Toll Free: Tel: Fax: New York Tel: LogLogic EMEA Tel: Fax: LogLogic France Tel: +33 (0) Fax: +33 (0) LogLogic GmbH Tel: Fax: LogLogic Japan Tel: Fax: LogLogic Hong Kong Tel: Fax: loglogic.com blog.loglogic.com [email protected]

3 Since 2005, SANS has conducted an annual spring survey of the log management industry in order to determine overall satisfaction with the industry and discover best practices for developing successful log management initiatives. The 2009 survey polled a mix of IT management/ security and IT staff/security positions from a wide variety of companies, asking respondents to rank satisfaction levels with their current log file analysis solution. In this year s survey 58 percent were somewhat satisfied, 70 percent were satisfied, and 12 were percent fully satisfied with their current solution. In 2008, the question included only options for satisfied and not satisfied, with 36 percent indicating satisfaction. Among the satisfied group of this year s survey, a number of common traits became evident. As companies begin to use logs in more complex ways throughout their organizations, it becomes essential to establish best practices. By incorporating the traits outlined in this paper into their log management systems, companies can ensure that they make the most of the logs they are collecting and achieve their operational, regulatory, and security goals. According to the 2009 SANS Log Management Survey, 70% of respondents are satisfied with their current log management solution and 12% are fully satisfied up from a satisfaction rate of 36% in 2008.

4 1. Establish a Log Management Program As recently as 2007, many companies did not see log management and analysis as a critical task, with just 56% of SANS survey respondents collecting logs. In 2009 that number has grown to 87%, with an additional 12% of respondents indicating that they plan to implement a log management solution in the future. These collected logs are now being used for a wide variety of purposes, including: event detection (91% of respondents), tracking suspicious behavior and user activity monitoring (74%), day-to-day IT operations (67%), regulatory compliance (53%), and information leak prevention (28%). It s clear that companies now see the importance of collecting and analyzing logs and now want to know how to use them most effectively. Do you collect logs in your organization? Yes 86.6% No We don't collect logs, but have that in our plans. No We don't collect logs and don't plan to. 11.9% 1.5% Make Log Analysis a Priority Establishing log analysis as a company priority proved to be a key differentiator between fully satisfied respondents and the survey respondents as a whole. The satisfied group actively and consistently spent time on log analysis and had integrated log analysis into the organization s overall workflow. The survey also indicated that the fully satisfied users knew how much time they were spending on log management an average of between a few hours a day and a few days a week, according to this year s survey. Some of the least satisfied users spent little to no time on log analysis or spent a great deal of time on log analysis but did not achieve the results they desired. On average, most companies continue to spend about the same amount of time analyzing log data as they did in 2008 (45 percent of 2008 respondents indicated they spent a few man-hours per week on log management). Companies that were fully satisfied also know how much time they spend on log management. Though 10 percent of the total respondents didn t know how much time they spent on log management, none of the fully satisfied group chose that response. Of the fully satisfied group, 32 percent indicated that log management was integrated into the company s workflow, while this was true of just 16 percent of the remainder of the respondents. This pattern continued with the frequency of reports being generated by the log management system. Of the fully satisfied respondents, 43 percent generated weekly and daily reports, while only 29 percent of the remainder generated routine reports. These results suggest that simply establishing a log management system is not enough to achieve success, and that companies that are satisfied with their log management system actively tend their log management system and have made it a regular and integral part of their operations.

5 3. Use Log Management to Measure Security Effectiveness Though many categories saw similar responses between satisfied and unsatisfied users, the two groups had distinctly divergent responses to a new question about measuring security effectiveness. 37 percent of total respondents said that they measure security effectiveness, while 64 percent of fully satisfied users used their log management solution to measure security effectiveness. 47 percent of those that indicated either full or partial satisfaction with their log management solution used it in this way. Time to respond to incidents ranked highest among satisfied users in gauging security effectiveness. The bulk of the remainder of respondents measured security effectiveness by Incident prevention. The most satisfied users also noted number of incidents by class (disclosure, compliance, malware, etc.), cost and impact to the organization s operations as key measures in rating effectiveness, providing insights for the development of the next generation of log management tools. How does your company measure security effectiveness? Number of incidents Incident prevention Time to respond to incidents Other Fully Satisfied All Companies

6 4. Automate Log Management & Analysis Automation proved to be a key element in log management system user satisfaction. Fully satisfied users indicated that they automated over 90 percent of their log collection and storage, while just 65 percent of the remaining respondents automated these functions. As searching data and creating reports ranked high on degree of difficulty to most respondents, automating these areas proved to be essential in establishing a successful program. About half of fully satisfied respondents noted that search/analysis and correlation are automated, while just 10 percent of the remainder of respondents have automated those functions. Companies that are most satisfied with their log management solutions have automated over 90% of their log collection and storage efforts. Most fully satisfied users use tools to automate and simplify their log processing endeavors, using either a single third-party tool or a combination of third-party tools and homegrown tools. 39 percent of fully satisfied users, and 19 percent of other respondents, use a single third party tool. About one third of respondents use a combination of third-party tools and homegrown tools.

7 5. Scalability for Large-scale Log Management With over half of respondents indicating that they collect logs from over 100 sources throughout their organization, it is clear that having a highly scalable log management solution is essential to a successful log management deployment. From how many sources across your organization do you collect logs? % 101 and over 51% Unknown 5% Additionally, respondents indicated that the most successful deployments are enterprise-wide and collect logs from network and security devices, operating systems and databases to enterprise and homegrown applications. Over half of the respondents indicated that they collected logs from the following sources: operating systems (92.1%), switchers, routers & firewalls (89.9%), intrusion detection systems (73.6%), databases & database activity monitoring (68.2%), and enterprise applications (51.6%). What types of devices do you collect logs from? Please select all that apply. Operating System (O/S) 92.1% Switches, routers, firewalls Intrusion Detection System (IDS)/ Intrusion Prevention System (IPS)/ Anti-Virus (network) Database systems/dam 68.2% 73.6% 89.9% Enterprise applications Virtual machines (of some of above) Homegrown applications 40.5% 51.6% 48.9% NAC/end-point security controls Mainframes Other (please specify) 21.5% 17.5% 6.4%

8 The survey also found that as log management has gained momentum, users are seeing the importance of integrating log management with Security Information Event Management (SIEM) and Database Activity Monitoring (DAM) initiatives. The vast majority of respondents indicated that they think that integrating log management with SIEM or DAM is important. The integration of log management and SIEM is clearly most mature with 58% of respondents using or intending to use both products together. 3.4% of respondents are using or planning to use log management and DAM together. Has your organization allocated a budget for OR is currently using log management in conjunction with automated SIEM (Security Information Event Management) and/or DAM (Database Activity Monitoring)? SIEM 25.7% 32% DAM.7% 2.7% Both 9.3% 9.3% Yes Not yet, but plan to Conclusion With 99 percent of survey respondents indicating that they have established a log management solution or have plans to do so, it is clear that log management has matured. Companies are now ready to take their log management solutions further in order to ensure a successful log management program and make the most of the logs being collected. By integrating the traits of a successful log management program as outlined in this paper establishing a log management program, making that program a priority, using log management to measure security effectiveness, automating log collection and analysis and employing a scalable solution for large-scale log management companies can ensure that they meet their regulatory, security and operational goals. Source: All data from SANS Annual 2009 Log Management Survey, LogLogic, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Product Specifications are subject to change without notice LogLogic, Inc. All rights reserved. LogLogic is a trademark of LogLogic, Inc. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners.