whitepaper Build vs. Buy: Pros and Cons of Four Log Management Strategies

Transcription

1 Build vs. Buy: and of Four Log Management Strategies

2 Table of Contents 3 Background: Logs Are Not an Option 3 The Log Management Process 4 Log Management Strategies 6 iderations for Choosing a Log Management Solution 7 Conclusion

3 Build vs. Buy: and of Four Log Management Strategies Background: Logs Are Not an Option Logs are essential for threat protection, intrusion discovery, incident response, forensics, litigation support, and regulatory compliance, as well as to check and enforce internal policies and procedures and measure IT performance. And they re invaluable to IT staff when troubleshooting network, system, and application issues, as well as for getting a handle on big data. What is the best way to collect, store, manage, analyze, and report on your log data? You have several choices: a Build a solution, possibly using open-source components b Outsource log collection and management to a log management service provider c Buy an appliance or software solution from a vendor d Combine two of these options Each of these choices has pros and cons. This paper examines considerations for choosing a log management solution for your organization. But first, the log management process, what you need your solution to do: The Log Management Process A solid log management and intelligence solution is the only efficient way to create audit trails of network and system activity. Here s the process. 1 Gather and store logs securely in a centralized location for reporting and searching so they cannot be altered so you can trust that they will show what happened. 2 Monitor and apply real-time analysis and response when action is needed. The ability to send alerts to key personnel when an event occurs is critical. The ability to quickly search through large amounts of log data for investigative purposes is invaluable for incident response. 3 Create reports on collected log data to satisfy compliance. Both real-time dashboard views and longer-term historical reports are needed. 4 Share logs securely among security, IT, and management personnel because compliance and incident response are typically multi-team efforts. Fine-grained access control may be needed for your organization. 3

4 w h i t e pa p e r While searching for an appropriate log management solution LAVEGO AG evaluated both free open source applications and commercial solutions from specialized vendors. The result even with in-house software development specialists and comparatively few IT network components, it was too complex and costly to use a free open software solution. Though the open source applications cost nothing, the resources needed to customize and maintain the solutions proved too great. Using LogLogic we achieved a return on investment in under six months, something that would have been impossible using an open source solution. But the rewards didn t stop there once we had the LogLogic appliance installed, we noticed that we could see details of our network processes never before possible, significantly improving our awareness of security issues and enabling us to respond accordingly. Florian Gohlke, chairman of LAVEGO AG Business Policies and IT Controls: Key log management activities. Log Management Strategies Build It Many companies, especially smaller ones, choose to build their own log management solutions. You can attempt to build exactly the solution you need, with the platform, tools, and methods you prefer, and aside from labor, there s no up-front monetary cost. IT professionals may even relish the challenges of creating a solution and tackling the log beast. Maintenance costs (due to an ever changing sea of log formats), log types, and log sources can grow to overwhelming proportions and the project often ends up killed. Because the solution is highly specialized, you will need highly specialized staff to add, change, or repair it. Further, homegrown solutions are usually not scalable, so as the company grows and more data floods the network, changes, updates, and more frequent overhauls become necessary, leading to even more labor and maintenance costs. During updates and overhauls, downtime can occur, costing you even more time and money. In most cases, internally developed log solutions will fall short of meeting organizational needs; However, if you do decide to embark on this journey, a number of open-source tools perform some of the essential functions for effective log management: Log collection: Syslog-ng, kiwi, Snare, Project LASSO, and many others Secure log centralization: stunnel, ssh, or other encryption tools Storage: MySQL, or you can design your own file storage Analysis: SEC, OSSEC, OSSIM, Swatch, logwatch, logsentry, and many other small scripts to solve one specific log-related problem Open source projects such as OSSEC and OSSIM also provide larger building blocks for your system by combining functionality. 4

5 Time and time again, government agencies and their contractors do not track network assets, for a number of reasons, and if you can t track your assets you really can t do logging because you don t know what to log. You don t know where your logs are being housed, or where they re being generated, or how they re being processed. Though the home-grown solution always appears to be the cheapest, when you start getting into development costs and labor and maintenance over the solution s life cycle, it s not such a bargain after all. lvis Moreland, enterprise level security architect, Executive Office of the President Electronic Records Archive, United States National Archives and Records Administration Outsource It Outsourcing log management is a low-cost way to get started. For many organizations, especially those challenged by hiring and retaining IT staff and security professionals, the advantages are compelling. Most likely, you won t have to manage any equipment in-house, and you won t have to hire additional staff to run and maintain it. You re basically paying someone else to worry about your problems. Regardless of who you hire, the log management system will still be your responsibility because no one is going to worry about it as much as you, especially when regulatory compliance is at issue. Any possible compliance violations will likely still fall to you. You might find that a service provider isn t as careful about meeting your requirements for IT policies and industry regulations. There are also risks of SLAs slipping and even of losing control of your data. Log volume and access challenges can arise when data collection and storage is outsourced to a service that is not attuned to your fluctuating business needs. Before choosing an outsourced solution, determine what portion of your logs will be managed by the service. Know how you will gain access to your logs so you can show them to auditors. Buy It Buying a log management tool is fast becoming the most popular option. Tools like TIBCO LogLogic Log Management Intelligence systems, have matured in capabilities, ease of deployment, and operation. Vendors typically guarantee support for the log sources you need, thereby mitigating the biggest risk and challenge of homegrown solutions: their constant updates. A vendor will also typically expand support for new and changed logs and add new cutting-edge log analysis methods. You pay a set price and get a turn-key solution for log aggregation and analysis. Plus, if anything goes wrong, you have a support person to delegate to. As with other approaches, there are also risks. Sometimes skilled staff is needed to get value out of a purchased product, which still needs to be installed, run, and maintained. Vendor longevity can also be a problem who do you turn to if your vendor goes out of business? Choosing a company with experience will assure both vendor longevity and a stream of ongoing improvements. 5

6 Although we were already doing some basic log management, the PCI DSS directive really made us look at the process in more detail. We realized it was an ideal time to find a solution that would not only help us meet compliance requirements and achieve the security we needed in our complex IT environment now, but also to build a system that could take us into the future. It s difficult to quantify the time we ve saved, other than to say we simply couldn t do what we re doing now without LogLogic there just aren t enough man hours available. Andrew Whitton, assistant manager of system security at Skipton Building Society Combine Approaches Because each strategy has its benefits and drawbacks, a combined strategy can be the best option. For example, you can purchase a solution, then enhance it with internal custom development. Or you can combine commercial vendor tools with open-source tools. You can also buy a tool, then outsource some of its management to an external provider. Partial outsourcing allows you to maintain more control and reduce the workload on your IT staff. A buy-and-customize approach is often the most effective strategy for meeting specific and evolving business requirements. If you pick a vendor with a rich set of APIs that let you build onto a commercially tested platform, you get: On-going support, upgrades, and patches from the solution provider Reliable performance Flexibility to build the analysis tools you want Flexibility to outsource the routine log management tasks and only take on those you want Combining solutions helps mitigate some of the risks of individual solutions, but it comes at a cost. Sometimes, you might even need to pay twice. iderations for Choosing a Log Management Solution Before you decide on a log management solution, you have a lot to consider. Trillions of log messages and hundreds of terabytes of data must be handled. Here are some questions you can ask yourself as you begin your quest for the best possible solution: Are you collecting and aggregating all log data from all data sources on the network? Are your logs transported and stored securely? Are there packaged reports that suit your needs? Can you create reports to organize collected log data quickly? Can you set alerts on anything in the logs? Are you looking at log data on a daily basis? Can you prove that you are? Can you perform fast, targeted searches for specific data? Can you contextualize log data (comparing device, application, and network logs) when undertaking forensics and other operational tasks? Can you readily prove that security, change management, and access control policies are in use and up to date? Can you securely share log data with other applications and users? 6

7 Because of my past experience using LogLogic, I knew that it would improve visibility and allow me to go the next step with a SIEM solution. When you have a disruption in an enterprise environment, you want the investigation and resolution to be as quick as possible. I knew LogLogic would provide us with that level of performance. Conclusion Assess the role of log data in meeting compliance requirements, mitigating security risks, enabling audits, and improving availability, then implement the log management strategy that suits your business. We suggest avoiding a build-only approach because it generally limits scalability and ends up costing more than it s worth. If you have to build, build on top of a robust log management platform from a stable and experienced vendor. To learn more about log management, visit Richard Popson, manager of information security, large pediatric medical center TIBCO Software Inc. (NASDAQ: TIBX) is a provider of infrastructure software for companies to use on-premise or as part of cloud computing environments. Whether it s efficient claims or trade processing, cross-selling products based on real-time customer behavior, or averting a crisis before it happens, TIBCO provides companies the two-second advantage the ability to capture the right information, at the right time and act on it preemptively for a competitive advantage. More than 4,000 customers worldwide rely on TIBCO to manage information, decisions, processes and applications in real time. Learn more at Global Headquarters 3307 Hillview Avenue Palo Alto, CA Tel: Fax: , TIBCO Software, Inc. all rights reserved. TIBCO, the TICO logo, TIBCO Software, and TIBCO LogLogic are trademarks or registered trademarks of TIBCO Software Inc. in the United States and/or other countries. All other product and company names and marks in this document are the property of their respective owners and mentioned for identification purposes only. 7 exported12jul2013