Log Management: 5 Steps to Success




LogLogic, Inc.
Worldwide Headquarters: 110 Rose Orchard Way, Ste. 200, San Jose, CA 95134, United States. US Toll Free: 888 347 3883; Tel: +1 408 215 5900; Fax: +1 408 321 8717
New York: Tel +1 212 896 3816
LogLogic EMEA: Tel +44 870 351 7594; Fax +44 870 351 7595
LogLogic France: Tel +33 (0) 1 55 68 11 88; Fax +33 (0) 1 55 68 10 00
LogLogic GmbH: Tel +49 89 9040 5464; Fax +49 89 904 050 66
LogLogic Japan: Tel +81 3 4360 5350; Fax +81 3 4360 5301
LogLogic Hong Kong: Tel +852 3965 3037; Fax +852 3965 3222
loglogic.com | blog.loglogic.com | info@loglogic.com

Since 2005, SANS has conducted an annual spring survey of the log management industry to gauge overall satisfaction with the industry and to identify best practices for building successful log management initiatives. The 2009 survey polled a mix of IT management/security and IT staff/security positions at a wide variety of companies, asking respondents to rank their satisfaction with their current log file analysis solution. In this year's survey 58 percent were somewhat satisfied, 70 percent were satisfied, and 12 percent were fully satisfied with their current solution. In 2008, the question offered only the options "satisfied" and "not satisfied", with 36 percent indicating satisfaction. Among this year's satisfied group, a number of common traits became evident. As companies begin to use logs in more complex ways throughout their organizations, establishing best practices becomes essential. By incorporating the traits outlined in this paper into their log management systems, companies can make the most of the logs they collect and achieve their operational, regulatory, and security goals.

According to the 2009 SANS Log Management Survey, 70% of respondents are satisfied with their current log management solution and 12% are fully satisfied, up from a satisfaction rate of 36% in 2008.

1. Establish a Log Management Program

As recently as 2007, many companies did not see log management and analysis as a critical task: just 56% of SANS survey respondents collected logs. In 2009 that number has grown to 87%, with an additional 12% of respondents indicating that they plan to implement a log management solution in the future. These collected logs are now used for a wide variety of purposes, including event detection (91% of respondents), tracking suspicious behavior and user activity monitoring (74%), day-to-day IT operations (67%), regulatory compliance (53%), and information leak prevention (28%). It is clear that companies now see the importance of collecting and analyzing logs and want to know how to use them most effectively.

Do you collect logs in your organization?
  Yes: 86.6%
  No, we don't collect logs, but have that in our plans: 11.9%
  No, we don't collect logs and don't plan to: 1.5%

2. Make Log Analysis a Priority

Establishing log analysis as a company priority proved to be a key differentiator between fully satisfied respondents and the survey respondents as a whole. The satisfied group actively and consistently spent time on log analysis and had integrated it into the organization's overall workflow. The survey also indicated that the fully satisfied users knew how much time they were spending on log management: an average of between a few hours a day and a few days a week, according to this year's survey. Some of the least satisfied users spent little to no time on log analysis, or spent a great deal of time on it but did not achieve the results they desired. On average, most companies continue to spend about the same amount of time analyzing log data as they did in 2008 (45 percent of 2008 respondents indicated they spent a few man-hours per week on log management).

Companies that were fully satisfied also know how much time they spend on log management.

Though 10 percent of the total respondents didn't know how much time they spent on log management, none of the fully satisfied group chose that response. Of the fully satisfied group, 32 percent indicated that log management was integrated into the company's workflow, while this was true of just 16 percent of the remaining respondents. The pattern continued with the frequency of reports generated by the log management system: 43 percent of fully satisfied respondents generated weekly and daily reports, while only 29 percent of the remainder generated routine reports. These results suggest that simply establishing a log management system is not enough; companies that are satisfied with their log management system actively tend it and have made it a regular and integral part of their operations.

3. Use Log Management to Measure Security Effectiveness

Though many categories saw similar responses from satisfied and unsatisfied users, the two groups diverged sharply on a new question about measuring security effectiveness. 37 percent of total respondents said that they measure security effectiveness, while 64 percent of fully satisfied users used their log management solution to measure security effectiveness; 47 percent of those indicating either full or partial satisfaction with their log management solution used it in this way. Time to respond to incidents ranked highest among satisfied users as a gauge of security effectiveness; the bulk of the remaining respondents measured security effectiveness by incident prevention. The most satisfied users also cited number of incidents by class (disclosure, compliance, malware, etc.) and cost and impact to the organization's operations as key measures of effectiveness, providing insights for the development of the next generation of log management tools.

[Chart: How does your company measure security effectiveness? Categories: Number of incidents, Incident prevention, Time to respond to incidents, Other. Series: Fully Satisfied, All Companies.]
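The measures the satisfied respondents name above (time to respond to incidents, number of incidents by class, incident prevention, and cost and impact) are straightforward to compute once a log management system exports its incident records. The following Python is an added example, not code from the LogLogic paper or the SANS survey; the incident records and their field names (class, detected_at, responded_at, prevented, impact_usd) are constructed assumptions. It also handles the case a naive average gets wrong: an incident that is still open has no response time and is reported as backlog rather than counted as zero.

```python
"""Security-effectiveness metrics derived from incident records.

Added example; it is not code from the LogLogic paper or the SANS survey.
The incident records and their field names (class, detected_at,
responded_at, prevented, impact_usd) are constructed assumptions standing in
for what a log management system's incident tracker would export.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample: detected_at is when the log management system raised the
# event, responded_at is when a responder first acted on it (None = still open).
INCIDENTS = [
    {"id": "INC-1", "class": "malware", "detected_at": "2009-03-02T08:15:00",
     "responded_at": "2009-03-02T08:40:00", "prevented": False, "impact_usd": 5000},
    {"id": "INC-2", "class": "disclosure", "detected_at": "2009-03-02T10:00:00",
     "responded_at": "2009-03-02T11:30:00", "prevented": False, "impact_usd": 20000},
    {"id": "INC-3", "class": "malware", "detected_at": "2009-03-03T09:00:00",
     "responded_at": "2009-03-03T09:10:00", "prevented": True, "impact_usd": 0},
    {"id": "INC-4", "class": "compliance", "detected_at": "2009-03-03T14:00:00",
     "responded_at": "2009-03-04T09:00:00", "prevented": False, "impact_usd": 2500},
    {"id": "INC-5", "class": "malware", "detected_at": "2009-03-04T16:00:00",
     "responded_at": None, "prevented": False, "impact_usd": 1000},
]


def _minutes_between(start, end):
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def time_to_respond(incidents):
    """Response time in minutes for each incident that has been responded to.

    Open incidents (no responded_at) are excluded rather than counted as zero,
    which would otherwise make the average look better than it is.
    """
    return [_minutes_between(i["detected_at"], i["responded_at"])
            for i in incidents if i["responded_at"]]


def incidents_by_class(incidents):
    """Number of incidents and total impact per incident class."""
    summary = defaultdict(lambda: {"count": 0, "impact_usd": 0})
    for i in incidents:
        summary[i["class"]]["count"] += 1
        summary[i["class"]]["impact_usd"] += i["impact_usd"]
    return dict(summary)


def prevention_rate(incidents):
    """Share of incidents stopped before impact (the 'incident prevention' measure)."""
    if not incidents:
        return 0.0
    return sum(1 for i in incidents if i["prevented"]) / len(incidents)


def effectiveness_report(incidents):
    """Roll the survey's measures into one report: count, time to respond,
    incidents by class with cost, prevention rate and open backlog."""
    ttr = time_to_respond(incidents)
    return {
        "incidents": len(incidents),
        "open": sum(1 for i in incidents if not i["responded_at"]),
        "mean_ttr_min": mean(ttr) if ttr else None,
        "median_ttr_min": median(ttr) if ttr else None,
        "by_class": incidents_by_class(incidents),
        "prevention_rate": prevention_rate(incidents),
        "total_impact_usd": sum(i["impact_usd"] for i in incidents),
    }


if __name__ == "__main__":
    for key, value in effectiveness_report(INCIDENTS).items():
        print(f"{key}: {value}")
```

Reporting both mean and median time to respond is deliberate: one slow compliance case (INC-4, nearly a day) pulls the mean to over five hours while the median stays under an hour, which is exactly the kind of skew a weekly report should expose rather than hide.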

4. Automate Log Management & Analysis

Automation proved to be a key element in user satisfaction with log management systems. Fully satisfied users indicated that they automated over 90 percent of their log collection and storage, while just 65 percent of the remaining respondents automated these functions. Because searching data and creating reports ranked high in degree of difficulty for most respondents, automating these areas proved essential to a successful program. About half of fully satisfied respondents noted that search/analysis and correlation are automated, while just 10 percent of the remaining respondents have automated those functions.

Companies that are most satisfied with their log management solutions have automated over 90% of their log collection and storage efforts.

Most fully satisfied users rely on tools to automate and simplify their log processing, using either a single third-party tool or a combination of third-party and homegrown tools. 39 percent of fully satisfied users, and 19 percent of other respondents, use a single third-party tool. About one third of respondents use a combination of third-party and homegrown tools.
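The three things the satisfied respondents automate (collection into a common form, search/correlation, and routine reports) fit in one small pipeline, shown here as an added Python example that is not code from the LogLogic paper or any vendor product. It normalises constructed syslog lines from two of the source types section 5 lists (operating-system sshd messages and a firewall), applies one correlation rule across them, and produces the kind of daily summary the survey mentions. The sample lines, the two parsers and the rule threshold are assumptions; a real collector carries one parser per source type and takes the year from receive time rather than a constant.

```python
"""Automated log normalisation, correlation and routine reporting.

Added example, not code from the LogLogic paper or a vendor product. The
log lines are constructed, and the two parsers (Linux sshd authentication
messages and an iptables-style firewall DROP line) are assumptions that
cover only those formats; a real collector carries one parser per source type.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: three sshd failures then a success from one source IP,
# a firewall drop, a single failure and success from a second IP, and one
# line that is not syslog at all (to show how unparsed input is accounted for).
SAMPLE_LOGS = [
    "Mar  2 08:15:01 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 5555 ssh2",
    "Mar  2 08:15:03 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 5556 ssh2",
    "Mar  2 08:15:05 host1 sshd[1234]: Failed password for root from 10.0.0.5 port 5557 ssh2",
    "Mar  2 08:15:09 host1 sshd[1240]: Accepted password for root from 10.0.0.5 port 5558 ssh2",
    "Mar  2 08:20:00 fw1 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=10.0.0.20 PROTO=TCP DPT=23",
    "Mar  2 09:00:00 host2 sshd[2000]: Failed password for alice from 10.0.0.9 port 4000 ssh2",
    "Mar  2 09:00:30 host2 sshd[2001]: Accepted password for alice from 10.0.0.9 port 4001 ssh2",
    "this line is not syslog and should be counted as unparsed",
]

SYSLOG_HEAD = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
SSH_AUTH = re.compile(r"^(Failed|Accepted) password for (\S+) from (\S+) port \d+")
FW_DROP = re.compile(r"^DROP .*SRC=(\S+) DST=(\S+) .*DPT=(\d+)")


def normalize(line, year=2009):
    """Map one raw line onto a common record, or None if it is not syslog.

    Classic syslog timestamps carry no year, so the collector must supply one
    (a constant here as an assumption; real collectors use the receive time).
    """
    head = SYSLOG_HEAD.match(line)
    if not head:
        return None
    mon, day, clock, host, prog, msg = head.groups()
    rec = {
        "ts": datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y"),
        "host": host, "prog": prog, "event": "other", "user": None, "src_ip": None,
    }
    auth = SSH_AUTH.match(msg)
    if auth:
        rec["event"] = "auth_fail" if auth.group(1) == "Failed" else "auth_ok"
        rec["user"], rec["src_ip"] = auth.group(2), auth.group(3)
        return rec
    drop = FW_DROP.match(msg)
    if drop:
        rec["event"], rec["src_ip"], rec["dst_port"] = "fw_drop", drop.group(1), int(drop.group(3))
    return rec


def correlate(records, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= threshold failures from the same
    source IP within the window: the pattern of a password guess that worked."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of auth_fail events
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["event"] == "auth_fail":
            failures[rec["src_ip"]].append(rec["ts"])
        elif rec["event"] == "auth_ok":
            recent = [t for t in failures[rec["src_ip"]] if rec["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "auth_success_after_failures", "ts": rec["ts"],
                               "host": rec["host"], "user": rec["user"],
                               "src_ip": rec["src_ip"], "failures": len(recent)})
    return alerts


def daily_report(lines):
    """The routine report: parse coverage, event counts per host, and alerts."""
    records = [r for r in map(normalize, lines) if r is not None]
    return {
        "parsed": len(records),
        "unparsed": len(lines) - len(records),
        "by_host_event": dict(Counter((r["host"], r["event"]) for r in records)),
        "alerts": correlate(records),
    }


if __name__ == "__main__":
    report = daily_report(SAMPLE_LOGS)
    print(f"parsed={report['parsed']} unparsed={report['unparsed']}")
    for (host, event), n in sorted(report["by_host_event"].items()):
        print(f"  {host:6} {event:10} {n}")
    for alert in report["alerts"]:
        print("ALERT", alert)
```

The parse-coverage figures are the part of the report most often left out and most worth keeping: a source whose format changes after an upgrade silently drops out of correlation, and an "unparsed" count that jumps is the only signal that the automated collection is no longer seeing what it used to.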

5. Scalability for Large-scale Log Management

With over half of respondents indicating that they collect logs from over 100 sources throughout their organization, it is clear that a highly scalable log management solution is essential to a successful deployment.

From how many sources across your organization do you collect logs?
  0-100: 44%
  101 and over: 51%
  Unknown: 5%

Additionally, respondents indicated that the most successful deployments are enterprise-wide, collecting logs from network and security devices, operating systems and databases through to enterprise and homegrown applications. Over half of the respondents indicated that they collected logs from the following sources: operating systems (92.1%), switches, routers & firewalls (89.9%), intrusion detection systems (73.6%), databases & database activity monitoring (68.2%), and enterprise applications (51.6%).

What types of devices do you collect logs from? (Select all that apply.)
  Operating System (O/S): 92.1%
  Switches, routers, firewalls: 89.9%
  Intrusion Detection System (IDS)/Intrusion Prevention System (IPS)/Anti-Virus (network): 73.6%
  Database systems/DAM: 68.2%
  Enterprise applications: 51.6%
  Virtual machines (of some of the above), Homegrown applications: 48.9% and 40.5% (the extracted chart does not preserve which value belongs to which category)
  NAC/end-point security controls, Mainframes, Other (please specify): 21.5%, 17.5%, 6.4% (order as extracted; assignment to category uncertain)

The survey also found that as log management has gained momentum, users are recognizing the importance of integrating log management with Security Information Event Management (SIEM) and Database Activity Monitoring (DAM) initiatives. The vast majority of respondents indicated that they consider integrating log management with SIEM or DAM important. The integration of log management and SIEM is clearly the most mature, with 58% of respondents using or intending to use both products together; 3.4% of respondents are using or planning to use log management and DAM together.

Has your organization allocated a budget for, or is it currently using, log management in conjunction with automated SIEM (Security Information Event Management) and/or DAM (Database Activity Monitoring)?
  SIEM: Yes 25.7%; Not yet, but plan to 32%
  DAM: Yes 0.7%; Not yet, but plan to 2.7%
  Both: Yes 9.3%; Not yet, but plan to 9.3%

Conclusion

With 99 percent of survey respondents indicating that they have established a log management solution or plan to do so, it is clear that log management has matured. Companies are now ready to take their log management solutions further to ensure a successful program and make the most of the logs being collected. By adopting the traits of a successful log management program outlined in this paper (establishing a log management program, making that program a priority, using log management to measure security effectiveness, automating log collection and analysis, and employing a scalable solution for large-scale log management), companies can ensure that they meet their regulatory, security and operational goals.

Source: All data from the SANS Annual 2009 Log Management Survey, http://www.sans.org/

LogLogic, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Product specifications are subject to change without notice. 2009 LogLogic, Inc. All rights reserved. LogLogic is a trademark of LogLogic, Inc. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners.