How To Manage Log Management


Leveraging the Best in Database Security, Security Event Management and Change Management to Achieve Transparency

LogLogic, Inc, 110 Rose Orchard Way, Ste. 200, San Jose, CA 95134, United States. US Toll Free: 888 347 3883. Tel: +1 408 215 5900. Fax: +1 408 321 8717
LogLogic, Inc., 5 Penn Plaza, 23rd Floor, New York, NY 10001. Tel: +1 212 896 3816
LogLogic EMEA, Albany House, Market Street, Maidenhead, Berkshire SL6 8BE, United Kingdom. Tel: +44 870 351 7594. Fax: +44 870 351 7595
LogLogic Japan, Shibuya Mark City W 22F, 1-12-1 Dogenzaka, Shibuya-ku, Tokyo 150-0043, Japan. Tel: +81 3 4360 5350. Fax: +81 3 4360 5301
loglogic.com, blog.loglogic.com, info@loglogic.com

Log Management and Security Information and Event Management (SIEM) are terms that are often used interchangeably, but are they really the same thing? SIEM solutions focus on reviewing a specific subset of log data in order to detect external attacks on the network and to separate real threats from false positives. Log Management, in combination with a variety of log-powered business applications, goes well beyond this limited scope: it helps customers not only identify security events but also achieve regulatory compliance, protect valuable information, improve IT efficiency and gain transparency and visibility into the enterprise. Speaking on a panel at the 2009 RSA Conference, John Kindervag, senior analyst with Forrester Research, said that he considered traditional SIEM to be more of a reporting and compliance product than a security product. He suggested (only partly in jest) that a new, more appropriate acronym was needed: SIRS, or security information reporting system [1]. True Log Management doesn't stop at reporting on events; it aims to give organizations a closed-loop system that provides comprehensive transparency into their systems as a whole. A good Log Management solution encompasses in-depth monitoring of databases and applications, compliance and incident management, and guided remediation and automated blocking. By bringing management into the equation, log management and log-powered systems let users configure or re-configure their systems in ways that have historically been available only in Security Change and Configuration Management solutions.

On the path to total Log Management, SIEM works in conjunction with a number of complementary solutions, including compliance management, database activity monitoring (DAM) and security change and configuration management, to help organizations answer three fundamental questions critical to achieving transparency across the enterprise: What is happening in my environment? What is important right now? What should I do about it? (and then: do it!) Each of these disciplines has its own benefits, but by integrating these specialized capabilities around a central, open log management platform, companies gain the ability to analyze system information in context and reach higher levels of transparency, while reducing the time and resources needed to integrate otherwise disparate products.

The Birth of SIEM

SIEM was born out of the frustration companies experienced as they spent too much time and money on intrusion detection systems (IDS) and intrusion prevention systems (IPS) for their networks. Although these systems were helpful in detecting and alerting on external attacks, their reliance on signature-based engines prevented them from reliably distinguishing false alarms from real attacks, and many early IDS/IPS products generated large numbers of false positives. First-generation SIEM technology was designed to improve this signal-to-noise ratio and bring only the most critical external threats to the surface. Using rule-based correlation to help IT and network administrators spot real attacks, companies implemented SIEM to analyze a subset of events from firewalls and IDS/IPS and to alert on policy violations. Although these SIEM solutions have been expensive and time-consuming to maintain and tune, they address the major headache of sorting through excessive false alerts and effectively protect companies from external threats.

Today SIEM vendors have fine-tuned their solutions to meet the real-time threat detection and alerting requirements imposed by many regulations.

[1] http://searchsecurity.imix.co.za/?q=node/74152

The Birth of Log Management

In 2004, compliance requirements such as the Sarbanes-Oxley Act of 2002 (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) kicked into high gear. The Public Company Accounting Oversight Board (PCAOB) released its Auditing Standard No. 2, and the first version of PCI DSS was published (the PCI Security Standards Council that maintains the standard today was formed in 2006). Both mandates require strict internal IT controls and assessment of those controls. And the mandates don't stop there: compliance standards are increasingly important across a number of industries, including energy (NERC) and healthcare (HIPAA). To satisfy them, organizations are required to collect, analyze, report on and archive the logs that record activity inside their IT infrastructure. Organizations need not only to detect external threats but also to produce periodic reports of user activity and forensic reports about a given incident. Although SIEM technologies already collect logs, they process and analyze only the small subset of information directly related to external security breaches. SIEM solutions were not designed to handle the massive volume of log data generated by every IT component: applications, switches, routers, databases, firewalls, operating systems, IDS/IPS and web proxies. With a strong emphasis on monitoring user activity rather than external threats, log management technology entered the market with an architecture that could handle much larger volumes of data and scale to meet the demands of the largest enterprises.

SIEM & Log Management: The Convergence

As companies implement log management and SIEM solutions to satisfy various business and regulatory requirements, they are finding that the two technologies complement one another well. Log management solutions are designed to collect, report on and archive a large volume and breadth of log data across IT organizations, whereas SIEM solutions are designed to correlate a subset of this data in order to identify only the most critical security events. A strong enterprise IT arsenal requires both. Once a company has collection and parsing in place, the log management solution often takes on the role of a log data warehouse that keeps the full record and forwards only the necessary log data to the SIEM for correlation, so the SIEM works on a small, relevant subset rather than the full stream. This combination helps optimize a company's return on investment while reducing the cost of implementing a SIEM. The primary driver for both log management and SIEM continues to be regulatory compliance. As companies dig deeper into their pockets for IT dollars during the current recession, they want their log management and SIEM technologies to work together more closely in order to reduce overlapping functionality and control costs.

Corporations are increasingly being held accountable by government, customers, employees and shareholders alike. CIOs must in turn stay accountable to the organization by protecting the IT infrastructure and sensitive customer and corporate data, and by complying with the rules and regulations defined by government and industry. Regulatory compliance is here to stay, and under the Obama administration compliance measures and corporate accountability requirements are likely to grow. Log management and SIEM correlation technologies can work together to help companies satisfy these requirements, make their IT and business processes more efficient, and reduce management and technology costs.

Figure 1: Combining Log Management and Security Information and Event Management

The Future: An Open Log Management Platform

Companies are moving away from disparate systems and frameworks that each address a discrete security challenge, towards a vision of total transparency across the enterprise. This change brings previously separate point solutions (SIEM, compliance management, DAM, security change and configuration management and more) together around a central log management system, giving companies a comprehensive view of their systems and helping them answer three fundamental security questions: What is happening in my network environment? What is important right now? What should I do about it? (and then: do it!)

Figure 2: Closing the Log Management Loop

1. What is happening? Log Management and Database Activity Monitoring

It's difficult to secure or manage what can't be seen. By building a central repository of user and system activity, IT managers gain a bird's-eye view of everything going on across the network. This begins and ends with log data. Log data lets IT staff know who is accessing the network and systems, and even who is viewing, changing or moving individual information objects. Per the 2009 SANS survey [2], 99 percent of respondents are collecting or planning to collect log data, but for many it remains a work in progress. Virtually all companies collect network data ("who is accessing my network?") and most collect system-level data ("who is accessing my systems?"), but most are not yet collecting a complete activity record. Leading-edge organizations are now turning their attention to understanding activity around business applications and transactions, and to monitoring access to specific sensitive information objects. This is particularly true of the structured information in databases. Databases are a one-stop shop for valuable data, and organized criminals are targeting sensitive records in databases to sell for $300 per record. Fortunately for organizations, because the data is structured and its location is known, monitoring access to those specific records is comparatively easy. Database activity monitoring is best achieved through a specialized database sensor that reads the native audit logs, which capture activity that a network-only view can miss, such as work done inside stored procedures and deliberately obfuscated queries. Database activity monitoring is useful as a standalone product, but at the end of the day database activity should be analyzed in context with all other activity data. By combining log management and database activity monitoring, companies can see and analyze all activity data simultaneously and in context.

Figure 3: Moving towards fine-grained monitoring

[2] http://www.loglogic.com/news/news-releases/2009/04/sans-survey-reveals-log-management-nolonger-obscure-tool/

2. What is important? Compliance Management and Security Event Management

Once data centralization has been achieved, organizations need a way to look at this information and identify which data matters to them. Few organizations are proactive about this, yet those that proactively view and analyze their log data are the most satisfied log management users in the industry [3]. Ideally organizations proactively review privileged user activity, and many compliance mandates specifically require companies to do so. To achieve this, companies first need to work with their external or internal auditor to determine who looks at what information, and how often. Then, either manually or through automated solutions, companies must enforce that workflow and ensure that the information actually gets reviewed. Technology can help enforce the workflow and bring the most important log data to the surface. Security event management technology, with its focus on reducing the noise level, is ideally suited to this task. For example, access to an HR database followed shortly afterwards by a large outbound e-mail from the same user could be suspicious and would be flagged for immediate investigation. Many techniques are available to prioritize important events across the enterprise, including comparing log messages to each other (as in the example above) and comparing events to an asset management database so that events involving high-priority assets are ranked higher, a technique called contextual analysis. The future will see companies applying increasingly smart behavioral and self-learning algorithms to log data in order to unearth unusual and suspicious behavior.

Figure 4: Moving towards actionable intelligence

[3] SANS Log Management Survey of 2009
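The two prioritization techniques described in this section (correlating one log message against another, and contextual analysis against an asset inventory) worked through on the HR-database-then-large-e-mail scenario. This is an added illustration written for this page, not LogLogic's product logic or code. The log lines, the asset inventory, the 30-minute window, the 10 MB "large e-mail" threshold and the scoring weights are all constructed assumptions; a real deployment would tune each against its own data.

```python
"""Correlate log events and rank the matches by asset context.

Constructed example: the log lines, asset inventory, thresholds and
scoring weights are made up for illustration; none of it is LogLogic data.
"""
from datetime import datetime, timedelta

# Constructed sample log lines: database audit records and mail-server
# records for the same users, in the key=value style many collectors emit.
SAMPLE_LOGS = """\
2009-05-04T09:12:03 db01 dbaudit user=jsmith action=SELECT object=hr.employees rows=4200
2009-05-04T09:14:41 mail01 smtp user=jsmith action=SEND rcpt=ext@example.net bytes=18400000
2009-05-04T09:20:10 db02 dbaudit user=amiller action=SELECT object=crm.leads rows=12
2009-05-04T10:05:00 mail01 smtp user=amiller action=SEND rcpt=team@corp.example bytes=2400
2009-05-04T11:30:00 db01 dbaudit user=rdoe action=SELECT object=hr.employees rows=3
2009-05-04T13:00:00 mail01 smtp user=rdoe action=SEND rcpt=friend@example.org bytes=25000000
""".splitlines()

# Constructed asset inventory standing in for the asset management database:
# the criticality of the host raises the priority of anything touching it.
ASSETS = {
    "db01": {"criticality": "high", "data": "PII"},
    "db02": {"criticality": "low", "data": "sales"},
    "mail01": {"criticality": "medium", "data": "none"},
}

SENSITIVE_PREFIXES = ("hr.",)      # database objects whose reads are watched
WINDOW = timedelta(minutes=30)      # assumed max gap between DB read and send
LARGE_MAIL_BYTES = 10_000_000       # assumed "large e-mail" threshold


def parse_line(line):
    """Turn 'timestamp host source k=v k=v ...' into a dict."""
    ts, host, source, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "source": source}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def correlate(events):
    """Pair each sensitive DB read with a later large send by the same user.

    This is the message-to-message comparison: a read of a sensitive object
    followed within WINDOW by a large outbound message from the same user
    yields one alert. Reads outside the window (rdoe below) do not match.
    """
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for read in events:
        if read["source"] != "dbaudit" or read.get("action") != "SELECT":
            continue
        if not read.get("object", "").startswith(SENSITIVE_PREFIXES):
            continue
        for send in events:
            if send["source"] != "smtp" or send.get("user") != read["user"]:
                continue
            gap = send["ts"] - read["ts"]
            if timedelta(0) <= gap <= WINDOW and int(send["bytes"]) >= LARGE_MAIL_BYTES:
                alerts.append({"user": read["user"], "read": read, "send": send})
    return alerts


def prioritize(alert, assets):
    """Contextual analysis: weight the alert by asset criticality and read size."""
    score = 50                                   # base score for a rule match
    asset = assets.get(alert["read"]["host"], {})
    score += {"high": 30, "medium": 15}.get(asset.get("criticality"), 0)
    if int(alert["read"].get("rows", 0)) >= 1000:
        score += 20                              # bulk extraction, not a lookup
    alert["score"] = score
    return alert


def run(lines=SAMPLE_LOGS, assets=ASSETS):
    """Parse, correlate and rank; returns alerts highest priority first."""
    alerts = [prioritize(a, assets) for a in correlate(map(parse_line, lines))]
    return sorted(alerts, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    for a in run():
        print(f"score={a['score']} user={a['user']} read {a['read']['object']} "
              f"({a['read']['rows']} rows) on {a['read']['host']} then sent "
              f"{a['send']['bytes']} bytes to {a['send']['rcpt']}")
```

On the constructed input only jsmith trips the rule: the read of hr.employees is followed two minutes later by an 18 MB message to an external address, and the score is lifted by db01's high criticality and the 4,200-row read. rdoe also reads the HR table and later sends a large message, but 90 minutes apart, so the correlation window excludes it; amiller touches a non-sensitive object. Note that the same pipeline handles the "log data warehouse forwards a subset to the SIEM" split from the convergence section: parse_line is the collection-and-parsing step, and correlate only ever looks at the dbaudit and smtp subset.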

3. What to do about it? Change Management and Database Security

Contextual analysis of log data goes a long way toward transforming raw log data into actionable information and recommendations, but even smart monitoring is still monitoring, and by itself it does little to prevent similar incidents from happening in the future. Software can, however, make automated recommendations and predictions about unusual and suspicious activity and, in some cases, directly prevent bad things from happening in the first place. For example, some database monitoring agents can block access to sensitive information in real time. Change and configuration management technologies can likewise be used to update security policies so that a specific attack cannot recur. As monitoring becomes more precise and predictions more accurate, automatic remediation will become a reality. One caveat applies: an automated block inherits the false-positive rate of the rule that triggers it, so blocking rules deserve tighter tuning than alerting rules and are best rolled out in alert-only mode first. Automatic predictions can also be used to detect, and act on, performance incidents in addition to security incidents. Because these predictions and remediation actions affect specific pieces of information rather than whole systems, they preserve security without sacrificing productivity. By combining actionable intelligence with fine-grained monitoring, companies can strike the best possible balance between system and data security and the availability of information.

Figure 5: Achieving Transparency through Total Log Management

Conclusion

There is still a great deal of work to do to achieve total transparency for compliance, information security and IT operations. But as they move beyond disparate, unconnected systems toward building enterprise transparency on a centralized Log Management foundation, companies of all types and sizes are beginning to see what this future might look like. By centering compliance, security and IT operations efforts on an Open Log Management platform, companies get the most out of each piece of technology they have invested in and protect information more effectively at far lower cost. This is particularly good news in today's economic environment, in which few organizations can afford the IT staff and resources to integrate large numbers of disparate point products. Welcome to the future of Log Management.

About LogLogic

LogLogic offers the industry's most comprehensive Log Management and Log-Powered suite. LogLogic's log-powered applications turn raw log data into actionable information tailored to specific business problems in compliance, database security and threat management. Over one thousand customers worldwide rely on LogLogic to achieve regulatory compliance, protect valuable customer information and improve IT efficiency. For more information, please visit www.loglogic.com or our blog at blog.loglogic.com.

LogLogic, Inc. reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Product specifications are subject to change without notice. © 2009 LogLogic, Inc. All rights reserved. LogLogic is a trademark of LogLogic, Inc. All other products or services mentioned are the trademarks, service marks, registered trademarks or registered service marks of their respective owners.