Thanks to evolving technology, even small businesses collect vast amounts of data these days. This includes the system logs that are constantly being generated by servers, apps and other network systems.
“Let’s take a bank as an example. At the backend, all the transactions that are taking place at the bank on any given day are recorded in a log file in the form of hundreds of thousands, perhaps even millions of lines of what appears to be nothing more than a bunch of gibberish,” explains Jayson O’Reilly, director: Sales and Innovation at security solutions provider DRS.
“But hidden among those seemingly incomprehensible lines is some really useful information which the bank might later have to use for compliance, business or security purposes.”
Sifting through this data to parse, analyse, organise, normalise and store it, and to make it easily accessible and searchable, can be an overwhelming task. This is where universal log management comes in.
Log management, as defined by the National Institute of Standards and Technology (NIST), is “the process for generating, transmitting, storing, analysing, and disposing of computer security log data”.
“Security is indeed a crucial part of log management,” O’Reilly says. “While anti-virus and anti-malware software are good for preventing security breaches, they can’t always detect breaches that have already taken place. A log management system analysing data can help companies to not only detect breaches on their networks, but also to investigate them.”
According to the 2013 Verizon Data Breach Investigations Report, more than two-thirds of attackers and cybercriminals manage to exfiltrate business data within mere hours, but it reportedly takes several months for almost two-thirds of companies to detect the breach.
In seven out of 10 cases, the breach is not detected by the company itself, but by an outsider. The report also states that, in many instances, law enforcement or other agents responding to a breach cannot identify the attacker due to inefficient log data.
These findings are echoed by another survey, conducted by the research and education organisation the SANS Institute. In its eighth annual Log and Event Management Survey, the organisation says that many companies find it difficult to separate normal log data from actionable events.
“More than 600 respondents report that detecting and tracking suspicious behaviour, supporting forensic analysis and meeting and proving regulatory compliance are the most important and problematic issues they are dealing with in using their logs.
“As attacks against networks become more sophisticated, IT and security practitioners are identifying what they must do to not just keep up, but also to get proactive about their security practices.”
The SANS survey reveals that an increasing number of companies are turning to log management, with 58% of the responding organisations saying that they are using a log manager to collect and analyse their logs.
“Setting up your own log management system can be time consuming and tricky,” O’Reilly says.
“Especially now that so many companies have adopted BYOD policies, which means that there is an increasing volume of log data from an increasing number of sources to deal with and make sense of. BYOD also increases the risk of security breaches.”
O’Reilly advises using a comprehensive log management tool.
“HP’s ArcSight Logger is the first Universal Log Management solution that unifies searching, reporting, alerting and analysis across any type of enterprise log data. It has the ability to collect, analyse and store massive amounts of data generated by modern networks and can be deployed as an appliance and as software.”
O’Reilly explains that the version of ArcSight available from DRS allows users to collect and index up to 750Mb of logs per day, and to store and search up to 50Gb of compressed logs.
“With this version, all users will be able to try all the enterprise features for one full year. South African users can download a free version,” O’Reilly says. “This will allow you to try it out to see if it will be the best log management system for your needs.”