Three years ago, PCI auditors came to Peter Boergermann and asked
him what his IT organization was doing with its log data.
Network devices, servers, PCs, applications, firewalls and most
other devices and software in a corporate system retain a log of
every information transaction conducted on that machine. The log
data is a virtual fingerprint of activity that takes place on a
company's system. But gathering and making use of that data can be
a challenge.
Boergermann, associate vice president, MIS technical support
manager and IT security officer at $1.1 billion Citizens &
Northern Bank in Wellsboro, Pa., said the PCI auditors had just
gone through training on the importance of log data to
compliance.
"They asked, 'What are you doing with your logs? Who's looking
at them? How do you react to them? What changes do you make based
on your reactions?'" Boergermann said of the auditors, who are
charged with checking a company's compliance with the
Payment Card Industry's (PCI) security standards. "We weren't
doing a lot with logs. After listening to their questions, we
decided to start reviewing our options."
An organization that must comply with government and industry
regulations can use log data to demonstrate compliance. The logs
can provide an immutable record of what's happening in a company's
systems.
"Compliance is a big driver" for adoption of log management and
intelligence technology, said Paul Stamp, principal analyst at
Cambridge, Mass.-based Forrester Research Inc. The technology helps
organizations gather, store and analyze log data.
But compliance isn't the only driver for log management. A new
study from Bethesda, Md.-based The SANS
Institute found that 62% of organizations use log management
technology to assess IT incidents and minimize downtime. And 46%
said they use log management for automatic detection and
analysis of security and performance incidents. Compliance was
cited as a driver for adoption by 43% of organizations. The
study, which was sponsored by LogLogic Inc., a log management
and intelligence vendor in San Jose, Calif., surveyed 650 IT
professionals.
Prior to the PCI auditors' questions, log data in Boergermann's
organization was self-contained on individual devices. There was no
central repository.
"You basically had to log into each one of those devices
yourself and look at the information stored there," Boergermann
said. "It would take hours to gather the data. And the quality --
it was in raw format. We got a ridiculous amount of paper. Who has
time to look at this stuff? It wasn't getting reviewed as well as
it should have."
The SANS Institute study found that 63% of those polled who said
they used log data-tracking technology were dissatisfied with
it.
"For the most part, there are three things that seem to drive
people crazy," said Alan Paller, director of research at The SANS
Institute. "One is speed: It takes too long. Two is getting data
into the system when it is not standard, and the conflicts that
generates with system administrators. And three is the
reporting."
It's also a question of support -- who will do it?
"It's time-consuming," Boergermann said. "And reviewing logs is
something you can't turn over to a PC technician or help desk
person. You need someone at the engineering level, so now you're
tying someone up at a higher pay grade. And the sheer volume of
information is overwhelming."
Homegrown systems dubious
The SANS Institute study found that 27% of organizations still
rely on manual searches of log data, which is extremely time
consuming. Homegrown log management systems can also be a
challenge.
"I looked at open source software," Boergermann said. "And there
are some pretty cool syslog servers out there. I got it installed
and it worked, but there's no reporting, no alerting, and no pretty
interface to go look at this stuff."
Boergermann did find another open source product that would
query that data, and he tried to set it up and run reports. But after
a while he decided he was spending too much time trying to piece
together a solution and wanted something easier to use.
"There's still a lot of manual stuff going on out there," Stamp
said. "There's a lot of custom tools that people have already
invested time and money into."
Stamp said buying an off-the-shelf log management and
intelligence system is often the best choice for an organization
facing a new mandate to manage logs.
"Generally it's someone who has perhaps outgrown their methods
of doing this or somebody is telling them to do this and they're
not doing it already," Stamp said.
But Stamp said it's not as simple as just buying new technology
and plugging it in. CIOs need to identify which systems are
important to track. They need to know what kinds of reports they
want to create. They need to determine what processes they are
going to use to query the log data.
"What we did was we identified critical systems first, and what
kind of log data we can get out of them and what do we do with it,"
Boergermann said. "We looked at solutions where you can
automatically pipe data into an offline repository, because
Security 101 says get your server logs off your server as soon as
possible because if someone takes over that box, the first thing
they do is delete the logs."
Boergermann eventually selected LogLogic as a vendor. He said
one important factor was that LogLogic is an appliance-based product --
he didn't want to manage an operating system for a software-based
product. He also has a heterogeneous environment with Microsoft
Windows and SUSE Linux servers, so he wanted a solution that could
handle both.
Now Boergermann's organization runs daily reports on its log
data, and stores them for 60 days. Not only has the product
satisfied the auditors, but it has also improved the bank's
responses to incidents.
"We have alerting set up," he said. "If anybody goes into
configuration mode on any of our firewalls, we get an email alert.
So we don't have to go into the logs to see if anybody is changing
something."
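The alerting Boergermann describes is a simple detection over centralized log data: watch the firewall stream for entries that mean someone entered configuration mode, and raise an alert without anyone having to read the raw logs. The following is an added example, not code from the article, from Citizens & Northern Bank or from LogLogic. It assumes device logs have already been forwarded off-box to a central repository (as the article recommends), that firewalls are named with an `fw-` prefix, and that they emit a Cisco-style `%SYS-5-CONFIG_I` message on entering configuration mode; all of those are assumptions, and the sample log lines are constructed.

```python
"""Alert on firewall configuration-mode events found in centralized syslog data.

Added example (not the article's, the bank's or LogLogic's code). Assumptions:
logs are already centralized, firewalls are named fw-*, and config-mode events
look like Cisco's "%SYS-5-CONFIG_I" message. Adjust the patterns to your vendor.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Constructed sample of lines as a central syslog server might store them.
SAMPLE_LOG = """\
Mar 12 09:14:02 fw-edge-01 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.25)
Mar 12 09:14:05 fw-edge-01 %SEC-6-IPACCESSLOGP: list outside denied tcp 203.0.113.9(4444) -> 10.1.1.7(445), 1 packet
Mar 12 09:20:41 web-01 sshd[2231]: Accepted publickey for deploy from 10.1.1.30 port 51022 ssh2
Mar 12 22:03:17 fw-core-02 %SYS-5-CONFIG_I: Configured from console by jsmith on vty1 (192.0.2.44)
Mar 12 22:03:19 fw-core-02 %SYS-5-CONFIG_I: Configured from console by jsmith on vty1 (192.0.2.44)
Mar 12 23:59:58 db-01 kernel: Out of memory: Kill process 8812 (postgres)
"""

# Traditional BSD-style syslog layout: "Mon DD HH:MM:SS host message" (assumption).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# Cisco-style configuration-mode event (assumption; other vendors differ).
CONFIG_RE = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<source>\S+) by (?P<user>\S+) "
    r"on (?P<line>\S+)(?: \((?P<addr>[^)]+)\))?"
)


@dataclass(frozen=True)
class ConfigAlert:
    timestamp: str
    device: str
    user: str
    source: str
    address: str


def parse_lines(text: str) -> Iterator[dict]:
    """Yield {ts, host, msg} for every line that matches the syslog layout."""
    for raw in text.splitlines():
        m = SYSLOG_RE.match(raw)
        if m:
            yield m.groupdict()


def is_firewall(host: str) -> bool:
    # Naming-convention check; assumption: firewalls are named fw-*.
    return host.startswith("fw-")


def detect_config_changes(text: str) -> List[ConfigAlert]:
    """Return one alert per firewall config-mode event.

    Repeated events from the same device, user and address within the same
    minute are collapsed so one editing session does not flood the mailbox.
    """
    alerts: List[ConfigAlert] = []
    seen: Set[Tuple[str, str, str, str]] = set()
    for rec in parse_lines(text):
        if not is_firewall(rec["host"]):
            continue
        m = CONFIG_RE.search(rec["msg"])
        if not m:
            continue
        addr = m["addr"] or ""
        minute = rec["ts"][:-3]  # drop the seconds field
        key = (minute, rec["host"], m["user"], addr)
        if key in seen:
            continue
        seen.add(key)
        alerts.append(ConfigAlert(rec["ts"], rec["host"], m["user"], m["source"], addr))
    return alerts


def format_alert(alert: ConfigAlert) -> str:
    """Subject line for the email notification; sending is left to the caller."""
    where = f" from {alert.address}" if alert.address else ""
    return (f"[FW CONFIG] {alert.device}: {alert.user} entered configuration mode "
            f"via {alert.source}{where} at {alert.timestamp}")


if __name__ == "__main__":
    for a in detect_config_changes(SAMPLE_LOG):
        print(format_alert(a))
```

Run against the constructed sample, the detector ignores the non-firewall hosts and the firewall's ordinary deny entry, and produces two alerts: one for `admin` on `fw-edge-01` and one for `jsmith` on `fw-core-02` (the second `fw-core-02` line, two seconds later, is folded into the first). In a real deployment the text fed to `detect_config_changes` would be the firewall stream pulled from the central repository on a schedule, and `format_alert` output would go to the mail system.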
Shamus McGillicuddy, News Writer