System event logs can be a fertile and useful source of information for security professionals, but trawling through logs by hand is a slow and laborious task. Some organisations find the job so difficult that they choose to ignore the logs, or in some cases, even turn them off altogether, arguing that it saves disk space.
But avoiding system log management is becoming harder to justify as several security standards now mandate the keeping of logs as part of good practice.
Steve Norwood, systems security officer at Surrey Heath Borough Council, knows the problem too well. For the last two years he has been working hard to achieve compliance with the government's Code of Connection (CoCo), which defines minimum security standards and processes for connecting to GCSx, the Government Connect Secure Extranet.
GCSx is a private wide-area network designed to allow secure interaction between central government, local authorities and other organisations, such as the police and NHS. To be able to connect to GCSx, local councils have to meet a detailed set of communications and security standards, and one of these is the retention of system logs.
Primarily to help with CoCo compliance, Norwood decided to look for a tool that would ease the task of system log management and analysis. Initially, he examined some open source products but found they did not meet the requirements of CoCo, and were very complex to install.
He also considered the EventsManager product from GFI Software Ltd. before opting for a system log management appliance from LogRhythm Inc., a company whose European headquarters are located in Maidenhead, England.
"The GFI and LogRhythm products were similar in price, but LogRhythm gave me the granularity I needed, and it came highly recommended by a number of resellers I spoke to," he said. In addition, the LogRhythm system came preconfigured with specific reporting mechanisms for the Code of Connection and for other security standards, such as ISO 27002, which Surrey Heath is also working to achieve.
The LogRhythm appliance was installed in March of this year, and Norwood said he is already seeing the benefits. Before that, he needed to go through logs by hand to tackle problems. "Doing that manually was hard," he said. "For IDS, we use McAfee's IntruShield, which [has not been too] bad, but for the firewalls, it was a question of going through lots of logs, which is very time consuming. Now we can get to the point straight away."
The main advantage of having a log analysis system is that it brings all the log information into one place and provides a single picture of what is happening across the network. With policies and thresholds configured into the LogRhythm system, it means any exceptional activity will immediately appear, either through a flag on a screen, an email alert or even a text message. "We get immediate notification if there is a problem with the network. It is also very granular -- we can drill down and see what is going on at a detailed level if we need to," he said.
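The policy-and-threshold alerting described above can be illustrated with a small, self-contained script. This is an added example, not LogRhythm's code or the council's configuration: the log lines, host names, addresses, rule names and thresholds are all constructed for the demonstration, and the input is assumed to have already been normalised into a common "timestamp source event key=value" form by the collection layer.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events from three source types (domain controller,
# firewall, IDS), already normalised to one line format. Hosts, users and
# addresses are invented; addresses use private/documentation ranges only.
SAMPLE_LOGS = """\
2009-06-01T08:00:01 dc01 logon_failure user=jsmith src=10.1.2.33
2009-06-01T08:00:02 dc01 logon_failure user=jsmith src=10.1.2.33
2009-06-01T08:00:03 dc01 logon_failure user=admin src=10.1.2.33
2009-06-01T08:00:04 dc01 logon_failure user=admin src=10.1.2.33
2009-06-01T08:00:05 dc01 logon_failure user=root src=10.1.2.33
2009-06-01T08:00:10 dc01 logon_failure user=bob src=10.1.2.50
2009-06-01T08:00:20 fw01 fw_deny proto=tcp dport=445 src=192.0.2.7
2009-06-01T08:00:21 fw01 fw_deny proto=tcp dport=3389 src=192.0.2.7
2009-06-01T08:03:00 fw01 fw_deny proto=tcp dport=22 src=192.0.2.7
2009-06-01T08:05:00 ids01 ids_alert sig=SQL_INJECTION src=198.51.100.9
2009-06-01T08:06:00 dc01 logon_success user=jsmith src=10.1.2.33
"""

# Hypothetical policies: a rule fires when `threshold` events sharing the
# same `group_by` value occur within `window_seconds`. A threshold of 1 with
# a zero window means "alert on every occurrence" (e.g. any IDS signature hit).
POLICIES = {
    "logon_failure": {"threshold": 5, "window_seconds": 60, "group_by": "src"},
    "fw_deny": {"threshold": 3, "window_seconds": 120, "group_by": "src"},
    "ids_alert": {"threshold": 1, "window_seconds": 0, "group_by": "src"},
}


def parse_line(line):
    """Split one normalised line into a dict of timestamp, source, event and fields."""
    ts, source, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def evaluate(log_text, policies=POLICIES):
    """Apply sliding-window threshold policies to the merged log stream.

    Events are sorted by timestamp first so that lines arriving out of order
    from different collectors do not defeat the window logic.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    windows = defaultdict(deque)  # (event type, group key) -> recent timestamps
    alerts = []
    for ev in events:
        rule = policies.get(ev["event"])
        if rule is None:
            continue  # no policy for this event type: retained, not alerted on
        key = ev.get(rule["group_by"])
        if key is None:
            continue
        dq = windows[(ev["event"], key)]
        cutoff = ev["ts"] - timedelta(seconds=rule["window_seconds"])
        while dq and dq[0] < cutoff:  # drop events that have aged out of the window
            dq.popleft()
        dq.append(ev["ts"])
        if len(dq) >= rule["threshold"]:
            alerts.append({
                "rule": ev["event"],
                "key": key,
                "count": len(dq),
                "first_seen": dq[0],
                "last_seen": ev["ts"],
                "source": ev["source"],
            })
            dq.clear()  # one alert per threshold crossing, not one per extra event
    return alerts


def format_alert(alert):
    """Render an alert as the one-line summary an e-mail or SMS notifier would send."""
    return (f"[{alert['rule']}] {alert['count']} event(s) for {alert['key']} "
            f"between {alert['first_seen'].isoformat()} and "
            f"{alert['last_seen'].isoformat()} (reported by {alert['source']})")


if __name__ == "__main__":
    for a in evaluate(SAMPLE_LOGS):
        print(format_alert(a))
```

On the sample data the script raises two alerts: five logon failures from one address within a minute on the domain controller, and the single IDS signature hit. The three firewall denies from 192.0.2.7 do not alert because the third falls outside the 120-second window of the first two, which is the kind of tuning decision that the thresholds in a real deployment exist to capture.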
So far, Norwood is taking log data from the domain controllers, the IDS and firewalls. But with CoCo compliance now achieved, he is currently turning his attention to extending the scope of the system to include logs from the council's SQL and Oracle databases.
Some of those databases hold credit card and bank details of residents, and so the system could also help the council achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).
In addition, the council is working towards accreditation for the ISO 27002 information security standard, where log management is also a requirement. "The new system covers those standards very well for us. It is extremely useful," said Norwood.
Beyond that, he said the system could also help track down benefit fraud or identity theft by highlighting any unusual traffic patterns or network activity.