
Security Think Tank: Guidelines to enable security to get the most out of log management

How can log management be used to bolster information security and improve incident response without infringing end user privacy?

Organisations collect a mountain of logs each day. This includes logs from servers, firewalls and intrusion detection systems, events from network infrastructure devices, such as routers and access gateways, and from various software and hosted services. Information is often scattered across systems, as departments set up their own log management tools, creating many different hiding places where they store log data.

Compliance requirements mean IT administrators must run their log management systems in a co-ordinated manner so that unauthorised activity can be spotted. For example, the PCI Data Security Standard (PCI DSS) specifically calls out the need for log review and the importance of tying identity to activity.

Ensure whatever log management tool you use is installed and managed correctly, so that it monitors the events and data that matter to the organisation and its reports actually have value. Use log data to work out what has happened during an “outage”.

All of the information necessary to work out what is happening, or has just happened, can be found in the log files. Systems that allow staff to write and run reports in real time, based on outage information, deliver the facts needed by response teams to understand what is happening on the network.

If we can use software to collect this information and display it in a meaningful way, analysts can make informed decisions as to the seriousness of a log event in a matter of seconds, and their ability to detect and respond to harmful events improves dramatically. 

Knowing the identity of individuals who access unauthorised data is really important, but only if the information you receive is correctly organised and correlated, to avoid falsely accusing an individual of illegally accessing sensitive information. Privacy in log management is a difficult subject, but a balance needs to be struck between collecting the data the business needs and infringing users’ rights.

Log management also needs to be part of the overall network security infrastructure to protect against “blended threats” to your organisation. Managing log data successfully depends on being able to look for changes in user behaviour or attitude, and on being able to monitor activity and report on segregation of duties, dual controls and access violations.
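As an added illustration of the two points above (not code from the article or its author), the following Python script ties identity to activity by correlating an access-gateway log, which records which user owns a session, with an application log that records only the session, and then checks the attributed events for access violations and segregation-of-duties breaches. Events whose session is unknown, or is shared by more than one user, are reported as unattributed rather than pinned on a guessed user, which is the correlation discipline needed to avoid false accusations. The log lines, role table and rules are constructed for the example and are not taken from any real product.

```python
"""Correlate identity with activity in log data, then check the resulting
user/action stream for access and segregation-of-duties violations.
Added example; log formats, roles and rules are constructed, not real."""
import re
from collections import defaultdict

# Constructed sample: an access gateway log that ties a session to an
# authenticated user, and an application log that records only the session.
GATEWAY_LOG = """\
2024-03-01T08:00:01Z gateway login user=alice session=s1 src=10.0.0.5
2024-03-01T08:00:09Z gateway login user=bob session=s2 src=10.0.0.7
2024-03-01T08:01:00Z gateway login user=carol session=s3 src=10.0.0.9
2024-03-01T08:02:00Z gateway login user=dave session=s3 src=10.0.0.11
"""

APP_LOG = """\
2024-03-01T08:05:00Z payments action=create_payment id=P100 session=s1
2024-03-01T08:06:00Z payments action=approve_payment id=P100 session=s1
2024-03-01T08:07:00Z payments action=create_payment id=P101 session=s2
2024-03-01T08:08:00Z payments action=approve_payment id=P101 session=s1
2024-03-01T08:09:00Z hr action=read_salary id=E42 session=s2
2024-03-01T08:10:00Z hr action=read_salary id=E43 session=s3
2024-03-01T08:11:00Z hr action=read_salary id=E44 session=s9
"""

# Constructed role model: which roles a user holds, and which roles may
# perform each action.
ROLES = {"alice": {"finance"}, "bob": {"finance"}, "carol": {"hr"}, "dave": {"hr"}}
ALLOWED = {"create_payment": {"finance"}, "approve_payment": {"finance"},
           "read_salary": {"hr"}}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split a log line into timestamp, source and its key=value fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["ts"], fields["source"] = ts, source
    return fields


def session_map(gateway_log):
    """Map session id -> set of users seen authenticating with it."""
    sessions = defaultdict(set)
    for line in gateway_log.splitlines():
        ev = parse(line)
        if "user" in ev and "session" in ev:
            sessions[ev["session"]].add(ev["user"])
    return sessions


def correlate(app_log, sessions):
    """Attach an identity to each application event. A session that is
    unknown, or shared by more than one user, yields user=None rather than
    a guess, so nobody is accused on weak evidence."""
    events = []
    for line in app_log.splitlines():
        ev = parse(line)
        users = sessions.get(ev.get("session"), set())
        ev["user"] = next(iter(users)) if len(users) == 1 else None
        events.append(ev)
    return events


def find_violations(events):
    """Report access violations (user's roles not permitted for the action),
    segregation-of-duties breaches (same user creates and approves one
    payment) and events that could not be attributed to a single user."""
    findings = []
    creators = {}  # payment id -> user who created it
    for ev in events:
        user, action, obj = ev["user"], ev["action"], ev["id"]
        if user is None:
            findings.append(("unattributed", ev["session"], action, obj))
            continue
        if not ROLES[user] & ALLOWED.get(action, set()):
            findings.append(("access_violation", user, action, obj))
        if action == "create_payment":
            creators[obj] = user
        elif action == "approve_payment" and creators.get(obj) == user:
            findings.append(("sod_violation", user, action, obj))
    return findings


def run():
    """Full pipeline over the constructed sample logs."""
    return find_violations(correlate(APP_LOG, session_map(GATEWAY_LOG)))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the sample data this flags alice approving the payment she created, bob reading salary data his finance role does not permit, and two salary reads it refuses to attribute: one because session s3 was used by two different users, one because session s9 never appears in the gateway log. In a real deployment the unattributed bucket is exactly the set of events that deserves a human look before anyone is named.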

Log management needs to be at the core of your company’s incident response plan – ensure the system is monitored 24/7 and you are notified about serious problems in seconds, rather than the morning after. Hackers, after all, only need a few minutes on your network to find the valuable data they want, so the speed of your response is absolutely key. The good news is we are getting the tools that are beginning to make this practical.

Tim Holman is an international board director at the Information Systems Security Association and CEO at 2-sec.
