
Security Think Tank: Making the most of logs with SIEMs

How can log management be used to bolster information security and improve incident response without infringing end user privacy?

Most of our hardware and software generates logs which can be used for review in an information security context. But as we know all too well, the extent of technology sprawl in a business presents a whole raft of challenges, which extends to log management as well. 

There is not just one log to deal with, there are hundreds – maybe thousands – that we may be interested in reviewing; everything from Windows to firewalls to servers generates them, which makes collecting and studying the vast amounts of data in logs incredibly difficult, especially when insights are needed quickly. 

Currently, many logs are generated and then ignored, as resources (or skills perhaps) to review and analyse them in a timely and useful manner are lacking.

Event management tools

This sounds like a big data problem, and it is. How can we make sense of all this data and put it to good use? How can we know what data to collect, and what aspects to focus on? This is where security information and event management (SIEM) tools come in. These tools offer an automated way to tie together all the log data generated by the network and its security tools, then condense it into something manageable.

SIEM tools are a practical way to enable security teams to detect, respond to and prevent incidents in a fast-moving, data-heavy environment. They provide a way to detect anomalies and attacks on a network by comparing current traffic with the established average in real time. Notifications can then be sent to security personnel to respond and rectify.

This functionality can be extended to automate actions – if the SIEM detects an abnormally high amount of traffic leaving a PC (a symptom of exfiltration attacks), it can learn this pattern of traffic and automatically stop it if the issue is detected again in the future. This process can be completed much more quickly than a human could manage and is an improvement to the overall security programme.
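The baseline comparison described above, as an added example that is not part of the original article or any particular SIEM product: it reads a constructed per-host daily outbound-bytes log (the format, host names and volumes are all assumptions made for the illustration), builds each host's historical mean and standard deviation, and flags a host whose current-day volume stands well outside that baseline. Hosts with no usable history are reported separately rather than silently passed, because a newly seen machine is exactly the case a baseline cannot judge.

```python
"""
Baseline-versus-current outbound traffic check (added example, not from
the article). Assumptions: a flow log with one line per host per day in
the form 'YYYY-MM-DD host outbound_bytes'; all sample data is constructed.
"""
from __future__ import annotations

import math
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data: five quiet days for three workstations, then a
# current day on which ws-102 sends roughly ten times its usual volume and
# a previously unseen host ws-104 appears. One malformed line is included
# because real collectors do produce them.
SAMPLE_LOG = """\
2024-01-01 ws-101 12000000
2024-01-01 ws-102 9000000
2024-01-01 ws-103 5000000
2024-01-02 ws-101 11500000
2024-01-02 ws-102 9200000
2024-01-02 ws-103 5000000
2024-01-03 ws-101 12500000
2024-01-03 ws-102 8800000
2024-01-03 ws-103 5000000
2024-01-04 ws-101 12000000
2024-01-04 ws-102 9100000
2024-01-04 ws-103 5000000
2024-01-05 ws-101 11800000
2024-01-05 ws-102 8900000
2024-01-05 ws-103 5000000
2024-01-06 ws-101 12100000
2024-01-06 ws-102 95000000
2024-01-06 ws-103 5000000
2024-01-06 ws-104 40000000
collector restarted: partial line
"""

Record = Tuple[str, str, int]


def parse_flow_log(text: str) -> List[Record]:
    """Parse 'date host bytes' lines; malformed lines are skipped, not fatal."""
    records: List[Record] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        records.append((parts[0], parts[1], int(parts[2])))
    return records


def build_baseline(records: List[Record], current_day: str) -> Dict[str, Tuple[float, float, int]]:
    """Per-host (mean, stdev, sample_count) of daily bytes strictly before current_day.

    ISO dates compare correctly as strings, so no date parsing is needed here.
    """
    history: Dict[str, List[int]] = defaultdict(list)
    for day, host, nbytes in records:
        if day < current_day:
            history[host].append(nbytes)
    baseline = {}
    for host, values in history.items():
        mean = statistics.fmean(values)
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        baseline[host] = (mean, stdev, len(values))
    return baseline


def detect_outbound_anomalies(records: List[Record], current_day: str,
                              min_history: int = 3, z_threshold: float = 3.0,
                              min_ratio: float = 5.0) -> dict:
    """Flag hosts whose current-day outbound volume is far above their baseline.

    Both tests must pass: a z-score above z_threshold (statistical surprise)
    and a ratio to the mean above min_ratio (guards against a near-zero stdev
    turning a trivial increase into a huge z). A constant history has stdev 0,
    so z is treated as infinite only when the volume actually rose.
    """
    baseline = build_baseline(records, current_day)
    flagged, no_baseline = [], []
    for day, host, nbytes in records:
        if day != current_day:
            continue
        if host not in baseline or baseline[host][2] < min_history:
            no_baseline.append(host)  # cannot judge: nothing to compare against
            continue
        mean, stdev, _ = baseline[host]
        ratio = nbytes / mean if mean > 0 else math.inf
        if stdev > 0:
            z = (nbytes - mean) / stdev
        else:
            z = math.inf if nbytes > mean else 0.0
        if z >= z_threshold and ratio >= min_ratio:
            flagged.append({"host": host, "bytes": nbytes,
                            "ratio": round(ratio, 2), "z": round(z, 1)})
    return {"flagged": flagged, "no_baseline": no_baseline}


if __name__ == "__main__":
    result = detect_outbound_anomalies(parse_flow_log(SAMPLE_LOG), "2024-01-06")
    for hit in result["flagged"]:
        print(f"ALERT {hit['host']}: {hit['bytes']} bytes out, {hit['ratio']}x baseline")
    for host in result["no_baseline"]:
        print(f"REVIEW {host}: no usable baseline yet")
```

The output of this check is an alert list that a notification or response playbook would consume; the automatic blocking the article mentions would sit downstream of it, and in practice the thresholds and the length of history are tuned per environment rather than fixed as here.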

The privacy debate

Log management and SIEM tools have huge potential to make the lives of security staff easier, but they inevitably have an impact on user privacy. All devices that generate logs will have an IP address or MAC address that is traceable to a user, depending on the IAM system. Security departments have the ability to go extremely deep into the data, so the practicalities must be balanced with privacy.

Ultimately, if you are monitoring your networks for security purposes, the best thing you can do is tell all your users, in any agreements they sign, that you are collecting data relating to their activity for security purposes. You may wish to remind users via pop-ups when they connect to the internet, access business apps and use collaboration tools that you are monitoring and collecting data. We have to be able to analyse and use log data and associated user data to have sophisticated security tools that can sit on the frontline of a business’s defences; otherwise there is no point.

Logs can play a useful role in information security, and the advent of big data and automated analysis tools has increased their utility. The key is to set out what log management will deliver for the function, then plan for that delivery to happen, whilst ensuring that privacy considerations are addressed.

Adrian Davis is managing director for Europe at (ISC)2.
