Leveraging Log Management to provide business value

Leveraging Log Management to provide business value The importance of consolidation, correlation, and detection Enterprise Series

White Paper 8815 Centre Park Drive Published: August 17, 2009 Columbia MD 21045

877.333.1433

Abstract

Despite the obvious benefits of Log Management and its increasing recognition as a critical necessity by the IT organization, Log Management is still viewed by Executives and Senior Management as a tactical effort, an item on a checklist that addresses a specific set of requirements, typically related to compliance or security. However by taking a broader approach, Log Management becomes not only the foundation for complying with multiple requirements and improving enterprise security, but also provides significant business value in the form of increased business agility, smoother IT operations and business processes, enhanced communication and collaboration between teams, and reduced costs

The information contained in this document represents the current view of Prism Microsystems Inc. (Prism) on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism. Prism cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. © 2009 Prism Microsystems Inc. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Leveraging Log Management to provide business value

The Log Management Challenge In a typical enterprise, millions of logs are generated by systems, applications and devices every single day. These logs contain a record of all activity that takes place in a network and provide a wellspring of information to help improve security, enable compliance and optimize IT operations. However, gaining any actionable intelligence from this data depends on how well you can collect, consolidate, store and decipher the information that event logs contain, which is no easy task to do manually given the following constraints:

Collection As a result of regulatory requirements, companies have to, at a bare minimum, collect and archive all log data from a number of devices and device types ranging from network and security devices to operating systems, databases, applications and web logs. Considering that in most companies the number of devices that generate event logs are in the hundreds or thousands, and that each device can generate millions of logs every single day, simply keeping up with the staggering volume can be a challenge. There is also the challenge of establishing reliability for audit purposes; to demonstrate that logs were collected in a secure manner.

Storage In order to facilitate review, many compliance mandates require log data to be stored securely for on-demand retrieval and historical analysis.

• The NIST guide for HIPAA requires that logs be maintained for 6 years at a minimum

• Section 103 of Sarbanes Oxley requires that “information related to any audit report, in sufficient detail to support the conclusions reached in such report” be maintained for 7 years.

• Section 10.7 of The PCI data security standard requires covered entities to retains audit trail data for at leat one year with a minimum of 3 months online availability.

• In addition, the Graham-Leach-Bliley Act, the SANS Institute and various other best practices recommend that logs and documentation be kept for a varying number of years.

Normally, a single Windows server can generate over 100,000 events every day without using the auditing feature. With the audit feature in operation, Windows servers, like many

Prism Microsystems, Inc. 3


UNIX systems, SNMP devices and firewalls, can produce over one million events per day. It is not unusual for even a small organization to generate well over 20 million events every day. This information needs to be securely archived for IT controls and compliance. One hundred Windows servers with an average number of 100,000 events each, means a total of 10 million events per day – and that is without auditing! If these events are kept for 90 days, it is necessary to manage and store 900 million events. Retained for 1 year, the archive would contain over 3.5 billion separate event records. This can translate into a significant storage burden, keeping in mind that one million events can take up to 5GB of space in a traditional database.

Analysis Analysis remains the third major challenge. The fact is that different devices generate logs in a distinct, inconsistent and often cryptic format that is difficult to analyze without in-depth system specific expertise. Also, many of the conditions that indicate issues can only be detected when events are correlated or associated with events happening on other systems and devices. If caught in time, these signs can alert personnel to take necessary actions before security is compromised. Moreover, this analysis needs to be done in real-time for immediate insight into unusual and suspicious user/network activity – a task that is impossible to do manually, unless of course, a company has an army of IT experts at its disposal 24/7.



The case for automated Log Management It is no wonder that IT managers who grasp the importance of event log data still find the entire task of event log management a difficult challenge. That’s where SIEM (Security Information and Event Management) or Log Management solutions come in. An automated solution will address the challenges outlined in the previous section and help organizations cost effectively collect, archive, correlate and analyze enterprise-wide log data for security investigation and compliance reporting. .

Traditional drivers: Compliance and Security

A Log Management solution is typically implemented for one or more of the following reasons: a) To comply and prove compliance Log management is typically considered a security best practice, however, a number of regulations such as SOX, HIPAA, PCI, GLBA and FISM specifically call for the collection, storage, regular review and analysis of log data. Log Management solutions help companies wade through the often vague guidelines of compliance requirements with predefined reports mapped to specific regulatory requirements. A comprehensive Log Management solution helps you:

• Automate the entire compliance process from securing your environment, establishing baselines, tracking user activity, alerting to potential violations to creating audit-ready reports

• Demonstrate to auditors that periodic reviews are being conducted in compliance with internal and external policies

• Comply with a variety of regulatory standards spanning multiple verticals b) To detect and prevent and security breaches Event logs from firewalls, routers, systems and applications provide valuable clues about the state of a company’s overall security posture. The really important clues, however, are often very hard to detect and sometimes can only be extracted after viewing series of events on



multiple systems in context. Log Management solutions come with powerful correlation capabilities that look for patterns of events taking place across the entire enterprise to detect abnormal activity that may be indicative of an attack in progress. These solutions help you:

• Detect and prevent damage from Zero-Day and other new forms of attack vectors

• Monitor user activity and USB device usage for unauthorized internal access to sensitive data

• Monitor networks for suspicious activity that often precedes a security breach • Create customized correlation rules to detect common and critical security

conditions in real-time. • React quickly and early to suspicious activity with instant alerts and automatic

remediation for proactive prevention c) To conduct forensic investigations on security incidents Log Management solutions support forensic investigations by providing a complete audit trail of forensically clean data leading up to an attack. Logs can be used to establish a timeline of events, which can be used to piece together what went wrong, giving a detailed perspective of what happened, so that steps can be taken to ensure that it does not happen again.

Leveraging Log Management beyond the security organization

Beyond security and compliance, Log Management can be applied across the IT organization to increase the efficiency of IT operations, primarily through increased visibility into enterprise-wide activity. Log Management solutions not only help in maintaining the IT infrastructure in optimal shape but also enable planning for future requirements by monitoring disk space trends, CPU usage trends and service downtime. By alerting on trends that indicate resource issues such as low disk space, runaway processes, high-memory usage, etc. an event log management solution significantly improves IT availability by reducing unplanned outages, while at the same time reducing the total cost of ownership of the IT infrastructure. Log Management solutions:

• Automate routine tasks and decrease dependence on existing resources • Enable IT staff to quickly diagnose issues before they escalate into costly

disruptions • Accelerate troubleshooting times • Free up personnel to do more productive tasks



Generating business value from Log Management From the applications of Log Management detailed above, the business value that Log Management solutions provide is apparent. Automation of regulatory processes, improved efficiency of forensic investigations, increased troubleshooting turnaround times and a better security posture are some of the most important benefits that an organization gains with the proper implementation of a log management solution. There are also several lesser known benefits of Log Management that can provide tremendous business value by addressing critical management areas:

Increased agility In these tough economic times, the margin for business error is very slim. When services are IT dependent, unexpected performance issues and security breaches can severely impact a company’s competitiveness. In addition, lost business and revenue opportunities can result if, for instance, an order taking system goes down, or if customers are unable to contact you. An effective log management solution increases your business and IT agility by allowing you to quickly respond to unexpected situations and problems before performance is affected or revenue is lost.

Business process improvement Considering that logs are records of what a system does minute by minute, the right log management solution can provide a detailed understanding of most aspects of a business, from how consumers use systems to purchase goods, to identifying operational bottlenecks, to tracking resource utilizations. The insight that log data provides into business operations, can help you measure and optimize critical processes.



Business risk mitigation A security breach can cause long-term damage to corporate reputation. The negative press resulting from loss of sensitive customer data such as credit card information or social security numbers can not only create customer distrust and subsequently impact sales and revenue, but also hinder business relationships and partnerships. On the other hand, the direct costs associated with clean-up activities after a security incident can also be substantial. Large fines as a result of non-compliance, identity protection services offered to affected customers, litigation fees, and civil lawsuits can all add up to a significant chunk of money. Log Management solutions substantially reduce the risks and costs associated with security breaches by proactively detecting patterns indicative of a breach and enabling personnel to perform remediation activities before costly damage is caused.

Enhanced team communication and collaboration

IT typically operates through specialized teams to manage security threats, optimize network performance and enable compliance. These groups deploy point products within each of their areas to meet their independent requirements, and while this approach is beneficial for addressing department-specific objectives, it creates silos of data that hinder cross-departmental collaboration and decision making. Log Management solutions enable cross-functional communication and information sharing by seamlessly weaving together information on all IT assets into an integrated framework that provides intelligence and insight into enterprise-wide activity for effective decision making.

Increased management visibility Executive Management benefits from dashboards and reports that provide visibility into cross-departmental activities such as operational and security metrics, corporate governance, and regulatory initiatives. Summary reports and analysis capabilities allow them to make a quick assessment of progress and get an overview of the overall IT posture.



Reduced costs Log Management solutions accelerate the time to identifying critical security and performance issues to significantly reduce costs associated with service disruptions, security breaches and non-compliance. With the automation of compliance processes and predefined reports, the costs associated with preparing for audits and remaining in compliance are also significantly reduced. In addition, Log Management solutions help increase service levels without increasing staff and reduce burdens on existing resources by automating routine tasks. In times of tightening budgets and staff cuts, Log Management helps companies do more with less by addressing multiple requirements across departments.



Conclusion Log Management solutions although typically deployed to meet very specific requirements, have benefits that extend far beyond department level objectives. With the insight that log data provides into enterprise-wide IT, a growing number of constituents can benefit from a solution that automates the collection, consolidation and analysis of this data – these range from audit and compliance groups, security teams, IT operations and Helpdesk teams to legal teams (for forensic investigation), senior management and CIO’s.



About EventTracker EventTracker is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables “defense in depth”, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, Event Log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides real-time alerting capability in the form of an email, page or SNMP message to proactively alert security personnel to an impending security breach.

The original log data is also securely stored in a highly compressed event repository for compliance purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed and many other features. With pre-built auditor grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, PCI, and more); EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination.

EventTracker lets users completely meet the logging requirements specified in NIST SP 800-92 Guide To Computer Security Log Management, and additionally provides Host Based Intrusion Detection , Change Monitoring and USB activity tracking on Windows systems, all in an off the shelf, affordable, software solution.

EventTracker provides the following benefits

• A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and various other SYSLOG generating devices.

• Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured (Sealed with SHA-1 checksum) archive that is limited only by the amount of available disk storage.

• Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information.

• Alerting interface that generates custom alert actions via email, pager, console message, etc.



• Event correlation modules to constantly monitor for malicious hacking activity. In

conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches.

• Various types of network activity reports, which can be scheduled or generated as required for any investigation or meeting audit compliances.

• Host-based Intrusion Detection (HIDS).

• Role-based, secure event and reporting console for data analysis.

• Change Monitoring on Windows machines

• USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device.

• Built-in compliance workflows to allow inspection and annotation of the generated reports.



About Prism Microsystems Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-to-deploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism’s market leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting. Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute’s Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM. For additional information, please visit http://www.prismmicrosys.com/.


Leveraging Log Management to provide business value

Documents

Transcript of Leveraging Log Management to provide business value