Most companies are required to keep logs of their IT infrastructure and of the policies that govern it. These logs serve many purposes, from security to maintenance to compliance with various data retention laws. Log data collection and monitoring is normally referred to as SIEM (Security Information and Event Management). It is not only a response to the current threat landscape but also a precautionary measure against unknown cyber threats and network security compromises that would otherwise let attackers persist in the environment and cause serious damage.
There are special-purpose platforms built to correlate, integrate and analyze the logs collected from the different sources in an IT environment, so that the raw data gains added intelligence and IT admins can make better decisions with everything centralized in one location. These solutions accelerate and simplify compliance management, provide real-time security visibility into the IT infrastructure, and offer more advanced features to help IT departments. Besides this, log management is also a legal requirement under rules such as PCI, HIPAA/HITECH, FISMA, GLBA and COBIT.
Security is one major reason for managing log data. When there are no breaches or disruptions, a log monitoring and analysis tool helps confirm that everything is working as intended and that network security is not compromised. In the event of a security breach, the time it takes to detect the intrusion and contain the damage becomes vital, and log data is the first point of reference for establishing the exact root cause of the network failure. Several factors affect log data collection, and the 2016 Trustwave Global Security Report gives ample evidence that the security posture of networks needs to improve: the mean time between intrusion and detection in 2015 was 80.5 days.
The following attributes of the log data that is collected and analyzed are what determine whether it gives a better understanding of the security issues.
The log data collected can come from a network of 10 nodes or of several hundred. The more machines connected to the network, the larger the volume of logs. Furthermore, the relevant data has to be filtered out of these logs for events, applications, network flows, the SIEM, and several other security management tools. Unless all of these metrics are collected at a unified source, there has to be some mechanism to distinguish the useful information from the petabytes of data that may be collected each day.
Context is what determines the usefulness of the log data. Contextual information defines the "who, what and where" of the data and helps establish the relationship between cause and effect, so that a decision can be reached sooner. Not all of the log data collected is important or relevant to a given event, so log data has to be correlated before it becomes useful for anomaly detection.
The timing of information is critical in IT log management. If timely information is not available (ideally in real time), the information is no longer useful. To address security concerns proactively, contextual information has to be processed in real time. This means it has to be correlated, integrated and analyzed so that the nature of the incident is understood and a solution to the issue can be found.
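The three attributes above (scale, context and timing) can be seen together in a small detector. The following is an added example, not code from the original article: it parses constructed syslog-style SSH login lines, enriches each event with a hypothetical asset map for the "where" context, and only raises an alert when repeated failures from one source are followed by a success within a short time window, so that stale failures are aged out rather than correlated.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not from any real system).
SAMPLE_LOGS = """\
2016-03-01T10:00:01 web01 sshd: Failed password for admin from 203.0.113.5
2016-03-01T10:00:09 web01 sshd: Failed password for admin from 203.0.113.5
2016-03-01T10:00:15 web01 sshd: Failed password for admin from 203.0.113.5
2016-03-01T10:00:31 web01 sshd: Accepted password for admin from 203.0.113.5
2016-03-01T10:05:00 db01 sshd: Failed password for backup from 198.51.100.7
2016-03-01T11:30:00 db01 sshd: Accepted password for backup from 198.51.100.7
"""

# Hypothetical asset inventory supplying the "where" context for each host.
ASSETS = {"web01": "dmz-web", "db01": "internal-db"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(raw):
    """Turn raw lines into event dicts enriched with asset context (who/what/where)."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable noise is dropped rather than correlated
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["zone"] = ASSETS.get(ev["host"], "unknown")
        events.append(ev)
    return events

def correlate(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag a login success preceded by >= min_failures failures from the same
    source for the same user inside the time window."""
    failures = defaultdict(list)  # (src, user) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        # Age out failures older than the window: stale data is not evidence.
        failures[key] = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
        elif len(failures[key]) >= min_failures:
            alerts.append({"src": ev["src"], "user": ev["user"], "host": ev["host"],
                           "zone": ev["zone"], "failures": len(failures[key]), "at": ev["ts"]})
    return alerts
```

With the sample above, only the web01 sequence produces an alert; the lone db01 failure is 85 minutes before the matching success and so falls outside the window.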
Security analysis is critical for modern IT infrastructure. Yet network security is still compromised because of the sheer number of events generated daily; in all this noise, the most relevant information is lost. In spite of vendors' marketing efforts around contextual learning, artificial intelligence and machine learning, the solutions available today do not achieve much without human intervention.
Log data provides a starting point for addressing security issues, but it has to be contextual, relevant and time-bound, and it should be actionable once analyzed. Predictive analysis and machine learning should become more common so that log data can enhance IT security; otherwise the scale and complexity of the information will leave the log data unable to help solve IT issues.
To summarize, log data is a great starting point, but it has to be filtered and made useful through post-processing to achieve the goal of IT security.