Q&A: Breaking the Log Barrier
Logs must do more than just record the facts
Logs collect extensive amounts of information that serve as an audit trail and provide detailed information for troubleshooting. However, used proactively, logs can provide far more information, including security alerts. In an age of increasing compliance regulation, it’s more important than ever to get your logs under control.
To explore these issues and others about log management, we turned to Chris Petersen, CTO and founder of LogRhythm, which offers an enterprise-class log management and analysis solution.
Enterprise Strategies: What purpose do logs serve and how are they used?
Chris Petersen: Logs are the surveillance tapes of the digital world. Just as video cameras do in the physical world, logs record who is doing what, when. Like surveillance tapes, people typically only look at them when needed. Just like you might review surveillance tapes following a burglary, you would review log files following a network intrusion or system outage.
However, logs not only provide value after the fact. When harnessed correctly, tremendous intelligence on the day-to-day security, integrity, and operation of the network can be realized. This is because everything in the network generates logs. Whether it’s a firewall, intrusion detection system, operating system, application, database, router, etc., they all generate logs reporting not only who did what and when, but also the general health and security of the system.
Proactive reviews of system and application logs can identify warnings before they become outages. Proactive reviews of audit logs can identify users pushing their boundaries prior to them going rogue and compromising company trade secrets.
What are the limitations of logs?
Logs don’t always contain all the information you would like to have. For this reason, products like LogRhythm enrich collected logs to fill in some of these gaps.
Log files can also be erased or overwritten. In fact, many logging systems are designed to write over earlier log files if the files aren’t rotated manually. In addition, log files are usually the first thing an intruder will try to delete. This is another reason solutions like LogRhythm exist, to ensure log data is immediately captured and safeguarded.
One of the most significant challenges faced when analyzing logs is their cryptic nature and lack of any standardization in terms of log message content and structure. Almost every type of system generates logs based upon the whims of the system developer at the time. This makes uniform analysis and reporting very difficult without a solution designed to make this data more user friendly.
What tools does IT have at its disposal to review logs, and what’s the state of these tools?
IT actually has hundreds of tools at their disposal for reviewing logs. In fact, every device on the network has its own unique tool for analyzing the logs that a particular system generates. In some cases, that tool is Notepad, in others it is a Web form, in others it is a Windows form, and on it goes. The problem is there are too many tools and none of them on their own are very good. Sure, Notepad might be OK for reviewing logs from one server, but how about 1,000 servers simultaneously?
In general, people don’t buy operating systems, applications, and routers for the functionality of their log analysis tool. Therefore, little investment is made by vendors to provide good features in this area.
How frequently should IT review its logs, and how often does it generally do so?
We should floss every day, right? Well, we should also be reviewing our logs daily. However, just like flossing, reviewing logs isn’t all that much fun. In fact, it can be downright painful. It might lead you to realize you have some problems you should deal with, problems in addition to the current list of fires you are working to put out. However, if you had looked at the logs previously, the fire might have never gotten past the spark. Of course, this is easier said than done.
The reality is IT is often understaffed, overworked, and the work itself is fundamentally complex and always changing. Therefore, a daily review of logs often gets superseded by other pressing matters. That being said, the IT floss police have been released by way of regulatory compliance and what once was “should” has become “shall.”
What do log management systems do and how can they be used to get the most out of existing logs?
At a basic level, log management systems provide centralized collection, safeguarding, and analysis of log data. However, most solutions go far beyond these basic needs. More sophisticated systems provide a common taxonomy for the classification and description of log messages in a more readable form. They may include a built-in knowledge base that describes actions to take when specific log messages are observed.
Some systems automate the detection of more sophisticated events by performing statistical and pattern-based analysis of log messages and trends. For instance, a log management system might detect the same user trying but failing to access sensitive files repeatedly over the course of a day, or it might detect a server experiencing a sudden spike in system warnings that could indicate an imminent failure. Most log management systems also have extensive reporting capabilities.
What role does compliance play in the need for log management systems?
Almost all compliance regulations are resoundingly consistent in one area: the requirement to review your logs. Many regulations also require the retention of log data for specific periods of time. Regulations may have requirements to ensure and validate the integrity of the logs when collected and subsequently stored. In midsize companies (50-100 servers), these requirements can be time and resource intensive. In larger enterprises, complexity and costs can increase significantly.
Log management systems automate and dramatically reduce the cost of collecting, centralizing, and safeguarding log data. The cost of analyzing and reporting against log data is also reduced. Sophisticated real-time alerting engines automatically identify critical events. Reporting features prepare and distribute compliance reports. Consistent and powerful analysis tools provide much more efficient and immediate audit investigation support. Any entity subject to SOX, HIPAA, GLBA, FISMA, PCI, etc., either has, is, or should be, evaluating how log management systems can assist in their regulatory compliance efforts.
What features and benefits does LogRhythm’s log management product offer?
LogRhythm fully automates the collection, processing, and archiving of all data, including application and database logs. On top of this data, we provide real-time correlation and alerting on critical events to help IT head off security, compliance, and operational issues. To take the guess work out of extracting meaning from log data, we have developed intelligent IT search capabilities that by go beyond simple indexing and enrich log entries with intuitive classifications, human understandable names, risk modeling and prioritization.
Most recently, we incorporated data protection capabilities into our product, specifically file integrity monitoring and alerting, as well as endpoint monitoring and control for removable media devices. Since these capabilities are integrated with log data, we can link activity to responsible users, establish audit trails, and meet a broader set of regulatory compliance requirements.
Doesn’t collecting all that information add overhead to a system?
Not much, really. In most deployments logs are collected without installing any software on the logging device. LogRhythm either receives a copy of log data already being sent or remotely queries the system for logs. However, LogRhythm does leverage a hybrid collection architecture. By this I mean we also have the ability to install an agent on the log generating devices. This is usually done for high-volume logging devices or remote sites. The advantage of leveraging an agent is that collected log data can be encrypted and compressed when sending across the network. We can also schedule collection and transmission of log data. In our solution at least, we have the flexibility to manage and reduce any overhead that might be introduced via the log collection layer.
Where is log management headed? What features do you see being added in the next 1-2 years?
I really believe analysis is the future of log data. I think we are only seeing the tip of the iceberg in terms of the meaningful intelligence that can be derived from log data. Future analysis capabilities will allow us to detect intrusions and computer crime that organizations are effectively blind to today. These capabilities will be applied to detecting and stopping sophisticated data-theft activities that affect us all as citizens of a digital economy.
The network is everywhere, our data is everywhere. As individuals we each rely on the security and integrity of hundreds of different networks and systems. These networks need to be secure and reliable. The ability to more effectively analyze real-time and historic log data is critical to these efforts.