Complete Security Log Management
Intellitactics elevates the practice of log management so you can do more with logs and events. Intellitactics’ logging and logging-plus-event-management appliances give the security team a way to demonstrate adherence to policy, to show that controls are functioning properly, and to provide an audit trail for data access. Event reports and notifications provide vital communication between security and the rest of IT.
Logs are front and center in every organization’s plan to comply with regulatory standards, and they are used for forensic investigation, eDiscovery and operations. Because of their volume and diversity, collecting and storing logs can be problematic.
Intellitactics’ solutions include centralized log collection, log normalization and parsing, easy access to logs and events to research attacks and incidents, and notification and reporting. All of this is delivered and packaged as Intellitactics SAFE appliances or as part of a comprehensive security information and event management software solution, Intellitactics Security Manager.
The ability to easily monitor logs and correlate events from any source provides many benefits:
- Decreased response times for handling incidents and troubleshooting problems
- Improved collaboration between security and other enterprise IT teams that manage systems, networks, and applications
- Enhanced, thorough security and compliance reporting that takes more systems and applications into consideration
Do more with your logs when the solution is Intellitactics!
Compliance
Organizations develop processes to select and implement controls that enforce policies to meet regulatory or industry standards. Take, for example, access controls defined by COBIT and ISO 17799 and implemented to address HIPAA and PCI requirements for “who has access to what data when”. Logs track user access to HIPAA and PCI assets and verify whether the controls are effective.
Continuous improvement is just as important to a compliance audit as validating that controls are in place. Examples include assisting in the creation of new network-based access controls to reduce unwanted intrusion attempts, or helping to identify malfunctioning applications that were causing failed login attempts.
Operations
Troubleshooting applications and equipment
Errors show up in log files. Logs may contain very detailed error descriptions and a record of how the error was handled. Centralizing and parsing logs makes it possible to search just the configuration and error events among them. Event monitoring and correlation allows logs to be matched with similar events and integrated with change management and business continuity functions.
Forensic investigation
Clues to an attack are preserved in some way in one log file or another. In the case of internal investigations, these logs may be from users attempting to authenticate into various systems and applications. Database logs, application-specific logs or VPN and OS logs are used in forensic analysis to discover the electronic footprint left behind from an incident.
Incident response
Logging plus event monitoring are first steps in an effective and efficient incident response program. Incident responders need fast answers to these questions:
- “What’s going on?”
- “Do we know the cause?”
- “Is the problem fixed?”
Speedy retrieval of logs answers these questions. With logging plus event management, responders are notified of scanning activity and other types of unauthorized access attempts. Because logs differ in format and content, centralized aggregation, normalization and parsing are prerequisites for automatically determining how an attack or malware incident is evolving.
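As an added illustration (not Intellitactics code) of the normalization-then-correlation step described here and of the "malfunctioning application causing failed logins" case under Compliance above: two differently formatted sources are parsed into one schema, failures are grouped per source address, and the timing and account pattern separates a misconfigured service retrying on a schedule from rapid attempts against many accounts. The log lines, the key=value VPN format and the interval thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not real device output) in two formats:
# syslog-style sshd lines and key=value lines from a hypothetical VPN gateway.
RAW_LOGS = [
    "Mar 10 08:00:01 web1 sshd[4211]: Failed password for svc_backup from 10.1.2.3 port 51000 ssh2",
    "Mar 10 08:05:01 web1 sshd[4212]: Failed password for svc_backup from 10.1.2.3 port 51001 ssh2",
    "Mar 10 08:10:01 web1 sshd[4213]: Failed password for svc_backup from 10.1.2.3 port 51002 ssh2",
    "Mar 10 08:10:07 web1 sshd[4214]: Failed password for root from 203.0.113.9 port 40001 ssh2",
    "Mar 10 08:10:08 web1 sshd[4215]: Failed password for admin from 203.0.113.9 port 40002 ssh2",
    "Mar 10 08:10:09 web1 sshd[4216]: Failed password for invalid user oracle from 203.0.113.9 port 40003 ssh2",
    "ts=2024-03-10T08:10:10 host=vpn1 event=auth_fail user=test src=203.0.113.9",
]
SSHD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
KV_RE = re.compile(r"^ts=(\S+) host=(\S+) event=auth_fail user=(\S+) src=(\S+)")

def normalize(line, year=2024):
    """Map one raw line onto a common schema; None if it is not an auth failure."""
    m = SSHD_RE.match(line)
    if m:  # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(3), "src": m.group(4)}
    m = KV_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m.group(1)), "host": m.group(2),
                "user": m.group(3), "src": m.group(4)}
    return None

def classify_failures(lines, min_events=3):
    """Correlate normalized failures per source address and label the pattern."""
    by_src = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            by_src[ev["src"]].append(ev)
    verdicts = {}
    for src, evs in by_src.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = {int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(evs, evs[1:])}
        users = {e["user"] for e in evs}
        if len(users) == 1 and len(gaps) == 1 and min(gaps) >= 60:
            verdicts[src] = "likely misconfigured service: one account, fixed retry interval"
        elif len(users) > 1 and max(gaps) <= 10:
            verdicts[src] = "possible brute force: many accounts in rapid succession"
        else:
            verdicts[src] = "review"
    return verdicts
```

The fourth event for 203.0.113.9 comes from the VPN source in a different format; without the shared schema it would not be counted with the sshd events.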
Firewall/IDS tuning and reporting
Tuning is important:
- Too many alerts cripple effective monitoring and response programs
- Tuned devices ensure that legitimate traffic isn’t blocked and that malicious activity is blocked and responders are notified
Products with logging plus event management uncover hidden information and isolate events and patterns that are significant.
System status and reporting
Analysts use logging for monitoring the health of the network. Reports can be used to raise awareness and educate other IT functions using risk-relevant events. IT operations can use scheduled reports and dashboards to show monthly, weekly, and daily trends in event totals and in patterns of specific attack types reported by the various security technologies.
The more visibility and insight security and operations teams have into what is occurring in the environment, the better the organization’s overall security posture will be.