Talk to security professionals about log management, and they will likely speak of the proliferation of sources of information generating logs, which their company does not have the resources to review, digest and correlate to identify security incidents and anomalous behavior. Then there’s the matter of understanding the value of the information itself and figuring out what is important from a security perspective about a particular log event – more importantly, what a series of log events from different sources means about the scope and impact of an attack.
What they will likely all agree on is that visibility is one of the fundamental building blocks of cybersecurity, and robust log management is central to that. Effective log management provides security, operational visibility, and brings organizations into compliance with cybersecurity regulations. The old adage that an organization cannot protect what it cannot see stands true. Logs paint a picture of an organization’s environment – its systems, applications, everything. This makes them an invaluable tool in tracking down fraudulent or malicious activity. By examining logs in real-time, intrusions can be detected as soon as they happen.
Logs are essential
When a security event takes place, that picture can be used to reconstruct not only what happened, but also what the environment looked like prior to the incident. Visibility into logs provides application-specific data for incident investigation. Using logs, organizations can pinpoint the how, why, and when of an attack.
From a compliance perspective, logging is a critical requirement of regulations such as HIPAA, GDPR, PCI DSS and others. For example, PCI DSS Requirement 10.7 stipulates that audit trail history should be retained “for at least one year, with a minimum of three months immediately available for analysis.” HIPAA has three requirements that apply to logging and log monitoring, and requires organizations keep logs on each of its systems for a total of six years.
As organizations embrace the cloud, logging is no less important than it is on-premises. Logging should be performed across three broad areas: containers/hosts, applications, and Platform-as-a-Service/Function-as-a-Service (PaaS/FaaS). As the amount of services, applications and devices connecting to business networks continue to grow, the importance of logging – and drawing value from those logs – is only growing more paramount.
Log management services
Getting the most from an organization’s logs, however, requires having the technology and expertise to coordinate and analyze log data for suspicious activity. Companies need to have deep security expertise in their development and operations teams to be able to architect a log solution correctly on their own, which prompts many organizations to consider third-party service providers such as Armor to aid organizations that do not have the cybersecurity staffing or budget to fully address log management service needs internally.
Using the Spartan threat prevention platform, Armor Log Management correlates events to minimize “noise” and increase the fidelity of detection and alerting. In addition to natively supporting logs coming from Armor’s core security services (FIM, Malware Prevention, IDS, etc.), the solution also takes AWS CloudTrail logs as well as device logs from network appliances, web application firewalls, application logs and more.
Done the right way, log management can empower a business by improving operations and strengthening security and compliance.