Firewall, server and application log alerts can be used as real-time intelligence, but these alerts often go ignored. Even if some log alerts are investigated, many organizations often are unaware of the information they retain and how logs may be mined in the event of a data breach. It’s a privacy and security sin, but it is understandable given the vast trove of logs available to most enterprise organizations. So, why should your organization care about log files? Because they are essential warning tools and ultimate evidence in the event of a data breach. Hackers and inside intruders leave their fingerprints all over log files. Piecing together these bits of evidence in real-time can help your organization detect preliminary intrusions and, if the big breach does occur, quickly understand the universe of information available for your IT forensics teams.
In the event of a data breach, law enforcement, regulators, payment card auditors, clients and others will ask about your log file management and your alerting protocols. Don’t be caught unaware.
To develop an appropriate log file management program, companies should: (1) craft written policies for logging, auditing, and handling logs; (2) employ tools to collate, index, and normalize logs for analysis; (3) define and generate alerts and actions for critical events (without overly alerting and desensitizing staff); and (4) set discernable metrics for management review. The goal from this process is to retain sufficient data for the investigatory process in the event of a data security breach, and then to purge stale log file data in accordance with the organization’s data privacy mandates. Understanding your log file program for critical systems, network components and virtualized environments is a must. Then, you must communicate the log file program with key business owners, so they understand any limitations of your existing systems and support technology improvements, if they are necessary. Reed Smith recently hosted a series of meetings on this topic in its Washington, D.C., New York, Pittsburgh and Philadelphia offices with the CISO Executive Network, entitled, “Security Operations with a special focus on Event and Log Management.” Please click here for a recorded video conference of Amy Mushahwar presenting to the Washington, D.C. CISO Executive Network.