Event log monitoring—or keeping an eye on your system logs for security and compliance purposes—can be a challenge. Here at ControlScan we see businesses and their IT teams struggling with its implementation and/or maintenance just about every day.
Some implement a log monitoring process, keep up with it for a while, and then abandon efforts when they realize the level of attention it requires. Others merely “turn on” logging for their systems and declare victory. Then there are those who immediately throw log monitoring on the “too hard” pile and move on to other pressing assignments on their IT task list.
The Hurdles to Effective, Long-Term Log Monitoring
What makes event log monitoring so difficult? First, its implementation requires some fairly extensive planning and strategy. Where are the critical systems that need to be monitored? What kind of logs do they produce? And what constitutes the “event of interest” or “security event” that should set off alarm bells?
If logging is successfully implemented, organizations run into the next hurdle: Mobile devices, the Internet of Things, and proliferating web applications have all contributed to the exponential growth in logging message and machine data volume. Historically, Security Information and Event Management (SIEM) platforms have earned their reputation for generating an unmanageable volume of messages, events and alerts to review. Without constant attention and tuning, any important indicators quickly get lost in the noise—noise that increases as more and more systems are brought online, contributing to the onslaught.
The Business Reasons for Log Monitoring
The Payment Card Industry Data Security Standard (PCI DSS) has long required the review of system logs on at least a daily basis. And while it's true that log monitoring has become increasingly difficult, a recently released document from the PCI Security Standards Council (SSC) reinforces the various reasons why investing time and effort in this activity is business critical.
“Effective Daily Log Monitoring” reasons that as attackers and their methods evolve, they eventually defeat most defensive measures. Effective log monitoring, then, is essential to successfully detecting these attacks, taking countermeasures and strengthening weaknesses in your defenses.
The majority of today's breaches are discovered by an external party and not by the breached business itself. As a result, the time between system compromise and detection is averaging weeks and months, when it should be hours and days. This allows attackers to steal more data over time, costing the breached business considerably more than if the compromise had been internally discovered and quickly dealt with.
Making Monitoring Manageable
So how do you bridge the gap between the complexity and investment required for successful monitoring and the value of early breach detection?
The latest generation of SIEM technology provides more flexible tools, improved data visualization, extensive reporting and broad integrations to more easily plug into your existing IT environment. As a result, you can more easily cut through the river of system logs and machine data and get to the good stuff—that is, the events that need investigation, validation and (potentially) remediation.
To further simplify the process, event log monitoring is now available in “Security as a Service” form, delivered by a Managed Security Service Provider (MSSP) with expertise in the implementation and ongoing administration of log monitoring solutions.
The right MSSP will serve as your partner in intrusion detection, taking on the burden of initial implementation, ongoing monitoring, and validation and alerting around events. Further, they’ll have the technical staff to continually tune and enhance the solution in order to create greater accuracy and deliver usable information.
As the PCI SSC Log Management Guidance points out, “effective log monitoring is not a tool or a technology, but rather a process that requires continuous improvement.” Learn more about the importance of event log monitoring and how you can avoid the temptation to put this critical activity on your “too hard” pile.