Every organization, regardless of size, needs secure IT and company budgets usually evidence awareness of that need. While working with firewalls and intrusion detection systems often makes good business sense, sometimes companies miss a fundamental step: log file management.
Log file availability
Servers, firewalls, and other IT equipment keep log files that record important events and transactions. This information can provide important clues about hostile activity affecting your network from within and without. Log data can also provide information for identifying and troubleshooting equipment problems including configuration problems and hardware failure.
Unless turned off or specially configured, logs usually contain a record of all transactions, not just exceptions, amounting to a lot of information. The sheer volume of most log files makes prompt analysis difficult, if not impossible.
Log manager tools
Because of the voluminous content of most IT log files, IT personnel need to use log manager tools. These specialized software applications read, interpret and respond to information contained in equipment log files. In many cases companies using these tools can have real-time information about network users, equipment status, and miscellaneous threats.
Organizations with large IT departments often require centralized log management that uses a server to collect log data from various devices. This management system records the information to a database for future review.
Log managers can also access workstation logs that can reveal details about employee activity. This capability contributes to the IT security effort by alerting managers when workers attempt to use company computers for unauthorized purposes or attempt to steal company information by using portable storage.
Log analysis benefits
Log analysis software can automate the seemingly impossible process of reading logs and responding to their information. Managers usually use log analysis to become aware of security events that can affect the entire organization.
Many tools available for log analysis can often either perform or facilitate remediation of threats. To do this, administrators must define rules that govern how servers respond to various threats. In many cases, a remedial action might include deleting user accounts, blocking IP addresses, disabling USB storage capabilities, and shutting down machines.
Law enforcement and attorneys often become interested in IT equipment logs while conducting criminal or civil investigations. Computer forensics investigators can use equipment log files and reports from log management software to track down everything from crimes to adultery. Of course, equipment records belong to the organization, so government agencies and attorneys need warrants to access the information they contain.
The ability to automate the detection and remediation of threats gives organizations critical tools that save on labor while improving security performance. Thanks to automation, a single IT staffer can monitor logs from dozens of machines, without detracting from their routine duties.
Going deeper
The Institute of Standards and Technology publishes a Guide to Computer Security Log Management that gives organizations specific guidelines for creating a systematic log management policy. This government-affiliated report helps organizations understand the need for the management of IT equipment log files, assesses challenges to the ongoing security effort and provides a standardized approach to dealing with the security issues that threaten modern organizations. NIST guidelines encourage a structured approach to security that can become an integral part of organizational culture.
The evolving world of IT security demands organizations to have the infrastructure and expertise in place to recognize and combat threats. As new challenges to IT systems continue to emerge, organizations should have a corresponding plan in place to deal with those threats. Regardless of the nature of present and future security risks, log files will play a fundamental part in the ongoing security effort.
