Three years ago, PCI auditors came to Peter Boergermann and asked him what his IT organization was doing with its log data.
Boergermann, associate vice president, MIS technical support manager and IT security officer at $1.1 billion Citizens & Northern Bank in Wellsboro, Pa., said the PCI auditors had just gone through training on the importance of log data to compliance.
"They asked, 'What are you doing with your logs? Who's looking at them? How do you react to them? What changes do you make based on your reactions?'" Boergermann said of the auditors, who are charged with checking a company's compliance with the Payment Card Industry's (PCI) security standards. "We weren't doing a lot with logs. After listening to their questions, we decided to start reviewing our options."
An organization that must comply with government and industry regulations can use log data to demonstrate compliance. The logs can provide an immutable record of what's happening in a company's systems.
"Compliance is a big driver" for adoption of log management and intelligence technology, said Paul Stamp, principal analyst at Cambridge, Mass.-based Forrester Research Inc. The technology helps organizations gather, store and analyze log data.
But compliance isn't the only driver for log management. A new study from Bethesda, Md.-based The SANS Institute found that 62% of organizations use log management technology to assess IT incidents and minimize downtime. And 46% said they use log management for automatic detection and analysis of security and performance incidents. Compliance was cited as a driver for adoption by 43% of organizations. The study, which was sponsored by LogLogic Inc., a log management and intelligence vendor in San Jose, Calif., surveyed 650 IT professionals.
Prior to the PCI auditors' questions, log data in Boergermann's organization was self-contained on individual devices. There was no central repository.
"You basically had to log into each one of those devices yourself and look at the information stored there," Boergermann said. "It would take hours to gather the data. And the quality -- it was in raw format. We got a ridiculous amount of paper. Who has time to look at this stuff? It wasn't getting reviewed as well as it should have."
The SANS Institute study found that 63% of those polled who said they used log data-tracking technology were dissatisfied with it.
"For the most part, there are three things that seem to drive people crazy," said Alan Paller, director of research at The SANS Institute. "One is speed: It takes too long. Two is getting data into the system when it is not standard, and the conflicts that generates with system administrators. And three is the reporting."
It's also a question of support -- who will do it?
"It's time-consuming," Boergermann said. "And reviewing logs is something you can't turn over to a PC technician or help desk person. You need someone at the engineering level, so now you're tying someone up at a higher pay grade. And the sheer volume of information is overwhelming."
Homegrown systems dubious
The SANS Institute study found that 27% of organizations still rely on manual searches of log data, which is extremely time consuming. Homegrown log management systems can also be a challenge.
"I looked at open source software," Boergermann said. "And there are some pretty cool syslog servers out there. I got it installed and it worked, but there's no reporting, no alerting, and no pretty interface to go look at this stuff."
Boergermann did find another open source product that would query that data and go try and set it up and run reports. But after awhile he decided he was spending a lot of time trying to piece together a solution and wanted something easier to use.
"There's still a lot of manual stuff going on out there," Stamp said. "There's a lot of custom tools that people have already invested time and money into."
Stamp said buying an off-the-shelf log management and intelligence system is often the best choice for an organization facing a new mandate to manage logs.
"Generally it's someone who has perhaps outgrown their methods of doing this or somebody is telling them to do this and they're not doing it already," Stamp said.
But Stamp said it's not as simple as just buying new technology and plugging it in. CIOs need to identify which systems are important to track. They need to know what kinds of reports they want to create. They need to determine what processes they are going to use to query the log data.
Boergermann eventually selected LogLogic as a vendor. He said one important factor was LogLogic is an appliance-based product -- he didn't want to manage an operating system for a software-based product. And he has a heterogeneous environment with Microsoft Windows and SUSE Linux servers, so he wanted a solution that could handle that.
Now Boergermann's organization runs daily reports on its log data, and stores them for 60 days. Not only has the product satisfied the auditors, but it has also improved the bank's responses to incidents.
"We have alerting set up," he said. "If anybody goes into configuration mode on any of our firewalls, we get an email alert. So we don't have to go into the logs to see if anybody is changing something."
Let us know what you think about the story; email: Shamus McGillicuddy, News Writer