Compliance mandates took log management out of the bowels of the information security organization and flung it...
onto the executive table. And now the security information and event management technology often used for log management is increasingly serving other purposes, such as business process efficiency, risk management and business intelligence, according to log management experts.
A.J. Wright, chief technology officer and chief information security officer at the University of Tennessee, has been growing the capability of his log management solution since he installed it four years ago to comply with the Health Information Portability and Protection Act and the Payment Card Industry (PCI) Data Security Standard.
In 2009, probably the biggest payoff from the ArcSight Inc. tool was efficiency. For example, members of the development team no longer have to petition IT administrators every time they want to review their server logs. "We can push the data to ArcSight, so people can read it there," he said. This visibility saves time. "I don't have to talk to the guys who run the PCI servers to see what attacks are going on."
The ability of security information and event management (SIEM) tools to look at multiple systems at the same time offers opportunities that go well beyond saving staff time, he added. "We're always brainstorming about what we can do with the data. Failure of imagination, more than anything else, is the limiting factor."
Log management for business process efficiency
Diana Kelley, founding partner of independent consulting firm SecurityCurve in Amherst, N.H., and an early believer in the business potential of log management tools, said she's not surprised by Wright's take. She has recently heard the same from users of security information management and security event management tools.
"Companies were telling me, 'I put this in for compliance, but look at all the amazing things I can do,'" Kelley said. "Once these folks do the work for compliance -- have all the sensors and collectors in place -- they are realizing that, essentially, SIEM is like shining a spotlight on areas of the network and on business process."
Log management solutions have evolved from the overpriced and immature log aggregation tools of a decade ago, Kelley said. Log management/SIEM tools are more user friendly and "compliance aware." As companies have asked for more functionality, vendors have responded with deeper compliance intelligence and reporting, better visualization, improved incident response and integration of identity awareness.
Many companies, for example, use SIEM tools to monitor logins to sensitive servers or applications to ensure that only approved users access the sensitive information, Kelley said. This compliance/security function can lead to insights that quickly escalate up the business ranks, as it did at a retail company she worked with.
On the advice of an auditor, this retailer had put in a tough new password policy with a short time-to-live of two weeks. Even with single sign-on, the new rule proved too much for users to remember, prompting a rash of lockouts and help desk calls. While help desk records would eventually have pinpointed the problem, the SIEM flagged the bottleneck within two days, prompting a business assessment of whether the tough password policy was costing the retailer more in lost time and support than it was worth.
"It's an interesting challenge for the people running the SIEM -- now that they've got this data, what can they do with it," Kelley said.
To make SIEM/log management valuable to the business, organizations must first "get comfortable" with the tool. Learn what it can do and what the data correlations mean, she said. "A correlation is not causality," she stressed. Her clients often start by using the log management tool for a small portion of their network, such as high-priority business servers.
We're always brainstorming about what we can do with the
A. J. Wright, CTO/CISO, University of Tennessee
"After they have gotten their logs together, normalized them, written their rules for alerting and for reporting, at that point, they say, 'Let's see what else we're learning from this information and how we can use it for some of these cooler business process things,'" she said.
SIEM log management will change security workflow
That rings true for the University of Tennessee's Wright. Answer the basic questions first. "Our biggest mistake was not knowing what we wanted going in," he said. "ArcSight is like Excel or, better yet, a screwdriver. You can build whatever you want with it, but you have to figure out what you want to build before you pick it up."
Security organizations need to decide up front such log management basics as whether they want "to just dump events into a location so they can look at them later," he said, or if they want real-time flow. They need to know who is going to respond to the many more security events that will come up. Log management tools -- no matter how you use them -- change the way your organization responds to security events, Wright said.
"It will give you a whole new set of things to think about, and you need to figure out how to absorb that workflow," he said.
Let us know what you think about the story; email Linda Tucci, Senior News Writer.