Nobody doubts that logs are useful. They help with diagnosis, and they can be used to improve the quality and security of your network. Should the worst happen and you are compromised, logs are also the evidence you will need for forensic clean-up and for prosecution.
But can you have too much of a good thing? Given the number of security devices a medium to large enterprise runs these days, it is no surprise that most companies have no process for examining logs and proactively looking for problems. Log volumes also grow unmanageably large, and the usual answer is simply to let logs roll off after 30, 60 or 90 days, so the record of a slow-moving intrusion may be gone before anyone looks for it.
The problem with logs is that they are dominated by routine events and by security events that are individually insignificant. Even an IP address with no DNS name assigned will be scanned and probed dozens of times a day, and a popular website can see thousands of unsuccessful attack attempts a day. No company can afford to investigate each of these by hand, yet companies with high security requirements cannot afford to ignore them either.
Security Information and Event Management (SIEM) software can be a particularly effective way of managing this immense amount of information, because it does not just store events but correlates them into something useful. Is that John Smith making repeated login attempts on the web server? Now the web server is trying to connect to the firewall as "root", which is not normal for that host, so flag an incident. Either event alone might pass as noise; in sequence they look like an attacker gaining a foothold and moving on to the next system, which is exactly what correlation is meant to catch.

The value you get from a SIEM depends heavily on who you engage to build it for you. If all you want is a log repository, perhaps just to satisfy legislative or regulatory requirements, then engage whichever party will sell you one at the lowest cost. If, however, you want a SIEM that understands what normal network behavior looks like and fits in with your information security management system and risk management plans, then ISCS can help you.
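The login-attempt scenario described above (repeated failed logins on the web server, then a root login to the firewall coming from that same web server), as an added example of the kind of correlation a SIEM performs. This is not code from the original article or from ISCS. The hostnames, IP addresses, approved-admin list, thresholds and log lines are all constructed for the example, and the "normal behavior" baseline is reduced to an allow-list of sources that are expected to log in to the firewall as root.

```python
"""Added example: a tiny SIEM-style correlator over constructed log lines.
Rule 1 brute_force: N failed logins for one user on one host inside a short window.
Rule 2 unexpected_root_login: root accepted on a privileged host from a source outside
       the approved-admin baseline. Rule 3 incident: rule 2 fires from a host rule 1 flagged.
Hostnames, IPs, thresholds and log lines are all constructed, not taken from the article."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed asset inventory and baseline (assumptions, not from the original page).
IP_TO_HOST = {"10.0.5.10": "webserver", "10.0.5.99": "jumphost"}
PRIVILEGED_HOSTS = {"firewall"}
ADMIN_SOURCES = {"10.0.5.99"}   # normally only the jump host administers the firewall

# Constructed syslog-like lines: "<iso timestamp> <host> <program>: <message>".
SAMPLE_LOGS = """\
2024-05-01T09:00:01 webserver sshd: Failed password for jsmith from 10.0.5.23 port 51022
2024-05-01T09:00:04 webserver sshd: Failed password for jsmith from 10.0.5.23 port 51023
2024-05-01T09:00:09 webserver sshd: Failed password for jsmith from 10.0.5.23 port 51024
2024-05-01T09:00:15 webserver sshd: Failed password for jsmith from 10.0.5.23 port 51025
2024-05-01T09:00:21 webserver sshd: Accepted password for jsmith from 10.0.5.23 port 51026
2024-05-01T09:02:00 firewall sshd: Accepted publickey for root from 10.0.5.99 port 60010
2024-05-01T09:03:40 firewall sshd: Accepted publickey for root from 10.0.5.10 port 44410
2024-05-01T10:30:00 dbserver sshd: Failed password for backup from 10.0.5.40 port 40001
2024-05-01T10:31:00 dbserver cron: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) (?:password|publickey) "
                     r"for (?P<user>\S+) from (?P<src>\S+)")


def parse_auth_event(line):
    """Return a dict for an sshd auth line, or None for lines the rules do not use."""
    m = LINE_RE.match(line)
    a = AUTH_RE.match(m["msg"]) if m else None
    if not a:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "result": a["result"], "user": a["user"], "src": a["src"]}


class Correlator:
    def __init__(self, fail_threshold=4, fail_window=timedelta(seconds=60),
                 corr_window=timedelta(minutes=15)):
        self.fail_threshold, self.fail_window = fail_threshold, fail_window
        self.corr_window = corr_window
        self._failures = defaultdict(deque)   # (host, user) -> recent failure timestamps
        self._flagged_hosts = {}              # host -> time of its latest brute_force alert
        self.alerts, self.incidents = [], []

    def feed(self, ev):
        if ev["result"] == "Failed":
            self._check_brute_force(ev)
        elif ev["user"] == "root" and ev["host"] in PRIVILEGED_HOSTS:
            self._check_root_login(ev)

    def _check_brute_force(self, ev):
        window = self._failures[(ev["host"], ev["user"])]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > self.fail_window:   # drop failures outside the window
            window.popleft()
        if len(window) == self.fail_threshold:            # fire once, when the threshold is crossed
            self.alerts.append({"rule": "brute_force", "ts": ev["ts"], "host": ev["host"],
                                "user": ev["user"], "src": ev["src"]})
            self._flagged_hosts[ev["host"]] = ev["ts"]

    def _check_root_login(self, ev):
        if ev["src"] in ADMIN_SOURCES:
            return                                        # fits the baseline: normal admin work
        src_host = IP_TO_HOST.get(ev["src"], ev["src"])
        self.alerts.append({"rule": "unexpected_root_login", "ts": ev["ts"],
                            "host": ev["host"], "src": ev["src"], "source_host": src_host})
        flagged_at = self._flagged_hosts.get(src_host)
        if flagged_at is not None and ev["ts"] - flagged_at <= self.corr_window:
            self.incidents.append({
                "severity": "high",
                "summary": f"{src_host} had a brute-force alert at {flagged_at:%H:%M:%S} and "
                           f"then logged in to {ev['host']} as root at {ev['ts']:%H:%M:%S}"})


def run(log_text):
    """Feed every parsable line through one Correlator and return it."""
    c = Correlator()
    for line in log_text.splitlines():
        ev = parse_auth_event(line)
        if ev:
            c.feed(ev)
    return c


if __name__ == "__main__":
    c = run(SAMPLE_LOGS)
    for a in c.alerts:
        print("ALERT   ", a["rule"], a["ts"], a["host"])
    for i in c.incidents:
        print("INCIDENT", i["summary"])
```

Two design points are worth noticing. The brute-force rule keeps state per (host, user) and fires only when the count crosses the threshold, so the single failed "backup" login on the database server produces nothing and a long-running attack does not produce an alert per event. The root-login rule consults the baseline first: the jump host's root login to the firewall is ordinary administration and is dropped silently, while the same action from the freshly brute-forced web server is escalated to an incident. In a real SIEM that baseline comes from an asset inventory or from learned behavior rather than a hard-coded set, but the shape of the correlation is the same.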