Nobody doubts logs are useful things. They’re useful for diagnosis; they can be used to improve the quality and security of your network. Should the worst happen and you get compromised, logs can also be used as evidence in forensic cleanup and prosecution.
But can you have too much of a good thing? With the number of security devices a medium to large enterprise runs these days, it’s no surprise that most companies have no process for examining logs and proactively looking for problems. In addition, log volumes grow uncontrollably, and the typical “process” is simply to let logs scroll off after 30, 60 or 90 days.
The problem with logs is that they contain far too many normal events and insignificant security events. Even an IP address with no DNS name assigned to it will get scanned and probed dozens of times per day. A popular website can see thousands of ineffective attack attempts a day. No company can afford to pay attention to every one of these attacks… but some companies with high security requirements can’t afford to ignore them either.
Security Information and Event Management software, or SIEM, can be a particularly effective way of managing this immense amount of information. Individual events are collected centrally and then correlated so that the combination becomes meaningful. Is that John Smith making multiple login attempts on the Web Server? Now the Web Server is trying to connect to the Firewall as “Root” – that’s not normal, let’s flag an incident. The value of a SIEM varies enormously depending on who you engage to develop it for you. If all you want is a log repository – perhaps just to satisfy legislative or regulatory requirements – then engage any old party that will sell you one at the lowest cost. However, if you actually want a SIEM system that understands normal network behavior and fits in with your information security management system and risk management plans, then ISCS can help you.
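The correlation described above, written out as an added example (not code from the original post or from ISCS): a minimal two-rule engine run over constructed SSH log lines, where repeated failed logins on the web server alone stay silent, but a subsequent root login on the firewall that originates from that same web server raises an incident. The log format, hostnames, addresses and the asset inventory are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not taken from the original post): syslog-style SSH
# authentication lines from a firewall and a web server, in time order.
SAMPLE_LOGS = """\
2024-01-10T08:00:00 firewall sshd: Accepted password for root from 10.0.0.2
2024-01-10T09:00:01 webserver sshd: Failed password for jsmith from 10.0.0.5
2024-01-10T09:00:04 webserver sshd: Failed password for jsmith from 10.0.0.5
2024-01-10T09:00:07 webserver sshd: Failed password for jsmith from 10.0.0.5
2024-01-10T09:00:12 webserver sshd: Accepted password for jsmith from 10.0.0.5
2024-01-10T09:02:30 firewall sshd: Accepted password for root from 10.0.0.20
"""
# Constructed asset inventory (source IP -> hostname) so a login *from* the web
# server can be tied to the failures recorded *on* the web server.
ASSETS = {"10.0.0.20": "webserver", "10.0.0.2": "admin-workstation"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted)"
                     r" password for (?P<user>\S+) from (?P<src>\S+)$")

def correlate(lines, fail_threshold=3, window=timedelta(minutes=5)):
    """Chain two rules over an event stream and return the incidents raised.
    Rule 1: `fail_threshold` failed logins for one user on one host within
            `window` marks that host as under attack (no alert: ordinary noise).
    Rule 2: a root login whose source is a host marked under attack within
            `window` is the abnormal sequence and raises an incident."""
    failures = defaultdict(deque)  # (host, user) -> timestamps of recent failures
    under_attack = {}              # host -> time it crossed the threshold
    incidents = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                  # skip lines the parser does not understand
            continue
        ev = m.groupdict()
        ts = datetime.fromisoformat(ev["ts"])
        if ev["result"] == "Failed":
            recent = failures[(ev["host"], ev["user"])]
            recent.append(ts)
            while ts - recent[0] > window:   # expire failures outside the window
                recent.popleft()
            if len(recent) >= fail_threshold:
                under_attack[ev["host"]] = ts
        elif ev["user"] == "root":
            src_host = ASSETS.get(ev["src"], ev["src"])
            flagged = under_attack.get(src_host)
            if flagged is not None and ts - flagged <= window:
                incidents.append(f"{ev['ts']} root login on {ev['host']} from {src_host}, "
                                 f"which saw repeated failed logins at {flagged.isoformat()}")
    return incidents
```

Calling `correlate(SAMPLE_LOGS.splitlines())` yields a single incident for the 09:02:30 root login on the firewall; the earlier root login from the admin workstation and the isolated failures never surface on their own.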