CCTV cameras play a vital role in the investigation of crime, to name just one of the many areas of life in which they are used. In the United Kingdom, for example, statistics show that cameras have made a phenomenal contribution to detective and police work, with the ‘evidence collected’ helping to resolve almost 65% of the cases where they were available.
In cybersecurity, Log Management (LM), like CCTV footage or a seafarer’s maritime log, also provides answers about cyber incidents that have already taken place. In that sense, they are not dissimilar. Yet, for reasons we will see, LM goes well beyond what CCTV and similar conventional logs can offer. This, however, happens only when LM is combined with Security Information and Event Management (SIEM).
Basics first
No discussion of Log Management would be complete without first understanding that, on its own, Log Management is an automated, digital collection of the events occurring in an operating network, which still requires ‘handling’ by a user or a system. By itself, its utility, in terms of the analysis, improved security, and response that it ultimately enables, is limited. It is only when teamed with, or working as part of, SIEM (3) that it becomes a game-changer, thanks to the latter’s versatility in turning it into a robust tool for improving the organization’s security posture. Welp Magazine’s article (4) on the synergy, interdependence, and differences between the two makes for interesting reading.
This blog therefore presents the features and benefits of Log Management when associated with its parent, SIEM. Readers should remember that the Log Management referred to hereafter is presented as, and needs to be understood as, a SIEM solution.
Conventional Logs versus Log Management
The fundamental difference between LM in cybersecurity and conventional logs such as CCTV lies in purpose. Though both are tasked with maintaining order and the smooth functioning of their respective areas, CCTV contributes mainly to detection after an incident has occurred, using the evidence recorded. LM goes beyond such detection: by offering insights into the evidence recorded, it helps prevent both the recurrence of the incident and possible new incidents.
Conventional logs like CCTV are also largely static by nature, with only occasional improvements to the hardware involved or the method of recording. LM, on the other hand, involves numerous real-time, dynamic processes and is accessed on an ongoing basis, so that both already-recorded threats and imminent threats to exposed assets (6) are monitored (and prevented).
What it is
An operating system hosts an endless stream of activity: log-ins, messages, data transfers, file requests, storage, transactions, errors, intrusions, alerts, firewall activity, reports, and so on. Each of these activities produces a log entry. A collection of such entries constitutes a log file, which is therefore a time-stamped electronic record of activity within the operating system. LM is the management of an organization’s logs. CrowdStrike (1) calls it ‘the practice of continuously gathering, storing, processing, synthesizing and analyzing data (in log files) from disparate programs and applications in order to optimize system performance, identify technical issues, better manage resources, strengthen security and improve compliance.’
LM aims to improve the security posture of an organization through its processes and policies for managing logs. To do this, LM relies in part on the audit trail provided by the log files, and on the inferences that can be drawn from them using its set of threat-hunting tools.
Typical activities involved would include:
- Collection, collation, monitoring, and indexing of data from various endpoints, servers, and applications in the operating system
- Analysis of data collected so as to identify vulnerabilities, security threats that have materialized, and possible future attack paths
- Reporting on the analysis made to evaluate operational performance, resource allocation, security, and regulatory compliance
- Housekeeping of the log files in terms of storing key events and benchmark cases, and trashing unproductive information/events
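The four activities just listed can be walked through end to end on a handful of log lines. The script below is an added illustration written for this post; it is not code from the post’s author or from any SIEM product. It assumes a simple constructed line format (ISO timestamp, host name, then key=value fields), and the log lines, host names, and addresses are all constructed. It collects and parses the lines (skipping a malformed one), indexes them by event type, analyzes them for a burst of failed log-ins from one source, produces a short report, and finally applies a retention rule that discards stale routine entries while keeping key security events.

```python
"""A minimal log-management pipeline: collect, index, analyze, report, housekeep.

Added illustration for this post, not code from its author or any SIEM product.
All log lines below are constructed so that the script runs offline.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed sample entries: ISO timestamp, host, then key=value fields.
# The last line is deliberately malformed to show that collection must cope with it.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z srv-auth event=login user=alice src=10.0.0.5 result=success
2024-05-01T10:00:07Z srv-auth event=login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:09Z srv-auth event=login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:12Z srv-auth event=login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:15Z srv-auth event=login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:16Z srv-auth event=login user=bob src=203.0.113.9 result=failure
2024-05-01T10:00:20Z fw-edge event=deny src=198.51.100.4 dst=10.0.0.8 port=3389
2024-05-01T10:00:31Z srv-auth event=login user=bob src=203.0.113.9 result=success
2024-05-01T10:05:00Z srv-app event=heartbeat status=ok
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<body>.*)$")


def parse_entry(line):
    """Turn one raw line into a dict with a real datetime; None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:  # first token is not a timestamp: not one of our lines
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("body").split() if "=" in kv)
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    fields["host"] = m.group("host")
    return fields


def collect(raw_text):
    """Collection step: parse every line, dropping the ones that cannot be parsed."""
    entries = [parse_entry(line) for line in raw_text.splitlines() if line.strip()]
    return [e for e in entries if e is not None]


def build_index(entries):
    """Indexing step: event type -> entries, so later queries need not rescan everything."""
    index = defaultdict(list)
    for e in entries:
        index[e.get("event", "unknown")].append(e)
    return index


def detect_failed_login_bursts(entries, threshold=5, window=timedelta(seconds=60)):
    """Analysis step: flag any source with >= threshold failed log-ins inside `window`,
    and note whether a successful log-in from that source came afterwards."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in entries:
        if e.get("event") != "login":
            continue
        bucket = failures if e.get("result") == "failure" else successes
        bucket[e.get("src")].append(e["ts"])
    alerts = []
    for src, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1  # times[i:j] are the failures inside the window starting at i
            if j - i >= threshold:
                later_success = any(t > times[j - 1] for t in successes.get(src, []))
                alerts.append({"src": src, "failures": j - i, "first": times[i],
                               "followed_by_success": later_success})
                break  # one alert per source is enough for the report
    return alerts


def summarize(entries, alerts):
    """Reporting step: volume per host plus the number of alerts raised."""
    per_host = defaultdict(int)
    for e in entries:
        per_host[e["host"]] += 1
    return {"total": len(entries), "per_host": dict(per_host), "alerts": len(alerts)}


def housekeep(entries, now, retention=timedelta(days=30), keep_events=("login", "deny")):
    """Housekeeping step: drop entries older than `retention`, except key security
    events, which are kept regardless of age."""
    cutoff = now - retention
    return [e for e in entries if e["ts"] >= cutoff or e.get("event") in keep_events]


if __name__ == "__main__":
    entries = collect(SAMPLE_LOG)
    alerts = detect_failed_login_bursts(entries)
    print(summarize(entries, alerts))
    print(alerts)
    print(len(housekeep(entries, datetime(2024, 7, 1, tzinfo=timezone.utc))), "entries kept")
```

The threshold and window in `detect_failed_login_bursts` are the kind of tunable a SOC revisits as it learns its own baseline; the housekeeping rule shows the post’s point about retaining key events while trashing routine ones, here by keeping log-in and firewall-deny records past the retention cut-off.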
The benefits involved
Log Management confers many benefits on organizations, making it a must-have from innumerable standpoints. Some of the more remarkable benefits are:
- Real-time threat monitoring, robust threat hunting, shrunken attack surfaces, improved response times, and remediation of cyber incidents
- Monitoring network activity on an ongoing basis including suspicious/unusual activity
- Highlighting organizational and policy violations
- Improved network visibility and insights into system health and possible new attack paths on ‘exposed’ digital assets
- Ensuring organizational compliance with established standards and laws
- Enhanced user experience as a consequence of centralized log data and predictive detection modeling
- Confidence instilled in SOCs due to the robustness of the system, especially if the process is automated or supported by AI and ML
Challenges in implementing
Despite the many advantages it offers, organizations will experience challenges in implementing or initiating an LM system. These may include:
- Standardizing the format used to collect data from the various sources in the operating network, given the differing ways in which these sources are organized
- Periodic upgrades of the system may prove a challenge due to the modifications necessary in the source code
- High volumes are inherent in LM. Scalability concerns and the design of the log system to handle high data loads must be addressed so that performance goals such as timely reports and alerts are achieved
- Classification of key events and correlation of events/results on an ongoing basis may prove a challenge
- High volumes can often also result in extensive reports, considerable housekeeping, and repetitive efforts which in turn can trigger tedium and fatigue (2) on the part of the SOC
- Log Management is typically time-consuming to implement and monitor, and costly to implement
- Confidentiality issues with information may arise when sensitive events are being investigated
- Delays in alerts or reports may have to be accepted, as logs in the pipeline are cleared sequentially by the LM process
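Three of the challenges above, format standardization, classification and correlation of events, and delay in the pipeline, can be made concrete with a small normalization layer. The script below is an added example written for this post, not code from its author or from any product. It takes one constructed line in each of three formats that real sources commonly emit (an RFC 5424 syslog line, a JSON application log, and a CSV firewall export), maps each into one common schema with a shared severity scale and event class, correlates log-in failures across sources by client address, and measures how long each record waited between being generated and being ingested so that records exceeding an accepted delay can be reported. Source names, addresses, and the accepted delay are all constructed values.

```python
"""Normalizing heterogeneous log formats into one schema and measuring ingest lag.

Added illustration for this post, not code from its author or any product.
The three raw lines below are constructed; the hosts and addresses are fictitious.
"""
import csv
import io
import json
import re
from datetime import datetime, timezone

# Constructed raw lines from three hypothetical sources, each in its own format.
SYSLOG_LINE = "<34>1 2024-05-01T10:00:07Z srv-auth sshd - - - Failed password for bob from 203.0.113.9"
JSON_LINE = ('{"time": 1714557612, "level": "WARN", "app": "webportal", '
             '"msg": "login failed", "user": "bob", "client_ip": "203.0.113.9"}')
CSV_LINE = "2024-05-01 10:00:20,fw-edge,DENY,198.51.100.4,10.0.0.8,3389"

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Application log levels mapped onto the syslog severity scale (0 = most severe, 7 = debug).
LEVEL_TO_SEVERITY = {"ERROR": 3, "WARN": 4, "INFO": 6, "DEBUG": 7}


def normalize_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised syslog line")
    msg = m.group("msg")
    ip = IP_RE.search(msg)
    user = re.search(r"for (\S+) from", msg)
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": m.group("host"),
        "event": "login_failure" if "Failed password" in msg else "other",
        "user": user.group(1) if user else None,
        "src_ip": ip.group(0) if ip else None,
        "severity": int(m.group("pri")) & 7,  # low three bits of PRI carry severity
    }


def normalize_json(line):
    d = json.loads(line)
    return {
        "ts": datetime.fromtimestamp(d["time"], tz=timezone.utc),
        "source": d["app"],
        "event": "login_failure" if d.get("msg") == "login failed" else "other",
        "user": d.get("user"),
        "src_ip": d.get("client_ip"),
        "severity": LEVEL_TO_SEVERITY.get(d.get("level", "INFO"), 6),
    }


def normalize_csv(line):
    ts, host, action, src, dst, port = next(csv.reader(io.StringIO(line)))
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc),
        "source": host,
        "event": "fw_deny" if action == "DENY" else "fw_allow",
        "user": None,
        "src_ip": src,
        "severity": 4 if action == "DENY" else 6,
    }


NORMALIZERS = {"syslog": normalize_syslog, "json": normalize_json, "csv": normalize_csv}


def normalize(line, source_format, ingested_at):
    """Map one raw line into the common schema and record how late it arrived."""
    rec = NORMALIZERS[source_format](line)
    rec["lag_seconds"] = (ingested_at - rec["ts"]).total_seconds()
    rec["raw"] = line  # keep the original for evidence and for re-parsing after schema changes
    return rec


def ingest_batch(items, ingested_at, max_lag_seconds=300):
    """Normalize a batch of (format, line) pairs; return all records and the late ones."""
    records = [normalize(line, fmt, ingested_at) for fmt, line in items]
    late = [r for r in records if r["lag_seconds"] > max_lag_seconds]
    return records, late


def correlate_by_source_ip(records, event="login_failure"):
    """Correlation across sources: count a given event class per client address."""
    counts = {}
    for r in records:
        if r["event"] == event and r["src_ip"]:
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return counts


BATCH = [("syslog", SYSLOG_LINE), ("json", JSON_LINE), ("csv", CSV_LINE)]

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 10, 4, 0, tzinfo=timezone.utc)  # constructed ingest time
    records, late = ingest_batch(BATCH, now, max_lag_seconds=230)
    for r in records:
        print(r["source"], r["event"], r["src_ip"], r["severity"], r["lag_seconds"])
    print("late:", [r["source"] for r in late])
    print("failures by address:", correlate_by_source_ip(records))
```

Once the sshd line and the web portal line share the same `event` and `src_ip` fields, the correlation step sees two log-in failures from one address that neither source could have reported on its own, which is the point of standardizing before analysing; the `lag_seconds` field is what a team would chart to decide whether the delays the post mentions are acceptable.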
Final words
Chronicling or recording events goes back to the beginnings of mankind. From cave drawings to historians (like the Greek Herodotus in 400 BC, who was credited with investigating historical events, earning him the sobriquet ‘The Father of History’), much emphasis was placed on this. Over time, it became the done thing to record proceedings. So much so that, in cybersecurity circles, it is foolhardy to even imagine that an organization can exist without Log Management. Organizations that fail to gather, manage, and analyze system events leave themselves open to attack, financial debacles, and loss of investor/market confidence. Lawmakers and compliance certification bodies (5) have consequently made it mandatory for organizations to implement it.
From the benefits it confers to the statutory mandates that are associated with it, CISOs and SOCs know better than to disregard or discount the importance of Log Management. Doing so would only serve as ‘evidence’ of their clear need to evolve as cybersecurity professionals.
References:
1. What is Log Management? 4 Best Practices & More – CrowdStrike
2. The Looming Threat of Fatigue, Stress and Burnout in Cybersecurity – Aurora Systems Consulting Inc. (aurorait.com)
3. SIEM: Your Go-To Cybersecurity Solution of Choice – Aurora Systems Consulting Inc. (aurorait.com)
4. Log Management VS SIEM Solutions: What’s the Difference – Welp Magazine
5. Security log management and logging best practices | TechTarget
6. Mastering Cybersecurity with Exposure Management Systems