Control Compliance Suite


TechTip: What's In Your Logs? 

Apr 14, 2009 02:49 PM

With each high-profile data breach or new regulation, security attitudes seem to shift. Instead of the traditional “keep bad guys out” mentality, IT security concerns are increasingly focused on a more complex question: “What is going on here?” Organizations are turning to log files to provide a continuous trail of everything that happens with their IT systems—and more importantly—to their data.

Log data collection is generally considered a security industry best practice. Not only that, a number of regulations actually mandate the collection, storage, maintenance, and review of logs. Some of these regulations rely on National Institute of Standards and Technology (NIST) recommendations for detailed logging requirements. In addition, frameworks such as Control Objectives for Information and related Technology (COBIT), which provide guidance about best practices, recommend regular review of log files.

Cleaning up after a security breach can drain precious IT resources and adversely affect employee productivity. Routine log review and analysis can help identify and minimize security incidents, policy violations, fraudulent activity, and operational problems. Indeed, insufficient logging and inadequate policies and procedures are the two most common reasons that companies fail to deal with data breaches effectively. Organizations must be prepared by logging all activity; otherwise, they can have a hard time tracking down the culprit. That delay often results in continued breaches and significant losses.

Keeping Compliant

Monitoring event and audit logs is integral to complying with a variety of regulations including:

  • The Gramm-Leach-Bliley Act (GLBA)
  • The Sarbanes-Oxley Act (SOX)
  • The Health Insurance Portability and Accountability Act (HIPAA)
  • The Federal Information Security Management Act (FISMA)

In addition, as of October 2007, 37 states have instituted security breach notification laws that require businesses to monitor and protect specific sets of consumer data.

Besides federal and state laws, log monitoring is also a requirement of some widely used business standards, including Requirement 10 of the Payment Card Industry (PCI) Data Security Standard (DSS). DSS Requirement 10.7 specifies that merchants must retain audit log data for a year, and have it available online for three months.

This last rule presents a particular challenge because retaining logs for that long on every system that generates them can be problematic. For one thing, many such devices have only a limited capacity for storing logs. Also, anyone with administrative rights to that machine could alter the log at any time, making it difficult to prove that the audit trail has not been tampered with.
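As an added illustration of the integrity problem just described (example code written for this page, not Symantec's or part of the original TechTip): a hash-chained audit log in which each record commits to everything logged before it, so an edited or deleted entry is detectable as long as the latest chain hash is held somewhere the host administrator cannot write, such as the SIM the logs are forwarded to. The sample events and field names are constructed for the example.

```python
import hashlib
import json

# Constructed sample audit events in emission order (not taken from any real system).
SAMPLE_EVENTS = [
    {"ts": "2009-04-14T14:49:00Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2009-04-14T14:52:10Z", "user": "alice", "action": "read", "object": "cardholder.db"},
    {"ts": "2009-04-14T15:01:33Z", "user": "bob", "action": "login", "result": "failure"},
]

GENESIS = "0" * 64  # anchor value the first record chains to


def entry_hash(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous record's hash plus this event's canonical JSON."""
    payload = prev_hash.encode() + json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def build_chain(events: list) -> list:
    """Wrap each event in a record whose hash depends on every earlier record."""
    records, prev = [], GENESIS
    for ev in events:
        h = entry_hash(prev, ev)
        records.append({"event": dict(ev), "prev": prev, "hash": h})
        prev = h
    return records


def verify_chain(records: list, trusted_head: str) -> int:
    """Return -1 if the chain is intact and ends at trusted_head, else the index of the first bad record.

    trusted_head is the latest hash as held off-box (e.g. by the SIM). Without an off-box copy an
    administrator could rewrite an entry and recompute every later hash; with it, that rewrite changes
    the head. A truncated chain that is internally consistent is reported at index len(records).
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev or entry_hash(prev, rec["event"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1 if prev == trusted_head else len(records)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    head = chain[-1]["hash"]  # the value that would be shipped to the SIM
    print("intact:", verify_chain(chain, head))  # -1
    tampered = build_chain(SAMPLE_EVENTS)
    tampered[1]["event"]["user"] = "mallory"  # an admin edits a stored entry in place
    print("edited entry detected at:", verify_chain(tampered, head))  # 1
    print("deletion detected at:", verify_chain(chain[:-1], head))  # 2
```

Real deployments pair this with forwarding each record to the collector as it is written, so the trusted head is never only on the host being audited.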

How a SIM can help

Using a security information manager (SIM) allows organizations to be more flexible and responsive in meeting regulatory requirements and business standards—including mandates to review logs—allowing IT to quickly identify, prioritize, investigate, and respond to security threats. And integrating a SIM usually requires only minimal changes to production servers on a PCI network.

In addition to helping you stay compliant, a SIM can provide both log management and real-time monitoring, automating internal controls that would otherwise need to be done manually. Monitoring logs can help you identify whether controls are broken or implemented incorrectly, such as misconfigured firewalls. And perhaps most importantly, a SIM can let you know exactly what users are doing on the network.

In today’s world, simply shutting out intruders is no longer enough. Neither is simply keeping raw log data. To be informed about what’s happening on your network, and to stay compliant, managing and monitoring detailed logs is a necessity. Using a SIM can help IT cope with this daunting task.
