When it comes to discussing Log Management with IT Professionals, feelings of angst, denial, and general despair tend to surface. Most just don’t think it’s necessary or claim to have logging turned on “just in case.” Sadly, I sometimes hear that they are doing “log review manually.”
Let’s face it, log management and the associated review that goes along with it is daunting, but it’s a very important aspect of your information security program that shouldn’t be overlooked. In fact, it’s so important some standards and regulatory agencies require it. I work heavily in the financial services industry and here is what the banking regulatory council, the FFIEC, says regulators must check for each bank:
“Determine whether management has an effective log management process that involves a central logging repository, timely transmission of log files, and effective log analysis.”
Further, the FFIEC says the following in the Log Management Section of their Information Security Booklet:
“Management should develop processes to collect, aggregate, analyze, and correlate security information.”
As you can imagine, these seemingly simple statements have major operational implications for IT and Information security operations. To complicate matters further, the FFIEC feels so strongly about log management they also provide these suggestions:
- Encrypt log files that contain sensitive data or that are transmitted over the network
- Ensure adequate storage capacity to avoid gaps in data gathering
- Secure backup and disposal of log files
- Log the data to a separate, isolated computer
- Log the data to read-only media
- Set logging parameters to disallow any modification to previously written data
- Restrict access to log files to a limited number of authorized users
After considering the above information, we need to assemble a policy to cover what we are going to do, or not going to do, and why. We will also need to tap into our asset inventory (we do have one, right?) to determine what devices we should be capturing logs from and whether the logging function is turned on and configured properly. We will have to work through some tough questions too, such as: Is there going to be a centralized logging repository or will it be consolidated? How will we achieve the correlation requirements suggested above?
No wonder log management causes heart burn in even the most seasoned IT professionals!
To add insult to injury, many banks express a desire to do everything in-house, but is this really feasible or cost effective?
Consider partnering with a Managed Security Service Provider (MSSP). Your logs will be aggregated, analyzed and correlated. Professionals dedicated to reviewing logs and reports will be able to interpret the information and alert your team to potential problems. You will also be able to sufficiently check that compliance box. Also, don’t forget to get some help with creating a policy around log management to compliment what you are doing.
If you find yourself telling someone you are doing “manual log review,” think about what that is really saying. Doing it right will give you peace of mind and will further mature your information security program.
If you want to learn more about log management or for a review of your current security program, contact us at firstname.lastname@example.org. We are happy to help!