Posts tagged: 'log data'
Automating Details with Log Management and SIEM
Last week I mentioned that some of us at LogRhythm were getting a new home and on Monday we moved in. I also wrote that we are about to roll out a new release with some pretty significant new features. Which is great, but part of that process involved updating a very large percentage of our marketing and sales documentation – from datasheets and PowerPoint presentations to our website. So we have been spending a lot of time doing a detailed review and rewrite of a lot of material.
That brings me back to the move. It got me thinking about how nice it is to have someone take care of the details for you. Basically all we had to do was throw a sticker that had our new office (sounds better than cube) number on anything we wanted moved. When we showed up at the office on Monday, everything was magically in the right place. Of course, that is because the back-end processes were taken care of by somebody else. From the architectural and office layout planning to the new VOIP phone system, a dedicated internal team made the entire process seamless for the rest of us, start to finish.
A comprehensive log management and SIEM solution such as LogRhythm operates in the same way. Tell it what information you need to collect from where, whether it’s for compliance, operations and/or security, and the solution should take care of the heavy lifting for you. While that sounds simple enough, there are also a myriad of details that go on behind the scenes to make the solution truly valuable.
Transport of log data from the source to the collector is one thing that is frequently overlooked. How is it done, and how reliable is it? Plain UDP syslog, still the default on many devices, gives you neither a delivery guarantee nor confidentiality: a dropped datagram is simply gone, and anything on the path can read or alter the rest. Is something confirming that delivery took place, over an authenticated and encrypted channel, and without consuming all of the available bandwidth? Making the data readable is another process that can be automated. Every log type has its own taxonomy, so the same fact (which user, from which address, with what outcome) arrives in a different field, order and format from one source to the next. And sifting through millions of individual logs for the important ones is a bit like looking for a specific grain of sand in the middle of the beach. So you need a tool that will read, translate and catalogue the data into one common schema, so that when you need specific information it is easy to find, and so that a line the parser does not recognize is kept and counted rather than silently discarded.
Of course there are a lot of other things the right solution will do to automate tasks that are tedious at best and impossible at worst. Daily reviews of your log data, which may run to millions of entries. Highlighting a suspicious pattern of otherwise unremarkable behavior that slowly unfolds over several months, and giving you the right tool for zeroing in on the important details. In some organizations you may be required to generate a large number of regularly scheduled reports for specific compliance regulations. Who wouldn't jump at the chance to make these things happen automatically? These are just some of the things that LogRhythm does.
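As an added example (not part of the original post, and not LogRhythm's own parsing code), here is the read-translate-catalogue step in miniature: three constructed line formats (BSD syslog from sshd, a hypothetical text rendering of a Windows Security event, and a hypothetical key=value VPN line) are each mapped into one common schema, so that a single query answers "where did this user log in from?" across all of them. The schema, the field names and the sample lines are assumptions made for illustration; the Windows event IDs (4624, 4625, 4720, 4728) are the real ones. Note the fallback: a line no parser understands is kept as "unparsed" and counted, because a jump in that ratio is usually the first sign that a source changed its format.

```python
import re
from typing import Dict, List, Optional, Tuple

# Every source is translated into this one schema, so a single question
# ("which accounts logged in from where?") can be asked once across all of them.
Event = Dict[str, Optional[str]]

# Constructed sample lines (not real logs; formats approximate each device family).
SAMPLE_LINES = [
    # OpenSSH via BSD syslog: note the timestamp carries no year and no timezone.
    "<38>Mar  4 10:15:22 web01 sshd[2314]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2",
    "<38>Mar  4 10:15:40 web01 sshd[2319]: Failed password for invalid user admin from 198.51.100.7 port 40210 ssh2",
    # Windows Security event as a hypothetical text forwarder renders it.
    "2012-03-04T10:16:01Z DC01 MSWinEventLog EventID=4624 TargetUserName=jsmith IpAddress=10.0.1.7 LogonType=10",
    # Hypothetical VPN concentrator key=value line.
    "2012-03-04T10:17:45Z vpn01 vpnd: user=jsmith group=Employees src=203.0.113.9 action=login result=success",
    # A source no parser knows about; it must be catalogued, not silently dropped.
    "<13>Mar  4 10:18:00 web01 custom-app: widget cache warmed in 412ms",
]

SSHD_RE = re.compile(
    r"^<\d+>(?P<time>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
WIN_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) MSWinEventLog (?P<kv>.+)$")
VPN_RE = re.compile(r"^(?P<time>\S+) (?P<host>\S+) vpnd: (?P<kv>.+)$")

# Windows Security event IDs -> the vendor-neutral event names used in the schema.
WIN_EVENT_TYPES = {"4624": "auth_success", "4625": "auth_failure",
                   "4720": "account_created", "4728": "group_member_added"}


def _kv(text: str) -> Dict[str, str]:
    """Split 'a=1 b=2' into a dict; tokens without '=' are ignored."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_sshd(line: str) -> Optional[Event]:
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"time": m["time"], "host": m["host"], "source": "sshd",
            "event_type": "auth_success" if m["result"] == "Accepted" else "auth_failure",
            "user": m["user"], "src_ip": m["ip"], "raw": line}


def parse_windows(line: str) -> Optional[Event]:
    m = WIN_RE.match(line)
    if not m:
        return None
    kv = _kv(m["kv"])
    return {"time": m["time"], "host": m["host"], "source": "windows",
            "event_type": WIN_EVENT_TYPES.get(kv.get("EventID", ""), "unknown"),
            "user": kv.get("TargetUserName"), "src_ip": kv.get("IpAddress"), "raw": line}


def parse_vpn(line: str) -> Optional[Event]:
    m = VPN_RE.match(line)
    if not m:
        return None
    kv = _kv(m["kv"])
    ok = kv.get("action") == "login" and kv.get("result") == "success"
    return {"time": m["time"], "host": m["host"], "source": "vpn",
            "event_type": "auth_success" if ok else "auth_failure",
            "user": kv.get("user"), "src_ip": kv.get("src"), "raw": line}


PARSERS = (parse_sshd, parse_windows, parse_vpn)


def normalize(line: str) -> Event:
    """Try each source parser in turn; keep unknown lines as 'unparsed' with the raw text."""
    for parser in PARSERS:
        event = parser(line)
        if event is not None:
            return event
    return {"time": None, "host": None, "source": "unknown", "event_type": "unparsed",
            "user": None, "src_ip": None, "raw": line}


def normalize_all(lines: List[str]) -> List[Event]:
    return [normalize(line) for line in lines]


def successful_logins(events: List[Event], user: str) -> List[Tuple[str, str]]:
    """One query over the common schema: where did this user log in from, on any source?"""
    return [(e["source"], e["src_ip"]) for e in events
            if e["event_type"] == "auth_success" and e["user"] == user]


def unparsed_ratio(events: List[Event]) -> float:
    """Coverage metric worth alerting on: a jump means a source changed its format."""
    return sum(1 for e in events if e["event_type"] == "unparsed") / len(events)


if __name__ == "__main__":
    evs = normalize_all(SAMPLE_LINES)
    for e in evs:
        print(e["source"], e["event_type"], e["user"], e["src_ip"])
    print("jsmith logins:", successful_logins(evs, "jsmith"))
    print("unparsed ratio:", unparsed_ratio(evs))
```

The BSD syslog timestamp is kept as the device emitted it; a real collector has to supply the year and timezone itself, which is one of the "details" a managed pipeline handles for you.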
So you can actually get someone to automate a lot of the heavy lifting tasks when it comes to IT management and security. Unfortunately, outside of the occasional “Replace All” and an “AutoCorrect” feature that compensates for my ham-handed typing, this 5.1 material isn’t going to write itself.
Enjoy the weekend.
Tags: log data, log management, logrhythm, siem
The IT Toolbox – Using Log Management to Enable AND Control your Major Projects
In a past life I ran IT for a retail organization. During that time I managed a major technology upgrade and migration from the Point-of-Sale (POS) systems deployed at each of our stores, all the way to the accounting system at our corporate headquarters. It seemed like a massive undertaking just to generate an accurate Profit & Loss statement.
Like most mid- to large-sized retailers, our systems were heterogeneous in nature but interconnected to the point where it was like one gigantic digital ecosystem. The fuel Multi-Dispenser Pump (MDP) talked to the POS, which in turn communicated with the fuel inventory system, the credit card processor, and the manager’s workstation. And the fuel inventory system talked in turn to the corporate fuel reconciliation engine, while the credit card processor did as well, and the manager’s workstation was engaged with the suppliers ordering engine, the back office accounting system, and the corporate payroll system, and the corporate reconciliation engine and payroll systems were both engaged with the corporate accounting system… I’m sure I missed something along the way but I think you get the idea – it was complex.
We were a small IT group, so we had to be smart in the way we operated. Because of its scope, for this project we went out and retained the appropriate consulting talent from each of the respective vendors. We spent a lot of time proving the rollout in a test environment, but eventually we were ready for the big day – migration and roll-out. Boy was I a nervous wreck. I had spent years lobbying for a seven-figure project and there we were – do or die time.
I won’t bore you with all of the gory details, but in the end the project was a success, with a few bumps and bruises along the way that you would expect for any project of this scope. And it’s my understanding that profitability is still up as a result of the reduced operating costs realized from the migration to new technology. However, I think there was one area where I could have really improved the process – access control.
Remember the consultants I mentioned? They had their hands in everything! OK, that might be a slight exaggeration but they did need some level of visibility into all production components relating to their respective technologies. Each consultant had a common tool in their arsenal – log data. And they were all using it to troubleshoot problems or make configuration recommendations. That’s where centralized log and event management enters the picture. Had I known then what I know now…
If we had had the appropriate centralized logging tool in place, I would have been able to give each consultant restricted visibility into the log data being generated by the platform(s) they were responsible for, and nothing else. Looking back, the benefits are obvious. Not only would it have delivered tighter access control, it would have made the migration process more efficient. The need to tap me or one of my resources for information would have been removed from the process. Not to mention what it would have done for my stress level… Issues would have been identified faster, giving a shorter MTTR; the list goes on.
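As an added illustration (not from the original post, and not LogRhythm code), here is what "restricted visibility per consultant" looks like as policy over normalized log events: a deny-by-default scope table maps each consultant to the platforms they were retained for, every search is recorded in an audit trail that can itself be forwarded to the SIEM, and card numbers in POS log messages are masked before anyone sees them. The events, platform names and consultant roles are constructed for the example; the Luhn check is there so that transaction IDs are not mistaken for card numbers.

```python
import re
from typing import Dict, List, Set

# Constructed, already-normalized events from the store platforms described above.
EVENTS: List[Dict[str, str]] = [
    {"time": "2012-03-04T08:01:10Z", "source": "pos", "host": "store17-pos2",
     "message": "sale approved card=4111111111111111 amount=42.17 txn=1234567890123"},
    {"time": "2012-03-04T08:01:12Z", "source": "fuel", "host": "store17-mdp1",
     "message": "pump 3 authorized 40.000 gal txn=1234567890123"},
    {"time": "2012-03-04T08:02:00Z", "source": "ccproc", "host": "ccgw01",
     "message": "batch settle merchant=0099 count=184"},
    {"time": "2012-03-04T08:05:30Z", "source": "accounting", "host": "erp01",
     "message": "GL post journal=4471 user=controller"},
]

# Deny by default: a principal with no entry here sees nothing (assumed roles).
SCOPES: Dict[str, Set[str]] = {
    "pos_consultant": {"pos", "fuel"},
    "erp_consultant": {"accounting"},
}

# Every search is itself an auditable event; in practice this list is forwarded to the SIEM.
AUDIT: List[Dict[str, str]] = []

DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum, used to tell card numbers from other long numeric IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Replace all but the last four digits of any Luhn-valid 13-19 digit run."""
    def repl(m: "re.Match[str]") -> str:
        s = m.group(0)
        return "*" * (len(s) - 4) + s[-4:] if luhn_ok(s) else s
    return DIGIT_RUN.sub(repl, text)


def scoped_search(principal: str, term: str = "") -> List[Dict[str, str]]:
    """Return events from the principal's platforms only, with card data masked; record the query."""
    allowed = SCOPES.get(principal)
    if not allowed:
        AUDIT.append({"principal": principal, "term": term, "result": "denied"})
        raise PermissionError(f"{principal} has no log scope")
    hits = [dict(e, message=mask_pans(e["message"]))
            for e in EVENTS if e["source"] in allowed and term in e["message"]]
    AUDIT.append({"principal": principal, "term": term, "result": f"{len(hits)} events"})
    return hits


if __name__ == "__main__":
    for hit in scoped_search("pos_consultant", "txn=1234567890123"):
        print(hit["source"], hit["host"], hit["message"])
    try:
        scoped_search("stranger")
    except PermissionError as err:
        print("denied:", err)
    print(AUDIT)
```

The POS consultant can follow one transaction across the POS and the pump, but never sees the credit card processor or accounting logs, and the card number reaches them already masked; the same shared transaction ID survives because it fails the Luhn check.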
The benefits of centralized log and event management go far beyond what became obvious to me after this experience. Think it through. I’ll bet you can think of two uses for centralized log and event management in an operational capacity before you finish reading this sentence.
Tags: access control, log and event management, log data, point of sale systems
Do You Know Who is Doing What in Your Environments?
As I type this I’m surfing the cumulus on a plane destined for Boston, with a true 30,000 foot view of the city beneath me, packed in like a sardine and trying to type in a space unfit for normal size laptops, let alone humans. The subject on my mind today: User Activity Monitoring.
The challenge increasingly being voiced by customers and prospects throughout my travels in IT security circles is the need to understand, or at least to be able to find out, ‘Who is doing what in our environments?’ In general, what we want is to be able to quickly and easily tie an identity to an event. Given the continued complexity of our IT infrastructures and the increasing number of disparate applications used to access tools and resources, all geared to support our business needs, how can we effectively get our arms around events of interest so that we can alert on, investigate and report on user activity? To get a picture of user activity, do we need to manually review these records across the environment in a bunch of individual data silos? Hopefully not, particularly when time and resources are limited and the risk may be high.
The 30,000 foot view analogy fits the value of deploying an enterprise log management and SIEM solution. It is critical to be able to view activity across the whole business ecosystem holistically, from a single pane of glass, in order to understand the ‘What’ and the ‘Who’. The ability to do that begins with log data normalization: mapping each source’s native fields (a Windows event ID and target user name, a syslog message from sshd, a VPN concentrator’s session record) into one common schema, so that the same question can be asked once rather than once per device. Normalized log data across disparate systems provides immediate visibility into user activity, allowing an analyst to quickly zero in on potentially significant events of interest such as ‘user added to group’, ‘account locked out’, ‘account created’, ‘document printed’ and ‘data copied to a USB drive’, regardless of the monitored device (Active Directory, database audit records, VPN devices, proxies, *nix systems, DLP devices, etc.).
Question: Okay, so now what does this information get me? Answer: Knowledge.
Let’s take a real world use case. Caleb is a privileged user in your enterprise. He suddenly walks out the door with no intention of returning, and with a couple of simple, forward-thinking moves he could easily regain access to your environment. He knows you will lock down his own access immediately after his departure. So prior to leaving, he creates a new backdoor user account, gives that account privileged access, attaches VPN capabilities to it, and voilà: Caleb has unfettered access back into your network, with no hacking required. Disabling his named account does nothing about the one he created. To catch this proactively, a log management and SIEM solution working with normalized log data should alert you any time an account is added to a privileged group, whoever adds it, and should make account creations by privileged users just as easy to see. Moreover, as a due diligence measure during the termination process, you should be able to quickly pull up the past behavior of a departing privileged user: what accounts he created, and what he printed, copied, deleted, accessed or changed, across the entire heterogeneous environment, and then follow any accounts he created to see what privileges they were later given…
…and this is just the tip of the iceberg. Normalizing log data across the enterprise places a tremendous amount of immediate visibility into the hands of the security engineer, but additional data enrichment can provide invaluable context surrounding events. The next question is “How can log management and SIEM help you move from that 30,000 foot macro view across the enterprise to a 1″ micro-level view with fluidity?” I’ll have to save that for another topic – right now it’s time to shut down all portable electronics and laptops in preparation for landing…
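The Caleb scenario above written as detection logic, added here as an example (not from the original post, and not LogRhythm’s rule language). It runs over a constructed list of already-normalized events (the field names actor, target and detail and the event_type values are assumptions) and implements three things: the alert on any addition to a privileged group, the offboarding lookback that summarizes everything a departing user did in the last N days across AD, VPN and DLP, and a follow-the-account check that flags accounts the user created which were later given privileged group membership or VPN access, whoever granted it.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Groups whose membership changes always warrant an alert (assumed list; tune per environment).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "sudo", "wheel"}

# Constructed events, as they would look after the collection tier normalized them.
EVENTS: List[Dict[str, str]] = [
    {"time": "2011-12-15T10:00:00Z", "source": "ad", "event_type": "account_created",
     "actor": "caleb", "target": "svc-legacy", "detail": ""},
    {"time": "2012-02-20T11:00:00Z", "source": "ad", "event_type": "group_member_added",
     "actor": "helpdesk1", "target": "jsmith", "detail": "Sales"},
    {"time": "2012-03-01T09:00:00Z", "source": "ad", "event_type": "account_created",
     "actor": "caleb", "target": "svc-backup", "detail": ""},
    {"time": "2012-03-01T09:02:00Z", "source": "ad", "event_type": "group_member_added",
     "actor": "caleb", "target": "svc-backup", "detail": "Domain Admins"},
    {"time": "2012-03-01T09:05:00Z", "source": "vpn", "event_type": "vpn_access_granted",
     "actor": "caleb", "target": "svc-backup", "detail": "remote-access"},
    {"time": "2012-03-02T14:00:00Z", "source": "dlp", "event_type": "copied_to_usb",
     "actor": "caleb", "target": "customer_list.xlsx", "detail": "E:"},
    {"time": "2012-03-03T16:30:00Z", "source": "ad", "event_type": "account_locked",
     "actor": "system", "target": "caleb", "detail": ""},
]

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def ts(event: Dict[str, str]) -> datetime:
    return datetime.strptime(event["time"], TIME_FMT)


def privileged_group_alerts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Rule 1: fire on every addition to a privileged group, regardless of who made it."""
    return [{"time": e["time"], "actor": e["actor"], "member": e["target"], "group": e["detail"]}
            for e in events
            if e["event_type"] == "group_member_added" and e["detail"] in PRIVILEGED_GROUPS]


def offboarding_review(events: List[Dict[str, str]], user: str,
                       departure_time: str, lookback_days: int = 30) -> Dict[str, List[str]]:
    """Rule 2: everything the departing user did in the window, grouped by action, any source."""
    departure = datetime.strptime(departure_time, TIME_FMT)
    start = departure - timedelta(days=lookback_days)
    summary: Dict[str, List[str]] = {}
    for e in sorted(events, key=ts):
        if e["actor"] == user and start <= ts(e) <= departure:
            summary.setdefault(e["event_type"], []).append(e["target"])
    return summary


def backdoor_candidates(events: List[Dict[str, str]], user: str) -> List[str]:
    """Rule 3: accounts the user created that were later given privileged group membership
    or VPN access, by anyone. Disabling the user's own account does nothing about these."""
    created = {e["target"] for e in events
               if e["actor"] == user and e["event_type"] == "account_created"}
    flagged = set()
    for e in events:
        if e["target"] not in created:
            continue
        if e["event_type"] == "vpn_access_granted" or (
                e["event_type"] == "group_member_added" and e["detail"] in PRIVILEGED_GROUPS):
            flagged.add(e["target"])
    return sorted(flagged)


if __name__ == "__main__":
    for alert in privileged_group_alerts(EVENTS):
        print("ALERT privileged group change:", alert)
    print("offboarding review for caleb:",
          offboarding_review(EVENTS, "caleb", "2012-03-03T17:00:00Z"))
    print("backdoor candidates:", backdoor_candidates(EVENTS, "caleb"))
```

The review deliberately keys on the actor, not the target, so the system-generated lockout of Caleb’s own account is not attributed to him, while the older svc-legacy creation falls outside the 30-day window and shows up only if it was later granted privilege.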
Tags: log data, security, siem, user activity monitoring
Welcome to “The Dialog”
At LogRhythm, our mantra is “We Make Log Data Useful.” Similarly, our objective for our new blog, “The Dialog,” is to provide useful information that can help you more effectively comply with regulations, secure your networks, and optimize your IT operations. “The Dialog” is a vehicle we’re using to collect and disseminate ideas, use cases and insights regarding the application of log management and SIEM 2.0 technology.
Through this blog, we will present not only our ideas and perspectives, but also real-world applications of log management and SIEM 2.0 from our customers, as well as independent experts who are there in the trenches with you. They are a critical and highly-valued source of our inspiration and help drive continued innovation and development at LogRhythm.
We invite you to not only take advantage of the information within the individual entries, but to contribute as well. Please use the comments section to ask questions or challenge our ideas. Or, contact us directly if there is something that you would like to see addressed in a future article. We can’t guarantee that we’ll get to everything, but we’ll certainly do our best!
Tags: log data, logrhythm, siem 2.0