Most hardware and software generates logs that are useful in an information security context. But as we know all too well, every piece of technology deployed in a company brings its own challenges, and log management is no exception.
There is never just one log to manage but hundreds, if not thousands, that are worth examining: everything from Windows hosts to firewalls to servers. Collecting and analyzing such large volumes of log data is extremely difficult, especially when the information has to be retrieved quickly, for example during an investigation.
Event management tools
It sounds like a Big Data problem, and it is one. How do you extract meaning from all this data and put it to good use? How do you decide which data to collect and which aspects to focus on? This is where security information and event management tools, the SIEMs, come into play. A SIEM provides an automated way to gather the log data generated by network and security tools and condense it into something manageable.
SIEMs enable security teams to detect, respond to and prevent incidents in a rapidly changing environment that generates large amounts of data. They detect anomalies and attacks on a network by comparing current traffic against a baseline, in real time. Notifications can then be sent to the security teams in charge of the response.
This capability can be extended to automate certain actions. For example, if the SIEM detects abnormally large outbound traffic from a PC, a symptom of an exfiltration attempt, it can learn from this behavior and block it the next time it is detected. This happens much faster than a human could react and is a significant improvement.
The question of privacy
Log management and SIEM can significantly improve the work of security teams, but they have an unavoidable impact on the privacy of users. Every device that generates logs has an IP address or MAC address that can be traced back to a user through an Identity and Access Management (IAM) system. Security teams can go a long way in analyzing this data, so it is important to strike a balance with respect for privacy.
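The baseline comparison and automated response described above, together with the privacy concern about IP addresses, as an added example that is not part of the original article. It builds a per-host egress baseline from constructed firewall records, flags hosts whose outbound volume far exceeds their baseline, and pseudonymizes the IP in the alert with a keyed hash so that only someone holding the key (and the IAM mapping) can resolve it to a person. All log lines, hosts, thresholds and the key are constructed assumptions.

```python
import hashlib
import hmac
import statistics
from collections import defaultdict

# Constructed sample of hourly firewall egress records: (hour, src_ip, bytes_out).
BASELINE_LOG = [
    ("h1", "10.0.0.5", 120_000), ("h2", "10.0.0.5", 150_000), ("h3", "10.0.0.5", 130_000),
    ("h1", "10.0.0.9", 80_000),  ("h2", "10.0.0.9", 90_000),  ("h3", "10.0.0.9", 85_000),
]
CURRENT_WINDOW = [("h4", "10.0.0.5", 140_000), ("h4", "10.0.0.9", 2_400_000)]

# Constructed key; in practice it lives in the SIEM's key store and is rotated.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"


def pseudonymize(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash of an identifier: stable for correlation, not reversible without the key."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]


def build_baseline(records):
    """Per-host mean and population stddev of bytes_out over the baseline period."""
    per_host = defaultdict(list)
    for _, ip, bytes_out in records:
        per_host[ip].append(bytes_out)
    return {ip: (statistics.mean(v), statistics.pstdev(v)) for ip, v in per_host.items()}


def detect_egress_spikes(window, baseline, min_ratio=5.0, sigma=3.0):
    """Flag hosts whose egress is both >= min_ratio x mean and beyond mean + sigma*stddev.
    Hosts with no baseline are reported separately: absence of history is not 'normal'."""
    alerts = []
    for hour, ip, bytes_out in window:
        if ip not in baseline:
            alerts.append({"hour": hour, "host": pseudonymize(ip), "reason": "no baseline"})
            continue
        mean, sd = baseline[ip]
        if bytes_out >= mean * min_ratio and bytes_out > mean + sigma * sd:
            alerts.append({"hour": hour, "host": pseudonymize(ip), "bytes_out": bytes_out,
                           "baseline_mean": round(mean), "action": "quarantine-host"})
    return alerts


def run_example():
    return detect_egress_spikes(CURRENT_WINDOW, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The alert carries a pseudonym rather than the raw IP; the analyst who needs the real user resolves it through the key and the IAM mapping, which keeps that step auditable.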
Ultimately, if you monitor your network for security reasons, the least you should do is inform your users that you are collecting data about their activity for security purposes. You can also remind them when they connect to the Internet, access business applications or use collaboration tools. We need to be able to analyze and use log data and user data with sophisticated security tools deployed on the front line of the company's defenses; otherwise, collecting it is pointless.
Logs play a useful role in information security, and the advent of Big Data and automated analysis only increases their value. The key is to determine what log management should achieve for this purpose, put the necessary elements in place, and finally take privacy issues into account.