5 Factors in Good Log Management: An Enterprise Guide


Your business needs good log management to keep up in the cybersecurity battle. Full stop.

Why? Simply put, log management serves as one of the most critical cybersecurity capabilities and solutions in the InfoSec arsenal.

In fact, you could consider Security Information and Event Management—SIEM—an evolution of traditional log management solutions; after all, it uses the data logs generated to identify potential security events and create security alerts. We’ve discussed in previous articles the importance of deploying SIEM in your cybersecurity platform. Now we face a new set of questions.

What makes good log management? What capabilities should your enterprise look for in good log management, both as part of a SIEM solution and as its own solution?

We break down what good log management truly means below.

Good Log Management: A Definition

Before we can truly dive into the key factors of good log management, we must first establish a definition for log management.

Every component of your IT environment generates data, sometimes in huge volumes. This data contains valuable information such as user activity, data traffic flow records, and autonomous functions. Log management enables your enterprise to collect this information automatically; trying to collect the data manually would result in an overstressed security team and little progress.

In a security context, log management helps you identify trends and correlated events contained within the data. With this information, you can determine whether there are potential threats lurking on your network and thus take the proper steps.

With that firmly established…

5 Factors in Good Log Management

For the sake of readability, we curtailed this list of the key capabilities in good log management.  Therefore, your business shouldn’t take this as an end-all, be-all guide. Instead, we hope it helps you direct your thinking: whether you select a new solution, upgrade an existing one, or take steps to reconfigure your entire cybersecurity platform.

Reach/Visibility/Observability

This capability comes with many potential names. However, it works toward a singular goal: turning on the lights so hackers have no dark places to hide.

Good log management—as well as good SIEM and good cybersecurity overall—begins with IT environment visibility. Your enterprise’s network scales at rates you may not fathom until you try to determine its extent. Every new connected device, user, database, third-party, application, or cloud database adds another component to the environment.

Each addition also creates new attack vectors, targets, and entry points for hackers and insider threats.

So many components connecting to your business’ IT environment often results in parts becoming “dark;” in other words, vanishing from oversight and traditional monitoring capabilities. Hackers can and will exploit these dark places to their advantage. As just a few examples, they could use dark areas to penetrate your network undetected, plant a dwelling threat, or move undetected to their real target.

Good log management helps uncover the dark parts of your network by collecting relevant data from throughout the entire network. Often, good log management serves as a centralized portal through which you can extend your visibility. It can even find databases your IT security team didn’t know existed (this happens with alarming frequency).

Data Normalization

Even after you begin collecting log data from every vulnerable part of the network, you still need to address another challenge; namely, how to understand the intelligence it provides.

Every application, database, and device generates data differently. Moreover, each formats its data via different mediums and programs. If they do generate similar logs, the information may still appear as incomprehensible jargon.

Neither your team nor AI can determine whether a security event occurred if they can’t make sense of the data. How can you solve this problem?

Good log management automatically normalizes the collected data into a format which allows security event correlation tools to parse it. Ideally, it should also offer the data in a format your IT security team can read and investigate.
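To make the normalization step concrete, here is an added example (not taken from any vendor product) that maps three differently formatted log lines onto one schema and then correlates failed logins across them. The sample lines, field names, and the `year` default are assumptions constructed for illustration.

```python
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines, one per source format (not real log data).
SAMPLES = [
    "Mar  4 09:15:02 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 52144 ssh2",
    '203.0.113.7 - alice [04/Mar/2019:09:15:40 +0000] "POST /login HTTP/1.1" 401 512',
    '{"ts": 1551690965, "host": "app01", "event": "login", "user": "alice", "ip": "203.0.113.7", "ok": false}',
]

SSHD = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
ACCESS = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def event(ts, source, user, src_ip, action, outcome):
    """Common schema: UTC ISO-8601 time plus the same field names for every source."""
    return {"time": ts.astimezone(timezone.utc).isoformat(), "source": source,
            "user": user, "src_ip": src_ip, "action": action, "outcome": outcome}

def normalize(line, year=2019):
    """Return a normalized event, or None if the line matches no known format."""
    if line.startswith("{"):
        try:
            rec = json.loads(line)
            ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
            return event(ts, "app", rec["user"], rec["ip"], rec["event"],
                         "success" if rec["ok"] else "failure")
        except (ValueError, KeyError, TypeError):
            return None
    m = SSHD.match(line)
    if m:  # classic syslog has no year or zone; assume the given year and UTC
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
        return event(ts, "sshd", m.group(4), m.group(5), "login",
                     "success" if m.group(3) == "Accepted" else "failure")
    m = ACCESS.match(line)
    if m:
        ts = datetime.strptime(m.group(3), "%d/%b/%Y:%H:%M:%S %z")
        return event(ts, "web", m.group(2), m.group(1), f"{m.group(4)} {m.group(5)}",
                     "failure" if m.group(6) in ("401", "403") else "success")
    return None

def failures_by_actor(lines):
    """Correlate across sources: count failed events per (user, src_ip)."""
    events = [e for e in map(normalize, lines) if e]
    return Counter((e["user"], e["src_ip"]) for e in events if e["outcome"] == "failure")

if __name__ == "__main__":
    print(failures_by_actor(SAMPLES))
```

Once all three sources share field names and a UTC timestamp, one query sees the same user and address failing against SSH, the web login, and the application within about a minute, which no single raw log shows on its own.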

Machine learning tools can detect potential threats which human intelligence may miss. However, by the same logic, human intelligence can also see what algorithms can’t. Make sure you have a log management solution which can facilitate both.

Speaking of which…

Search Capabilities

After data normalization, your enterprise may still struggle with finding the relevant data for cybersecurity. For example, say you need the logs from a particular application. In a legacy log solution, you may have to sift through digital piles of documents, folders, and plaintext to even find the application in question. Of course, then you would have to dig through its full data.

Good log management should organize the data in an accessible and comprehensible manner. Further, it should allow for easy navigation of the logged data; it should provide your team with the option to input search queries for smooth investigations and vulnerability follow-ups.

Secure File and Collection Rules

Every good log management tool helps you collect data. However, you may have good reasons not to collect certain information.

Any data traffic generates a certain amount of risk. The same holds true for storing data; if you store it somewhere outside of normal parameters, you invite threat actors to try and steal it.

Your enterprise should already have a clear idea of what data you need to protect. Ideally, you shouldn’t begin the cybersecurity conversation without this self-assessment. Once done, you should use a good solution to impose rules on your event data. With rules, you can label the sensitive data the solution should never log. Additionally, if you must collect the sensitive data in question, you can authorize encryption and set scrubbing time frames.

Good log management should never put your enterprise at greater risk.
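The following added example (not from any specific product) shows how such collection rules can be expressed and enforced before an event reaches storage. The rule names, field names, and retention windows are assumptions, and a keyed HMAC token is used here as a standard-library stand-in for the encryption step.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical rule set: field names and windows are assumptions for this example.
RULES = {
    "never_log": {"password", "card_number"},   # dropped before storage
    "protect": {"email"},                       # collected, but only as a keyed token
    "scrub_after": {"auth": timedelta(days=90), "default": timedelta(days=30)},
}

def apply_rules(event, key, rules=RULES):
    """Return a copy of the event that is safe to store under the rules."""
    stored = {}
    for field, value in event.items():
        if field in rules["never_log"]:
            continue  # labelled as never to be logged
        if field in rules["protect"]:
            # HMAC-SHA256 token stands in for encryption: the field stays
            # correlatable across events without storing the clear value.
            value = hmac.new(key, str(value).encode(), hashlib.sha256).hexdigest()
        stored[field] = value
    windows = rules["scrub_after"]
    window = windows.get(event.get("category"), windows["default"])
    stored["scrub_at"] = (datetime.fromisoformat(event["time"]) + window).isoformat()
    return stored

def scrub(store, now):
    """Keep only events whose scrub time has not yet passed."""
    return [e for e in store if datetime.fromisoformat(e["scrub_at"]) > now]

# Constructed sample event (not real data).
SAMPLE = {"time": "2019-03-04T09:15:02+00:00", "category": "auth", "user": "alice",
          "email": "alice@example.com", "password": "hunter2"}

if __name__ == "__main__":
    kept = apply_rules(SAMPLE, key=b"constructed-demo-key")
    print(kept)
    print(scrub([kept], datetime(2019, 7, 1, tzinfo=timezone.utc)))  # past scrub_at
```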

Data Storage and Compliance

Technically, our number five entry consists of two capabilities. However, data storage and compliance are so intertwined in their functions they essentially serve as one.

Of course, every log management solution generates the same problems for enterprises. What should your enterprise actually do with all the data it collected? Where does it go? How long should it stay in your IT environment before being deleted?

A good solution should provide your enterprise with data storage options to suit your particular use-case. These data storage capabilities should allow for preservation, compression, encryption, and archiving to ensure the record’s safety and easy retrieval.

Speaking of easy retrieval, good log management should also facilitate governmental or industrial compliance mandates. Many come with out-of-the-box templates for major compliance initiatives; all you need to do is set up the rules for automatic input and you can devote more energy to pressing cybersecurity problems.

If you want to learn more about good log management and its connection to SIEM, be sure to check out our 2019 Buyer’s Guide! We compiled the top vendors in the market, analyzed their key capabilities, and provided our Bottom Line for each!

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.