Where Should You Collect Your Logs for SIEM During COVID?


One of the perpetual challenges of business SIEM involves where you should collect your logs. This question becomes amplified in the shift to remote work mandated by COVID-19. 

Here are the basics of the problem: SIEM collects logs from across the IT environment and aggregates them. This forms the cornerstone of SIEM as a cybersecurity solution; these logs become normalized and analyzed to discover security events and generate alerts. 


However, trying to draw logs from everywhere in the IT environment all at once can create more problems than it solves. First, ingesting from every source at once can cause configuration rule issues and a data pile-up that overwhelms the solution. Second, too many logs produce more false-positive alerts, which lead to analyst burnout and bury legitimate leads. 

On the surface, this might seem like an easy problem to solve. All you need to do, in theory, is to be more selective about the digital locations you draw logs from and keep a close eye on those configuration rules. Yet the COVID-19 pandemic, and the shift to remote work en masse, has thrown that calculation out of balance. 

In other words, where do you collect logs from during COVID when the entire business exists remotely? 

Here are a few pointers. Use user and entity behavior analytics (UEBA), starting with the most privileged users; their behaviors and credentials have the largest impact on your network, so you should keep a closer eye on them. Also, make sure your sensitive data stays centralized so you can monitor it closely; use Data Loss Prevention (DLP) capabilities to prevent users from uploading data to unauthorized locations such as public cloud databases. That way, even though users work remotely, your data silos stay centralized for log management. 

Finally, make sure the configuration rules your solution uses to detect security events reflect the current circumstances. A remote login, for example, might have triggered an alert before COVID, but it now must be recognized as a normal part of the business day.
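As an added illustration of the two pointers above (UEBA focused on privileged users, and retuning rules that treated any remote login as suspicious), the snippet below is example code written for this article, not a rule from any particular SIEM product. It runs a pre-COVID style rule and a baseline-driven rule over a few constructed authentication events; the field names and the per-user (geo, device) baseline are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample authentication events (hypothetical, not real logs).
# HISTORY is the learning window used to build per-user baselines;
# LIVE is the stream the detection rules are evaluated against.
HISTORY = [
    {"user": "alice", "privileged": True,  "remote": False, "geo": "US", "device": "LT-01"},
    {"user": "bob",   "privileged": False, "remote": False, "geo": "US", "device": "LT-07"},
]
LIVE = [
    {"user": "alice", "privileged": True,  "remote": True, "geo": "US", "device": "LT-01"},
    {"user": "bob",   "privileged": False, "remote": True, "geo": "US", "device": "LT-07"},
    {"user": "bob",   "privileged": False, "remote": True, "geo": "DE", "device": "LT-07"},
    {"user": "alice", "privileged": True,  "remote": True, "geo": "RO", "device": "UNKNOWN"},
]


def pre_covid_rule(events):
    """Old rule: any login from outside the corporate network is an alert.
    With a fully remote workforce this fires on every single event."""
    return [e for e in events if e["remote"]]


def build_baseline(history):
    """Per-user set of (geo, device) pairs observed during the learning window."""
    baseline = defaultdict(set)
    for e in history:
        baseline[e["user"]].add((e["geo"], e["device"]))
    return baseline


def tuned_rule(history, events):
    """Remote access itself is treated as normal. An event alerts only when it
    deviates from the user's own baseline, with a stricter bar for privileged
    users: a new geo OR a new device alerts. Non-privileged users alert only on
    a new device, since a known device from a new location is usually travel.
    Events that alert are not learned into the baseline, so a suspicious login
    cannot quietly become 'normal'."""
    baseline = build_baseline(history)
    alerts = []
    for e in events:
        seen = baseline[e["user"]]
        new_geo = e["geo"] not in {g for g, _ in seen}
        new_device = e["device"] not in {d for _, d in seen}
        suspicious = (new_geo or new_device) if e["privileged"] else new_device
        if suspicious:
            alerts.append(e)
        else:
            seen.add((e["geo"], e["device"]))  # learn from benign activity only
    return alerts
```

Against the sample stream the old rule raises four alerts, all noise, while the tuned rule raises one, for the privileged user logging in from an unseen country on an unknown device.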

You can learn more in our SIEM Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.