What Is Log Management, and Why Is It Important?
I think we all know what log management is. As discussed in a 2017 article for The State of Security, log management is about systematically orchestrating the system and network logs collected by the organization.
That being said, there’s still some confusion surrounding why an enterprise would want to collect log data in the first place. There are two primary drivers for an enterprise to collect log data. These are security and compliance.
Log Management for Security
Per the Center for Internet Security (CIS), the collection, storage and analysis of logs is a Critical Security Control. The CIS explains the relevance of log management for security quite succinctly in its description of CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs. As quoted on its website:
Deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victim machines. Even if the victims know that their systems have been compromised, without protected and complete logging records they are blind to the details of the attack and to subsequent actions taken by the attackers. Without solid audit logs, an attack may go unnoticed indefinitely and the particular damages done may be irreversible.
Very simply, if you’re not collecting, storing and analyzing log data for every asset in your organization, you have significant gaps in your visibility into the security of your network.
Log management, therefore, plays a key role in your digital security strategy. Having complete visibility into what events have occurred and are occurring on your network is a must. You need this information to focus on the network events of interest. With this type of visibility, you can then take timely and appropriate measures to address potential threats before they balloon into full-fledged security incidents. The visibility granted by log management thereby enhances the overall productivity of security teams across the organization.
Log Management for Compliance
Log management can also be driven by compliance requirements. A failed audit often has consequences that may be more pressing than less immediate security needs. For example, requirement 10 of the Payment Card Industry Data Security Standard (PCI DSS) states:
Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.
Given the above quotation, merchants and other in-scope vendors need to maintain compliance with PCI DSS by keeping and managing their logs. If you don’t, the PCI Security Council could find you in non-compliance with their standard. The body could then punish you with a fine potentially amounting to tens of thousands of dollars.
The Characteristics of a Good Log Management Solution
Now that you know that log management comes with its unique security and compliance benefits, it’s time to find a good log management solution. You should be aware that this type of tool usually distinguishes itself via five primary characteristics. These traits are as follows:
- Be able to provide evidence. Collected data is meant to be used. Not only that, but crucial information needs to be readily available at all times. Details gathered by your log management solution could make the difference between stopping digital attackers in their tracks and not learning about a security issue before it’s too late.
- Identify and respond to events of interest. As noted above, a log management solution should provide actionable intelligence that you can use to improve your digital security. There’s no point in having it if you can’t derive some benefit from it.
- Out-of-the-box support for major and more relevant platforms and devices. A log management solution needs to support its customers as soon as it is deployed. With that said, customers should have the option to configure the solution accordingly so that they can use it to achieve visibility across a variety of platforms and devices.
- Automated configuration and user tasks. In a similar spirit to the previous point, users should be able to focus on working with the data collected by the log management solution rather than on unnecessary fiddling with the system’s configuration.
- Integration with third-party systems. Modern software should not live in isolation and should be able to interact with existing enterprise applications to further enrich available information. By integrating with vulnerability management tools and other security solutions, in particular, log management solutions will yield even more accurate and pertinent threat data.
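To make the first two characteristics concrete, here is a small worked example (written for this page; it is not code from the original article and not part of Tripwire Log Center). It parses a handful of constructed syslog-style sshd lines, keeps every parsed record as evidence, and flags two events of interest: a burst of failed logins from one source, and a successful login from a source that has just produced such a burst. The log format, hostnames, IP addresses, threshold and time window are all assumptions chosen for the illustration.

```python
"""
Added example for this page (not the article's or Tripwire's code): a minimal
log pipeline that normalizes raw lines into events, retains all of them as
evidence, and flags events of interest so only those need immediate attention.
Log format, hosts, addresses and thresholds below are assumed/constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in syslog/sshd style; not captured from a real system.
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 08:01:05 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar 10 08:01:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 08:01:14 web01 sshd[2212]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar 10 08:01:20 web01 sshd[2213]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Mar 10 08:03:44 db02 sshd[917]: Accepted publickey for deploy from 198.51.100.12 port 40010 ssh2
Mar 10 08:05:01 db02 CRON[930]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Syslog header: timestamp, host, process[pid]: message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[\w-]+)\[\d+\]: (?P<msg>.*)$"
)
# sshd authentication outcome inside the message
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

FAIL_THRESHOLD = 3    # assumed: failures from one source before we raise an alert
WINDOW_SECONDS = 300  # assumed: failures must fall within this window to count together


def parse_line(line, year=2024):
    """Normalize one raw line into an event dict; return None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    event = {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"],
             "src": None, "user": None, "outcome": None}
    a = AUTH_RE.match(m["msg"])
    if a:
        event.update(src=a["src"], user=a["user"], outcome=a["outcome"].lower())
    return event


def find_events_of_interest(events):
    """Flag a burst of failed logins per source, and a success that follows such a burst."""
    recent_failures = defaultdict(list)  # source address -> timestamps of failures in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["outcome"] is None:
            continue  # not an authentication event; kept as evidence, not alerted on
        src = ev["src"]
        window = [t for t in recent_failures[src]
                  if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if ev["outcome"] == "failed":
            window.append(ev["ts"])
            if len(window) == FAIL_THRESHOLD:  # alert once, when the threshold is crossed
                alerts.append({"type": "brute_force_attempt", "src": src,
                               "host": ev["host"], "count": len(window), "ts": ev["ts"]})
        elif len(window) >= FAIL_THRESHOLD:
            alerts.append({"type": "success_after_failures", "src": src,
                           "host": ev["host"], "user": ev["user"], "ts": ev["ts"]})
        recent_failures[src] = window
    return alerts


def run_pipeline(raw_text):
    """Parse everything (evidence), detect events of interest, and pick what to escalate."""
    events = [e for e in (parse_line(l) for l in raw_text.splitlines()) if e]
    alerts = find_events_of_interest(events)
    flagged = {a["src"] for a in alerts}
    # Only records tied to a flagged source are escalated; the rest stay in the archive.
    escalate = [e for e in events if e["src"] in flagged]
    return events, alerts, escalate


if __name__ == "__main__":
    all_events, found, to_escalate = run_pipeline(SAMPLE_LOGS)
    print(f"{len(all_events)} events retained, {len(found)} alerts, {len(to_escalate)} escalated")
    for alert in found:
        print(alert)
```

The point of keeping `events` separate from `alerts` is the "evidence" characteristic: the CRON line and the legitimate `deploy` login are never escalated, but they are still parsed and retained so an investigator can reconstruct what else happened on those hosts around the time of the alert.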
With these characteristics in mind, let’s now look at the capabilities of Tripwire Log Center, Tripwire’s log management solution.
Inside Tripwire Log Center
Tripwire Log Center securely collects, analyzes and correlates log data from all devices on your network to improve security and simplify compliance. The solution can also reduce the workload and costs associated with traditional SIEMs and security analytics solutions by pre-filtering data so that only actionable and relevant data is forwarded.
It aggregates and archives all log sources—from network devices to servers, operating systems, applications and more. You can then generate proof of compliance using a pre-defined set of report templates specific to your compliance policy.
Tripwire’s centralized log management system ensures those logs are all available in a single place and that they’re indexed and searchable. Tripwire Log Center’s ability to easily search logs removes manual effort, saving you valuable time and increasing investigation accuracy.
It’s also important to note that Tripwire Log Center 7.4.3 introduces the Failover Manager, which acts as a backup system to any existing TLC Manager. In the event that a TLC Manager goes offline, the Failover Manager takes over its workload with a simple change to ensure seamless logging and high availability.