Log Management Moving Back to its Security Roots - Page 2
Once the mainstay of security teams everywhere, then relegated to the compliance toolbox, log management is making a comeback as a cyber-crime avenger.
"These teams need to be able to stop having their budgets cut on the grounds that there haven't been any security problems. Log management allows them to show data that proves the number of times that an organization has been attacked," said Kindervag.
In terms of actual security, Kindervag believes that systems such as firewalls, anomaly detection systems, IDSs and Web security appliances are much more valuable, because they can stop malicious attacks before they can cause damage.
"You have to be able to stop the bad guys on the wire. If you are logging an attack then it is already too late," Kindervag said. And he dismisses the idea that log management systems are the best or only defense against APTs. "Any Layer 7 device, like an IPS [intrusion prevention system], can detect command and control traffic. Proactive controls are much more important."
But this argument is contested by Ross Brewer, a vice president at LogRhythm.
"Big breaches have led many organizations to recognize that firewalls, IDS and other single point perimeter defenses are failing, and failing massively. They now need a way to respond to attacks automatically," he said.
Log management systems support forensics, reconstructing from the logs how an attack was carried out and what damage it may have done. They also help detect many kinds of ongoing threat, from APTs to rogue administrators, and when they do they can respond with alerts or with direct actions.
"If I appear to log in to the network from Hong Kong, and then 10 minutes later I log in from London, the system will automatically spot this. It can then automatically disable the account, or send out an alert," he said.
In fact, LogRhythm ships with about a hundred "generally discernible patterns", port scans among them, that it is programmed to recognize in logs and react to. As a result, Brewer believes that systems like LogRhythm should be a key part of an organization's defenses.
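To make concrete what "spotting a pattern in the logs and reacting" means, here is an added example of the two detections just described: Brewer's impossible-travel rule (two logins by one user too far apart for the elapsed time) and a port-scan pattern (one source touching many ports on one host in a short window). It is illustrative code written for this page, not LogRhythm's product logic. The log lines are constructed, the key=value format is an assumption, the login coordinates are embedded in the auth lines rather than looked up from a GeoIP database as a real pipeline would, and the thresholds (1,000 km/h, 20 ports in 60 seconds) are chosen for illustration.

```python
"""Two log-driven detections: impossible travel between successive logins, and a
port scan seen in firewall drops. Added example, not LogRhythm's own code."""
import math
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines (not real data). The auth lines carry the login's
# coordinates inline as an assumption; a real pipeline would derive them from
# the source IP with a GeoIP database.
SAMPLE_LOGS = [
    "2024-03-01T09:00:00Z auth user=alice src=203.0.113.7 geo=22.30,114.17 result=success",  # Hong Kong
    "2024-03-01T09:05:00Z auth user=bob src=198.51.100.9 geo=51.51,-0.13 result=success",    # London
    "2024-03-01T09:10:00Z auth user=alice src=198.51.100.4 geo=51.51,-0.13 result=success",  # London
    "2024-03-01T10:00:00Z auth user=bob src=198.51.100.9 geo=51.51,-0.13 result=success",
    "2024-03-01T09:13:00Z fw action=allow src=198.51.100.4 dst=10.0.0.5 dport=443",
] + [  # one source sweeping 25 ports on one host in 25 seconds
    f"2024-03-01T09:12:{i:02d}Z fw action=drop src=192.0.2.9 dst=10.0.0.5 dport={20 + i}"
    for i in range(25)
]

MAX_SPEED_KMH = 1000.0   # faster than any airliner, so a higher implied speed is "impossible"
SCAN_MIN_PORTS = 20      # distinct destination ports from one source to one host ...
SCAN_WINDOW_S = 60       # ... within this many seconds counts as a scan

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split '<timestamp> <source> k=v k=v ...' into a dict (assumed format)."""
    ts, source, rest = line.split(" ", 2)
    event = dict(KV_RE.findall(rest))
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event["source"] = source
    return event


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def detect_impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Flag a successful login farther from the user's previous one than the
    elapsed time allows. Two logins at the same instant from different places
    (zero elapsed time, non-zero distance) are caught by the same comparison."""
    last = {}
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["source"] != "auth" or e.get("result") != "success":
            continue
        pos = tuple(map(float, e["geo"].split(",")))
        user = e["user"]
        if user in last:
            prev_ts, prev_pos = last[user]
            hours = (e["ts"] - prev_ts).total_seconds() / 3600
            km = haversine_km(prev_pos, pos)
            if km > max_speed_kmh * hours:
                alerts.append({"rule": "impossible_travel", "user": user,
                               "km": round(km), "minutes": round(hours * 60),
                               "kmh": round(km / hours) if hours else math.inf})
        last[user] = (e["ts"], pos)
    return alerts


def detect_port_scans(events, min_ports=SCAN_MIN_PORTS, window_s=SCAN_WINDOW_S):
    """Flag a (src, dst) pair once it touches min_ports distinct ports inside a
    sliding window of window_s seconds; each pair is reported only once."""
    window = defaultdict(deque)
    flagged = set()
    alerts = []
    for e in sorted((e for e in events if e["source"] == "fw"), key=lambda e: e["ts"]):
        key = (e["src"], e["dst"])
        q = window[key]
        q.append((e["ts"], int(e["dport"])))
        while (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and key not in flagged:
            flagged.add(key)
            alerts.append({"rule": "port_scan", "src": e["src"], "dst": e["dst"],
                           "ports": len(ports), "at": e["ts"].isoformat()})
    return alerts


def respond(alerts):
    """Illustrative response policy: every hit raises an alert, and an
    impossible-travel hit also disables the account, as in Brewer's example."""
    actions = []
    for a in alerts:
        actions.append(("alert", a["rule"], a.get("user") or a["src"]))
        if a["rule"] == "impossible_travel":
            actions.append(("disable_account", a["user"]))
    return actions


def run(lines):
    """Parse the lines, run both rules, and return (alerts, actions)."""
    events = [parse(line) for line in lines]
    alerts = detect_impossible_travel(events) + detect_port_scans(events)
    return alerts, respond(alerts)


if __name__ == "__main__":
    alerts, actions = run(SAMPLE_LOGS)
    for item in alerts + actions:
        print(item)
```

On the sample data the Hong Kong to London pair for alice is about 9,600 km in ten minutes, an implied speed far above the threshold, while bob's two London logins produce nothing; the 25-port sweep from 192.0.2.9 fires once, at the twentieth distinct port, and is not repeated for the remaining five. Both rules sort by timestamp first, because logs from different collectors rarely arrive in order.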
"At the turn of the millennium, log management was about security. Then, from about 2002, the market shifted from security to compliance. But now there's been another fundamental shift and log management is moving back into the realm of cyber-security."
Vendors and pricing
Log management systems are available as software, as virtual appliances, or as physical appliances that sit on the network and can be clustered together for scale. Increasingly they are also offered as cloud services.
Pricing may be done in a variety of ways including per appliance, per log source or by the volume of logs collected per day. As a rough guide, a system for a company with a few hundred employees may cost around $30,000 to $70,000. A large company with 10,000 to 50,000 employees may be looking at $500,000, while for a very large enterprise a log management system is likely to cost in excess of $1 million.
Key log management vendors include:
Nitro Security (part of McAfee)
NetWitness (part of RSA)
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.