In nature, a fallen log might appear dead, but it plays a valuable role in maintaining a healthy ecosystem. In technology, logs often sit virtually dead to the world, yet you need to understand and use the valuable role they play in maintaining a healthy network. We asked Security Engineer Bob Salmans to explain the role of logs in your technology systems.
All of our systems, from firewalls to switches to servers and just about every other device, have the ability to write a whole lot of helpful information to a log.
Now why on earth would we need these logs? Believe it or not, I’m asked this question quite often. The simple answer is, “Without logs, how do you know what’s happening on your systems?”
Take, for instance, your car. When you take your car into the shop because the lights on your dash are flashing odd-looking symbols, the technicians are going to plug your car into a computer and examine your car’s logs. When something happens in your car’s computer, it records the occurrence in a log, just like the servers at your office (or in the cloud) do. As you can see, logs provide technicians with clues as to what’s going on “under the hood”, or in your server.
There are other reasons to have logs as well, such as compliance. What? I have to have logs to be HIPAA or PCI compliant? Absolutely! And not only that, but you have to be examining the logs too. Now let’s have a little math fun. You have 2 servers and a firewall at work that create logs. Each of these devices will easily log 10,000 events daily, so that is 30,000 events a day. For a single person to examine all of these events in a single 8-hour workday (28,800 seconds), they would need to read and evaluate roughly 1 event per second. I don’t know about you, but I’m definitely not that good. So should we have someone doing daily log reviews? The answer is yes, but instead of a person manually examining the logs, we use a tool referred to as a SIEM.
A SIEM (Security Information & Event Management) is a system that analyzes all of your logs and provides insight as to what you should investigate. SIEMs filter out what is normal from what is not, allowing you to manage by exception. This makes log analysis possible, and much more accurate than having a person attempt to review logs manually. SIEMs also keep a copy of your logs in the event a breach occurs and the attacker erases the system logs. This allows us to perform incident response and identify what happened, because without logs it’s nearly impossible to figure out what really occurred.
How about a little anecdote? A while back we were asked to assist a company in figuring out why one of their accounts kept getting locked out. Long story short, their servers had been compromised and the bad guys were living on them, serving up fraudulent websites and using the servers for malicious activities. If this organization had had a SIEM in place, they would have seen many thousands of login attempts, part of a brute-force attack. They would also have seen remote connections into their server from questionable countries of origin. With a SIEM in place, there would have been plenty of time to take action and prevent the breach from occurring.
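As an added illustration (not Integrity IT’s product or code from this article), here is a scaled-down version of the two checks a SIEM would have raised in the anecdote, run over constructed sshd-style log lines; the IP-to-country table, the failure threshold and the expected-country set are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth log lines (sshd-style); not from any real system.
SAMPLE_LOG = """\
Mar 10 02:14:01 web1 sshd[2211]: Failed password for admin from 198.51.100.7 port 40122 ssh2
Mar 10 02:14:02 web1 sshd[2211]: Failed password for admin from 198.51.100.7 port 40123 ssh2
Mar 10 02:14:03 web1 sshd[2211]: Failed password for admin from 198.51.100.7 port 40124 ssh2
Mar 10 02:14:04 web1 sshd[2211]: Failed password for admin from 198.51.100.7 port 40125 ssh2
Mar 10 02:14:05 web1 sshd[2211]: Failed password for admin from 198.51.100.7 port 40126 ssh2
Mar 10 02:14:06 web1 sshd[2211]: Accepted password for admin from 198.51.100.7 port 40127 ssh2
Mar 10 08:30:40 web1 sshd[2391]: Accepted password for bob from 192.0.2.15 port 51001 ssh2
"""

# Hypothetical IP-to-country lookup; a real SIEM would consult a GeoIP database.
GEOIP = {"198.51.100.7": "XX", "192.0.2.15": "US"}
EXPECTED_COUNTRIES = {"US"}  # assumption: where this business normally logs in from

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_events(log_text):
    """Turn raw lines into (result, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["result"], m["user"], m["ip"]))
    return events

def brute_force_sources(events, threshold=5):
    """Source IPs with at least `threshold` failed logins (the article's 'thousands of attempts', scaled down)."""
    failures = Counter(ip for result, _, ip in events if result == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}

def foreign_logins(events):
    """Successful logins whose source country is outside the expected set."""
    return [(user, ip, GEOIP.get(ip, "unknown"))
            for result, user, ip in events
            if result == "Accepted" and GEOIP.get(ip, "unknown") not in EXPECTED_COUNTRIES]

def review(log_text):
    """Manage by exception: return only the findings worth a human's attention."""
    events = parse_events(log_text)
    return {"brute_force": brute_force_sources(events), "foreign_logins": foreign_logins(events)}

if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```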
Yes, hindsight is 20/20, but now you have foresight, so you can decide whether a SIEM is right for your organization. Integrity IT can provide you with a SIEM and SIEM management to act as an early warning system to watch for both internal and external threats. The best part is, you don’t have to hire someone to manage the system and try to figure out how to interpret data. We can take care of it all, leaving you to do what you do best, manage your business.