Log Management: Understanding What Happened in a Security Event

Security configuration management (SCM) is central to an endpoint detection and response (EDR) strategy. It allows organizations to keep track of changes to their network devices, including those implemented by an unauthorized actor.As I discuss in another blog post, one of the most important features of an SCM program is the creation of a “secure gold image” for each endpoint. Those security settings not only allow organizations to compare the state of each endpoint to a known secure configuration but also provides them with a model for replacing that device if an attacker ever compromises it.It’s not that simple, however. Whenever an endpoint receives a software patch or other update, it generates an event log. Most of those messages relate to normal behavior, but some do pertain to malicious activity. The challenge is separating the approved entries from the unapproved. Indeed, if adequately maintained, most devices will undergo a large number of changes during their lifetime, which means they will generate a significant quantity of logs.How are organizations supposed to sift through those mountains of log data to detect anomalies and threats?The answer is log management, one of the six critical controls of EDR featured in Tripwire’s resource Endpoint Security Survival Guide: A Field Manual for Cyber Security Professionals.As the volume and sophistication of threats continue to grow, organizations can no longer rely solely on collection utilities or expensive, large-scale security information and event management (SIEM) deployments. They should instead work to embrace log management, an approach to data collection which captures event logs from operating systems, apps, databases, IDS/IPS, and network devices.Log management lets security teams know what happened in the event of a security incident. In effect, it helps IT professionals come to better understand their organization’s network environment.Log management begins when security personnel enable logs on network devices. To help facilitate the collection of log data, information security professionals should create a map of their organization’s data collection architecture that notes from which locations they will be collecting logs, as well as how long event logs will be stored as “active” and “archived.”Once they have documented the log collection process, organizations should deploy a secondary log manager that, among other things, reliably collects data and stores it in a central location.From there, security teams can take log management to the next level, such as by setting up event alerts and integrating the secondary log manager with their security configuration management program.Want to learn more about how to make the most out of your log management strategy? Download Tripwire’s guide here.

Leave a Reply