Log Management and Intelligence (LMI)

Introduction

LMI is a governance enabler. Log data is no longer just the domain of technical personnel (who traditionally used it for troubleshooting). It is no longer just an IT asset; it is a corporate and business asset. It is used extensively by both management and external parties (auditors, forensic investigators) and has therefore gained executive-level visibility. In this post we look at the new approach to log management.

Sources of Log Data

IT infrastructure in an organisation would generally comprise the following:

  1. Security solutions such as firewalls and antivirus
  2. OS platforms
  3. Clients and servers
  4. Applications
  5. Users

It is therefore inevitable that the event logs generated by these components run to millions of lines of data. The result is an information overload of diverse logs: too much information.

What is a Log?

Log data has been estimated to account for about 20%-30% of enterprise data. So what is a log? It is a detailed description of user and system activity, comprising events such as logon attempts, security breaches, credit card data access, user privilege changes and so on. It is a record of all events occurring in the enterprise.


Approaches to Log Management

Traditional approaches to log management result in information overload because data is kept in silos and there is no clear ownership of log data. Analysis is mostly manual because the data is not in a consistent format; it is therefore time consuming and delays any risk mitigation process.

Traditional Approach

The LMI approach consists of the following steps:

  1. Collect and index: 100% of logs, from any source, at any time
  2. Alert: alerts based on real-time data, enabling quick risk mitigation
  3. Store: log data should be encrypted and stored
  4. Report: relevant information in the right hands, through dashboards, to meet the relevant legislative requirements

The new approach of LMI is based on a fully integrated log data warehouse: a single instance of logs that makes it easier to ensure that all data is stored and encrypted. This approach makes LMI a platform for enterprise-wide compliance.

LMI-New Approach

Log Management and Intelligence solutions also give you the ability to build custom searches on log data, build a policy library that is mapped to regulatory frameworks, and create dashboards and reports.

LMI is not just a log management approach; it is mandatory

LMI is not just a new approach to log management; it has also been made mandatory by SOX, ISO27000 and PCI, to name a few. For instance, Requirement 10 of PCI states that organisations must:

  1. Automate and secure audit trails for event reconstruction
  2. Review logs daily
  3. Retain audit trail history

Other regulations also require log monitoring activities and require that the organisation take steps to ensure the accuracy of its logs.
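The four LMI steps described above (collect and index, alert, store, report) and the PCI Requirement 10 items (secure audit trails, daily review, retention), as an added illustration in Python that is not part of the original post: the two log formats, the three-failed-logons rule and the use of a SHA-256 hash chain to make the stored audit trail tamper-evident are all assumptions, and the sample lines are constructed.

```python
import hashlib, json, re
from collections import Counter

# Constructed sample lines from two assumed sources (firewall and auth), not real logs
RAW_LOGS = [
    ("firewall", "2024-05-01T10:00:01Z DENY src=203.0.113.7 dst=10.0.0.5 dport=22"),
    ("auth", "2024-05-01T10:00:02Z user=alice action=logon result=FAIL host=srv1"),
    ("auth", "2024-05-01T10:00:05Z user=alice action=logon result=FAIL host=srv1"),
    ("auth", "2024-05-01T10:00:09Z user=alice action=logon result=FAIL host=srv1"),
    ("auth", "2024-05-01T10:01:00Z user=bob action=priv_change result=OK host=srv2"),
]
KV = re.compile(r"(\w+)=(\S+)")
GENESIS = "0" * 64

def normalise(source, line):
    """Collect and index: turn one raw line into a record with a consistent schema."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts, "source": source}
    if source == "firewall":                      # the firewall puts its verdict first
        rec["action"] = rest.split(" ", 1)[0].lower()
    rec.update(KV.findall(rest))                  # key=value pairs common to both formats
    return rec

def alert(records, threshold=3):
    """Alert: users with >= threshold failed logons (assumed detection rule)."""
    fails = Counter(r["user"] for r in records if r.get("result") == "FAIL")
    return [u for u, n in fails.items() if n >= threshold]

def entry_hash(prev, rec):
    return hashlib.sha256((prev + json.dumps(rec, sort_keys=True)).encode()).hexdigest()

def store(records):
    """Store: chain each record to the previous hash so edits or deletions show up."""
    chain, prev = [], GENESIS
    for rec in records:
        h = entry_hash(prev, rec)
        chain.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return chain

def verify(chain):
    """Daily review: recompute the chain; False if any stored entry was altered."""
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["record"]):
            return False
        prev = e["hash"]
    return True

def report(records):
    """Report: per-source event counts, the kind of figure a dashboard shows."""
    return dict(Counter(r["source"] for r in records))
```

Run the raw lines through normalise, then alert, store and verify; verify returns False as soon as any stored record is edited.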
