Seemingly every week, we hear about a big company which has suffered a data breach. Hackers gain access to protected information, often collecting sensitive and financial data on employees and customers. The problem is that we don’t know how network attacks will occur until they happen. If we could magically know this in advance, we would be able to automate all our defenses.
Often the only way that companies can detect cyber-attacks, even after they have happened, is to know and understand what is happening in the logs and in other protected areas. There are many software products and techniques which offer information on the state of health of your company’s security but, as we will see, at times they only show a narrow view of the whole picture.
Two common terms, Log Management (LM) and Security Information and Event Management (SIEM) are often used together, but there are significant differences in the definitions and approaches. Let’s take a look together.
Security and Log Management
A first, important step in establishing a security analysis process is log management. Logs are messages generated by software and hardware of all types; almost every ICT device can produce them. Logs record, in detail, what the device or application is doing, including when users log in or attempt to do so.
Log Management Systems (LMS) can be used for a variety of functions, including: collection, centralized aggregation, archiving and viewing, rotation, analysis and reporting of logs.
Logs are often used to reveal weak spots in security, and forward-looking companies that employ security analysts are often able to identify and resolve them before a violation occurs. Nevertheless, the larger the company, the more logs there are: companies can easily produce hundreds of gigabytes of logs every day. As log volumes continue to grow, and companies become ever more vigilant about security analysis, managing logs alone is no longer sufficient; it is just one component of a holistic solution.
Security Information and Event Management
Any single type of software offers only a limited view of the state of health of your security. For example, a resource management system keeps track only of applications, company processes and administrative contacts; a network intrusion detection system (IDS) sees only IP addresses, packets and protocols. Taken individually, these tools cannot show what is happening on your network in real time.
This is where SIEM, which goes one step beyond log management, comes into play. Experts describe it as “greater than the sum of its parts”: it indeed includes numerous security technologies, and its implementation makes each individual security component more effective. To all intents and purposes, SIEM is the only way to view and analyze all your network activity.
The term, coined in 2005, draws on and builds upon different cybersecurity techniques which, taken individually, cannot show what is happening on a network in real time. By combining the best of these techniques, however, SIEM provides a complete approach to security. Vendors offer SIEM as managed services and/or products, alongside other security solutions. The most complete SIEM products are those with the following functionalities:
- Aggregation, analysis and reporting of the output of logs from networks, OSs, databases and applications
- Applications which verify identities and manage access
- Vulnerability management and forensic analysis
- Policy compliance
- Notifications of external threats
- Customizable dashboards
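The point made above, that an IDS alone or an auth log alone cannot show what is happening, while correlating the two can, is illustrated by the following added example (not code from the original article or from any SIEM product). It normalizes two constructed log sources into one event schema and flags a successful SSH login from a source IP that the IDS had just tagged for brute forcing; the log formats, signature name and 15-minute window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: an SSH auth log and a network IDS alert log.
AUTH_LOG = """\
2024-05-01T10:00:01Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-05-01T10:00:04Z sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
2024-05-01T10:00:09Z sshd[1201]: Accepted password for deploy from 203.0.113.7 port 51251 ssh2
2024-05-01T10:30:00Z sshd[1300]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""
IDS_LOG = """\
2024-05-01T09:59:50Z ids: signature=SSH_BRUTE_FORCE src=203.0.113.7 dst=10.0.0.12
2024-05-01T10:29:00Z ids: signature=PORT_SCAN src=192.0.2.9 dst=10.0.0.12
"""

# Assumed line formats for the two sources (hypothetical, matching the samples above).
AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
IDS_RE = re.compile(r"^(?P<ts>\S+) ids: signature=(?P<sig>\S+) src=(?P<ip>\S+)")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize(auth_text, ids_text):
    """Aggregate both log formats into one common event schema, sorted by time."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "src": "auth", "ip": m["ip"],
                           "kind": "login_" + m["result"].lower(), "user": m["user"]})
    for line in ids_text.splitlines():
        m = IDS_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m["ts"]), "src": "ids", "ip": m["ip"],
                           "kind": "ids_" + m["sig"].lower(), "user": None})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=15)):
    """Flag an accepted login whose source IP the IDS tagged for brute force within `window`.
    Neither source alone raises this: the IDS never sees the login succeed, and the
    auth log by itself shows an ordinary accepted password."""
    alerts = []
    for e in events:
        if e["kind"] != "login_accepted":
            continue
        for prior in events:
            if (prior["src"] == "ids" and prior["kind"] == "ids_ssh_brute_force"
                    and prior["ip"] == e["ip"]
                    and timedelta(0) <= e["ts"] - prior["ts"] <= window):
                alerts.append((e["ip"], e["user"], e["ts"]))
                break
    return alerts
```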
The benefits of SIEM
As with log management, the goal of SIEM is security, but the advantages of a SIEM approach are its real-time analysis and its connection of different systems, bringing their information together in a single console.
In summary, SIEM provides a wide-ranging and detailed view of your company’s security. Your security analysts can thus continue to do what they do best – analyzing security in real time – instead of dedicating precious time to learning every single product which falls under the definition of security.