Industry View
Avoiding Pitfalls in Log Management Planning and Selection
Key considerations include scalability and references at comparable organizations, says ArcSight's Ansh Patnaik.
By Ansh Patnaik, ArcSight
Scale in log management has several dimensions. For example, expanding a log management investment from perimeter threat monitoring to regulatory compliance significantly increases the number and type of assets that need to be monitored. In turn, the total event volume that must be supported also rises. Given the long-term retention requirements that accompany regulations, storage capacity also becomes a challenge. Depending on how widely the regulated assets are distributed, geographic scalability becomes a must-have. Finally, each use case adds analysis load of its own. All of these dimensions of log management scalability should be considered as part of the planning process.
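The planning exercise described above can be made concrete with a small sizing model. The following is an added example, not code from the article or from ArcSight: it models monitored assets as groups, each tied to a use case and a site, and works out sustained and peak event rate, daily ingest, retained storage and the number of sites for a given set of use cases. All device counts, event rates, event sizes, retention periods and product limits are constructed figures for illustration.

```python
"""Sizing model for log management capacity planning (added example).

Every figure below is constructed for illustration; replace it with
measured rates and the retention periods your own regulations require.
"""
from dataclasses import dataclass
from typing import Iterable, List

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class SourceGroup:
    """One class of monitored assets, tied to the use case that requires it."""
    name: str
    use_case: str
    site: str
    device_count: int
    eps_per_device: float   # sustained events per second per device
    avg_event_bytes: int    # average raw (uncompressed) event size
    retention_days: int     # retention the use case imposes on these events


def group_eps(g: SourceGroup) -> float:
    return g.device_count * g.eps_per_device


def group_daily_bytes(g: SourceGroup) -> float:
    return group_eps(g) * g.avg_event_bytes * SECONDS_PER_DAY


def group_retained_bytes(g: SourceGroup, compression_ratio: float) -> float:
    """Stored footprint once the full retention window has filled up."""
    return group_daily_bytes(g) * g.retention_days / compression_ratio


def plan_capacity(groups: Iterable[SourceGroup], compression_ratio: float = 1.0,
                  peak_multiplier: float = 1.0, growth_factor: float = 1.0) -> dict:
    """Roll the per-group figures up into the dimensions planning must cover.

    peak_multiplier models burst rate over sustained (e.g. during an incident);
    growth_factor models expected asset growth over the life of the investment.
    """
    groups = list(groups)
    sustained = sum(group_eps(g) for g in groups) * growth_factor
    return {
        "sustained_eps": sustained,
        "peak_eps": sustained * peak_multiplier,
        "daily_ingest_bytes": sum(group_daily_bytes(g) for g in groups) * growth_factor,
        "retained_bytes": sum(group_retained_bytes(g, compression_ratio)
                              for g in groups) * growth_factor,
        "sites": sorted({g.site for g in groups}),
        "use_cases": sorted({g.use_case for g in groups}),
    }


def check_against(plan: dict, max_peak_eps: float, storage_bytes: float) -> List[str]:
    """Name the dimensions on which a candidate product's limits fall short."""
    shortfalls = []
    if plan["peak_eps"] > max_peak_eps:
        shortfalls.append("event rate")
    if plan["retained_bytes"] > storage_bytes:
        shortfalls.append("retention storage")
    return shortfalls


# Constructed sample environment: a perimeter monitoring deployment, then the
# assets that a regulatory compliance use case would add to it.
PERIMETER = [
    SourceGroup("firewalls", "perimeter threat monitoring", "hq", 10, 200, 300, 90),
]
COMPLIANCE = [
    SourceGroup("in-scope servers", "regulatory compliance", "dc-east", 300, 5, 400, 365),
    SourceGroup("in-scope servers", "regulatory compliance", "dc-west", 200, 5, 400, 365),
]

if __name__ == "__main__":
    for label, groups in (("perimeter only", PERIMETER),
                          ("perimeter + compliance", PERIMETER + COMPLIANCE)):
        plan = plan_capacity(groups, compression_ratio=10, peak_multiplier=3)
        print(f"{label}: {plan['sustained_eps']:.0f} EPS sustained, "
              f"{plan['peak_eps']:.0f} EPS peak, "
              f"{plan['retained_bytes'] / 1e12:.2f} TB retained, "
              f"sites={plan['sites']}")
        # Constructed product limits: 10,000 EPS and 2 TB of retention storage.
        print("  shortfalls:", check_against(plan, 10_000, 2e12) or "none")
```

Running it shows the effect the paragraph describes: the perimeter deployment fits the constructed product limits, while adding the compliance assets more than doubles sustained event rate, adds two sites, and pushes retained storage past the limit because of the 365-day retention.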
Evaluation Phase
When planning is done right, short-listing vendors for evaluation becomes much easier, since the test requirements are well defined and aligned with long-term goals. However, several factors are often overlooked in this process: vendor independence, vendor viability, the quality of support and services, and relevant reference accounts.
Across use cases, any organization will need to monitor devices all the way from the physical layer up through custom applications, and this infrastructure will rarely come from a single vendor or even a handful of vendors. Yet several log management vendors have very limited out-of-the-box support for a broad range of devices. Larger vendors may offer breadth in collection capabilities, but it is often limited to sources from their own portfolio. Looking across the layers of the stack, the infrastructure at most organizations is heterogeneous, so support for the entire range of vendor and device logs in the environment (not just those needed for the immediate use case) is an important evaluation criterion.
Technology is only one aspect of any IT investment. With the downturn in the economy, many vendors have been hit hard financially. Before making any investment, it is important to evaluate the viability of the vendor, independent of its technology. Along the same lines, the quality of support, services and partnerships should be evaluated. Don't assume that a larger vendor can meet your needs best; a more accurate metric is the size of the support and services staff dedicated to log management. Otherwise you may end up going through three tiers of escalation before actually speaking with a log management specialist.
Finally, organizations in different verticals may differ in the type of devices they have. References from deployments of equal scale are invaluable in ensuring that solutions under consideration can in fact meet your needs in terms of technology, support, and services.