Cybersecurity 101: The criticality of event logs

Coaches love to talk about “the basics” – the fundamental skills their athletes need to master before they can move on to more advanced techniques. The basics can seem simple and even dull, but without them as a foundation, ultimate success can prove elusive.

Cybersecurity programs have their own set of “the basics.” Sadly, one of the most critical of these essentials is also one of the most neglected: the collection and regular review of event logs. Good log practices can pay big dividends throughout the entire cybersecurity lifecycle, from helping to profile “normal” activity, to identifying and preventing attacks, to, if necessary, performing post-breach forensics and remediation.

Even organizations that understand the importance of event logging can be overwhelmed by the sheer volume of events that routinely occur across even modest IT environments. Operating systems, firewalls, network routers, applications and dozens of other infrastructure elements can each generate their own event logs. Large corporate environments may log thousands of events per second and millions of events per day. With the proliferation of mobile devices and Internet-of-Things endpoints, today’s staggering log volumes will only continue to grow.

This embarrassment of riches in raw log information can produce operational paralysis rather than insight if organizations fail to implement sophisticated log filtering. Such filters need to strike a balance between collecting any and all event information and filtering out so many logs that potentially meaningful data is lost.

Once the data is collected, organizations need log retention policies that ensure that pertinent data is still available if needed to detect, prevent or analyze some future security incident. Many companies will need outside experts to help them institute optimal log collection and retention policies.

Once they have good log information in hand, organizations can use it to create profiles of typical networking and user activities. When paired with security information and event management (SIEM) systems, this baseline log information can help security professionals identify suspicious activity that falls outside of expected norms. In this way, the logs form the core of an early warning system that can help organizations counter threats before they even gain a foothold.
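The baseline-and-deviation idea described above, as an added illustration that is not part of the original article: a normal-activity profile is built from constructed authentication log lines (user, host and hour of successful logons), and later lines are flagged when they fall outside that profile. The log format and the users and hosts are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records: "<ISO timestamp> <user> <host> <result>".
# BASELINE_LOGS represents a period of known-normal activity.
BASELINE_LOGS = [
    "2016-03-01T09:12:00 alice ws-alice success",
    "2016-03-01T10:40:00 alice ws-alice success",
    "2016-03-02T08:55:00 alice ws-alice success",
    "2016-03-01T09:30:00 bob ws-bob success",
    "2016-03-02T14:05:00 bob fileserver success",
    "2016-03-02T14:06:00 bob fileserver success",
]

# Constructed later records to be checked against the baseline.
NEW_LOGS = [
    "2016-03-03T09:05:00 alice ws-alice success",   # within profile
    "2016-03-03T03:17:00 alice dc01 success",       # new host, odd hour
    "2016-03-03T14:10:00 bob fileserver success",   # within profile
    "2016-03-03T14:12:00 mallory fileserver success",  # never seen before
]


def parse(line):
    ts, user, host, result = line.split()
    return datetime.fromisoformat(ts), user, host, result


def build_baseline(lines):
    """Profile each user's successful logons: which hosts and which hours."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for line in lines:
        ts, user, host, result = parse(line)
        if result == "success":
            profile[user]["hosts"].add(host)
            profile[user]["hours"].add(ts.hour)
    return profile


def find_anomalies(lines, profile):
    """Return (line, reason) pairs for events outside the user's baseline."""
    findings = []
    for line in lines:
        ts, user, host, _ = parse(line)
        if user not in profile:
            findings.append((line, "unknown user"))
            continue
        reasons = []
        if host not in profile[user]["hosts"]:
            reasons.append("new host")
        if ts.hour not in profile[user]["hours"]:
            reasons.append("unusual hour")
        if reasons:
            findings.append((line, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in find_anomalies(NEW_LOGS, build_baseline(BASELINE_LOGS)):
        print(f"{reason}: {line}")
```

A real SIEM rule would use a far longer baseline window and richer fields (source address, logon type, failure counts), but the mechanism is the same: flag what the learned profile has never seen.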

When suspected or actual breaches do occur, the log data helps identify and isolate any intruder or malware. It then provides an audit trail for tracking which network elements, processes or users were involved in the attack. Despite its obvious value, this critical log data is often lacking.

In a recent AT&T Cybersecurity Insights report, Todd Waskelis, executive director of Security Consulting Services at AT&T, said, “We consistently go in and find that the evidence [log] data we need just isn’t there or readily accessible. This makes it difficult for us as we try to figure out what happened.”

Log data can even play a crucial role in mitigating the regulatory or legal ramifications associated with any significant breach. The audit trail provided by the logs may help an organization prove that a breach didn’t occur because of its own negligence or through some other internal fault.

In the cybersecurity realm, where attention is often focused on the latest big attack or on the newest cutting-edge security control, lowly event logs can sometimes be overlooked. But without good log collection, retention and analysis capabilities, an organization’s security program will rest on very unstable ground.

Dwight Davis has reported on and analyzed computer and communications industry trends, technologies and strategies for more than 35 years. All opinions expressed are his own. AT&T has sponsored this blog post.

Copyright © 2016 IDG Communications, Inc.