Log Management, The Next Generation

Log management technologies have become a staple for regulatory compliance and security reporting. That said, most log management systems provide little more than triggers and alerts when something happens. What about security forensics? Yes, all the information is there but getting to it is a lot like the early days of the World Wide Web when you found information by following hyperlinks. Even a senior security analyst can wade through useless haystacks of security logs for days before discovering valuable needles.So what’s needed? The next generation of log management featuring:1. Consolidation of logs and network flows. Some vendors collect both of these data sources but most don’t. Log and flow data together tells about individual network nodes and where they are connecting, helping me understand the origins and ramifications of an attack. Without this combination, I am filling in the blanks in one area or the other. 2. Location awareness. Yes, I want to know what happened but I also want to know where it happened. An IP address is a piece of random evidence while an IP address in the Ukraine may constitute a crime scene. 3. Deeper granular visibility. The system logs provide the big picture but researchers need to dig into particular sub-routines and processes to get a more accurate understanding of what happened. This requires the correlation of many types of data inputs and visual tools that make these relationships understandable. Leading log management vendors like ArcSight, LogRhythm, Q1 Labs, and others realize that log management isn’t just about collecting and storing esoteric IT data, it is about providing organizations with the right data and tools to make this data actionable. It’s time for users and other vendors to realize that the next generation of log management isn’t a visionary concept, it is an absolute requirement.