January EventSource Newsletter
By Jasmine Noel
Log Management can find answers to every IT-related problem
Why can I say that? Because I think most problems get handled the same way. The first stage is someone getting frustrated with the situation. They then use tools to analyze whatever data is accessible to them. From this analysis, they draw some conclusions about the problem’s answer, and then they act. Basically, finding answers to problems requires the ability to generate intelligence and insight from raw data.
IT-related problems are no different. The only twist is that IT problems are growing in number, size and complexity at a faster rate than the budgets and resources targeted at those problems, even during good economic times. This means a lot of people (from CIOs to CFOs to security to operations managers) are frustrated with this situation. However, they lack a solution designed to analyze raw data and report the intelligence and insight needed to draw conclusions. What they need is a cost-effective way to find answers from the available data.
The case for log management
Given this backdrop, it is fairly straightforward to see the logic behind my article title:
Step 1: Logs are a source of raw data for IT
Step 2: Log management solutions can make it easier to extract intelligence from IT data
Step 3: IT managers can use extracted intelligence to find answers to problems
Logs are a record of what a system is doing minute by minute. Each system log by itself is only mildly interesting (usually only to a technician when troubleshooting a problem). However, the aggregate of all logs contains more treasure than a Nicolas Cage movie. With the right search, query and reporting tools this raw data can turn into detailed understanding of most aspects of your business, from how consumers use your systems to purchase goods, to how the company’s risk profile changes over time, to how bottlenecks slow automated workflows, to identifying unusual patterns that indicate security threats.
The raw data for all of this understanding is already there. It is distributed on every IT asset with a log file because log files often contain electronic traces of interactions between assets and between users and assets. By examining these traces you can see patterns, by understanding patterns you can draw conclusions and plan actions. That is what it means to be proactive. That is what it means to work smarter not harder.
However, turning gold ore (IT logs) into gold treasure (actionable answers) requires the ability to search, query, report on and analyze the vast and restless sea of data generated by the IT assets running your business’ operations, and so generate intelligence and insight. With that solution in place, it becomes a matter of applying that ability to the specific scenario.
The gold coins for IT Operations include answers to questions such as:
• Have there been any unauthorized configuration changes? With this answer staff can act to prevent service outages, data leaks, SLA penalties and compliance issues.
• How many VMs are deployed right now and who owns them? With this answer staff can act to increase resource utilization and minimize capital costs.
• How is the new load-balancing policy actually allocating workloads? With this answer staff can act to ensure capacity is allocated according to business priorities.
For security teams, the treasure chest contains real-time gems and forensic jewels. Since enterprise environments are getting more complex and more dynamic, it is more difficult to rapidly investigate cause and effect during a crisis without automated correlation of configuration changes with the events logged by systems, applications and network infrastructure. Forensic analysis of IT data allows staff to test potential answers (such as changing an operational policy, adding a new configuration check, or implementing a new correlation rule) to the “how do we prevent this from happening again” question.
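The “unauthorized configuration changes” question above, and the correlation of configuration changes with later system events, as a worked example added here (not code from the newsletter or from EventTracker): the log lines, the approved-change tickets and the ten-minute follow-up window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the newsletter): configuration-change audit
# records and service events, in the shape a log management tool might collect.
LOG_LINES = [
    "2009-01-12T02:05:10 host=web01 event=CONFIG_CHANGE user=alice item=/etc/nginx/nginx.conf",
    "2009-01-12T02:06:40 host=web01 event=SERVICE_RESTART service=nginx",
    "2009-01-12T14:22:03 host=db02 event=CONFIG_CHANGE user=bob item=/etc/my.cnf",
    "2009-01-12T14:25:30 host=db02 event=SERVICE_DOWN service=mysql",
    "2009-01-12T09:00:00 host=web02 event=CONFIG_CHANGE user=alice item=/etc/hosts",
]

# Approved change tickets (also constructed): who may change which host, and when.
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "user": "alice", "host": "web01",
     "start": datetime(2009, 1, 12, 2, 0), "end": datetime(2009, 1, 12, 3, 0)},
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    m = LINE_RE.match(line)
    rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
    rec["ts"] = datetime.fromisoformat(m.group("ts"))
    return rec

def is_authorized(change, approved):
    """A change is authorized only if a ticket matches user, host and time window."""
    return any(t["user"] == change["user"] and t["host"] == change["host"]
               and t["start"] <= change["ts"] <= t["end"] for t in approved)

def find_unauthorized_changes(lines, approved, window=timedelta(minutes=10)):
    """Return unauthorized CONFIG_CHANGE records, each annotated with the other
    events seen on the same host within `window` afterwards (the cause/effect view)."""
    records = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    findings = []
    for rec in records:
        if rec["event"] != "CONFIG_CHANGE" or is_authorized(rec, approved):
            continue
        followups = [r["event"] for r in records
                     if r["host"] == rec["host"] and r["event"] != "CONFIG_CHANGE"
                     and rec["ts"] < r["ts"] <= rec["ts"] + window]
        findings.append({"host": rec["host"], "user": rec["user"],
                         "item": rec["item"], "followed_by": followups})
    return findings

if __name__ == "__main__":
    for finding in find_unauthorized_changes(LOG_LINES, APPROVED_CHANGES):
        print(finding)
```

On the sample data the web01 change is covered by its ticket, while the db02 change by bob (followed by a SERVICE_DOWN three minutes later) and the out-of-window web02 change are reported.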
Compliance officers can swim away with multiple gold medals because most analysts believe more regulations are coming, even if their computing environment remains relatively unchanged over the next 18 months. These new regulations are likely to involve analyzing and reporting the same raw IT data different ways to answer questions about:
• The integrity of systems, applications and processes,
• The ability to differentiate between good and bad interactions between systems and between employees and systems,
• The process for preventing and mitigating unauthorized changes, etc.
The effort involved in answering those management, security and governance questions could be days worth of remotely accessing systems and copying data into spreadsheets – or could be a mouse-click to view a dashboard or report generated by a log management solution. Similarly, each group could purchase separate solutions to generate their intelligence treasure – or could use an enterprise-wide solution flexible enough to address their critical needs in each area. It’s up to the company to decide by focusing on their needs.
Get started by focusing on critical needs
Financial crises tend to cut through the hazy grind of daily business operations and to focus people on critical needs. This global credit crunch is no different. For business executives, the two critical needs are:
- protecting what they have by keeping service performance stable while lowering operational costs; and
- adapting to unexpected situations and problems by increasing business agility while lowering risk management costs.
For business technologists, the two critical needs are meeting those business demands and holding onto their jobs.
The margin for error is very slim. Businesses that allow service performance to disintegrate during tough times or take risky actions to deal with market fluctuations, unexpected service problems or malicious attacks rarely make it through economic downturns in any shape to compete effectively in the future. Typically, survivor companies do not cut costs blindly. Instead they use tough times as a mandate for projects that dramatically improve the competitive value of their staff’s daily activities.
There is only one way to do that when your business services and competitiveness are IT-dependent – skyrocket productivity with a proactive approach to managing, securing and governing technology assets delivering business services and agility. Since there can be hundreds of technology assets per business employee, the only way operations, security and compliance staff can become more proactive is to get better intelligence, knowledge and insight.
This brings us right back to where we started. Having better intelligence is a key part of dealing with every IT-related issue and every additional demand that business executives challenge IT to meet without increasing its staff. Therefore, it is time to get IT intelligence (aka log management) solutions off of the wish list and into the hands of the staff that need it.
Jasmine Noel is founder and partner of Ptak, Noel & Associates. With more than 10 years experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion. Send any comments, questions or rants to email@example.com
Lock down that data
Another example of the insider threat to personally identifiable information has surfaced. In December, an employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud for a scheme in which he stole information on at least 10 employees from library databases.
Did you know? EventTracker not only enables insider threat detection, but also provides a complete snapshot of a user’s activity, including application usage, printer activity, idle time, software install/uninstall, failed and successful interactive/non-interactive logins, changes in group policy, deleted files, websites visited, USB activity and more, to deter unauthorized access.
In the Vault
When it comes to protecting financial info, IT security professionals can never rest on their laurels. These organizations must adopt new technologies, ramp up online banking options, and deal with employee turnover. That’s why these firms continually need to review the security measures in place.
Did you know? EventTracker provides you with scheduled or on-demand reviews of security measures allowing you to proactively address potential weaknesses in security controls, while reacting to security incidents.
EventTracker melds Smart Search with Advanced SIEM capabilities
Best-of-both-worlds solution combines free-form, intuitive searching with intelligent analytics, correlation, mining and reporting in one turn-key package
What’s new in EventTracker 6.3?
Free-form Google-like search, user profiling and more… Watch the video for detailed information.