Is it better to leave some logs behind?

Log management has emerged in the past few years as a must-do discipline in IT for complying with regulatory standards, and protecting the integrity of critical IT assets. However, with millions of logs being spit out on a daily basis by firewalls, routers, servers, workstations, applications and other sources across a network, enterprises are deluged with log data and there is no stemming the tide. In fact, the tide is just beginning to come in. With always-on high-speed internet connectivity and an increasing number of servers and devices that an IT department has to manage, the task of collecting, storing and making sense of all this data is no mean feat. Adding to the confusion are non-specific regulatory requirements relating to logging and archiving that are entirely vague on what an IT department must do, coupled with the increasing pressure for data privacy. It is not surprising then that for many companies the default plan to keep the auditors happy is to simply collect and retain everything from every source. However, collecting and retaining every single log ever generated is often unnecessary from both a regulatory and forensic standpoint, and the retention of the data can often represent a security or liability risk itself.

This confusion in the log management space is further compounded by vocal proponents amongst the vendor community of the “collect everything” approach as necessary for being compliant and secure. My experience is that the world is not a black and white place but a myriad of grays. If you dig a little deeper you might find a reason for the extreme position. It turns out that some vendors really sell capacity for storing logs, others have license fees tied to log volume, yet others have no ability to enforce central configuration of filters across a large installation.

OK, putting aside cynicism, are they actually right? Is this one of those rare cases where the broad statement is simply the correct statement (“don’t smoke” immediately springs to mind)? Let’s explore this in some more detail.
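As an added illustration of the middle ground argued for above (example code written for this article, not part of the original page and not EventTracker's or any vendor's code), the following triage filter shows that "leaving some logs behind" does not have to mean losing evidence. Every line is matched against an ordered rule list: authentication and privilege events are retained verbatim, high-volume firewall events are reduced to per-flow counts, routine housekeeping noise is dropped but tallied so the reduction is auditable, and anything no rule recognises is kept by default. The rule names and the sample log lines are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample log lines (syslog-style, not from any real system).
SAMPLE_LOGS = [
    "fw01 DENY TCP 10.0.0.5:51234 -> 203.0.113.9:443",
    "fw01 DENY TCP 10.0.0.5:51235 -> 203.0.113.9:443",
    "fw01 ALLOW TCP 10.0.0.7:40000 -> 10.0.0.20:22",
    "srv01 sshd: Accepted publickey for alice from 10.0.0.7",
    "srv01 sshd: Failed password for root from 198.51.100.4",
    "srv01 sshd: Failed password for root from 198.51.100.4",
    "srv01 sshd: Failed password for root from 198.51.100.4",
    "srv01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx",
    "wks12 dhclient: bound to 10.0.0.33 -- renewal in 3600 seconds",
    "wks12 dhclient: bound to 10.0.0.33 -- renewal in 3600 seconds",
    "srv01 cron: (root) CMD (run-parts /etc/cron.hourly)",
]

# Each rule is (name, pattern, action); the first matching rule wins.
#   "retain": keep the raw line (needed for forensics and audit trails)
#   "count":  keep only an aggregate per key; the key is the regex capture
#             groups joined together (ephemeral source port stripped), or
#             the whole line when the pattern has no groups
#   "drop":   discard the line but record how many were dropped per rule
# Rule names are assumptions chosen for this example.
RULES = [
    ("auth_success",  re.compile(r"sshd: Accepted"), "retain"),
    ("auth_failure",  re.compile(r"sshd: Failed"), "retain"),
    ("privilege_use", re.compile(r"\bsudo:"), "retain"),
    ("fw_deny",  re.compile(r"(\S+) DENY (\S+) ([\d.]+):\d+ -> ([\d.]+:\d+)"), "count"),
    ("fw_allow", re.compile(r"(\S+) ALLOW (\S+) ([\d.]+):\d+ -> ([\d.]+:\d+)"), "count"),
    ("dhcp_renew",   re.compile(r"dhclient: bound to"), "drop"),
    ("cron_routine", re.compile(r"cron: \(root\) CMD \(run-parts"), "drop"),
]


@dataclass
class TriageResult:
    retained: list = field(default_factory=list)      # raw lines kept
    aggregates: Counter = field(default_factory=Counter)  # key -> count
    dropped: Counter = field(default_factory=Counter)     # rule -> count
    total: int = 0


def triage(lines, rules=RULES):
    """Classify each line as retain / count / drop according to `rules`."""
    result = TriageResult()
    for line in lines:
        result.total += 1
        for name, pattern, action in rules:
            m = pattern.search(line)
            if not m:
                continue
            if action == "retain":
                result.retained.append(line)
            elif action == "count":
                key = name + ": " + (" ".join(m.groups()) if m.groups() else line)
                result.aggregates[key] += 1
            elif action == "drop":
                result.dropped[name] += 1
            break
        else:
            # No rule matched: keep the line. Unknown events are never
            # silently discarded; the conservative default is to retain.
            result.retained.append(line)
    return result


def stored_records(result):
    """Number of records that actually reach long-term storage."""
    return len(result.retained) + len(result.aggregates)


if __name__ == "__main__":
    r = triage(SAMPLE_LOGS)
    print(f"input lines: {r.total}, stored records: {stored_records(r)}")
    for line in r.retained:
        print("RETAIN ", line)
    for key, n in r.aggregates.items():
        print("COUNT  ", n, key)
    for rule, n in r.dropped.items():
        print("DROPPED", n, "by rule", rule)
```

Two design points matter more than the rule list itself: the fall-through default retains rather than drops, so a gap in the rules cannot quietly erase evidence, and dropped volume is counted per rule, so the filter's effect can be shown to an auditor instead of argued about. With the sample input, 11 lines become 7 stored records (5 raw lines plus 2 flow aggregates) while every authentication and privilege event survives intact.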

Industry News

The essential guide to security audits

The security audit is a practice that could best be filed under the “necessary evil” category. While no business owner, executive or IT manager relishes the thought of enduring an end-to-end security examination, it’s generally understood that an audit is the best and only way to fully ensure that all of a business’s security technologies and practices are performing in accordance with established specifications and requirements.

PCI – Smart or Stupid?

There is something odd about the payment card industry (PCI) standard. It's one of the best things to happen to the security of consumer data, yet many think it is as complex as rocket science.

Prism Microsystems and Finally Software bring SIEM to the EMEA market

Prism Microsystems, a leading provider of integrated SIEM (Security Information and Event Management) and Change Management solutions, recently announced a reseller agreement with Finally Software, a UK-based provider of security software solutions, to market and support Prism’s SIEM solution, EventTracker, in the EMEA region.

Featured Webinar

Beyond Traditional Security. Blending Proactive and Reactive Security to Protect the Enterprise

Traditional firewalls and Intrusion Detection Systems leave your organization unprotected from most zero-day and internal attacks. You need a combination of both event and change management practices to protect your organization. This webinar will discuss how to use a combination of proactive and reactive security strategies to shield your organization from these dangerous threats.