What is Log Management?
Log management refers to collecting, storing, aggregating and analysing data from different programs and applications, and alerting on it in real time.
The data is referred to as log data.
Log data is a computer-generated file (or the data within the file) that is written to every time a specific event occurs in the controlling application (or program).
Going one step further, LogRhythm defines log management as:
"A mature SIEM correlation tool can help you tell a cohesive story around user and host data, making it easier to gain the proper insight needed to remediate security incidents faster."
Log management allows you to understand what is going on and when.
In doing so, your teams can quickly diagnose and gain valuable information while also ensuring the compliance and security of your systems.
What type of information will be documented?
The log file is dependent on what has been designed by system administrators and what is deemed of a critical nature.
Event logs can be categorised as anything happening in your system, from messages and file transfers to critical system errors, error codes or suspicious activity.
Why is Log Management important?
Log management is important because it gives the business an overall view of its current cybersecurity posture and, with it, of the assets in scope.
In order to get value from a log management system, you need to ensure your critical assets are covered and centralised, for example:
- critical servers
- firewalls and networking devices
This can then be extended to on-premises, cloud environments and end-user devices.
How Does Log Management Work?
Log management works by centralising IT information, which lets you optimise your allocation of resources and improves your IT team's performance by reducing the resources needed.
As the data is time-specific, cyber security professionals and developers can understand what occurred and when.
Because the data is timestamped, the analysis of any given task becomes auditable.
Having a SIEM solution in place and centralising log management can help you combat future issues by identifying root causes and putting remediation steps in place.
The time saved in this way gives you the foresight to know where your team's priorities will lie, so you can align resources to gain the most value from your team.
Another advantage is the multiple uses of log data which can allow you to formulate playbooks to take automated actions for specific behaviours or align your business towards any compliance or standard goals.
For non-standard log sources, a SIEM can interpret this data and turn these log sources into easily understandable information for reporting.
But Won’t I be Flooded With Too Much Data?
The volume of data generated from log files will undoubtedly give you insight into how your organisation’s systems and networks are performing; however, high volumes of data can be counterproductive.
Because log data comes in many different syntaxes and tag formats, specific tools are needed to make sense of what you have.
Teams may struggle to organise log data efficiently. Imagine searching for a single log message that is stored in several different places.
This is where log management tools prove useful, by giving you the functionality to triage, tune and then action specific log data.
What are log management tools?
A log management tool helps collect, store and archive large amounts of data.
A Log Management System (LMS), for example, will take log data and store it in one central place.
IT teams, DevOps, and SecOps professionals can have one point of reference and access for all the data they require across their entire network.
What are Log management best practices?
Covering these important aspects makes the main benefits clear:
Reduction in Threat Dwell Time
Dwell time is the duration for which a threat or threat actor has undetected access within a network or system until it is completely removed.
Longer dwell times give a threat more opportunity to succeed, increasing risk and cost.
The Sapphire Security Operations Centre (SOC) measures the Dwell Time of discovered threats.
More than just a metric, this represents a positive step towards a mature security posture.
Reduction in Mean Time to Detect (MTTD)
Faster detection of threats is a crucial target for our SOC (Security Operations Centre).
It improves operational availability for customers, and early detection can prevent exploitation and provide valuable insight into how and why a cyber incident has occurred.
Our Security Analysts monitor multiple indicators of compromise (IoC) and analyse events against numerous threat intelligence sources.
This process helps eliminate false positives and offers valuable context. Reducing MTTD greatly limits the effectiveness of a threat or exploit.
It can slow down lateral movement and make communication with command and control (C2) servers less likely, reducing exposure.
Mean Time to Respond (MTTR)
Our Security Analysts examine threat information to assess validity, severity and impact.
We correlate this data against multiple premium threat intelligence feeds, providing context and deeper insight.
Credible threats are reported to customers via cases, which contain both evidence and Analyst commentary, assisting with remediation.
Contextualised threat data, combined with the experience of our analysts, reduces our MTTR.
We help to improve operational efficiencies in remediation, control and threat mitigation.
MTTD and MTTR are measured and reported based on an average of all cases raised over a reporting period.
We measure Dwell Time from the timestamp of the earliest evidence detected to the point of case creation.
These metrics help illustrate a continual improvement in cybersecurity operations.
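The three metrics above are defined in terms of case timestamps: dwell time from the earliest evidence to case creation, and MTTD and MTTR as averages over every case raised in a reporting period. The following Python is an added example (not Sapphire's own tooling) that computes them from a constructed set of case records; it assumes time-to-detect runs from earliest evidence to the first alert and time-to-respond from case creation to case closure, and it rejects records whose evidence timestamp is later than the case creation, which is the usual symptom of clock skew between log sources.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class Case:
    """One SOC case. Timestamps are ISO-8601 strings (assumed export format)."""
    case_id: str
    earliest_evidence: str  # first log evidence of the threat
    first_alert: str        # when the SIEM correlation rule fired
    created: str            # when the analyst raised the case to the customer
    closed: str             # when remediation was confirmed

    def ts(self, field: str) -> datetime:
        return datetime.fromisoformat(getattr(self, field))


def hours(delta: timedelta) -> float:
    return delta.total_seconds() / 3600


def dwell_time(c: Case) -> timedelta:
    # Page definition: earliest evidence detected -> point of case creation.
    d = c.ts("created") - c.ts("earliest_evidence")
    if d < timedelta(0):
        raise ValueError(f"{c.case_id}: evidence is later than case creation (clock skew?)")
    return d


def time_to_detect(c: Case) -> timedelta:
    return c.ts("first_alert") - c.ts("earliest_evidence")  # assumption


def time_to_respond(c: Case) -> timedelta:
    return c.ts("closed") - c.ts("created")  # assumption


def period_metrics(cases, period_start: str, period_end: str):
    """Average the metrics over cases *raised* within [period_start, period_end)."""
    start, end = datetime.fromisoformat(period_start), datetime.fromisoformat(period_end)
    in_scope = [c for c in cases if start <= c.ts("created") < end]
    if not in_scope:
        return None
    return {
        "cases": len(in_scope),
        "mean_dwell_h": mean([hours(dwell_time(c)) for c in in_scope]),
        "mttd_h": mean([hours(time_to_detect(c)) for c in in_scope]),
        "mttr_h": mean([hours(time_to_respond(c)) for c in in_scope]),
    }


# Constructed sample cases; the third falls outside the March reporting period.
CASES = [
    Case("C-1", "2024-03-01T08:00:00", "2024-03-01T10:00:00", "2024-03-01T11:00:00", "2024-03-01T15:00:00"),
    Case("C-2", "2024-03-02T00:00:00", "2024-03-03T00:00:00", "2024-03-03T01:00:00", "2024-03-03T13:00:00"),
    Case("C-3", "2024-04-04T09:00:00", "2024-04-05T09:00:00", "2024-04-05T10:00:00", "2024-04-06T10:00:00"),
]

if __name__ == "__main__":
    print(period_metrics(CASES, "2024-03-01", "2024-04-01"))
```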
The benefits of Sapphire’s logging solution
Sapphire enhances what is considered the norm for log management, which is generally a reactive approach.
Alerts are generated, an agent picks up these alerts and then takes action.
At Sapphire, we take this to the next level.
We assign a primary and secondary analyst, which allows us to build a real-world knowledge of what “normal” looks like on a client’s network.
Sapphire’s highly technical team can then use that knowledge to actively threat hunt on any given network and take action even before an alert is generated.
Enhancing this service further, we utilise external threat feeds, whether open-source intelligence or premium threat feeds.
Utilising external threat feeds allows us to look at the bigger picture outside the network we are looking at and apply real-world knowledge to threats that could cause an issue.