Out-Law News 3 min. read

10 tips for capturing and using log data in your business


GUEST ARTICLE: The way that your business defends against security threats is likely to generate a vast volume of log data. But do you capture that data and use it to make your business more efficient? Lagis Zavros shares his thoughts.

This article was contributed to OUT-LAW by Lagis Zavros, COO of WebSpy .

Organisations are deploying a variety of security solutions to counter the ever-increasing threat to their email and internet investments. Often, the emergence of new threats spawns solutions by different companies with a niche or a specialty for that specific threat – whether it is a guard against viruses, spam, intrusion detection, spyware, data leakage or any of the other segments within the security landscape.

This heterogeneous security environment means that there has been a proliferation of log data generated by the various systems or devices. As the number of different log formats increases coupled with the sheer volume of log data, the more difficult it becomes for organisations to turn this data into meaningful business information.

Transforming data into information means that you know the 'who, what, when, where, and how' – giving you the ability to make informed business decisions. There is no point capturing data if you do not use it to improve aspects of your business. Reducing recreational web browsing, improving network performance, and enhancing security, are just a few outcomes that can be achieved using information from regular log file analysis.

To achieve these outcomes, it is important for organisations to have a log management process in place with clear policies and procedures and also be equipped with the appropriate tools that can take care of the ongoing monitoring, analysis and reporting of these logs.

Having tools that are only used when a major problem has occurred only gives you half the benefit. Regular reporting is required in order to be proactive and track patterns or behaviours that could lead to a major breach of policy or impact mission critical systems.

Here are 10 tips for getting started with an effective proactive logging and reporting system:

1. Establish acceptable usage polices

Establish policies around the use of the internet and email and make staff aware that you are monitoring and reporting on usage. This alone is an effective step towards reducing inappropriate usage, but if it’s not backed by actual reporting, employees will soon learn what they can get away with.

2. Establish your reporting requirements

Gather information on what you want to report and analyse. Ensure this supports your obligations under any laws or regulations relevant to your industry or geography.

3. Establish reporting priorities

Establish priorities and goals based on your organisation’s risk management policies. What are the most important security events that you need to be alerted to?

4. Research your existing logging capabilities

Research the logging capabilities of the devices on your network such as proxy servers, firewalls, routers and email servers and ensure they are producing an audit log or event log of activity.

5. Address shortfalls between your reporting requirements and log data

Open each log file to get a feel for what information is captured and identify any shortfalls with your reporting requirements. Address any shortfalls by adjusting the logging configuration or implementing an independent logging tool.

6. Establish log management procedures

Establish and maintain the infrastructure and administration for capturing, transmitting, storing and archiving or destroying log data. Remember that archiving reports may not be enough as sometimes you may be required to go back and extract from the raw data.

Ensure data is kept for an appropriate period of time after each reporting cycle and that the raw data related to important events is securely

Evaluate log file analysis and reporting products to make sure your log formats are supported, your reporting requirements are met and that it is capable of automated ongoing reporting.

Ensure it can be used by business users as well as specialist IT staff, removing the dependence on these busy and critical staff members.

Make sure the vendor is willing to work with you to derive value from your log data. Often a vendor that supports many different log formats will have some insight that may help you in obtaining valuable information from your environment.

8. Establish standard reporting procedures

Once a report product has been decided on, establish how regularly reports should be created, who is responsible for creating them, and who is able to view them. Store user reports in a secure location to ensure confidentiality is maintained.

9. Assign responsibilities

Identify roles and responsibilities for taking action on events, remembering that responsibility is not only the security administrator’s domain.

10. Review and adapt to changes

Because of the metamorphic nature of the security environment it is important to revisit steps 1-9 regularly and fine tune this process to get the maximum value.

Webspy is exhibiting at Infosecurity Europe 2009, held on 28th – 30th April at Earl’s Court, London.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.