SANS Survey: IT Not Analyzing Log Data
Added by Megan Mostyn-Brown on May 7, 2012
Topic: Security & Resiliency
The SANS Institute recently published a survey on log and event management. It finds that midsize-business IT professionals have largely solved the problem of collecting, storing, and archiving log data, but still are not putting that data to use, least of all for security analysis.
The survey makes clear that the lack of analysis is not simple neglect: most IT professionals would like to use log data more effectively. What holds them back is that the tools they have make it hard to search and normalize the data efficiently.
As any IT professional knows, different systems and devices record the same event in different formats, which makes reviewing logs across the whole estate daunting. In theory, normalization (mapping each source's fields onto a common schema) removes that pain, and to some extent it does. But many commercial log management products keep only the normalized record and discard the original, and the fields dropped during normalization are often exactly the ones an analyst needs to tell whether an attack that was detected actually succeeded.
The problem is worse for sources that collectors support poorly, such as smartphones, tablets, and cloud services. Add Windows, which does not natively emit syslog, the most widely used mechanism for shipping log data, and instead writes to its own Event Log format, and it is no wonder midsize-business IT teams have fallen behind on log analysis.
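As an added example (not part of the original post or of the SANS survey), the Python below normalizes logon records from two very different sources, an sshd line from a Linux syslog and a Windows Security event flattened to one line, into a single schema while keeping the raw line alongside the normalized fields. The sample lines, hostnames, addresses and the one-line layout of the Windows events are constructed for illustration; the meaning of Event IDs 4624 (successful logon) and 4625 (failed logon) is Windows' own. Keeping `raw` is what lets the analyst answer the questions the schema did not anticipate, which is the gap the paragraph above describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records (illustrative only, not from any real system).
# 1-2: sshd lines as they appear in a Linux syslog.
# 3-4: Windows Security events flattened to one line per event, as an agent
#      might export them; 4625 is a failed logon, 4624 a successful one.
SAMPLE_LINES = [
    "May  7 10:15:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51023 ssh2",
    "May  7 10:15:09 web01 sshd[2211]: Accepted password for deploy from 198.51.100.7 port 51030 ssh2",
    "2012-05-07T10:16:00 FS01 Microsoft-Windows-Security-Auditing EventID=4625 TargetUserName=admin IpAddress=203.0.113.5 LogonType=3",
    "2012-05-07T10:16:05 FS01 Microsoft-Windows-Security-Auditing EventID=4624 TargetUserName=jsmith IpAddress=192.0.2.44 LogonType=3",
]


@dataclass
class LogonEvent:
    source: str    # which parser produced the record
    host: str
    user: str
    src_ip: str
    outcome: str   # "success" or "failure"
    raw: str       # the original line, kept verbatim for later questions


SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
WIN_RE = re.compile(
    r"^\S+ (?P<host>\S+) Microsoft-Windows-Security-Auditing EventID=(?P<eid>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)"
)
WIN_LOGON_OUTCOME = {"4624": "success", "4625": "failure"}


def normalize(line: str) -> Optional[LogonEvent]:
    """Map one raw line onto the common schema; None if it is not a logon event."""
    m = SSHD_RE.match(line)
    if m:
        outcome = "success" if m["verdict"] == "Accepted" else "failure"
        return LogonEvent("sshd", m["host"], m["user"], m["ip"], outcome, line)
    m = WIN_RE.match(line)
    if m and m["eid"] in WIN_LOGON_OUTCOME:
        return LogonEvent("windows", m["host"], m["user"], m["ip"],
                          WIN_LOGON_OUTCOME[m["eid"]], line)
    return None


def normalize_all(lines: List[str]) -> List[LogonEvent]:
    return [e for e in (normalize(line) for line in lines) if e is not None]


def logon_summary(events: List[LogonEvent]) -> Dict[str, dict]:
    """Per source IP, across every log source: failures, successes, hosts touched.
    Because the outcome survived normalization, an IP with failures and no
    successes is an attempt that did not get in; one with both needs a look."""
    summary: Dict[str, dict] = {}
    for e in events:
        s = summary.setdefault(e.src_ip, {"failure": 0, "success": 0, "hosts": set()})
        s[e.outcome] += 1
        s["hosts"].add(e.host)
    return summary


def detail_from_raw(event: LogonEvent, key: str) -> Optional[str]:
    """Pull a field the schema does not carry (e.g. 'port' or 'LogonType') back
    out of the retained raw line. Without raw, this question has no answer."""
    m = re.search(rf"\b{re.escape(key)}[= ](\S+)", event.raw)
    return m.group(1) if m else None


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES)
    for ip, s in logon_summary(events).items():
        print(f"{ip}: {s['failure']} failed, {s['success']} ok, hosts={sorted(s['hosts'])}")
    print("source port of first failure:", detail_from_raw(events[0], "port"))
```

Run as a script it prints one line per source IP: 203.0.113.5 has two failures and no success across both web01 and FS01, which is visible only because the two sources were mapped onto the same `outcome` field, while the SSH source port and the Windows `LogonType` are still recoverable from `raw`.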
The obvious fix is for commercial log management vendors to step up. Smartphones, tablets, and cloud services are not going away any time soon: the Bring Your Own Device movement has been steadily gaining traction, and tablets are predicted to be the device of choice by 2016. It is time vendors acknowledged this change in office networks and offered log management systems that cover all of the devices IT has to oversee.
Microsoft also needs to be more syslog-friendly. It is absurd that the most popular operating system among midsize businesses and the most popular way to collect log data do not talk to each other. If Microsoft bit the bullet and shipped native syslog output, IT would not need third-party agents to translate Event Log records.
Until that changes, it is unfortunately up to IT to slog through the mess. Analyzing and presenting log data may not be as quick and easy as one would like, but it remains the most thorough way to spot discrepancies on the network. The SANS survey offers a sound suggestion: get to know your log data as soon as you start collecting it. Establish what normal looks like (which hosts log what, how much, and when), and abnormal activity becomes far easier to spot. That may mean making log data a top concern, which for some midsize-business IT departments requires rearranging priorities. Still, investing the time now to work out a process that fits your department means that collecting and analyzing will only get easier down the line.
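To make the survey's suggestion concrete, the added Python example below (not from the original post or from the survey) builds an hour-of-day baseline of failed-logon counts for one host out of constructed data and flags hours that exceed it. It also shows the caveat a practitioner will run into: if the baseline period itself contains an attack, a mean-and-standard-deviation profile absorbs the attack and stops alerting on the next one, while a median/MAD profile barely moves. The hourly counts, the 3x multiplier and the floor of one on the spread are illustrative choices, not values from the survey.

```python
import statistics
from typing import Dict, List, Optional, Tuple

BUSINESS_HOURS = range(9, 18)


def constructed_day(day: int, spikes: Optional[Dict[int, int]] = None) -> List[int]:
    """Constructed hourly failed-logon counts for one host: a business-hours
    pattern plus a small deterministic wobble, with optional injected spikes.
    Constructed data, not a real log."""
    counts = []
    for hour in range(24):
        base = 5 if hour in BUSINESS_HOURS else 0
        counts.append(base + (day * 7 + hour) % 3)
    for hour, value in (spikes or {}).items():
        counts[hour] = value
    return counts


def build_profile(days: List[List[int]], robust: bool = True) -> Dict[int, Tuple[float, float]]:
    """Per hour-of-day: (center, spread) of the baseline counts.
    robust=True uses the median and the median absolute deviation (MAD), which
    one bad day in the baseline barely moves; robust=False uses the mean and
    population standard deviation, which a single outlier inflates."""
    profile = {}
    for hour in range(24):
        samples = [day[hour] for day in days]
        if robust:
            center = statistics.median(samples)
            spread = statistics.median([abs(s - center) for s in samples])
        else:
            center = statistics.mean(samples)
            spread = statistics.pstdev(samples)
        profile[hour] = (center, spread)
    return profile


def threshold(profile: Dict[int, Tuple[float, float]], hour: int,
              k: float = 3.0, floor: float = 1.0) -> float:
    """Alert level for an hour: center + k * spread. The floor stops a quiet
    hour with zero spread from alerting on a single extra event."""
    center, spread = profile[hour]
    return center + k * max(spread, floor)


def anomalies(profile: Dict[int, Tuple[float, float]], observed: List[int],
              k: float = 3.0) -> List[Tuple[int, int]]:
    """Hours of the observed day whose count exceeds the baseline threshold."""
    return [(h, c) for h, c in enumerate(observed) if c > threshold(profile, h, k)]


# Seven clean baseline days, then a day with a 03:00 brute-force burst and a
# slightly busy 14:00 that should stay inside normal.
BASELINE = [constructed_day(d) for d in range(7)]
TODAY = constructed_day(7, spikes={3: 40, 14: 9})

# A baseline that accidentally includes an attack day, then a smaller burst later.
POISONED = BASELINE + [constructed_day(7, spikes={3: 40})]
LATER = constructed_day(8, spikes={3: 20})

if __name__ == "__main__":
    print("clean baseline, robust:  ", anomalies(build_profile(BASELINE), TODAY))
    print("poisoned baseline, robust:", anomalies(build_profile(POISONED, robust=True), LATER))
    print("poisoned baseline, mean:  ", anomalies(build_profile(POISONED, robust=False), LATER))
```

Against the clean baseline only the 03:00 burst is reported; 14:00 sits exactly at the threshold and is left alone. Once the attack day is inside the baseline, the mean-based profile for 03:00 rises far enough that a later burst of 20 passes as normal, whereas the median/MAD profile still reports it. The practical lesson is to review the baseline window by hand before trusting it, and to prefer robust statistics when you cannot be sure it is clean.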
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.