In this blog post, we will unfold a challenge many organisations are faced with today: the collection and storing of log files. We will explain why it is a necessity and how your organisation can accomplish the challenge with the introduction of log management and SIEM. You will learn what the systems can do and how they can help your organisation retain a better overview of your IT systems.
Companies may find it difficult to assess whether they have lost data or been exposed to security incidents because they do not know where to look. Firewalls, anti-virus, and backup procedures are good measures, but experience tells us that it is not enough.
If a security breach happens in your organisation, you hardly have any opportunities to detect and react to it. The incidents can either be due to external parties entering the company’s systems or inappropriate behaviour from the within the company.
The reason for this uncertainty is because most organisations do not have control over how they collect and store their log files. One common misconception we have heard from many organisations is that they believe that their servers log everything, so they can just go back and look at its logs if necessary. This, however, is not the case. Some organisations may even think that since they’ve never had any problems, they don’t need any of these insights.
In the context of IT, a log file is automatically created and is a timestamped documentation of events that happen in a system, application, or asset (e.g., server). Almost every IT system produces log files.
Log files are valuable for organisations because they create a documented trail of actions, communications, and behaviour in a system, application, or asset. If a cyberattack happens, log files can be used when investigating and analysing where the attack came from and its effect on the IT infrastructure.
Log management is about collecting relevant logs from the most important systems and assets in the organisation and storing those logs in a single location. From this location, the data can be examined by the IT department. By collecting and reading the logs, they will know how the system should function on a regular basis, which means they will be able to react when they notice something unusual.
However, analysing the logs is often a manual task, which can be very time consuming and easily overlooked. Additionally, the analysis normally happens after the events have appeared, meaning that the threat can only be resolved after. A SIEM system can be the solution to this problem.
When the data has been collected in the log management system, it is important to know how we can get insights and value from the data. Security Information and Event Management (SIEM) has evolved from log management.
SIEM combines the technology in security event management and security information management. SIEM identifies, categorises, and analyses incidents and events found in log files.
A SIEM system will provide the IT department with reports on security events, such as successful and failed logins. It can also send alerts if its analysis finds that there is an ongoing event in the system, that is against the predetermined rules, which indicates a potential security issue.
One of the drawbacks with SIEM is its resource-intensive process. Because of the time and money needed, SIEM is inaccessible to many organisations. Additionally, SIEM demands that organisations are able to maintain and operate the SIEM system after implementation, which requires even more resources and a specific skill set.
At CyberPilot, we have acknowledged this challenge and have developed CyberPilot SIEM, a product that any organisation can implement. CyberPilot SIEM is a complete SIEM solution for your organisation, but it can also function as an add-on to already existing SIEM systems.
There are two key differences between the two systems. Log management is primarily used for collecting log data and SIEM is primarily used for security. A log management system can be used for security, but it is very complicated and time-consuming. The advantage of SIEM is that it does real-time analysis, and log management does not.
However, that doesn’t mean that a SIEM system is without its drawbacks. An organisation’s IT systems constantly change or get updated, which can create many false alarms in your SIEM system. This will create a lot of work for the people working on the system because it can be difficult to sort through to see what the real threat is when an alarm goes off. You can read more about the drawbacks here. Therefore, the IT department must be able to recognise what is a regular event and what is not with log management. Only when knowing what regular activity looks like, will it be possible to see when there is abnormal activity. One could say that log management is the cake, and SIEM is the frosting.
If your organisation wants to prevent, detect, and respond to security incidents, log management and SIEM is highly recommended.
One good reason to implement these is to help you comply with the GDPR. Since the two systems provide you with information on how your IT systems are used, it will give you a report on who is accessing personal data in your organisation. This monitoring process can help you achieve compliance.
However, it is important to highlight that the need for either log management or SIEM differs from organisation to organisation. If your organisation wants a system that can collect all your logs in one place, then we recommend the log management system. If you need to use logs to manage information security, we recommend SIEM. One thing to keep in mind is that log management must be implemented before you can implement a SIEM system.
Join our 2000+ subscribers and sign up for our newsletter. You will receive inspiration, tools and stories about good cyber security practice directly in your inbox. Our newsletter is sent out approximately once a month.