Log Management: Bad News, Good News
The “bad news” is that log management has failed miserably. The “good news” is that it can’t get any worse. That’s the obvious conclusion from the 2011 Verizon Data Breach Investigations Report (DBIR), which reports that NONE of the breaches investigated were detected via log analysis. This is down from a paltry 3% in last year’s report.
In a half-hearted attempt at humor, the authors of the DBIR do try to make the point that things “are only looking up from here.” I wish that were true. The reality is that we’re actually far more likely to remain in single digits for years – unless the attitude on log management and “analysis” (air quotes) changes dramatically.
Most compliance initiatives require that log files be collected, and there’s no shortage of security experts and educational institutions promoting the many benefits and use cases for logs. So it should come as no surprise that the breach investigation report found (again this year) that “good evidence of the breach usually exists in the victim’s log files…” We’re apparently doing a good job collecting log data, and that data has been useless in detecting, much less preventing, breaches.
Do the Math
If…
- The evidence of a breach is present in the logs
- The average time to breach a network is measured in days-to-weeks
- The average time to detect a breach is measured in weeks-to-months
- And zero breaches are detected via logs
How long does it take to realize that log management alone is not the answer?
The fact is that we’re dealing with massive amounts of information, and the “store and search” approach may help you achieve some level of compliance (today), but it does little to improve your security posture. Collecting logs is not the same as analyzing them: a search only finds what you already know to look for, and most organizations simply don’t have the time or expertise to search through millions (or billions) of daily log lines. When they do search, many will admit they have no idea what they’re searching for and give up.
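To make the difference between “store and search” and actual analysis concrete, here is an added example (written for this page, not code from the original post or from TriGeo). It runs over a handful of constructed OpenSSH-style auth log lines: a plain search returns every “Failed password” line and leaves the reader to draw a conclusion, while a simple detection rule keeps state per source address, raises an alert when a source hits a failure threshold inside a time window, and escalates if that same source then logs in successfully. The threshold, the five-minute window and the sample addresses are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real system). They imitate sshd
# entries as they would land in /var/log/auth.log. syslog omits the year, so
# the parser assumes 2011 below.
SAMPLE_LOG = """\
Mar  1 02:14:01 web01 sshd[2045]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  1 02:14:03 web01 sshd[2046]: Failed password for root from 203.0.113.7 port 51023 ssh2
Mar  1 02:14:05 web01 sshd[2047]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  1 02:14:08 web01 sshd[2048]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  1 02:14:11 web01 sshd[2049]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  1 02:14:15 web01 sshd[2050]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  1 02:20:40 web01 sshd[2061]: Failed password for alice from 198.51.100.5 port 40110 ssh2
Mar  1 02:20:52 web01 sshd[2062]: Accepted password for alice from 198.51.100.5 port 40111 ssh2
Mar  1 09:00:00 web01 sshd[2100]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Mar  1 09:30:00 web01 sshd[2101]: Failed password for bob from 198.51.100.9 port 40201 ssh2
Mar  1 10:00:00 web01 sshd[2102]: Failed password for bob from 198.51.100.9 port 40202 ssh2
Mar  1 10:30:00 web01 sshd[2103]: Failed password for bob from 198.51.100.9 port 40203 ssh2
Mar  1 11:00:00 web01 sshd[2104]: Failed password for bob from 198.51.100.9 port 40204 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line, year=2011):
    """Turn one sshd auth line into a dict, or None if it is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def search(lines, needle):
    """'Store and search': every line containing the needle, and no verdict."""
    return [line for line in lines if needle in line]


def detect_brute_force(lines, threshold=5, window_seconds=300):
    """Detection rule (hypothetical thresholds): alert when one source reaches
    `threshold` failed logins within `window_seconds`, and escalate to a
    high-severity alert if that source then logs in successfully."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    suspicious = set()             # sources that already crossed the threshold
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            # Drop failures older than the window relative to this event.
            while recent and (ev["ts"] - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and ev["src"] not in suspicious:
                suspicious.add(ev["src"])
                alerts.append({"severity": "medium", "type": "brute_force",
                               "src": ev["src"], "ts": ev["ts"]})
        elif ev["result"] == "Accepted" and ev["src"] in suspicious:
            alerts.append({"severity": "high", "type": "success_after_brute_force",
                           "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"search hits: {len(search(lines, 'Failed password'))}")
    for alert in detect_brute_force(lines):
        print(alert)
```

Note what the rule does and does not catch: the burst from 203.0.113.7 produces a medium alert on the fifth failure and a high alert on the following successful root login, alice's single typo produces nothing, and bob's five failures spread thirty minutes apart never accumulate inside a five-minute window. Widening the window to a few hours makes that slow attempt visible too, which is exactly the kind of tuning decision a search never forces you to make.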
Solve the Problem
We can increase (dramatically) the number of breaches detected and prevented, and next year’s report could tell an entirely different story. The “first step” is to admit there IS a problem and the next step is to give us a call.
*** This is a Security Bloggers Network syndicated blog from TriGeoSphere authored by Michael Maloof. Read the original post at: http://blog.trigeo.com/2011/log-management-bad-news-good-news/