
April 4, 2023 Dana Torgersen

What is log management in security?

Log management for security

Cyber crimes are expected to cost the world roughly $10.5 trillion per year by 2025, according to Cybersecurity Ventures. And these attacks don’t just cost money. Businesses impacted by these kinds of crimes can expect to experience not only financial losses but also loss of productivity, damage to their reputation, potential legal liabilities and more.

Instituting an effective log management and log analytics system as a part of your overall cybersecurity plan is an effective way to minimize the potential of threats and shorten recovery time by offering real-time insight into your apps, systems, and potential security events. Discover how security fits into your overall log management process and how a unified approach can help your team troubleshoot security and reliability issues.

Before looking at log management in cybersecurity specifically, it’s critical to understand log management in general. Log management refers to the processes and tools involved in the collection, storage, and management of log data—often from disparate sources into a single system. Another critical component of log management is log analytics. This term refers to the analysis of log data to extract insights and generate information, with the end goal of improving organizational efficiencies, empowering troubleshooting, and monitoring system health and performance.

What is log management in cybersecurity?

Log management in cybersecurity refers to the practices around both log management and log analytics specific to security events like errors, logins, data access or other potential threat indicators. Security Operations (SecOps) and DevOps teams can use the details and information from log files to monitor activities within their technology stack, identify potential policy violations and watch for suspicious or fraudulent activity.

Yet, these tasks aren’t easy with the hundreds of terabytes of log files across disparate systems that many enterprise organizations have. Implementing an effective end-to-end log management system like Sumo Logic empowers DevSecOps teams to collect, monitor and analyze all of their logs in one place.

What is in a security log?

At a high level, the data stored in a security log should include everything a cybersecurity team may need to monitor for suspicious behavior and respond to security events as quickly and efficiently as possible. Typically, this means a security event log should include:

  • Date and time, normalized and synchronized across systems

  • User and/or device ID

  • Network address and protocol

  • Location, when possible

  • Error code, when applicable

  • Event or activity

  • Log or severity level

With that in mind, you may be wondering what types of security logs you need. While every organization will ultimately choose the kinds of event logs to track, this is a security event log example list to help you get started.

  • Changes in user privileges

  • Denial of service (DoS) attacks

  • Data exports

  • Errors on network devices

  • Failed authentication requests

  • File integrity or name changes

  • Firewall scans

  • Hardware activity spikes (CPU, RAM, Network)

  • Login failures

  • Malware detections

  • Modified registry values

  • New device logins

  • New service installations

  • New user accounts

  • Password changes

  • Unauthorized logins

  • USB drive access
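The two lists above describe what a normalized security record should contain and which events are worth tracking. The following is an added example (not code from this post or from Sumo Logic) that shows the practical side of "date and time, normalized and synchronized across systems": it parses two constructed log formats, a classic syslog line without year or timezone and an application line with a UTC offset, maps both onto one schema with the fields listed above, and then runs a simple "failed authentication requests" detection over the merged timeline. The host-to-offset table, the year constant, the field names and the sample lines are all assumptions made for illustration.

```python
"""Normalize heterogeneous security log lines into one schema and run a simple
failed-authentication detection over them (added example, not Sumo Logic code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Hypothetical per-host timezone table: syslog lines carry no UTC offset, so the
# collector must know each host's local offset to synchronize timestamps.
HOST_UTC_OFFSET_HOURS = {"web01": -5, "db01": +1}
SYSLOG_YEAR = 2023  # classic syslog timestamps omit the year; assumed here

# Constructed sample input: an SSH daemon on web01 (local time, UTC-5) and a
# web application that already logs with an explicit UTC offset.
SAMPLE_LINES = [
    "Apr  4 09:12:01 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51022 ssh2",
    "Apr  4 09:12:09 web01 sshd[2211]: Failed password for alice from 203.0.113.7 port 51030 ssh2",
    "2023-04-04T14:13:20+00:00 level=WARN event=auth_failure user=alice src=203.0.113.7 proto=https code=401 host=app01",
    "Apr  4 09:15:44 web01 sshd[2250]: Accepted publickey for bob from 198.51.100.9 port 40022 ssh2",
    "2023-04-04T14:30:00+00:00 level=INFO event=auth_success user=bob src=198.51.100.9 proto=https code=200 host=app01",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<proc>[a-z]+)\[\d+\]: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line):
    """Parse a syslog-style line; convert its local, year-less timestamp to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    naive = datetime.strptime(f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    offset = timezone(timedelta(hours=HOST_UTC_OFFSET_HOURS.get(m["host"], 0)))
    ts = naive.replace(tzinfo=offset).astimezone(timezone.utc)
    rec = {"ts": ts, "device": m["host"], "user": None, "src_ip": None,
           "protocol": "ssh" if m["proc"] == "sshd" else m["proc"],
           "event": "other", "severity": "info", "code": None}
    f = SSH_FAIL_RE.search(m["msg"])
    if f:
        rec.update(user=f["user"], src_ip=f["ip"], event="auth_failure", severity="warn")
    return rec


def parse_app(line):
    """Parse an ISO-timestamped key=value application line into the same schema."""
    ts_str, _, rest = line.partition(" ")
    try:
        ts = datetime.fromisoformat(ts_str).astimezone(timezone.utc)
    except ValueError:
        return None
    kv = dict(KV_RE.findall(rest))
    return {"ts": ts, "device": kv.get("host"), "user": kv.get("user"), "src_ip": kv.get("src"),
            "protocol": kv.get("proto"), "event": kv.get("event", "other"),
            "severity": kv.get("level", "info").lower(), "code": kv.get("code")}


def normalize(lines):
    """Map every recognized line onto the common schema and order by UTC time."""
    out = []
    for line in lines:
        rec = parse_syslog(line) or parse_app(line)
        if rec:
            out.append(rec)
    out.sort(key=lambda r: r["ts"])
    return out


def detect_auth_failures(records, threshold=3, window=timedelta(minutes=5)):
    """Return {user: count} for users with >= threshold auth failures in any sliding window."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == "auth_failure" and r["user"]:
            by_user[r["user"]].append(r["ts"])
    alerts = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                alerts[user] = j - i
                break
    return alerts


if __name__ == "__main__":
    for rec in normalize(SAMPLE_LINES):
        print(rec["ts"].isoformat(), rec["device"], rec["event"], rec["user"], rec["src_ip"])
    print("alerts:", detect_auth_failures(normalize(SAMPLE_LINES)))
```

Without the timezone normalization, the two SSH failures (logged at 09:12 local time) and the web application failure (14:13 UTC) would look hours apart and the three-failure rule would never fire; once all sources share a UTC clock the detection sees them as one 79-second burst from the same user and address.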

Why is log management important to security?

Log management offers many important benefits to organizations.

  • Accessing visibility across the entire enterprise: With an end-to-end log management system like Sumo Logic, your organization can aggregate log data into a single source of truth. This allows you to monitor and detect security events quickly and easily in real-time. Log management and analytics platforms empower SecOps teams to perform log analysis, develop threat detection alerts, build dashboards and share findings.

  • Detecting and recovering from threats more quickly: When a security event—or a potential security event—occurs, every second counts. Security logs allow your security analysts to more efficiently investigate the root cause of issues so they can move to respond and recover as quickly as possible. What’s more, logs help you recover essential information and files or reverse changes before employees or customers notice any issues.

  • Following security logging best practices: Log management in cybersecurity is considered critical by many organizations. For example, the Center for Internet Security (CIS) includes audit log management in its 18 CIS Critical Security Controls. Specifically, CIS highlights log management for its ability to help your business “detect, understand or recover from an attack.” Additionally, the National Institute of Standards and Technology (NIST) offers Special Publication 800-92, the Guide to Computer Security Log Management. NIST lays out log management best practices for infrastructure, planning and operational processes.

  • Meeting compliance requirements: You may be required to meet various logging and security requirements, as laid out in standards like the Federal Risk and Authorization Management Program (FedRAMP™), Federal Information Security Modernization Act (FISMA), Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), International Organization for Standardization (ISO) 27001, and Payment Card Industry Data Security Standard (PCI DSS).

Sumo Logic: because security matters

At Sumo Logic, we understand that security is one of the essential building blocks of most digital-first enterprises. Our platform helps security and operations professionals to make better sense and gain insights from their logs in real-time. With Sumo Logic, you can:

  • Consolidate reliability and security functions in a single cloud-native SaaS platform

  • Troubleshoot issues as quickly as possible

  • Build custom alerts to immediately identify potential outliers or malicious issues

  • Access robust search and querying to accelerate threat detection

  • Use community analytics with Global Intelligence Service to enable benchmarking against peers

  • Use a secure platform with security certifications including SOC 2 Type 2, PCI-DSS, HIPAA and an available FedRAMP™ Moderate authorized offering

Ready to learn more? We invite you to explore our cloud security analytics offering to learn more about our log management and security offerings.


Dana Torgersen

Senior Director, Security Product Marketing, Sumo Logic

Dana leads product marketing for Sumo Logic security solutions. He is a 17-year veteran in the information security industry with expertise in cloud threat detection and SIEM tools, endpoint detection and response, and network security technologies—including firewalls, web protection, and email security. Before joining Sumo Logic, Dana held product and technical marketing roles at JASK, Malwarebytes, Illumio, Palo Alto Networks, Intel Security, McAfee, and Secure Computing. You can follow him on Twitter @DaToTweet
