Technology: New Logs Show Who’s There
In tough neighborhoods, when there’s a knock on the door, street smart people don’t unlatch the deadbolt until they know who’s there.
In the computer world, log management aims to identify who's knocking and to verify that the person should be allowed access. With smartphones and other devices adding to the access points, IT staffs are working to keep up.
As demands for effective log management have increased, prompted by security and compliance issues, the $1.6 billion FAIRWINDS Credit Union in Orlando, Fla., decided it was time for some new approaches to log management.
“There were a lot of reasons,” said Ted Spero, vice president of technology at FAIRWINDS. “We were using a hardware appliance for log aggregation and log monitoring, and as with any equipment there are limits to the lifetime of a device. We were getting close to the end of the expected life of that particular product.”
Spero said it was time to reevaluate what was out there in the market. The credit union relied heavily on general industry reports and expert analysis, he added.
While FAIRWINDS was dealing with a huge number of logins, at the same time the credit union had a significant amount of local storage so it could cope with that volume. Even so, the credit union did want to consider storage capacity, since at some point there would be a limit.
Responding to what seemed like a simple request would sometimes present a challenge, according to Spero. For example, say an employee left the credit union six months ago. A report is needed showing every time that employee logged in and out of a machine on the credit union’s network.
“As simple as it sounds, that kind of request was difficult for us,” Spero explained. “The important thing was to have centralized log management with information from all the devices in one place, and a powerful reporting engine which can generate output not only for regular analysis but also specialized requests.”
Spero said these functions would tie together to produce a pretty detailed management program that can document any incidents found either proactively or as result of regular monitoring of the log aggregation output report.
Log aggregation also helped when a developer’s credentials kept locking him out from work he needed to do. Perhaps there were 50 or 60 servers involved in the project, and it was frustrating to check the logs of each server manually to find the problem. With log aggregation, it’s actually very easy to identify the glitch, the credit union discovered. Overall, Spero sees log management as one piece of a more comprehensive security strategy. Still, it can’t be the only tool in the arsenal. At FAIRWINDS the tracking tool works closely with other approaches such as early intrusion detection.
“We monitor very closely all of our member-facing channels such as online banking. We tie that together with virus detection, malware detection and surveillance,” Spero said. “We can see what’s happening in real time at an ATM, for example.”
Keeping on top of this, he continued, has a lot to do with sophisticated event correlation and reporting. Most of the logs generated every day are pretty innocuous, and the credit union wants to focus on events that are important. That demands a reporting and analytics engine intelligent enough to understand which log entries are significant.
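The three needs described above (the report of every login and logout for a departed employee, finding which of dozens of servers is locking a developer out, and a correlation step that surfaces only the significant entries) can be illustrated with a small script over centralized logs. The Python below is an added example, not FAIRWINDS' own tooling or any vendor's product; the log line format, host names, user names and addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: authentication events from several hosts, already
# collected into one place, which is the point of log aggregation.
SAMPLE_LOGS = """\
2024-03-01T08:02:11Z host01 auth: LOGIN user=jdoe src=10.0.5.21 result=success
2024-03-01T08:45:03Z host01 auth: LOGOUT user=jdoe
2024-03-01T09:10:44Z host07 auth: LOGIN user=jdoe src=10.0.5.21 result=success
2024-03-01T09:11:02Z host07 auth: LOGIN user=asmith src=10.0.5.30 result=success
2024-03-01T12:30:00Z host07 auth: LOGOUT user=jdoe
2024-03-02T07:58:19Z host12 auth: LOGIN user=devbuild src=10.0.9.4 result=failure reason=bad_password
2024-03-02T07:58:20Z host12 auth: LOGIN user=devbuild src=10.0.9.4 result=failure reason=bad_password
2024-03-02T07:58:21Z host12 auth: LOGIN user=devbuild src=10.0.9.4 result=failure reason=bad_password
2024-03-02T07:58:22Z host12 auth: LOCKOUT user=devbuild src=10.0.9.4
2024-03-02T07:59:00Z host03 auth: LOGIN user=devbuild src=10.0.9.50 result=success
"""

# Hypothetical line format: "<timestamp> <host> auth: <EVENT> key=value ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<event>LOGIN|LOGOUT|LOCKOUT)"
    r"(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "event": m["event"],
    }
    for kv in m["kv"].split():
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def parse_logs(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def session_report(records, user):
    """The former-employee request: every login and logout for one user,
    across all hosts, in time order."""
    return [
        (r["ts"].isoformat(), r["host"], r["event"])
        for r in sorted(records, key=lambda r: r["ts"])
        if r.get("user") == user and r["event"] in ("LOGIN", "LOGOUT")
    ]


def lockout_sources(records, user):
    """The locked-out developer: which hosts locked the account, and which
    source addresses the failed attempts came from. A single repeating source
    usually points at where a stale credential is being retried."""
    per_host = defaultdict(lambda: {"lockouts": 0, "failed_from": set()})
    for r in records:
        if r.get("user") != user:
            continue
        if r["event"] == "LOCKOUT":
            per_host[r["host"]]["lockouts"] += 1
        elif r["event"] == "LOGIN" and r.get("result") == "failure":
            per_host[r["host"]]["failed_from"].add(r.get("src"))
    return dict(per_host)


def significant_events(records, threshold=3, window_s=60):
    """Event correlation: instead of reporting every line, surface lockouts
    and bursts of `threshold` failed logins for one user/source pair inside
    `window_s` seconds."""
    flagged = []
    recent_failures = defaultdict(list)  # (user, src) -> timestamps in window
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "LOCKOUT":
            flagged.append(("lockout", r["host"], r["user"]))
        elif r["event"] == "LOGIN" and r.get("result") == "failure":
            stamps = recent_failures[(r["user"], r.get("src"))]
            stamps.append(r["ts"])
            while stamps and (r["ts"] - stamps[0]).total_seconds() > window_s:
                stamps.pop(0)
            if len(stamps) == threshold:
                flagged.append(("failure_burst", r["host"], r["user"]))
    return flagged


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    print("jdoe sessions:", session_report(records, "jdoe"))
    print("devbuild lockouts:", lockout_sources(records, "devbuild"))
    print("significant:", significant_events(records))
```

Of the ten constructed lines, only two are surfaced by the correlation step, which is the filtering the article describes: the innocuous majority stays in storage for later queries, while the report shows the lockout and the burst of failures that preceded it.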
“The big benefit for us has been enhancing the security of our infrastructure,” Spero said. “Being able to quickly identify any kind of problem so we don’t have to do it manually is hugely important to us. The biggest thing, whether it’s log management or any other security device, is not forgetting about the big picture.”
The credit union also performs internal vulnerability scans and external vulnerability scans and is starting to go as far as monitoring some of its cloud-based applications proactively on a minute-by-minute basis, Spero said.
Barriers, as well as the costs to maintain log management, are coming down, according to Christian Beedgen, co-founder and chief technology officer at Sumo Logic, a log management and analytics company in Mountain View, Calif.
While there is plenty of information available, the challenge is that the information may not be properly formatted, he said, adding that effective log management requires timely collection and interpretation.
“If you look at the past couple years, there are more and more devices, more and more applications, more and more data. It’s growing exponentially,” Beedgen said.
“That’s a lot of information, a lot of data. Over the last couple years, there’s been a move to connect all the logs. The challenge is it needs to be formatted to allow timely collection and interpretation. People have spent a lot of time on this.”
In a paper for security and risk professionals on identity and access management, Eve Mailer, a security and risk principal analyst at Forrester Research, notes that at many businesses, all functions are no longer contained within a company's boundaries.
A credit union, for example, may be sharing information with an external business partner. The credit union wants strict access controls, but it doesn’t control the partner’s processes. Then there’s the issue of cloud applications, which the credit union doesn’t directly control.
“We see some companies synchronizing user accounts to external apps on a relatively infrequent schedule through insecure file transfer protocol, or relying entirely on ‘front-door’ authentication for access to wide swaths of app functionality,” Mailer noted.
“Organizations can lose all visibility into access events whenever users can access a SaaS-based (Software as a Service, an online or network-based application) business function through the open Internet from an unmanaged device or network without touching ‘home base’ infrastructure,” according to the Forrester research paper.