What Your Event Log Manager Isn't Telling You

Somewhere along the way, it became a best practice for administrators to configure event logs to capture as much data as possible. This wide-net approach provides a sense that nothing will slip through the cracks if every event is captured. However, the vast quantities of data generated this way make it more difficult—not easier—to spot threats and remain compliant.

Turn Down the Volume

So how should administrators go about reducing the noise and focusing on capturing meaningful data? The answer is event log management (ELM). The National Institute of Standards and Technology (NIST) defines ELM as “the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.” In practice, that means deciding what data you need to capture, the best way to capture it, and how long you need to retain it for compliance—and then choosing the software, hardware, and policies needed to carry that out.

Start at the End

One approach suggested by CSO Online is to quiet the noise by working backward: define the events that are clearly malicious, then configure your ELM solution to alert on those events. For example, set up alerts for:

  • A user being added (including adding themselves) to the Domain Admins group
  • Unusual login times, like 2:00 am on a Saturday
  • Servers connecting that are not set up to connect
  • Large files sent to an unfamiliar location

The idea is to think through potentially malicious scenarios and set an alert for each one. However, this approach requires the knowledge and experience to see your IT infrastructure through a security-focused lens.
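The first two list items above, worked through as detection logic; this is an added example, not code from the original article. It runs over a handful of constructed records that stand in for Windows Security log entries (event 4728 is a member being added to a security-enabled global group such as Domain Admins, 4624 a successful logon); the field names and the business-hours window are assumptions made for the example.

```python
from datetime import datetime

# Constructed, simplified records standing in for Windows Security log entries
# (not real logs). 4728 = member added to a security-enabled global group;
# 4624 = successful logon. The field layout is an assumption for this example.
SAMPLE_EVENTS = [
    {"id": 4728, "time": "2024-03-12T09:14:00", "subject": "jdoe",
     "member": "jdoe", "group": "Domain Admins"},            # self-add
    {"id": 4728, "time": "2024-03-12T10:02:00", "subject": "admin1",
     "member": "svc_backup", "group": "Backup Operators"},   # not watched
    {"id": 4624, "time": "2024-03-16T02:00:00", "subject": "jdoe"},   # Saturday 02:00
    {"id": 4624, "time": "2024-03-13T08:45:00", "subject": "asmith"},  # Wednesday, office hours
]

WATCHED_GROUPS = {"Domain Admins"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 (assumed window)
WEEKDAYS = range(0, 5)          # Monday-Friday


def check_group_add(ev):
    """Alert on any addition to a watched group; flag self-additions separately."""
    if ev["id"] != 4728 or ev["group"] not in WATCHED_GROUPS:
        return None
    kind = "self_added_to_admins" if ev["subject"] == ev["member"] else "added_to_admins"
    return (kind, ev["subject"], ev["member"], ev["group"])


def check_logon_time(ev):
    """Alert on successful logons outside weekday business hours."""
    if ev["id"] != 4624:
        return None
    t = datetime.fromisoformat(ev["time"])
    if t.weekday() in WEEKDAYS and t.hour in BUSINESS_HOURS:
        return None
    return ("off_hours_logon", ev["subject"], t.strftime("%A %H:%M"))


def run_alerts(events):
    """Apply each detection to every event; only clearly suspicious events raise alerts."""
    alerts = []
    for ev in events:
        for check in (check_group_add, check_logon_time):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_alerts(SAMPLE_EVENTS):
        print(alert)
```

Of the four records, only the self-addition to Domain Admins and the Saturday 02:00 logon produce alerts; the routine group change and the weekday logon stay quiet, which is the point of working backward from clearly malicious events.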

Put More Effective Technology to Work

For companies without the experience or a dedicated IT team, or with IT departments already overwhelmed by the ever-growing demands placed on today’s technology staff, a monitoring solution can make the difference between an unwatched data deluge and genuine security and compliance. These solutions offer focused, around-the-clock network security monitoring that detects network intrusions; malware, spyware, and ransomware; botnet infections; internal host-to-host attacks; data exfiltration; and more, with real-time alerting and reporting.

What You Can’t Find in the Data Deluge Can Hurt You

If you consider how much informative data is available in your log files, it is surprising that so many organizations take a lackadaisical approach to ELM. Perhaps the reality is that many companies lack the resources or experience to put toward effective ELM. If that is the case, it is well worth investing in technology that helps ensure you are secure and compliant.