Cyber Security Institute

Monday, February 27, 2012

Log management deserves a company’s respect

Keeping and maintaining data logs is a corporate best practice and, in many cases, when you consider regulation and industry standards, it's the law.
Still, few companies take advantage of the benefits of log maintenance when it comes to detecting and responding to data breaches. In fact, according to Verizon's 2011 Data Breach Investigations Report, less than one percent of the breaches analyzed were discovered through log analysis, while 69 percent of those breaches were detectable via log evidence.

What this signals is that companies either don't maintain the logs needed to identify unusual system behavior, or they do and simply fail to take advantage of them. Cost and lack of resources are the usual explanations, but perhaps the most important factor is a general lack of understanding among key decision makers about the value of log maintenance and analysis.

As mentioned, there are reasons as to why organizations fail to keep adequate logs: expense, resources, etc.  However, logs of any kind can be useful in security analysis, and are invaluable to reconstructing the events of an intrusion.

While there are limits to how long logs should be kept for legal reasons, legal counsel can help you determine what is appropriate.  Maintaining logs is an important step in regulatory and standards compliance.

For example, the HIPAA Security Rules require covered entities to regularly review information system activity through records such as audit logs, access reports and security incident tracking reports.

Logs won't tell you directly that you've had a breach, but unusual or abnormal occurrences within the log activity will: abnormalities in log entries can reveal an intrusion or unauthorized use of data.
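To make the point concrete, here is an added example (written for this page, not code from the original post) of the kind of abnormality a reviewer looks for: a successful login that follows a burst of failed attempts for the same account from the same source. The sshd-style log format, the addresses, the threshold and the time window are all assumptions; the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-style auth-log format (not real data).
SAMPLE_LOG = """\
2012-02-27T02:13:01 sshd[101]: Failed password for admin from 198.51.100.7
2012-02-27T02:13:03 sshd[101]: Failed password for admin from 198.51.100.7
2012-02-27T02:13:05 sshd[101]: Failed password for admin from 198.51.100.7
2012-02-27T02:13:08 sshd[101]: Failed password for admin from 198.51.100.7
2012-02-27T02:13:10 sshd[101]: Failed password for admin from 198.51.100.7
2012-02-27T02:13:12 sshd[101]: Accepted password for admin from 198.51.100.7
2012-02-27T09:15:00 sshd[202]: Accepted password for alice from 192.0.2.10
2012-02-27T09:20:00 sshd[203]: Failed password for bob from 192.0.2.11
2012-02-27T09:20:30 sshd[203]: Accepted password for bob from 192.0.2.11
"""

# Assumed line layout: "<ISO timestamp> sshd[<pid>]: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(r"^(\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)$")

def parse(text):
    """Turn raw log text into (timestamp, outcome, user, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not match are skipped; a real pipeline should count them
        ts, outcome, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), outcome, user, src))
    return events

def find_suspicious_logins(events, threshold=4, window=timedelta(minutes=5)):
    """Flag an accepted login preceded by at least `threshold` failures for the
    same (user, source) inside `window`: a pattern that deserves a closer look."""
    findings = []
    recent_failures = defaultdict(list)  # (user, source) -> timestamps of failures
    for ts, outcome, user, src in events:
        key = (user, src)
        # Keep only failures that are still inside the sliding window.
        recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
        if outcome == "Failed":
            recent_failures[key].append(ts)
        elif len(recent_failures[key]) >= threshold:
            findings.append({"user": user, "source": src, "time": ts.isoformat(),
                             "failures_before_success": len(recent_failures[key])})
            recent_failures[key].clear()
    return findings

if __name__ == "__main__":
    for f in find_suspicious_logins(parse(SAMPLE_LOG)):
        print("review:", f)
```

On the sample data the check flags the `admin` login at 02:13:12 (five failures in the preceding eleven seconds) and leaves the ordinary daytime logins alone; the same structure works for any log source once the parser is adapted.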

Inadequate or nonexistent logging may contribute to a breach-notification obligation in the event of an intrusion. You would never think of not logging your company expenses, lest you become the subject of an IRS audit.

Posted on 02/27