IT systems in today’s world are churning out more and more logs, and the challenge of storing, managing, and analysing them has been pushed to the forefront of the IT security industry. Largely this is thanks to the advent of legislation like GDPR and a focus on the growing complexity of threat actors. Although the task itself seems relatively simple, having a robustly defined log-management strategy takes a business from an ‘in case of emergency’ mentality, where we statically store logs in a database somewhere, only to pull out and examine when a breach occurs, to one where active log investigation leads the security defence.
If you’re reading this and thinking, “I haven’t the first clue about starting a log management regime”, then fear not. The NCSC (National Cyber Security Centre) have released a seriously in-depth guide to help you. It is something that will take a little while to read, but the guidance is perfect to helping a business put the right foot forward in terms of getting their logs together. Once you’ve followed the steps laid out, the next question in front of you is: how do I get the most out of doing this?
It should be no surprise to any statisticians out there that the next step is this: once we’ve pooled all our data together, the way we interrogate it is through analytics. For us in the security industry, this process is done through Security Incident & Event Management tools (SIEM). For anyone unfamiliar with SIEM tools, I go into more detail in a previous blog. Setting up and getting the most out of this is not a small task. Deploying a SIEM requires having a Security Operations Centre (SOC), which in a majority of cases is a 24/7 facility requiring 10+ good security analysts to run and investigate events. After that there’s tweaking key performance indicators such as Mean Time To Identify (MTTI), Mean Time To Resolution (MTTR), and incident response policy effectiveness. For businesses that have the breadth and budget to operationalise this, it quickly becomes one firm stride into security excellence, and one large safety net for day-to-day IT operations.
And it can be. In house SIEMs done properly are high-cost, high-reward engagements and balancing infrastructure purchase costs with expensive SOC analysts means that for some organisations in the SMB market, the dream of having a SIEM appears unobtainable. This is where Softcat can demonstrate our value. Softcat’s Managed SIEM service allows you to enjoy the peace of mind that knowing every single log your estate generates is being analysed to protect you, without having to invest six figure sums just to get it off the ground. As security becomes more and more prevalent, and as attack vectors increase in complexity, having our team comb your logs for any sign of compromise means you can focus on driving your business forward, enjoying all the benefits your infrastructure affords.
If reading this has got you thinking, or you feel like it’s time to make a change within your log management strategy, please get in touch with your account management team. If you’ve not spoken to Softcat before, please reach out via the button below.
We would love to hear any comments you have about this article!