Log management – it’s not just for compliance anymore

LogLogic, Inc. | www.loglogic.com


In your efforts to ensure SOX (or PCI/DSS, or…) compliance, you’ve set up a log management solution. Systems across your enterprise are churning out logs that are being stored securely, reported on and analyzed. Your boss is happy. Your auditor is … gone. So, until the next audit, what are you going to do with all of those logs?

Compliance has been the major force behind log management initiatives. But once the log management solution is in place, many companies find that good log management solutions, such as LogLogic, have unexpected and valuable uses across the enterprise.

LogLogic goes beyond just compliance, giving you the tools to use the logs that are being generated for a myriad of uses. Think of it as Compliance+. The logs already being generated by your systems, from firewalls to HR applications, can be used for a variety of use cases, including:

•    Logging for eDiscovery: Use the logs being generated across your enterprise to quickly discover information about users and systems in order to satisfy legal investigations and auditor requests.
•    User activity tracking & data leak prevention: Use proxy logs to track who is accessing what on the network and detect potential data leaks, both malicious and accidental.
•    Database monitoring: Use the logs generated by your database to audit database activities and monitor database access for change management, security and threat management, business continuity and more.

Make the most out of your log management system – and your logs – by putting them to work in areas beyond compliance. You’ll improve network availability and security, cut costs, boost IT staff productivity, improve business continuity and more – all through the logs your system is already generating.

Log Management for eDiscovery: Finding the needle(s) in the haystack

Whether coming from attorneys involved in an investigation or lawsuit, or from an auditor wanting specific pieces of electronic information for her survey, eDiscovery requests are not limited to finding email correspondence from a particular user. Rather, these requests can encompass the collection of all types of electronic information, including email, scanned documents, user activity information and more. How do you easily access all of this information? The answer is simple. Logs.

Logs contain the kinds of information that investigators and auditors are looking for: what emails were sent and when, data on network activity, which applications were accessed, when and by whom, and much more. If the logs are stored on tapes sitting in a warehouse, or the data is scattered across multiple production systems throughout the enterprise, it would simply take too long to find the information. By using a log management solution, such as LogLogic, you are able to search through the terabytes of data flowing through your corporate network efficiently and effectively, enabling you to find the piece (or pieces) of data – the needle(s) in the haystack – and satisfy or contest the request.

So, how do you make your logs discoverable? For successful eDiscovery, logs must be:
•    Raw and unmodified, just as they come from the original sources
•    Collected and stored securely and reliably
•    Searchable by keywords like user, email, file name, etc.
•    Easy and fast to locate

An LMI solution such as LogLogic can help to ensure your company is prepared for any eDiscovery requests that come your way. Using LogLogic, your logs are stored in a secure, central repository in their original form, completely unmodified. Storing logs in a remote appliance ensures you can establish a means to prevent modifications to the logs, either malicious or unintentional. And by defining and enforcing a corporate log retention policy, you’ll have the logs at your disposal when you need them, enabling you to search for historical data if necessary. LogLogic provides you with the ability to search these stored logs based on a variety of search parameters, including by username, IP address or activity type. And because the information is stored in the appliance, you’ll have blazing fast results, without slowing down your production systems. Simply saving all your raw logs for a documented period of time will make any eDiscovery request simpler.

Using a log management system for eDiscovery will give you fast, searchable access to information from throughout your enterprise, ensuring you find the information you need in a timely fashion, and reducing the possibility of fines or other legal ramifications.

If you can do just one thing for eDiscovery:
Save ALL raw logs and store them for a documented period of time. LogLogic enables you to store your raw logs safely and securely, and search them quickly when you need to.

Log Management for User Activity Tracking and Data Leakage Prevention: Locate and respond to potential leaks, both malicious and accidental

Data leakage prevention (DLP) is important to all organizations. Most organizations have established policies on how information enters and leaves the company’s systems in order to ensure that sensitive information doesn’t get into the wrong hands. Web proxy servers provide an ideal way to monitor what information is exiting the company, either by individuals with malicious intent or those merely skirting security policies for the sake of convenience.

Web proxy solutions, such as Squid, Blue Coat and ISA, store, pass, block, authenticate and secure web traffic, and can provide logs on what is entering, or leaving, your network, by whom, and how it was done. Information such as a user’s web activity, application HTTP activity, web-enabled malware traffic and proxy performance metrics are all contained in the proxy logs. This information can help IT departments track user activity to ensure that data is not leaked.

Typical proxy log files include a time stamp, the user name, browser type, destination URL, HTTP method and response code and more. Valuable for security, compliance and operations alike, proxy logs let you see who’s been on what sites, what they’ve done on those sites, and how often the sites were visited. Use proxy logs to:
•    Identify web access policy violations
•    Monitor user activity
•    Track internal spyware and malware
•    Detect web client attacks
•    Track server attacks by hackers from inside
•    Detect IP theft and information leakage
•    Measure proxy performance

Discover this information by searching the proxy logs for POST requests along with specific document content-types (e.g. MS Excel, PowerPoint, etc), looking for uploads to unusual ports, unusual sites (especially those with unresolved IPs), webmail, or for sensitive document names or file types. By using your proxy logs to your advantage you can track user activity and prevent data leakage easily and quickly.

Example: Ensuring company compliance with document security policies
A company wants to ensure that internal policies prohibiting the use of personal email to send company documents are followed throughout the organization. Even employees not intending harm, but simply wanting to avoid logging into a VPN when they are working from home in the evening, might send a document to themselves using their personal email, in violation of internal policies and presenting a significant security concern. The file could be intercepted in transit beyond the company’s firewall, or it could become accessible to people outside the company once on the employee’s external email server. By using proxy logs IT staff can discover these kinds of behaviors and the company can act on them. How do they do it? When a file is attached via webmail, the file is forwarded from your computer to the webmail server. These commands are executed by the originating computer and recorded in a specific order in a proxy log. Using LogLogic you can search through these proxy logs for document type, name or specific request, enabling you to pinpoint the employee violating company security policies and improve data security across the corporate network.

If you can do just one thing for DLP:
Search proxy logs for sensitive file names or file types and POST request type to identify potential data leaks in the corporate network.
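The proxy-log search described above (POST requests carrying a document content-type, a document file name or a sensitive word, with the webmail destination noted), as an added example that is not LogLogic’s code. The log lines are constructed in Squid’s native access.log field order; the webmail host list and the sensitive words are assumptions you would replace with your own.

```python
"""Flag document uploads in proxy logs (added example, not LogLogic code).
Lines follow Squid's native access.log field order; the sample below is constructed:
  time elapsed client code/status bytes method URL user peer/host content-type
"""
import re
from urllib.parse import urlsplit

DOC_CONTENT_TYPES = {"application/vnd.ms-excel", "application/vnd.ms-powerpoint",
                     "application/msword", "application/pdf"}  # office/PDF types
DOC_EXTENSIONS = (".xls", ".xlsx", ".ppt", ".pptx", ".doc", ".docx", ".pdf")
WEBMAIL_HOSTS = {"mail.example.net", "webmail.example.org"}  # assumption: your own list
SENSITIVE_WORDS = ("confidential", "payroll", "customer")    # assumption: from your policy

SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>\S+)\s+(?P<ctype>\S+)$"
)

def parse_line(line):
    m = SQUID_RE.match(line.strip())  # None for lines not in Squid native format
    return m.groupdict() if m else None

def suspicious_uploads(lines):
    """One finding per POST/PUT carrying a document type, document name or sensitive word."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] not in ("POST", "PUT"):
            continue
        parts = urlsplit(rec["url"])
        host, path = (parts.hostname or ""), parts.path.lower()
        reasons = []
        if rec["ctype"] in DOC_CONTENT_TYPES:
            reasons.append("document content-type " + rec["ctype"])
        if path.endswith(DOC_EXTENSIONS):
            reasons.append("document file name " + path.rsplit("/", 1)[-1])
        if any(word in path for word in SENSITIVE_WORDS):
            reasons.append("sensitive word in request path")
        if reasons:  # record the destination so an upload to webmail stands out
            findings.append({"user": rec["user"], "client": rec["client"], "host": host,
                             "webmail": host in WEBMAIL_HOSTS, "reasons": reasons})
    return findings

SAMPLE_LOG = """\
1306281600.123    512 10.1.2.3 TCP_MISS/200 1840 POST http://mail.example.net/upload/Q2_forecast.xlsx jsmith DIRECT/203.0.113.10 application/vnd.ms-excel
1306281602.789    200 10.1.2.9 TCP_MISS/200 220 POST http://mail.example.net/login - DIRECT/203.0.113.10 text/html
1306281603.000    900 10.1.2.5 TCP_MISS/200 5120 POST http://files.example.org/api/send rwhite DIRECT/198.51.100.4 application/pdf
""".splitlines()
```

Which Content-Type a proxy writes (request or reply) depends on its configured log format, so confirm what your own proxy records before relying on that field.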

Log Management for Database Monitoring and Auditing: Protect customer data by monitoring data access

Monitor what users are doing with your databases by using the logs those databases generate. Using your log management system, you’ll have fast, efficient access to information important to organizations across your company, from IT to Human Resources.

Though most databases are set up for only the most basic logging, you can configure Oracle, MS SQL, IBM DB2 and others to generate logs that go beyond the basics of system crashes and major events. By enabling data access logging and other parameters, you’ll have a gold mine of information to use for security and operations monitoring. Information in your database logs might include database security and schema modifications, data and object modifications, user and privileged user access, failed user access, and failures, crashes and restarts. And by using the database reports available with LogLogic, groups from throughout your company are able to take action on their most pressing concerns.

Database Log Reporting for Security, Compliance and Operations

Category                         LogLogic Database Reports
Identity and Access              Database Server Access
User Activity                    Database Data Access
Change Management                Database System Modifications, Database Privilege Modifications
Security and Threat Management   Suspicious Database Activity
IT Infrastructure Monitoring     All Database Events
Business Continuity              Database Start/Stop Events

If you can do just one thing for database monitoring:
Watch database logs for table backups and data dumps at unusual times. This common method of database theft is easy to recognize in the database logs.
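The "dumps at unusual times" check above as an added example, not LogLogic’s code. The audit lines use a constructed key=value layout (an assumption; map your Oracle, SQL Server or DB2 audit fields onto it), and the backup window and backup account are assumptions to replace with your own schedule.

```python
"""Flag bulk export/backup events from accounts or at hours where they are not expected.
Added example, not LogLogic code. Audit lines are constructed in a key=value layout:
  <ISO timestamp> db=<name> user=<account> action=<verb> object=<table> rows=<n>
"""
from datetime import datetime

BULK_ACTIONS = {"BACKUP", "EXPORT", "DUMP", "SELECT_INTO_OUTFILE"}  # dump-like verbs
BACKUP_WINDOW = (22, 4)        # assumption: scheduled backups run 22:00 to 04:00
BACKUP_ACCOUNTS = {"backupsvc"}  # assumption: the only accounts that should dump data

def parse_audit(line):
    """Split one audit line into a dict; the timestamp is parsed into rec['time']."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["time"] = datetime.fromisoformat(ts)
    return rec

def in_window(hour, start, end):
    """True if hour falls in [start, end); handles a window that wraps past midnight."""
    return start <= hour < end if start < end else (hour >= start or hour < end)

def unusual_dumps(lines):
    """Return (time, user, object, reasons) for bulk actions outside the expected pattern."""
    findings = []
    for line in lines:
        rec = parse_audit(line)
        if rec.get("action") not in BULK_ACTIONS:
            continue
        why = []
        if rec.get("user") not in BACKUP_ACCOUNTS:
            why.append("account %s is not a backup account" % rec.get("user"))
        if not in_window(rec["time"].hour, *BACKUP_WINDOW):
            why.append("outside backup window at %02d:00" % rec["time"].hour)
        if why:
            findings.append((rec["time"].isoformat(), rec.get("user"), rec.get("object"), why))
    return findings

SAMPLE_AUDIT = """\
2011-05-24T02:13:40 db=CRM user=backupsvc action=BACKUP object=CUSTOMERS rows=1200000
2011-05-24T14:02:11 db=CRM user=jdoe action=SELECT object=ORDERS rows=40
2011-05-24T15:47:03 db=CRM user=jdoe action=EXPORT object=CUSTOMERS rows=1200000
2011-05-25T03:10:00 db=HR user=backupsvc action=DUMP object=PAYROLL rows=9000
2011-05-25T11:30:00 db=HR user=backupsvc action=BACKUP object=PAYROLL rows=9000
""".splitlines()
```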

Unleash Log Power – Make the Most of Your LMI Investment

Ever increasing regulatory requirements and compliance mandates have revealed the importance of log management to companies in every industry. But that’s just the beginning. Once you have established a log management solution, such as LogLogic, put the logs that are being generated to work – even after the audit is done. LogLogic provides features and tools that enable eDiscovery, web tracking and data leak prevention and database monitoring and auditing, giving you more control over not just compliance – but allowing you to control costs, improve your company’s security and ensure your operational health.

For more information about LogLogic LMI solutions, visit www.loglogic.com.