Logging: Opening Pandora's Box - Part 2 - Elation

Thursday, May 10, 2012

Rafal Los


In a previous post, Logging: Opening Pandora's Box - Part 1 (Anxiety) , I started us thinking about the Pandora's Box that is your enterprise logging function.

In this post, we get past the anxiety that you were feeling and start feeling good about logging.  

More than just feeling good about logging, we're starting to feel great about what logging can do for us, and how it can improve our enterprise security posture.

Once you get over the anxiety of logging, a wave of elation generally hits. You get really, really excited about what logging can provide, and the amazing things you can do with your enterprise's logging capabilities. Whether you're getting excited about being able to catch evil-doers in the act, or the capability to notice system failures before they happen logging can save your skin more than you'd think.

In fact, logging can be like having a crystal ball into the future of your organization - and it's an amazing feeling knowing that you have it there... sitting there to be tapped into... you just have to figure out how to do it.

Logging can be amazing.  As I said before, many organizations don't do a very good job of taking advantage of the logging facilities across their organization.  I get excited just thinking of the cool things I could tell you about your organization just by consolidating your security devices into a single logging facility.  

Tracking attacks from their initial starts to the full blown attack is possible when you've got the data ahead of you.  All possible if you turn on logging and crank the knob to 11, and just let that beautiful data flow.

Once folks realize just how much capability you get from logs, the tendency is to go log-happy and want to turn on everything and anything to log to maximum level. Applications all of the sudden spout fountains of logging information pointed at some central logging repository and the network utilization starts to visibly increase as logging traffic starts to make its way like a river down a canyon towards the logging central repository.

There are challenges with being trigger-happy on logging, and pushing the 'log everything' mentality can not only cause security issues if done in excess and pushed in an insecure manner, but logging everything also causes a glut of logs which slows down the logging system and fills disk really fast.  Think about that while you're being elated and running around setting logging levels to maximum.

Now a bit of a reality check - logging is a magical thing which can assist in forensics as well as real-time detection and situational awareness ... but there is a tipping point at which you're logging too much and you will start seeing diminishing value to the system overall.  Of course, a lot of this scale and value depends on the logging archival and analytics (intelligence) platform you're using.  

Obviously I'm partial to one in particular... but there are others out there many others, which you may already be using and which will have different value points, scaling capabilities, and analytics capabilities.

Be smart about your logging - don't get overwhelmed by the excitement that logging everything can bring...

Cross-posted from Following the White Rabbit

Possibly Related Articles:
Information Security
Forensics Log Management Data Loss Prevention SIEM Threats IDS/IPS Network Security Monitoring Analysis
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.