Logging: Opening Pandora's Box - Part 2 (Elation)

In a previous post [Logging: Opening Pandora's Box - Part 1 (Anxiety)], I started us thinking about the Pandora's Box that is your enterprise logging function.  In this post, we get past the anxiety you were feeling and start feeling good about logging.  More than just feeling good about it, we start to feel great about what logging can do for us and how it can improve our enterprise security posture.

 

Once you get over the anxiety of logging, a wave of elation generally hits.  You get really, really excited about what logging can provide and the amazing things you can do with your enterprise's logging capabilities.  Whether you're excited about catching evil-doers in the act or about noticing system failures before they happen, logging can save your skin more often than you'd think.  In fact, logging can be like having a crystal ball into the future of your organization, and it's an amazing feeling knowing that it's there ...sitting there to be tapped into ...you just have to figure out how to do it.

 

Logging can be amazing.  As I said before, many organizations don't do a very good job of taking advantage of the logging facilities across their environment.  I get excited just thinking of the things I could tell you about your organization simply by consolidating the logs from your security devices into a single logging facility.  Tracking an attack from its first signs through to the full-blown compromise is possible when you've got the data in front of you.  All of it is possible if you turn on logging, crank the knob to 11, and just let that beautiful data flow.

 

Once folks realize just how much capability they get from logs, the tendency is to go log-happy and turn on everything, at the maximum level.  Applications all of a sudden spout fountains of logging information at some central repository, and network utilization visibly increases as logging traffic makes its way, like a river down a canyon, toward that central repository.

 

There are challenges with being trigger-happy on logging.  Pushing the 'log everything' mentality can cause security issues of its own if it's done in excess and the logs (which often contain sensitive data) are shipped to the repository insecurely, and logging everything also causes a glut of logs that slows down the logging system and fills disks really fast.  Think about that while you're being elated and running around setting logging levels to maximum.
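Before turning every knob to maximum, it pays to measure what each source actually emits and how much of it is debug chatter.  The following script is an added example, not code from the original post or from any product it alludes to: it parses a handful of constructed BSD-syslog lines (with the `<PRI>` prefix, where severity is `PRI & 7` and 7 means debug), attributes bytes to host and severity, and projects daily volume from the sample window.  The sample lines, host names, and 60-second window are invented for illustration.

```python
"""Measure what "log everything" actually costs before turning the knob to 11.

Parses BSD-syslog (RFC 3164 style) lines that carry a <PRI> prefix, attributes
bytes to host and severity, and projects daily volume from the sample window.
Added example; the sample input below is constructed, not real collector data.
"""
import re
from collections import defaultdict

# Constructed sample: what a collector might see in 60 seconds (NOT real logs).
SAMPLE_WINDOW_SECONDS = 60
SAMPLE = """\
<38>Jan 12 10:00:01 fw01 sshd[1201]: Accepted publickey for ops from 10.0.0.5 port 51022
<6>Jan 12 10:00:02 fw01 kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.20 PROTO=TCP DPT=443
<190>Jan 12 10:00:03 app01 webapp[3310]: GET /login 200 0.013s
<191>Jan 12 10:00:03 app01 webapp[3310]: debug: session cache lookup key=abc123 hit=true ttl=300 backend=redis-01 latency=0.4ms
<191>Jan 12 10:00:03 app01 webapp[3310]: debug: template render view=login.html partials=[header,footer,nav] elapsed=2.1ms
<191>Jan 12 10:00:04 app01 webapp[3310]: debug: sql SELECT id,name FROM users WHERE email=? rows=1 elapsed=0.9ms
<7>Jan 12 10:00:05 fw01 kernel: debug: conntrack entry created id=0x1f3a state=SYN_SENT timeout=120
this line is not syslog at all
"""

# <PRI>TIMESTAMP HOST TAG[PID]: MSG   (PID is optional)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: "
    r"(?P<msg>.*)$"
)

# Syslog severity codes 0..7; 7 (debug) is what "maximum level" mostly produces.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_line(line):
    """Return a dict of facility, severity, host, tag and on-disk bytes, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal PRI is local7.debug = 23*8 + 7
        return None
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "bytes": len(line.encode("utf-8")) + 1,  # +1 for the newline on disk
    }


def volume_report(text, window_seconds):
    """Attribute bytes to host and severity and project bytes/day for the window."""
    by_host = defaultdict(int)
    by_severity = defaultdict(int)
    total = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_syslog_line(line)
        if rec is None:
            unparsed += 1  # count, but never silently drop, lines you can't parse
            continue
        total += rec["bytes"]
        by_host[rec["host"]] += rec["bytes"]
        by_severity[SEVERITY_NAMES[rec["severity"]]] += rec["bytes"]
    debug_bytes = by_severity.get("debug", 0)
    return {
        "total_bytes": total,
        "unparsed_lines": unparsed,
        "bytes_per_day": total * 86400 / window_seconds,
        "by_host": dict(by_host),
        "by_severity": dict(by_severity),
        "debug_share": (debug_bytes / total) if total else 0.0,
        "top_host": max(by_host, key=by_host.get) if by_host else None,
    }


if __name__ == "__main__":
    r = volume_report(SAMPLE, SAMPLE_WINDOW_SECONDS)
    print(f"{r['total_bytes']} bytes in {SAMPLE_WINDOW_SECONDS}s -> "
          f"{r['bytes_per_day'] / 2**20:.1f} MiB/day projected")
    print(f"loudest host: {r['top_host']}  debug share: {r['debug_share']:.0%}  "
          f"unparsed lines: {r['unparsed_lines']}")
    for sev, b in sorted(r["by_severity"].items(), key=lambda kv: -kv[1]):
        print(f"  {sev:8s} {b:6d} bytes")
```

Run against a real capture (a minute or an hour of what the collector receives) with the matching window, and the `debug_share` figure tells you how much of the river is level-7 noise that the analytics platform will index, store and back up; in the constructed sample it is about two thirds of all bytes.  The `unparsed_lines` count matters too: sources that don't speak syslog properly still consume the same disk.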

 

Now a bit of a reality check: logging is a magical thing that can assist in forensics as well as real-time detection and situational awareness ... but there is a tipping point beyond which you're logging too much and you start seeing diminishing value to the system overall.  Of course, where that point sits depends a lot on the logging archival and analytics (intelligence) platform you're using.  Obviously I'm partial to one in particular ... but there are many others out there, which you may already be using, and each has different value points, scaling capabilities, and analytics capabilities.

 

Be smart about your logging; don't get overwhelmed by the excitement that logging everything can bring.

Comments
Clerkendweller | 05-04-2012 10:23 AM

Excellent business justification but I was hoping there was going to be a Part 3 (Enlightenment) containing pointers to some resources to help management take the next step.

 

I'm sure you know the sort of thing I mean :smileyhappy:

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation