Pulling the Plug on Legacy Log Management

IDG survey reveals pent-up demand for next-gen solutions to nix complexity and high costs in log management.

When it comes to log management today, CSOs have been left in the lurch. According to this IDG Research Services survey, organizations are poised to rip and replace legacy technology to get a better handle on compliance and security.

Market Pulse: Key research findings include:
- A majority of respondents demonstrate waning loyalty to their incumbent log management solution.
- Strong importance is placed on simplified management, real-time threat response, and reduced costs.
- Respondents overwhelmingly realize the value in integrating log management and security information and event management.

Log management has been a staple in IT environments for years, amassing volumes of data in the name of security and compliance. But a recent IDG Research Services survey reveals serious concerns around the prevailing status quo. Key findings indicate that platform, performance and price are all up for heated debate as organizations ready themselves for something better. A full 69 percent of respondents are willing, if not already planning, to pull the plug on their legacy log management solutions.

Something is definitely amiss, and CSOs are on the warpath. "Needs have evolved and organizations are no longer seeing the value in the systems they've implemented," declares Tim Zonca, product marketing manager for Tripwire Inc., a global provider of IT security and compliance automation solutions based in Portland, Ore. Whether they're fed up with the needless complexity or the overwhelming costs, CSOs appear to want more from log management. And they're tired of trying to get it by clumsily patching together the necessary components. "A rip and replace mentality has taken a stronghold in this space. It's unlike anything I've seen in any other industry," says Zonca.

The Status Quo

Today's business climate demands log management in one form or another; it is obviously a priority in IT organizations. According to an IDG Research Services 2010 online study of a cross-section of 100 respondents with management titles across a range of different industries, 74 percent of organizations have or plan to implement log management solutions. Security and business continuity are of critical importance to the respondents: 82 percent say the establishment and enforcement of policy is critical or very important to their organization, and 74 percent point to maintaining compliance as a top priority. But 65 percent have experienced some security event in the past 18 months.

Put simply, log management is an approach to dealing with large volumes of computer-generated log messages (e.g., audit records, event logs, etc.). "Log management tries to log everything without evaluating the actual value," explains Paul VanAmerongen, manager of information security services at MultiCare, a not-for-profit health organization based in Tacoma, Wash. It typically includes basic functions such as log collection, centralized aggregation and long-term retention. It also creates, says Dwayne Melançon, vice president of log management at Tripwire, "virtual landfills of data." CSOs don't want landfills of data; they want something that's much more refined. So when CSOs talk about log management today, they're really thinking about a broader, more intelligent view of IT happenings, encompassing technology such as Security Information and Event Management (SIEM) and often Configuration Management and File Integrity Monitoring (FIM).

Room for Improvement

When it comes to legacy log management implementations, many respondents appear to be unsatisfied with the status quo: an astounding 69 percent desire and/or plan to upgrade or replace their existing log management solution. What's causing this alarming unrest? The IDG study unearthed several contributing factors:

- CSOs want a simpler, more effective way to deal with security and compliance requirements. The majority of respondents rank simplified management as important in log management and SIEM. This may stem from the technology's own evolution, as discrete capabilities have come to the market separately to solve different business problems. That's evident in the fact that 35 percent of surveyed organizations use point solutions for log management, while 33 percent use point solutions for SIEM. As CSOs strive to do more with technology, they're discovering that in some cases they can't. For instance, log management solutions collect data but typically lack the intelligence to correlate it. And some SIEM solutions may store logs as objects in a database, making reports a challenge. Trying to blend the disciplines can be a costly and complex endeavor involving incompatible black boxes that require multiple management consoles. Too often organizations end up sacrificing intelligence or performance. More important, CSOs lack "a snapshot of what is going on in the information environment," notes VanAmerongen. Indeed, the majority of respondents indicate that a dashboard display of alerts and event data is important to them. Organizations should be able to "dance across disciplines," says Zonca, to correlate data and create audit trails, whether logs, security-related events or configuration changes. But today CSOs are doing without that snapshot because it's just too hard to bring those point solutions together.

- CSOs realize they need to be able to do more with their log management solutions to address today's security threats. Immediate response to threats, catching a security breach before too much damage occurs, is the key to protecting an organization's reputation and information assets as well as avoiding costs. Some 63 percent of respondents indicate that the ability to act in real time against threats is important. "Response to an external intrusion must be real time," VanAmerongen clarifies, "and external threats must be monitored 24x7x365." Many technology solutions offer close-to-real-time monitoring, but that's not really the problem, says Zonca. Rather, it's about decreasing breach detection time. Just consider the Verizon Business 2009 Data Breach Study, which reports breaches still go undiscovered and uncontained for weeks or months in 75 percent of cases. Real-time threat response has proven an elusive goal for many organizations because they're dealing with massive amounts of data, Zonca says: tens of millions, if not billions, of events per day. VanAmerongen concurs, saying manual event correlation and even bandwidth availability can hinder threat response. But in the real world, organizations need to identify what really matters amidst the barrage of logs and events, with immediate right-click access to detail and data correlation.

- CSOs are paying a premium for log management solutions and not realizing the full value. Log management and SIEM solutions have long been plagued with high costs. Cost-related challenges top respondents' lists in both log management and SIEM. "Solutions are not cheap and trying to show the business value is not clear cut," VanAmerongen laments. Traditional pricing models are based on a complex array of variables, a perplexing combination of everything from events per second to the number of users and the level of integration. In addition to proving expensive, this makes it hard for CSOs to keep track of costs and calculate accurate forecasts. What's more, the solutions are often appliance-based, incurring the typical acquisition, implementation, integration and maintenance expenditures associated with hardware deployments. And they come with management inefficiencies. What's called for is a solution that's grounded in a simple, cost-effective pricing model, so CSOs can grow their infrastructure, adding as many users/consoles as needed and only paying for the additional throughput. Software-based approaches also tend to be more economical in regard to implementation and maintenance. But most important, time is money, and more efficient management could free IT organizations from hours spent on manual investigations and data correlation.

Important Features When Making Vendor Selection Decisions
(Source: IDG Research Services, January 2010)

Feature                                                               Critical  Very Important  Somewhat Important  Not Very Important  Not at All Important
Dashboard display of alerts, event and vulnerability data               26%         57%              13%                 3%                  1%
Ability to store events of interest for further analysis                15%         57%              23%                 2%                  3%
Ability to generate and prioritize event tickets for quicker response   21%         49%              25%                 3%                  2%
Ability to perform sophisticated searches across all event data         18%         52%              25%                 4%                  1%
Easy access to forensic log data                                        21%         47%              26%                 4%                  2%
Ability to replay events to see how network areas were affected         21%         41%              27%                 9%                  2%
Support of MySQL and Microsoft SQL databases                            15%         38%              22%                21%                  3%
Graphical representation of event locations                             12%         37%              34%                10%                  7%

Most Important Outcomes With Regards to Log Management and SIEM
(Source: IDG Research Services, January 2010)

Improved ability to act on compliance and security threats in real time   63%
Reduced solution costs                                                    60%
Simplified log management (reduced management costs)                      54%
Ability to prove compliance/produce audit trails                          49%
Reduced training time/costs                                               36%
Other                                                                      1%
None                                                                       4%
Don't know                                                                 6%

Next-Generation Technology in the Here and Now

Today's IT priorities are all about mitigating risk, achieving continuous compliance and reining in operational control. To do that, CSOs need three things: visibility, intelligence and automation. That's where Tripwire comes in. Tripwire offers the first and only solution that dynamically analyzes event and change information for intelligent threat control without the cost and complexity associated with existing security tools. Tripwire Log Center extends visibility by combining log and event management with file integrity and change intelligence capabilities, so organizations can instantly identify sophisticated threat patterns across their infrastructure and respond quickly to safeguard information assets. The next generation is now, and there will be no compromise in intelligence, performance or cost. For more information, see www.tripwire.com

The Promise of the Next Generation

So what does the future hold for log management? "Product integration is gold," VanAmerongen says. Pure-play log management has done its job. But as compliance requirements evolve and security threats abound, the IDG Research study strongly suggests that a mix of technology is needed to overcome today's challenges: a staggering 83 percent of organizations see the value in integrating log management and SIEM.

CSOs need to stop thinking in terms of discrete solutions for log management and SIEM, and even configuration management and FIM for that matter. They're all means to the same end. Of course log management excels at capturing and retaining loads of log data, while SIEM provides a means for analysis and event correlation. "But what is one without the other?" asks Zonca. Seeing log data isn't always the answer. And knowing about changes isn't necessarily enough. But visibility into the two makes for a compelling view of potential threats. "Consider, for example, five failed login attempts followed immediately by a successful one. This may not always trigger alarm. But if that successful access is followed by a change to an /etc/passwd file, a hacker could have just captured the keys to the kingdom," warns Melançon. "And that would be a huge problem that warrants immediate action."

Bringing together log management, SIEM, configuration management and FIM under one platform is indeed a bold game-changer. CSOs won't have to think about what kind of event they're dealing with, but rather what an event means in terms of risk. They'll gain greater visibility across disciplines and have the intelligence to analyze and correlate data. They'll be able to ask questions of the data and look for suspicious matches. And they'll have access to that data in usable formats, "like a real-time dashboard and single-click detail investigation," says Melançon. What's more, CSOs will be able to automate policies and their enforcement. And no more taping together disparate solutions and then paying dearly in both cost and efficiency. "It [an integrated solution] streamlines workflow and simplifies a complex environment," notes VanAmerongen.

Bottom Line

Organizations can have it all: expediting breach detection from months to mere minutes while spending less time and money on security and compliance. Perhaps that's what has CSOs up in arms about traditional, pure-play log management solutions. In the past they have been forced to choose between intelligence and performance. Cost over security. With an integrated solution, there simply is no compromise. And that's cause for change. Visit www.tripwire.com/ to learn more about log management.
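As an added illustration of the cross-discipline correlation Melançon describes (a burst of failed logins, a success, then a change to /etc/passwd), here is a small detection check in Python. It is not code from the article or from Tripwire; the simplified sshd-style auth lines, the hypothetical FIM line format and the sample events are all constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not from the article). Auth lines use a simplified
# sshd format; the "fim:" line is a hypothetical file-integrity-monitor format.
SAMPLE_LOG = """\
2010-01-12T03:14:01 sshd: Failed password for admin from 203.0.113.7
2010-01-12T03:14:05 sshd: Failed password for admin from 203.0.113.7
2010-01-12T03:14:09 sshd: Failed password for admin from 203.0.113.7
2010-01-12T03:14:13 sshd: Failed password for admin from 203.0.113.7
2010-01-12T03:14:17 sshd: Failed password for admin from 203.0.113.7
2010-01-12T03:14:21 sshd: Accepted password for admin from 203.0.113.7
2010-01-12T03:15:02 fim: MODIFIED /etc/passwd by admin
2010-01-12T09:00:00 sshd: Failed password for bob from 198.51.100.4
2010-01-12T09:00:30 sshd: Accepted password for bob from 198.51.100.4
2010-01-12T09:05:00 fim: MODIFIED /etc/passwd by bob
"""
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FIM_RE = re.compile(r"^(\S+) fim: MODIFIED (\S+) by (\S+)$")

def correlate(log_text, fail_threshold=5, fail_window=timedelta(minutes=5),
              change_window=timedelta(minutes=10), watched="/etc/passwd"):
    """Return (user, source, file) alerts for: at least fail_threshold failures
    for one user/source inside fail_window, then a success from that source,
    then a change to `watched` by that user inside change_window."""
    failures = {}    # (user, src) -> timestamps of recent failed logins
    suspicious = {}  # user -> (timestamp of the success, src) awaiting a change
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            status, user, src = m.group(2), m.group(3), m.group(4)
            key = (user, src)
            if status == "Failed":
                failures.setdefault(key, []).append(ts)
                continue
            # Success: only failures immediately preceding it count toward the burst.
            recent = [t for t in failures.get(key, []) if ts - t <= fail_window]
            if len(recent) >= fail_threshold:
                suspicious[user] = (ts, src)
            failures.pop(key, None)
            continue
        m = FIM_RE.match(line)
        if m and m.group(2) == watched and m.group(3) in suspicious:
            ts = datetime.fromisoformat(m.group(1))
            login_ts, src = suspicious[m.group(3)]
            if ts - login_ts <= change_window:
                alerts.append((m.group(3), src, watched))
    return alerts
```

Bob's single failure followed by a success and a change does not meet the threshold, so only the admin sequence is reported; lowering `fail_threshold` shows how the same logic tightens or loosens the rule.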