Log management as a tool against insider threats

How to engineer the log-management product, which was bought for compliance, to protect the network against insider threats as well.


As an IT administrator, I'm often considering how to make the most of all security solutions that my organisation needs to run smoothly, especially given the cost of compliance solutions.

One item I'd like feedback on is how I can leverage the log-management product I've bought for compliance to protect the network against insider threats as well. If I have a log management solution in place, will that be sufficient to protect my sensitive data? What other best practices are there, and can you provide a few real-world examples?

Information security tools are often split into two categories: detective and preventive. Preventive controls, as the name implies, stop attacks; detective controls give you ways to monitor for and find security events.

Log management is a detective control only, so it is not sufficient on its own to protect sensitive data. You still need things like access controls and authentication to prevent unauthorized access and stop attacks.

However, detective controls significantly enhance preventive controls because they warn of impending attacks (e.g., suspicious activity and surveillance) and alert you to attacks even when they fail. Log management therefore has both direct and indirect applications that help with compliance as well as with insider attacks.

A direct method of log management usually involves collection of known logs into a centralized and secure space with long-term retention capabilities to satisfy requirements like "Secure and Central Log Collection" (PCI Requirement 10.5). Indirect methods can involve anything related to monitoring or auditing activities. This means everything from authentication and authorisation to encryption to change management could benefit from log management.

File Integrity Monitoring, for example (PCI Requirements 10.2.2, 10.5.5 and 11.5), depends on a log management back-end. Some may be surprised that virtually all encryption has a significant log-management component, but monitoring access and change related to keys and signatures is essential to good encryption management. Take, for example, an insider who modifies or replaces a key. Even the reverse can be important; a key that has not been rotated in a timely fashion (some rotations are meant to happen weekly) indicates a potential exposure or suspicious activity.

Best practices involve the following decisions in both planning and implementing your logging solution to meet compliance objectives:

1) Data should be normalised yet allow generation of daily summary reports for specific roles. This enables data centralisation without loss of the ability to manage the details of the data at a localized and granular level. Normalisation should be done with regard to long-term archiving and later review as well.

2) Specific security events should be flagged with real-time alerts, which are sent to incident responders. Compliance requirements have various terms such as "compromise," "suspicious activity," and "red flags," but they all emphasise the need to both stop and document unauthorised access to sensitive data. Specific security events will depend on your business model and data, but the typical things to watch for are unusual changes to regular patterns. These often are considered evidence of fraud.

3) Make log management part of the business decision. When sensitive data is spread out, the cost of protecting it is much higher and the complexity of logging and monitoring escalates with it. Is there a more efficient, and therefore more secure, way of doing business? Will consolidating all the logs from the various systems cost more than consolidating the systems to be logged?

A log management solution can significantly enhance an environment in both prevention and detection of attacks, helping you both achieve compliance and protect the network against insider threats.

Ottenheimer is director of compliance solutions at ArcSight.
