Death by Event Log Overload

When it comes to security, event logs are supposed to be the best friends of the IT guy managing the environment, right? Roger Grimes of InfoWorld claims that evidence of malicious activity can be found in the event logs.

So, if companies today already have all necessary data that points directly to the malware, why do we see so many breaches these days?

The answer is simple: they’re just not watching. The reality is that companies today aren’t looking, not because they don’t care, but because it is difficult to search through a disparate array of event logs spread across the network and spot the one log entry that’s truly meaningful.

Grimes says, “We get information overload from everywhere.” Companies simply do not have the time to analyze every single drop of the ocean of information they receive daily. The ‘manual’ approach to log file analysis is just not an option.

So then, are companies required to purchase powerful and costly alerting systems? Grimes mentions that “most alerting systems are 99.999 percent full of events that indicate nothing malicious whatsoever” – a sad reality that makes the ROI of an alerting system suspect.

If your system analyzes everything and sends you all the data it finds relevant, it’s a classic case of believing you’re keeping an eye on everything while in reality there’s too much information to keep anything secure. The challenge is to simplify the process of auditing events, avoiding data overload, while raising the intelligence used to determine what’s a problem and what’s not.

Simplicity, transparency and effectiveness are the three key elements you should expect from a third-party solution that helps you understand what’s going on in your environment at any point in time. Being able to detect and report on who is doing what in your critical systems, such as Active Directory, File Server or Exchange, should be EASY. Moreover, it should provide you with actionable intelligence that can be used ‘as is’ to address your specific problems (e.g., predefined compliance reports).

Still thinking that relying on event logs alone is a good idea? Unless you want to drown in a sea of meaningless events, think again.

Nick Cavalancia is a technical evangelist and founder of the IT consulting firm Techvangelism. Nick has over 20 years of enterprise IT experience, 10 years as a tech marketing executive, and is an accomplished technology writer, consultant, trainer, speaker and columnist. He has authored, co-authored and contributed to over a dozen books on Windows, Active Directory, Exchange and other Microsoft technologies, and has spoken at many technical conferences on a wide variety of topics. Previously, Nick held executive marketing positions at ScriptLogic (acquired by Quest, now Dell Software), SpectorSoft and Netwrix, where he was responsible for the global messaging, branding, lead generation and demand generation strategies used to market technology solutions to an IT-centric customer base.