Death by Event Log Overload

When it comes to security, event logs are supposed to be an administrator's best friend, right? Roger Grimes of InfoWorld points out that the evidence of malicious activity can be found in the event logs.

So if companies already hold the data that points directly at the malicious activity, why do we still see so many breaches?

The answer is simple: they are not watching. Companies today aren't looking, not because they don't care, but because it is hard to search a disparate collection of event logs scattered across the network and pick out the one entry that actually matters.

Grimes says, 'We get information overload from everywhere'. Companies simply do not have the time to analyze every drop of the ocean of information they receive daily; a manual approach to log analysis is not an option.

So are companies then obliged to buy powerful and costly alerting systems? Grimes notes that "most alerting systems are 99.999 percent full of events that indicate nothing malicious whatsoever", a sad reality that makes the ROI of an alerting system questionable.

If your system analyzes everything and forwards you everything it deems relevant, you believe you are keeping an eye on everything while in reality there is far more information than anyone can act on. The challenge is to simplify auditing without data overload while raising the intelligence used to decide what is a problem and what is not: suppress the routine events and correlate the related ones, so that a single alert stands for a pattern rather than one line in a log.
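As an added example (not code from the original article or from any product it describes), the Python below runs a small correlation pass over a constructed batch of Windows Security events. The event IDs are the real ones (4624 successful logon, 4625 failed logon, 4728 member added to a security-enabled global group); the hosts, accounts, addresses, timestamps and thresholds are assumptions made up for the illustration. Seventy-five events go in, two alerts come out, and a single mistyped password never fires.

```python
"""Triage a flood of Windows Security events down to the few that matter.

Added example for this article; it is not code from the article or from any
product it describes. Event IDs are the real Windows Security log IDs
(4624 successful logon, 4625 failed logon, 4728 member added to a
security-enabled global group). Hosts, accounts, addresses, timestamps and
thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}


def _benign_logons(n):
    # Constructed background noise: n routine successful logons, one per minute.
    users = ["alice", "bob", "carol", "dave"]
    base = datetime(2024, 3, 1, 8, 0, 0)
    return [
        {"time": (base + timedelta(minutes=i)).isoformat(), "host": "FS01",
         "id": 4624, "user": users[i % len(users)], "src": f"10.0.1.{10 + i % 20}"}
        for i in range(n)
    ]


def _attack_sequence():
    # Constructed: 12 failed logons for one account from one source within a
    # minute, then a success from the same source, then that account is added
    # to Domain Admins on the domain controller.
    start = datetime(2024, 3, 1, 9, 30, 0)
    failed = [
        {"time": (start + timedelta(seconds=5 * i)).isoformat(), "host": "DC01",
         "id": 4625, "user": "svc-backup", "src": "10.0.0.99"}
        for i in range(12)
    ]
    success = {"time": (start + timedelta(seconds=90)).isoformat(), "host": "DC01",
               "id": 4624, "user": "svc-backup", "src": "10.0.0.99"}
    escalation = {"time": (start + timedelta(minutes=10)).isoformat(), "host": "DC01",
                  "id": 4728, "user": "svc-backup", "src": None,
                  "group": "Domain Admins", "subject": "svc-backup"}
    return failed + [success, escalation]


# One mistyped password from a normal user: a 4625 that must not alert.
_TYPO = {"time": "2024-03-01T08:15:30", "host": "FS01", "id": 4625,
         "user": "bob", "src": "10.0.1.11"}

SAMPLE_EVENTS = _benign_logons(60) + [_TYPO] + _attack_sequence()


def triage(events, failed_threshold=5, window=timedelta(minutes=5)):
    """Return the alerts worth a human's attention, in time order.

    Two rules, both deliberately stateful rather than per-event:
      * brute_force_then_success: at least `failed_threshold` 4625s for the
        same (source, account) inside `window`, followed by a 4624 for that
        same pair. A lone 4625, or any number of 4624s, never fires.
      * privileged_group_change: any 4728 whose group is in PRIVILEGED_GROUPS.
    """
    alerts = []
    failures = defaultdict(list)  # (src, account) -> timestamps of 4625s
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["time"])):
        t = datetime.fromisoformat(e["time"])
        key = (e.get("src"), e["user"])
        if e["id"] == 4625:
            failures[key].append(t)
        elif e["id"] == 4624:
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= failed_threshold:
                alerts.append({"time": e["time"], "host": e["host"],
                               "rule": "brute_force_then_success",
                               "user": e["user"], "src": e["src"],
                               "failed_attempts": len(recent)})
                failures[key].clear()
        elif e["id"] == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"time": e["time"], "host": e["host"],
                           "rule": "privileged_group_change",
                           "user": e["user"], "group": e["group"],
                           "subject": e.get("subject")})
    return alerts


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} events in, {len(found)} alerts out")
    for a in found:
        print(a)
```

The point of the design is that neither rule looks at an event in isolation: the failed logons only become interesting once a success follows them from the same source, and the group change is reported because of which group it touches, not because a 4728 occurred. Raising the threshold or widening the window changes what is surfaced without changing the volume of logs collected.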

Simplicity, transparency and effectiveness are the three key qualities you should expect from a third-party solution that helps you understand what is going on in your environment at any point in time. Detecting and reporting on who is doing what in your critical systems, such as Active Directory, file servers or Exchange, should be EASY. It should also provide actionable intelligence that can be used as is to address your specific problems (for example, predefined compliance reports).

Still think relying on raw event logs alone is a good idea? Unless you want to drown in a sea of meaningless events, think again.