The average IT Pro doesn’t need to be told stories about big data – you’ve been inundated with log data from dozens of sources for at least a decade before the term “big data” even came to exist. The concept of wanting security log and audit trail data being meaningful is also not new.
Why, then, is security log data so difficult to utilize?
We can only guess that manufacturers of hardware and software decided that it made more sense to provide raw security data at more a transactional level (presumably from the perspective of the system generating the logs), than provide something needed from the perspective of the IT or security pro looking at the log data. We’d obviously rather see “John gave Susan Full Control rights to the Accounting database” than a series of fields with values that we need to interpret.
So we employ SIEM or Event Log Management solutions to consolidate logs and be alerted when specific event log criteria is triggered. In many cases, the only way to obtain information about changes in security is via event data, making these solutions necessary. If you’re at this point, or thinking about being here, you’re a step closer to having visibility into what’s happening to your security.
But even with those solutions, you still have to do the work to make sense of the security log data. That means, at a minimum, interpreting the single log entry or, at worst, need to review a number of log entries that, in total, make up a single event.
The reality is most IT and security pros don’t have the time to do even this small amount of work. It has to be simpler than this.
That’s where Change Auditing comes into play. This is a step above SIEM or Event Log solutions, in that in addition to visibility into security changes, you now get intelligence. A good change auditing solution is designed in reverse – change auditing starts with the person who will be auditing the security changes in mind, presenting the security changes found in log data in a meaningful, way with Who did What, When and Where details.
To make sense of your security logs, you’re going to either a) need to invest a lot more time into reviewing log data or b) employ a solution that provides both the intelligence and visibility needed to boil thousands of daily log entries down to “John gave Susan Full Control rights to the Accounting database.”
Take your pick.