It now takes organizations 207 days to identify and 73 days to contain security breaches, according to IBM’s 2020 Cost of a Data Breach Report. That means the average “lifecycle” of an incident is a staggering 280 days — 7 months!
Moreover, cybercrimes are becoming increasingly sophisticated and attackers are quicker than ever when it comes to finding cracks in corporate infrastructure. Therefore, companies need an approach that helps them spot and remediate cyberattacks quickly and efficiently. Unfortunately, Accenture’s 2020 State of Cybersecurity Report found that on average, “cybersecurity programs actively protect only about 60 percent of an organization’s business ecosystem.”
Therefore, it is more important than ever for enterprises to establish strong security practices and make use of all data available to them. To help, this article explores how security log analysis can help you monitor activity across your IT infrastructure and stay on top of cyber threats. Log analysis is usually performed using a security information and event management (SIEM) solution or log management system (LMS), so we’ll cover their respective features and capabilities. We’ll also compare SIEM vs log management and dive into specific use cases to help you figure out which solution is right for your company.
What Is a SIEM Solution?
SIEM software solutions collect and aggregate log data from multiple sources, such as applications and network hardware, into a centralized platform. Then they perform correlation and real-time analysis to provide alerts on indicators of compromise (IOCs), such as failed login attempts, to enable faster and more effective response to attacks in progress.
SIEM tools combine the capabilities of security event management (SEM), security information management (SIM) and security event correlation (SEC) into a single solution.
What Is a Log Management System?
A log management system (LMS) collects and stores log files from multiple sources into a single, centralized place where they can be reviewed and interpreted by an IT security analyst. Examples of data sources include web servers, authentication servers and firewalls, as well as infrastructure devices like wireless controllers, switchers, routers and access points.
LMS applications offer:
- Log data collection and retention
- Log indexing and searching
- Reporting capabilities
- Centralization of logs
- Storage of large amounts of log data
LMS applications provide visibility into activity across your infrastructure but do not typically offer the analysis, alerting and incident response capabilities of SIEM solutions.?
SIEMs vs Log Management: Commonalities and Differences
SIEMs and log management have a lot in common. For starters, they both:
- Enable real-time collection, storage and search of log data across operating systems, security devices, network infrastructure, systems and applications
- Report on operational and compliance performance
- Require dedicated personnel to manage the software, figure out the type of information that needs to be collected, set up log transfer, set up storage workflows, frequently fine-tune the settings, deploy and configure changes, deal with numerous alerts, and sort out false positives
However, they differ in critical ways as well:
- SIEM logging combines event logs with contextual information about users, assets, threats and vulnerabilities and compares them using algorithms, rules and statistics. Log management provides no analysis of log data; it’s up to the security analyst to interpret it and determine whether or not the threat is real. It’s difficult to spot aberrant activity and interpret data if you’re not yet aware of a problem with a specific account or file.
- SIEM tools provide real-time and historical threat analysis based on log data. They also send alerts whenever a potential security threat is detected, and prioritize the threats according to importance, making it easier for security professionals to tackle issues systematically. Log management does not have features like automated alerting and threat notifications, and so LMS applications are typically not ideal tools to drive decision making.
- Once collected by a SIEM, logs are converted into a uniform format and organized into categories, helping to ensure consistency across all log data. LMS applications do not convert log data across disparate sources into a unified format, resulting in inconsistency and variability across the collected data.
Extending Visibility Beyond SIEM or LMS
The NIST Cybersecurity Framework is respected framework for helping organizations improve their ability to assess and address cyber threats. It organizes its guidance into five primary functions:
- Identify — Determine security risks to all company assets, including personnel, systems and information.
- Protect — Implement systems to protect the most valuable and sensitive assets.
- Detect — Catch active cybersecurity events that could threaten your environment.
- Respond — Take informed action against threats to prevent or mitigate loss or damage.
- Recover — Restore capabilities, data or services damaged by an attack.
However, most SIEM solutions cover only two of these security functions (Detect and Respond), and log management technology addresses only the Detect function.
Therefore, organizations are wise to look for solutions that cover all five NIST pillars. Using the Netwrix Data Security Platform, you can:
- Identify what data requires protection and what doesn’t.
- Minimize the risk of a breach by proactively spotting gaps in your IT security controls
- Detect true threats quicker and avoid alert fatigue
- Speed incident response with actionable context about each incident.
- Restore operations faster by accurately prioritizing the recovery of the most critical assets.
1. What is a SIEM?
SIEM solutions collect and aggregate log data from multiple sources into a centralized platform, correlate and analyze it, and deliver alerting, reporting and automated incident response.
2. What is a log management solution?
Log management solutions collect log files from multiple sources (e.g., web servers, authentication servers and infrastructure devices) and store it in a single repository. IT security analysts can then review, correlate and interpret the data.
3. What is the difference between a log and an event?
An event is a collection of information about what it took to complete a specific process or task. An example is accepting an HTTP request, fulfilling the request and returning a response.
A log is a message or collection of messages, usually with a corresponding timestamp. Individual logs are not necessarily related to each other.
4. How are logs used by a SIEM?
SIEM solutions aggregate log data into a centralized platform and correlate it to enable alerting on active threats and automated incident response.