EventSource July 2009 – EventTracker 6.3 review; Getting more from Log Management; Correlation techniques and more

Featured Article

Smart Value: Getting more from Log Management
By Jasmine Noel

Every dip in the business cycle brings out the ‘get more value for your money’ strategies, and our current “Kingda Ka style” economic drop only increases the urgency of implementing them. For IT this usually means either using the tools you already have to solve a wider range of problems, or buying a tool with a fast initial payback that can also be used to solve a wide range of other problems. This series looks at how different log management tasks can be applied to solve a wider range of problems beyond the traditional compliance and security drivers, so that companies can get more value for their IT money.

Login attack identification is a common use of log management. Most folks monitor and analyze login failures from a security perspective. They use reporting and policy engines to identify anomalies in user login patterns, such as multiple login failures with different user names in a short amount of time, as indicators of a security attack, or for forensic or auditing purposes. Others are taking this one step further and applying this analysis to recognize the specific devices a customer uses to log in, as a means to prevent fraud or lower attack risks. However, these login analysis and reporting tasks can have uses beyond this traditional security driver.

Performance problem resolution

Login failures can also be an indicator of server or database misconfigurations, particularly since modern applications and databases depend on complex collections of software modules. Those modules depend on login permissions to communicate just as much as we depend on login permissions to check our email.
Sometimes error messages about unknown login types or missing database connections are the result of duplicate installations of a particular module, or of slight variances in permissions within a database server cluster. Depending on where the error sits, it may be fatal to the performance of a critical business service, or it may fly under the radar -- until a specific set of circumstances causes service performance to rapidly unravel. These types of performance problems will also be occurring more frequently because:
These types of performance problems require log analysis solutions that can identify error patterns and uncover unsuspected relationships between production environment deployment choices and error occurrences.

Customer service

Login failures can also be a customer service indicator. For example, you can analyze how many of the users who request password reminders actually log in a few minutes later. If your analysis shows that most users do not log in successfully after a failed login, then you have an indicator that a particular business goal is not being met. The business is missing opportunities to connect with those users -- and you have an opportunity to engage/align/interact with business managers to figure out how to positively impact the business. That’s the type of “tech hero” I think most IT managers aspire to be: the guys and gals who go beyond their day-to-day tasks to find ways to lighten burdens their colleagues didn’t know they were carrying. The data to do this type of hero-work is in the logs. It just needs to be surfaced in a way that makes sense to business managers, web designers and application developers.

Doing more with the same

If you already have tools to consolidate and analyze log data for login failures that indicate security breaches, you also have tools to prevent login misconfigurations from causing application performance problems, prevent login misconfigurations from creeping into VM templates, and provide insight into lost customer opportunities. It is simply a matter of applying the tools to these additional situations. However, we all know that just because something seems simple doesn’t mean that it is easy to achieve. It’s when you apply a solution to multiple problems that you really put the claims of flexibility and usability to the test. A good analysis tool should help you uncover patterns and relationships without creating a whole lot of extra work to bring in new data sources or run ad-hoc reports.
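The two login-failure analyses the article describes (a short burst of failures against many different user names from one source, and password-reminder requests followed by a successful login within a few minutes) as an added example; this is not code from the article or from EventTracker, and the log format, field names and sample lines are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; hypothetical format: "<timestamp> <event> <source-ip> <user>"
SAMPLE_LOG = """\
2009-07-01T10:00:01 LOGIN_FAIL 10.0.0.5 alice
2009-07-01T10:00:03 LOGIN_FAIL 10.0.0.5 bob
2009-07-01T10:00:05 LOGIN_FAIL 10.0.0.5 carol
2009-07-01T10:05:00 LOGIN_FAIL 10.0.0.9 erin
2009-07-01T10:05:10 PASSWORD_REMINDER 10.0.0.9 erin
2009-07-01T10:07:00 LOGIN_OK 10.0.0.9 erin
2009-07-01T10:20:00 LOGIN_FAIL 10.0.0.12 frank
2009-07-01T10:20:30 PASSWORD_REMINDER 10.0.0.12 frank
"""

def parse(log_text):
    """Turn each 'timestamp event source user' line into a tuple with a real datetime."""
    rows = (line.split() for line in log_text.splitlines())
    return [(datetime.fromisoformat(ts), ev, src, u) for ts, ev, src, u in rows]

def spray_sources(events, window=timedelta(seconds=30), min_users=3):
    """Sources whose failures hit >= min_users distinct names inside one window (security signal)."""
    fails = defaultdict(list)
    for ts, event, source, user in events:
        if event == "LOGIN_FAIL":
            fails[source].append((ts, user))
    flagged = {}
    for source, items in fails.items():
        items.sort()  # chronological, so each index can open a sliding window
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[source] = len(users)  # distinct names seen in the first qualifying window
                break
    return flagged

def reminder_recovery(events, window=timedelta(minutes=5)):
    """(recovered, total) password reminders followed by LOGIN_OK within window (customer signal)."""
    ok_logins = defaultdict(list)
    for ts, event, _, user in events:
        if event == "LOGIN_OK":
            ok_logins[user].append(ts)
    reminders = recovered = 0
    for ts, event, _, user in events:
        if event == "PASSWORD_REMINDER":
            reminders += 1
            if any(timedelta(0) <= ok - ts <= window for ok in ok_logins[user]):
                recovered += 1
    return recovered, reminders
```

A low recovered/total ratio from reminder_recovery is the lost-opportunity indicator the article describes, while spray_sources is the traditional attack indicator; both run over the same consolidated log.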
If you are trying to justify log management and analysis tools specifically for identifying login-based attacks, don’t forget to include an ROI roadmap that shows a timeline for benefits beyond security attacks. The reason I like ROI roadmaps is that they get business folks thinking about IT solutions and IT time saved as assets to be leveraged in the next round of efficiency and productivity improvements -- instead of thinking about IT time as only a maintenance cost that should be eliminated. The most effective roadmaps would show how the solution will initially be used, the resulting benefits and the initial payback period as the first phase. Subsequent phases would show how you would leverage the time saved to apply the solution to other areas, and the resulting benefits. These subsequent phases don’t have to be completely fleshed out, but should include enough substance to demonstrate that you are following one of the fundamental laws of good business execution -- thinking strategically while acting tactically.
Industry News

4th of July hacker jailed after hospital hack
Microsoft confirms another zero-day vulnerability
Insider arrested for stealing critical proprietary code from Financial Services Company
EventTracker 6.3 review
Featured Webinar

Using behavior-based correlation to detect threats in real-time

LogTalk

We continue our look at the 100 uses of Log Management. Over the past few weeks the focus of the video blog has been on supporting the 15 automated controls of the Consensus Audit Guidelines (CAG), a joint initiative of defense experts from federal agencies and the SANS Institute. These controls are viewed as effective in blocking the most serious real-world threats.

Follow LogTalk on Twitter