How Better Log Monitoring Can Prevent Data Breaches

Recent high-profile data breaches reaffirm that the threat from data thieves is both persistent and pervasive. Could better log monitoring mitigate or even prevent these types of security catastrophes?


That said, though we have no specific knowledge of the internal IT environment of any of the recent victims of corporate data loss, we'd wager that most if not all of the targeted IT shops had log file monitoring software installed. Yet those tools still did not raise sufficient alarms to prevent ongoing data loss after the initial intrusion, even though some of the harvesting of PII from the hacked companies may have gone on for weeks or months.

If an Intruder Breaches a Network in the Forest ...

Unfortunately, enabling log messages for collection and configuring log file levels is just the beginning of the process to detect intruders and their malware payload. Turning on the notification feature of your log file monitoring software is the next logical step. But if administrators are notified of every single hiccup in a server, application, device or other software component, human nature dictates that the administrators will likely begin to ignore important log file alerts just because of the high volume of notifications they receive. What's really needed in this situation is a log file aggregation tool that will collect all IT log files in a single back-end database, where further analysis and correlation can be performed.


When shopping for a log file aggregation tool, be sure that the tool comes preconfigured to detect common intrusion log messages, including external attempts to open IP ports, any changes to administrative passwords, and any access of PII or other mission-critical data. Those types of log file messages should be either built-in defaults or easily configurable in your log file aggregation software. But each IT environment and each application likely has unique log file messages that must be collected and analyzed, so the capability to easily add additional log file rules to match specific intrusion or malware indicators is an absolute must.

Hang Together or Hang Separately?

The last step to better protection from intrusion and malware for your networks and applications is the act of correlating the collected log file messages. This is the most likely breakdown point for many of the data-loss events that have dominated the headlines in recent years. The detection of intrusions or unauthorized data access will be greatly enhanced by correlating logged events on multiple server, network or application components. If an administrator sees unauthorized attempts to access sensitive data, or if an external attack on an obscure IP port is logged, he or she might or might not recognize those as related symptoms of an attempted intrusion.

However, if your log file aggregation and correlation tool can show you that an IP port is breached, followed by an unauthorized or failed admin login attempt on a sensitive server, followed by someone accessing a back-end database that houses PII, that’s an example of a chain of alerts that should be viewed as a single intrusion thread.
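As an added illustration (not code from the article or from any product it discusses), the Python script below implements the correlation rule just described: it parses a few constructed log lines from a firewall, an authentication service and a database, then links an external connection to an unusual port, a failed admin login on the same server and a read of PII data into a single incident when they occur in order within a one-hour window. The log format, field names, port list and window size are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample log lines (not from any real system). The second failed admin
# login is internal and a day later, so it must not become part of any incident.
SAMPLE_LOGS = """\
2015-03-01T02:10:05 firewall src=203.0.113.7 dst=10.0.0.5 port=8443 action=ALLOW
2015-03-01T02:14:30 auth host=10.0.0.5 user=admin result=FAIL src=203.0.113.7
2015-03-01T02:31:12 db host=10.0.0.9 user=svc_report table=customers_pii rows=120000
2015-03-02T09:00:00 auth host=10.0.0.5 user=admin result=FAIL src=10.0.0.40
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\w+) (?P<kv>.*)$")

def parse_logs(text):
    """Parse 'timestamp source key=value ...' lines into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m.group("kv").split())
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        ev["source"] = m.group("source")
        events.append(ev)
    return events

# The three stages of the intrusion thread, in order: an external connection to an
# unusual port, a failed admin login on a sensitive server, then a read of PII data.
STAGES = [
    ("firewall", lambda e: e.get("action") == "ALLOW" and e.get("port") not in ("80", "443")),
    ("auth", lambda e: e.get("user") == "admin" and e.get("result") == "FAIL"),
    ("db", lambda e: "pii" in e.get("table", "").lower()),
]

def matches(event, stage):
    return event["source"] == stage[0] and stage[1](event)

def correlate(events, window=timedelta(hours=1)):
    """Return incidents: each is the full stage chain seen in order within `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    incidents = []
    for i, first in enumerate(events):
        if not matches(first, STAGES[0]):
            continue
        chain = [first]
        for ev in events[i + 1:]:
            if ev["ts"] - first["ts"] > window:
                break  # too old to belong to this thread; stop searching
            if matches(ev, STAGES[len(chain)]):
                chain.append(ev)
                if len(chain) == len(STAGES):
                    incidents.append(chain)
                    break
    return incidents
```

Run on the sample, `correlate(parse_logs(SAMPLE_LOGS))` returns one incident containing the three linked events and leaves the unrelated internal login failure out.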

Log file aggregation and correlation is an excellent strategy to minimize the exposure and mitigate ongoing damage that can be caused by intruders and the malware they introduce on your network. Automation is the key to building robust intrusion- and malware-detecting processes, but also remember that alerts will do no good if a human being doesn't pay attention to those warnings and act accordingly to protect digital assets. Your company is depending on it.

Copyright © 2015 IDG Communications, Inc.
