In his IT World Canada article, Robert Cordoray writes that log management is absolutely critical for IT security today. While plenty of companies make sure to invest in firewalls, anti-virus and other security solutions, log management solutions offer “real-time information about network users, equipment status, and miscellaneous threats” that you will have a more difficult time finding anywhere else.
There are many log management solutions available today, such as Splunk, LogRhythm, IBM QRadar, AlienVault and Rapid7 InsightOps, among others. Each solution has its own benefits and valuable features, which can make choosing the right solution for your company all the more daunting.
To help with this process, we have turned to the IT Central Station community for their advice. Here are six questions that our users commonly ask in their own searches for log management solutions.
1. “How much visibility does it offer to detect anomalies in my environment?”
For IT Central Station users, visibility is crucial when searching for a log management solution. When your solution can detect anything abnormal happening in your environment, it saves the company time and money in the long term.
James D., IT Director at MyEyeDr.
“It has improved our ability to research and detect anomalous behavior and activity within our network. It has really helped us in our ability to research active threats. We saw the threats when we implemented it, and we saw that we had all kinds of deficiencies in our network infrastructure that we were unaware of previously.”
Joshua B., Engineer, Infrastructure Applications at a healthcare company
“Imagine a single application with 17 application servers and dozens of log files per server that rotate as often as once per hour. How do you track and analyze anomalies in those log files with the ability to go back and correlate data for the past X weeks? That was the use case for just our team, not to mention the hundreds of other application teams.”
Michael M., IT Infrastructure Manager at a non-profit
“This has granted us visibility into anything changing in our environment. It enables us to satisfy that portion of our PCI requirements. Arguably more importantly, Change Tracker has given us greater visibility into what is changing within our system directories across the enterprise. This saves us significant time and money.”
Cyber Security Engineer at a recruiting/HR firm
“It also gives us a lot of almost "forensic" capabilities, because the agent itself monitors the entire system, from the registry all the way down to the file level. If there's anything malicious, or network connections, anything of that nature that's going on, you can do searches on them and it's beaconing back in real time.”
2. “Does it centralize the logs well?”
Centralization is another important factor for IT Central Station users who are looking to buy a log management solution. As many enterprise tech professionals have to manage logs for a large and complex environment, having all of the information in one place helps them conduct root cause analysis and risk assessment more quickly.
IS Manager at a financial services firm
“It has allowed us to centralize our logging. We had used previous products and found AlienVault centralized the logging for our security. Additionally, we are better able to meet our compliance needs.”
Horacio B., Senior System Administrator at a tech services company
“I have implemented QRadar in a big airline company, where they needed to get all their security information in one place. It helped in reducing the amount of time that was needed to evaluate the risk of every event. Configuring the alerts has never been easier; you just search for the event you think you need and start creating the rules that way.”
Ryan C., Information Security Analyst at a financial services firm
“It’s brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.”
Sylvian D., IT Coordinator
“The ability to browse logs from multiple sources at the same time really speeds up root cause analysis that involves more than one source, which is almost always the case.”
3. “How easy is it to use?”
As with many enterprise technology solutions, ease of use is pretty important when investing in a log management solution for your company. With log management specifically, our users write that ease of use has helped increase reporting quality, problem resolution and overall understanding of the product.
Amarnath P., Senior Solution Architect at a media company
“Given the ease of access to the information in a few clicks, the user base of the product has increased tremendously. As the word of mouth spread, the increased reachability of this for the performance reporting space within our organisation increased.”
Brian B., SYM Engineer Specialist at FIS
“I would give LogRhythm a 10 out of 10 just purely on the fact they are very helpful, very knowledgeable. The software is very easy to use. Easy to learn. I came into security with no knowledge of security or how to do anything, and within a year I'm an administrator of the software. So it's pretty good.”
Benson C., Information Security Analyst at Allegiance Air
“The benefits are that it's easy to navigate the UI and to get the information as quickly as possible. We're able to resolve problems quicker, so that we get to the solution in an easier manner.”
4. “What is my company looking to monitor?”
Another important suggestion from our users when choosing a log management solution is to determine what you are actually looking to monitor in advance. This will help you determine what will be the most cost-effective and
Cyber Security Engineer at a recruiting/HR firm
“Make sure you know what you're trying to monitor. Because one of the things that you can do, and I started doing it at the beginning myself, is have it ingest all the logs you give it. I mean, we have everything pointed at it and giving our alerts and our logs to it. And then I got to the point where I've got everything coming in, what do I need to monitor the most? So having a very well defined path for it, on exactly what you want to use it for. What you want to monitor, how you want your alerts to go. Just make sure you have a good starting point.”
SOC Manager at an energy/utilities company
“My advice, when they first implement the solution, they should make sure that they know what data source or log sources that they want to give to LogRhythm to do the correlations, because they cannot just simply dump all the log sources to LogRhythm. It will impact performance, so they will need to carefully choose the log sources first. Then, after that, they can move away to the correlation, the engine rules, and so on.”
Information Security Analyst at a transportation company
“Evaluate your network first. Determine the target audience that you will be monitoring and working on this tool. It is important to note whether your organization is looking for a compliance-based checkmark practice (defensive security), or active threat monitoring and out-of-the-box security posture.”
5. “How will I implement this tool?”
When investing in a log management solution, it is also helpful to determine in advance how you will implement it. Whether the vendor is doing the implementation or your company has an in-house team, a thought-out implementation plan will ensure that when you invest in a solution, you will be getting the most out of the product.
Director of Cyber Security at an insurance company
“Make sure you really understand all the requirements before you implement. I think the group that did this implementation didn't necessarily understand fully what we were going to use it for, so it was maybe designed for smaller things. So, you should really understand the requirements prior to stepping into it.”
Troy L., Specialist Master, Cyber Risk at a tech vendor
“Plan your implementation carefully. Be sure you have someone to implement it, someone who knows what he is doing. Splunk’s inherent flexibility is a great thing, but it also provides an opportunity to really mess things up.”
Paul G., Foundation Technology Specialist at an insurance company
“Use an experienced Splunk architect to design your infrastructure configuration. Ensure that your tech leads are intimately involved and understand exactly how the product fits together.”
6. “What do other people in my industry think about these tools?”
Aside from these initial questions, the IT Central Station community also recommends continuously searching for user feedback. Learning more about your colleagues’ personal experiences with a wide variety of log management solutions is invaluable, and will help give you the information that you need to ultimately invest in a solution for your company.