Yes, you heard that right, the boss said, “We need Log Management!” And he’s right but what does he mean? Isn’t that the horribly complex software that is only needed by huge corporations? And why is he saying it now? Did something happen?
Okay, breathe, it’s going to be all right. And you’re off on the right foot because you’ve started asking questions. In order to understand log management, let’s first get a definition in place for the data you’ll be managing. Every system, application, network appliance, mobile device, and other piece of machinery that we come in contact with every day generates log data. Splunk refers to this as “machine data.” This data lies at the heart of the log management and SIEM process. In order for devices to perform tasks, or for security events to be identified, we need machine data. Watch the Splunk video below to get a further grasp on this concept.
Now that we understand machine data, let’s go over the first steps to getting the log data that you’ll need to satisfy the boss’s requirements.
Step 1: The questions…
Before you do anything else in this process, you need definitive answers to some questions.
- Is there a specific business requirement that is driving this request? Maybe audit requirements. If so, there may be some limitations in place already that need to be understood.
- Do you have a log creation & retention policy? If not, then now is the right time to get one in place. This sets the baseline for all your teams when configuring new systems and ensures that when you get to a specific system, it’s ready.
- What systems need to be managed? The more detail you have for the systems you’ll be managing, the easier it will be to acquire their logs.
- Which systems have the most critical data? While nearly every system generates some sort of log, they are not of equal value. User authentication data is frequently the first data source brought into log management: it is well understood and relatively easy to acquire. But every business has different needs and approaches.
- Who needs access to the log management tool? Surprisingly, the answer to this question often isn’t as simple as it sounds. Yes, the security team will probably want access. But what about the server team? If their systems are supplying data, then you’ll want them involved. Same with your application team, the network team, etc. As the scope of the systems you’re managing expands, the scope of your user base should, too. This means that the tool you choose must be flexible enough to provide useful data to any team that needs it.
Getting these questions answered will undoubtedly lead to additional questions. Nonetheless, it’s important that you get this done before all else.
Step 2: The implementation!
With clear answers to the questions you’ve posed, you’re now prepared to begin the implementation. Here are some things to consider to ensure a solid implementation:
1. Stop! – Wait, the first step to getting started is to stop? Yes! It’s easy to get psyched up about the potential of all the data you’ve now learned about. But the reality is that each data source and type brings its own unique challenges. From data collection to interpretation, there is a lot of work to do as each system begins to deliver data. Take on each new system in methodical fashion, ensuring that you’ve got the data you expected and that it’s valid. Once each system has been thoroughly integrated, move on to the next one.
2. Communicate – As you integrate each new system, make sure that you keep the teams and stakeholders in the loop. Provide access to the system as early as possible and make sure that VIPs get the reports they’d want from the system. By keeping everyone up to date with the status, you’ll spend less time playing catch-up.
3. Train – Make sure that the people who are going to be responsible for using the tool have received adequate training. Log management tools have far more capability than most customers ever tap, but that doesn’t mean that you shouldn’t try. Make sure to look out for automation around alerts and reports that will reduce the workload.
4. Connect – Every day you should spend at least some time using the system. The data coming into this system is just as dynamic as the network that it’s monitoring. This means that as new systems get added, they need to be managed. Keep up with updates provided by the vendor to ensure you’re getting maximum value from the investment.
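As an added example (not code from the original post), here is one way to do the “got the data you expected and it’s valid” check from item 1 when onboarding a source: a small Python script run over constructed sample syslog-style lines that reports per-host event counts, lines that fail to parse, expected hosts that sent nothing, and hosts whose latest event is stale. The host names, timestamp format, staleness threshold and sample lines are all assumptions made for the illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of syslog-style lines as a collector might receive them
# while onboarding three hosts (not real data). One line is deliberately broken.
SAMPLE_LINES = """\
2024-03-01T10:00:01Z web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5
2024-03-01T10:00:07Z web01 sshd[1202]: Failed password for bob from 10.0.0.9
2024-03-01T10:01:15Z db01 postgres[330]: connection authorized: user=app
garbage line with no timestamp from db01
2024-03-01T09:10:00Z fw01 kernel: DROP IN=eth0 SRC=198.51.100.7
2024-03-01T10:02:30Z web01 sshd[1205]: Accepted password for carol from 10.0.0.6
""".splitlines()
EXPECTED_HOSTS = ["web01", "db01", "fw01", "app01"]   # app01 was onboarded but is silent
NOW = datetime(2024, 3, 1, 10, 5, 0)                  # assumed "current" time for the check

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")

def parse_line(line):
    """Return (timestamp, host) or None when the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return ts, m.group("host")

def validate_sources(lines, expected_hosts, now, stale_after=timedelta(minutes=30)):
    """Report per-host volume, unparseable lines, silent hosts and stale hosts."""
    counts = Counter()
    last_seen = {}
    unparsed = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1          # malformed or wrong-format line: investigate the source
            continue
        ts, host = parsed
        counts[host] += 1
        last_seen[host] = max(last_seen.get(host, ts), ts)
    return {
        "counts": dict(counts),
        "unparsed": unparsed,
        "missing": sorted(h for h in expected_hosts if h not in counts),
        "stale": sorted(h for h, ts in last_seen.items() if now - ts > stale_after),
    }
```

On the sample, the check flags app01 as missing, fw01 as stale and one unparseable line, which is exactly the kind of result to resolve before moving on to the next system.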
Now, get going – the boss wants Log Management.