KÜRT – Data Recovery and Information Security

Log and event analysis

Why do we need correlation log analysis?
Would you like your IT-supported business processes to operate at maximum availability?
Would you like to prevent unexpected system failures and IT meltdowns? Would you like to measure IT performance, the return on IT investments and the effectiveness of IT services? Would you like to detect those harmful programmes that have sneaked into the system “under the radar” as soon as possible? Would you like the ability to react to hacking attempts immediately?
All executives would probably answer  “yes” to the above questions. However, not all of them know where to look for the solution.

Log and event analysis monitors the processes taking place in the IT systems, analyses them in their particular context, then compiles reports on the results and makes recommendations regarding solutions. The problem with classic log analysis is that the events not recorded in logs are not registered at all, and therefore they are not processed either, which means that many incidents remain undetected due to a lack of information. Under our methodology the source data for log and event analysis is provided not only by the log files, but also by the system monitoring tools through the intrusion detection (IDS/IPS), the database and application audit systems, which makes for considerably more accurate and comprehensive analysis and incident management. We monitor the events generated by these systems and compare them in the same timeframe. If we identify a conspicuous incident based on a comparison of the events, we analyse it and include the result in the report.

Efficient, centralised fault tracking and detection
When running complex applications, network, system and application operation staff, and development teams, often make decisions that impact the operations of other departments, based on incomplete information. Centralised real-time log and event acquisition not only eases error tracking, but also accelerates the process of identifying and eliminating the underlying fault. Operating costs can be materially reduced by the centrally processed and immediately available events.

Legal and sector-specific compliance
The banking, financial, healthcare and industrial sectors are subject to continuous external and internal controls. Transparent IT operation is not only a prerequisite for passing periodic external and internal audits, but is also a basic requirement for achieving sustainable and efficient business operation. The regulatory and legal requirements are diverse, so there are also various means of achieving compliance. With customised log analysis IT operations can be monitored continuously, while comprehensive support for a wide range of standards (SOX, PCI DSS, HIPAA, FISMA, NERC CIP) consistently ensures the conditions necessary for compliance, and the mitigation of risks.

Comprehensive system supervision
 Making use of a variety of data, alerts and information gathered from heterogeneous sources and IT systems, both minor and major changes occurring in the system can be detected and verified, thereby promoting accurate and efficient change management.

The human brain finds it easier to process visual data too; the display of incoming raw data in the form of charts considerably accelerates and eases comprehension, which helps to speed up the process of formulating a response to the problem.

Supervision of administrators
The most complicated area of control is the administrators’ activity, since they have unlimited access rights and without proper supervision can effectively access anything without any controls on their activities. The supervision and auditing of their activity is of key importance to most organisations; however, the implementation thereof requires major technological development, and is often met with stiff resistance.

Supervision of super users
The key super users at companies have access to the most critical files, statements and resources. The detailed tracking of access and changes to these resources, and the cause and effect relationships between events, is not possible without the proper controls and technology.

Enhancing security
Upon detecting and inspecting an incident it is essential to collect as many items of information as possible within the shortest time. It often subsequently transpires that the needed information is missing or incomplete, which frustrates detection, leaving the incident unexplored.

Detection and investigation of unexpected events
 A substantial proportion of the events occurring in our network does not serve standard operation, and in fact may even hinder it. Unfortunately the “out of sight, out of mind” approach is especially harmful in this case, since an absence of centralised monitoring functions could easily result in a failure to detect events signalling virus activity, undesired user traffic, deliberate attacks targeting our website or critical business applications, which could in turn lead to severe financial losses.

Almost all business decision-makers face the above problems in connection with unexpected system failures, delays in troubleshooting, control audits or changes in personnel. The introduction a central log management system also facilitates the prevention and remedy of numerous other problems besides those listed above. This makes it an essential component of any modern IT system.

Printable version