Relatively few organizations are making good use of gobs of log data they collect for purposes such as identifying attackers, according to a survey of 600-plus IT professionals by security outfit SANS.
According to the SANS Analyst Program survey on log and event management, "Sorting through the Noise," 22 percent of respondents use a security information and event manager (SIEM) to collect and analyze data, while 58 percent use log-management systems, and the remainder rely on other means. Most respondents said one of the main reasons to collect logs is for the purpose of regulatory compliance, though 9 percent discounted the importance of that.
As in previous years that SANS has done this type of survey, virtually all the respondents said that "detecting and tracking suspicious behavior was important." But according to SANS, there's evidence that insufficient time is being spent in actually analyzing the collected log data.
"The data suggests that respondents are having difficulty separating normal traffic from suspicious traffic," said Jerry Shenk, author of the SANS report. "They need advanced correlation and analysis capabilities to shut out the noise and get the actionable information they need. But first they need to get more familiar with their logs and baseline what is normal."
The key issues in log analysis were cited as "indication of key events from normal background activity" and "correlation of information from multiple sources." According to the survey, organizations are typically collecting log data from Windows and Unix-type servers, security devices, network equipment such as switches and routers, intrusion-detection systems, antivirus and other security applications, and virtualized servers and hypervisors, as well as desktops and laptops.
Organizations want to detect suspicious activity, but when the IT professionals were asked how much time they normally spend on log-data analysis, the largest group (35 percent) replied, "none to a few hours per week." As for the rest, 18 percent didn't know, 11 percent said one day per week, 2 percent outsourced this task to a managed security service provider, and 24 percent defined it as "integrated into normal workflow." The SANS survey report, which observes that overall analysis time actually seems down from last year, noted that about 50 percent of the smaller organizations spent zero to just a few hours analyzing logs.