Collect - The first step is to collect event logs. Every device, system and application produces log data. The amount of information and data is growing exponentially. Collection and normalization of unstructured data sets is the primary step in creating an effective log management system.
Filter - Second, filter the relevant data for the respective analyses. Logs can be sorted by their content and various other parameters. Selecting the relevant log data can be done before it is loaded into the SIEM or SIM solution; reducing the volume the SIEM or SIM has to process lowers costs and improves performance.
Distribute - When transferring and distributing logs we need to be sure that the solution is reliable and that the transfer and distribution happen in a secure way. This means no logs can be accessed by third parties and no logs can get lost during transfers. On the server side, the solution needs to be scalable so it can handle high volumes of log processing. Remember that you can only analyze a situation correctly when you have all the relevant data needed.
Store - Finally, you need to store all of your logs in some sort of database. Storage of logs can be dependent on compliance regulations such as PCI DSS, HIPAA, and SOX. Logs need to be stored securely: encrypted, compressed, indexed, and time stamped. Additionally, authorized personnel have to be able to search, analyze and report on the data. Data retention is necessary for forensic investigations after a cyber attack.
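The four steps above (collect, filter, distribute, store) as one small pipeline, written here as an added example rather than code from the original page or from any product it describes. It normalizes two constructed log formats (syslog-style sshd lines and web-server access lines) into a common schema, keeps only security-relevant events before they would reach a SIEM, and stores them as a gzip-compressed, time-stamped, hash-chained record file with a simple search index. The regular expressions, field names, relevance rule and file path are assumptions chosen for the example; the sample log lines are constructed, not real data.

```python
import gzip
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime, timezone

# Constructed sample of raw, unstructured log lines from two sources; not real data.
RAW_LOGS = [
    "Mar 10 12:00:01 host1 sshd[1234]: Failed password for root from 203.0.113.5 port 5555 ssh2",
    "Mar 10 12:00:02 host1 sshd[1234]: Accepted password for alice from 198.51.100.7 port 5556 ssh2",
    '198.51.100.7 - - [10/Mar/2024:12:00:03 +0000] "GET /login HTTP/1.1" 200 512',
    "Mar 10 12:00:04 host1 CRON[999]: (root) CMD (run-parts /etc/cron.hourly)",
    '203.0.113.5 - - [10/Mar/2024:12:00:05 +0000] "GET /admin HTTP/1.1" 403 0',
]

# Assumed formats: classic BSD syslog and Common Log Format (assumption, not a standard parser).
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)$')

DEFAULT_PATH = os.path.join(tempfile.gettempdir(), "example_events.jsonl.gz")  # assumed location


def normalize(line):
    """Collect step: map one raw line onto a common event schema; None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"source": "syslog", "host": m["host"], "program": m["prog"].strip(),
                "message": m["msg"], "raw": line}
    m = ACCESS_RE.match(line)
    if m:
        return {"source": "http", "client_ip": m["ip"], "method": m["method"],
                "path": m["path"], "status": int(m["status"]), "raw": line}
    return None


def is_relevant(event):
    """Filter step: keep authentication events and HTTP errors; drop routine noise (assumed rule)."""
    if event["source"] == "syslog":
        return event["program"] == "sshd"
    return event["status"] >= 400


def store(events, path=DEFAULT_PATH):
    """Store step: write time-stamped, hash-chained JSON lines into a gzip file.

    Each record carries the SHA-256 of the previous record, so deleting or altering a
    record breaks the chain. Returns (index, head_hash); index maps "field=value" to
    record numbers so stored data can be searched, head_hash is the last record's hash
    and must be kept separately (e.g. on the collector) to detect truncation.
    """
    prev = "0" * 64
    index = {}
    bodies = []
    for n, ev in enumerate(events):
        rec = dict(ev)
        rec["stored_at"] = datetime.now(timezone.utc).isoformat()
        rec["prev_hash"] = prev
        body = json.dumps(rec, sort_keys=True)
        prev = hashlib.sha256(body.encode()).hexdigest()
        bodies.append(body)
        for key in ("host", "client_ip", "program"):
            if key in rec:
                index.setdefault(f"{key}={rec[key]}", []).append(n)
    with gzip.open(path, "wt") as f:  # compressed at rest
        for body in bodies:
            f.write(body + "\n")
    return index, prev


def verify_chain(path=DEFAULT_PATH, head_hash=None):
    """Recompute the chain; True only if every link matches and the file ends at head_hash."""
    prev = "0" * 64
    with gzip.open(path, "rt") as f:
        for line in f:
            rec = json.loads(line)
            if rec["prev_hash"] != prev:
                return False
            prev = hashlib.sha256(line.rstrip("\n").encode()).hexdigest()
    return head_hash is None or prev == head_hash


def run_pipeline(raw_lines=RAW_LOGS, path=DEFAULT_PATH):
    """Collect -> filter -> store; returns the kept events, the search index and the head hash."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    kept = [e for e in events if is_relevant(e)]
    index, head = store(kept, path)
    return kept, index, head


if __name__ == "__main__":
    kept, index, head = run_pipeline()
    print(len(kept), "relevant events stored; chain valid:", verify_chain(DEFAULT_PATH, head))
```

The "distribute" step is represented only by the head hash handed back to the caller: in a real deployment the collector ships records over an authenticated, encrypted channel and keeps the head hash so the storage tier cannot silently drop the tail of the file.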
need several weeks to discover breaches
Alert - Set alerts for critical events that will alarm the information security personnel of suspicious activities. These automated analyses will immediately inform the authorized person about possible issues.
Track Incidents - Actions that follow an alarm have to be documented. That way, you will get a history of incident management activities and responses. This function will contribute to your tracking, audit and reporting needs.
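The alerting and incident-tracking functions just described, as an added example (not code from the original page or from any product it describes). It runs a sliding-window threshold rule over constructed, already-normalized events, fires one alert per source once the threshold is reached, and records every follow-up action against the resulting incident with a time stamp and actor, so the response history is available for audit and reporting. The event schema, the rule (5 authentication failures from one address within 60 seconds) and the incident fields are assumptions made for the example; the events are constructed, not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed normalized events (as the collection step would produce); not real data.
EVENTS = [
    {"ts": "2024-03-10T11:30:00", "type": "auth_failure", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:01", "type": "auth_failure", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:05", "type": "auth_failure", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:07", "type": "auth_failure", "user": "bob", "src_ip": "198.51.100.7"},
    {"ts": "2024-03-10T12:00:10", "type": "auth_failure", "user": "admin", "src_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:15", "type": "auth_failure", "user": "admin", "src_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:20", "type": "auth_failure", "user": "root", "src_ip": "203.0.113.5"},
    {"ts": "2024-03-10T12:00:25", "type": "auth_success", "user": "alice", "src_ip": "198.51.100.7"},
]

# Assumed rule set: event type -> how many events from one source within the window trigger an alert.
ALERT_RULES = {"auth_failure": {"threshold": 5, "window_seconds": 60}}


def detect(events, rules=ALERT_RULES):
    """Alert step: sliding-window count per (event type, source IP); one alert per key."""
    alerts = []
    windows = defaultdict(list)   # key -> timestamps inside the current window
    fired = set()                 # keys that already produced an alert (avoid alert storms)
    for ev in sorted(events, key=lambda e: e["ts"]):
        rule = rules.get(ev["type"])
        if rule is None:
            continue
        key = (ev["type"], ev["src_ip"])
        now = datetime.fromisoformat(ev["ts"])
        win = windows[key]
        win.append(now)
        cutoff = now - timedelta(seconds=rule["window_seconds"])
        while win and win[0] < cutoff:   # drop events that fell out of the window
            win.pop(0)
        if len(win) >= rule["threshold"] and key not in fired:
            fired.add(key)
            alerts.append({"rule": ev["type"], "src_ip": ev["src_ip"], "count": len(win),
                           "first_seen": win[0].isoformat(), "last_seen": now.isoformat()})
    return alerts


class Incident:
    """Track Incidents step: an append-only, time-stamped history of actions taken on one alert."""

    def __init__(self, alert, opened_by):
        self.alert = alert
        self.status = "open"
        self.actions = []
        self.log(opened_by, "incident opened from alert")

    def log(self, actor, action, when=None):
        when = when or datetime.now(timezone.utc)
        self.actions.append({"when": when.isoformat(), "actor": actor, "action": action})

    def close(self, actor, resolution):
        self.log(actor, "closed: " + resolution)
        self.status = "closed"

    def report(self):
        """Flat record suitable for audit and reporting."""
        return {"alert": self.alert, "status": self.status, "actions": list(self.actions)}


def run_demo(events=EVENTS):
    """Raise alerts, open one incident per alert and record an example response history."""
    alerts = detect(events)
    incidents = [Incident(a, opened_by="siem") for a in alerts]
    for inc in incidents:
        inc.log("analyst", "reviewed source address and affected accounts")
        inc.close("analyst", "repeated failures, no successful login observed")
    return alerts, [inc.report() for inc in incidents]


if __name__ == "__main__":
    for a in detect(EVENTS):
        print("ALERT", a)
```

The 11:30 failure is deliberately outside the 60-second window, so the example shows the window sliding: it is discarded and the count reaches five only with the 12:00:20 event. The single address with one failure never alerts, and the `fired` set keeps a noisy source from generating a new alert on every subsequent event.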
Monitor Threats - Monitor your systems for known and unknown threats. Having insight into affected assets, the vulnerability of certain IT assets and contextual information will help you search for suspicious activity.
Audit for Compliance - A growing number of sectors have to comply with certain regulatory requirements. Reports on these compliance requirements will help you save time and resources.
Customize Reports - Custom-made reports are useful in every environment. As every department has different key issues and various interests, custom-made reports should be available to visualize these topics.