SecureVue: Log Management

Log management is the function of having hosts, devices and applications forward event messages to a syslog or event log manager for collection in a central repository and subsequent analysis to assist in security operations, investigations and compliance reporting. SecureVue can collect log data from virtually all network devices and allow correlation profiles and corresponding alerts to be configured on this live event data. This allows security administrators to take corrective actions to safeguard networks in the fastest, most efficient manner.

Challenges for Log Management
You may have been led to believe the volume of data and associated storage costs, collecting nonstandard log data from devices, performance scalability and quality reporting are the key challenges driving organizations to look at log management solutions. While these issues are clearly areas of concern, the real challenge for log management is one of TIMELINESS. Current generation log management solutions have proven inadequate for detecting and preventing many security breaches in a timely fashion, such as with the now-famous TJX and Hannaford network breaches.

To remain undetected once they have compromised an organization’s systems, attackers employ “low and slow” attacks designed to evade detection by existing defenses such as IPS and device-level security. Timely detection of these attacks is elusive for log management systems because it requires the real-time collection and correlation of multiple sources of data: log, asset, configuration, vulnerability, performance and network flow data each reveal a different aspect of the attack. The following table outlines typical steps in a “low and slow” attack and the data source that most effectively reveals the attacker’s true intention at each step.

A Typical “Low and Slow” Attack (attack step: attacker action; action revealed in)

1. Probe: runs port scans seeking targets with known vulnerabilities. Revealed in: log data.

2. ID entry point: identifies a target system with a known vulnerability. Revealed in: log data.

3. Access: brute-forces access to the system, with multiple failed logins preceding the successful login. Revealed in: log data.

4. Admin privilege: escalates to Admin/Root or creates a new account with Admin privilege. Revealed in: asset data.

5. Config change: disables logging. Revealed in: configuration data.

6. Exploit vulnerability: exploits a known vulnerability (for example with a buffer overflow), which spikes the system’s performance metrics. Revealed in: vulnerability and performance data.

7. Rogue app: installs a back door on the system. Revealed in: asset data.

8. Data theft: steals confidential data. Revealed in: flow data.

As shown above, log data helps reveal suspicious behavior in the initial attack steps, such as the scan for vulnerabilities and the failed login attempts. However, the same log data also contains tens of thousands of routine, harmless scans and the failed logins of authorized users, mixed in with records of other legitimate activity. Thus, while log data is an essential data source for detecting attacks, only the correlation of log data with the other data sources effectively separates real threats from this noise in a timely manner. Log data by itself is insufficient for targeted, efficient and timely security incident detection.
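The following is an added example, written for this page rather than taken from SecureVue or any eIQnetworks code, that runs the correlation argument above over constructed sample data. A log-only brute-force rule (N failed logins then a success) fires both on a legitimate user mistyping a password on hr01 and on the attacker on db01; only when the asset, configuration, vulnerability, performance and flow feeds are mapped onto the stages of the table and tied to one host within a time window does db01 stand out. The host names, IP addresses, log format, event schemas and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# All sample data below is constructed for this example; it is not output of any real device or product.
ASSETS = {"db01": "10.0.0.25", "hr01": "10.0.0.40"}   # asset inventory: hostname -> IP
SYSLOG = """\
2024-03-01T02:00:05 fw01 ids: portscan src=203.0.113.9 dst=10.0.0.25 ports=22,445,3389
2024-03-01T08:15:01 hr01 sshd: Failed password for alice from 10.0.0.7
2024-03-01T08:15:09 hr01 sshd: Failed password for alice from 10.0.0.7
2024-03-01T08:15:20 hr01 sshd: Failed password for alice from 10.0.0.7
2024-03-01T08:15:31 hr01 sshd: Accepted password for alice from 10.0.0.7
2024-03-01T23:40:02 db01 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-01T23:40:03 db01 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-01T23:40:04 db01 sshd: Failed password for svc_backup from 203.0.113.9
2024-03-01T23:40:06 db01 sshd: Accepted password for svc_backup from 203.0.113.9
"""
ASSET_EVENTS = [   # diffs between periodic asset inventories
    {"ts": "2024-03-01T23:45:00", "host": "db01", "change": "new_admin_account", "detail": "backup2 added to sudo"},
    {"ts": "2024-03-02T00:30:00", "host": "db01", "change": "new_listener", "detail": "unknown binary on tcp/4444"},
]
CONFIG_EVENTS = [{"ts": "2024-03-01T23:50:00", "host": "db01", "setting": "remote_syslog", "value": "disabled"}]
VULN_FINDINGS = [{"host": "db01", "service": "backup-agent", "severity": "high"}]   # last vulnerability scan
PERF_EVENTS = [{"ts": "2024-03-02T00:05:00", "host": "db01", "metric": "cpu_pct", "value": 98}]
FLOW_RECORDS = [   # exported network flows
    {"ts": "2024-03-02T01:10:00", "src": "10.0.0.25", "dst": "198.51.100.77", "bytes": 2_400_000_000},
    {"ts": "2024-03-01T12:00:00", "src": "10.0.0.40", "dst": "10.0.0.5", "bytes": 50_000_000},
]

# Chain stages in attack order; table steps 1 and 2 both surface as scan lines, so they share "probe".
STAGES = ["probe", "access", "privilege", "config_change", "exploit", "rogue_app", "data_theft"]
ASSET_STAGE = {"new_admin_account": "privilege", "new_listener": "rogue_app"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")   # "<timestamp> <host> <program>: <message>"

def parse_syslog(text):
    """Split '<timestamp> <host> <program>: <message>' lines into dicts (timestamps kept as ISO strings)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append(dict(zip(("ts", "host", "prog", "msg"), m.groups())))
    return out

def log_only_alerts(syslog_text, min_failures=3):
    """Log-only rule: N failures then a success from one source; returns host -> success time."""
    failures, hits = defaultdict(int), {}
    for ev in parse_syslog(syslog_text):
        m = re.match(r"(Failed|Accepted) password for \S+ from (\S+)", ev["msg"])
        if not m:
            continue
        key = (ev["host"], m.group(2))
        if m.group(1) == "Failed":
            failures[key] += 1
            continue
        if failures[key] >= min_failures:
            hits.setdefault(ev["host"], ev["ts"])
        failures[key] = 0
    return hits

def correlate(syslog_text, assets, asset_events, config_events, vuln_findings, perf_events, flows,
              window=timedelta(hours=24), exfil_bytes=1_000_000_000):
    """Map each data source onto a chain stage per host; keep stages within `window` of the first one.
    Returns host -> list of observed stages in attack order."""
    ip_to_host = {ip: host for host, ip in assets.items()}
    seen = defaultdict(dict)   # host -> {stage: timestamp of first sighting}
    for ev in parse_syslog(syslog_text):                        # log data: scans against known assets
        m = re.match(r"portscan src=\S+ dst=(\S+)", ev["msg"])
        if m and m.group(1) in ip_to_host:
            seen[ip_to_host[m.group(1)]].setdefault("probe", ev["ts"])
    for host, ts in log_only_alerts(syslog_text).items():       # log data: brute-forced login
        seen[host].setdefault("access", ts)
    for e in asset_events:                                      # asset data: new admin, new listener
        if e["change"] in ASSET_STAGE:
            seen[e["host"]].setdefault(ASSET_STAGE[e["change"]], e["ts"])
    for e in config_events:                                     # configuration data: logging turned off
        if e["setting"] == "remote_syslog" and e["value"] == "disabled":
            seen[e["host"]].setdefault("config_change", e["ts"])
    vulnerable = {v["host"] for v in vuln_findings if v["severity"] in ("high", "critical")}
    for e in perf_events:                                       # vulnerability + performance data
        if e["host"] in vulnerable and e["metric"] == "cpu_pct" and e["value"] >= 90:
            seen[e["host"]].setdefault("exploit", e["ts"])
    for f in flows:                                             # flow data: bulk transfer leaving 10/8
        host = ip_to_host.get(f["src"])
        if host and f["bytes"] >= exfil_bytes and not f["dst"].startswith("10."):
            seen[host].setdefault("data_theft", f["ts"])
    result = {}
    for host, stages in seen.items():
        times = {s: datetime.fromisoformat(t) for s, t in stages.items()}
        start = min(times.values())
        result[host] = [s for s in STAGES if s in times and times[s] - start <= window]
    return result

def alerts(correlated, min_stages=4):
    """Alert only where several independent sources agree on a chain for one host."""
    return {host for host, stages in correlated.items() if len(stages) >= min_stages}

def run_example():
    corr = correlate(SYSLOG, ASSETS, ASSET_EVENTS, CONFIG_EVENTS, VULN_FINDINGS, PERF_EVENTS, FLOW_RECORDS)
    return sorted(log_only_alerts(SYSLOG)), corr, alerts(corr)
```

Calling `run_example()` returns the log-only hits (both db01 and hr01), the correlated chains (all seven stages for db01, only "access" for hr01) and the multi-source alert set (db01 alone). The stage thresholds are deliberately simple; the point is the shape of the logic: each feed contributes one stage, the stages are keyed to the same asset, and the alert fires on agreement across feeds rather than on any single noisy signal.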

Log Management Using SecureVue
SecureVue is designed from the ground up to collect and correlate all of this data automatically, 24x7, in real time. First-generation log management products require additional products and/or modules on top of, but separate from, their log management offering, at extra cost to the customer. That is, these components are “bolted on” to the core log management solution rather than being tightly integrated into the original architecture of the security management platform.

This integrated architecture boosts operational efficiency while reducing management complexity, and it delivers two fundamental benefits:

  • More timely and relevant detection of security incidents such as “low and slow” attacks

  • More robust compliance monitoring and auditing based on comprehensive network-wide, real-time data

To complement these benefits, SecureVue addresses other common log management challenges with:

  • Fast forensic analysis through high-performance log processing, end-to-end correlation, QuickVue™ to drill down on target nodes, and quickly generated, out-of-the-box reports

  • A GUI-based Universal Parser that, along with auto-discovery, makes adding new network nodes with nonstandard log formats a snap by providing an easy mechanism to collect and parse data from unsupported nodes and applications

  • Centralized archival with patent-pending data compression, encryption and archiving capabilities, achieving a market-leading 15:1 compression ratio

  • Data integrity that preserves a clean record of all logs by encrypting both raw logs and normalized data, intended to provide evidence that will stand up in court (encryption protects the confidentiality of the archive; a record that must also prove it has not been altered needs an integrity mechanism, such as a keyed hash or signature over the stored records, alongside it)

  • High performance architecture with linear scaling ensuring SecureVue can meet the event management and GRC demands of even the largest enterprises

  • A single user interface and customizable dashboard to ensure the NOC, SOC and Audit teams all work collaboratively off the same data set, while meeting each team’s unique needs
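The following is an added example, written for this page and not SecureVue’s patent-pending archival format, showing the integrity half of the compression/encryption/archiving bullets above: records that keep both the raw line and its normalized fields are written to a gzip-compressed archive, and an HMAC chain (each tag keyed and bound to the previous tag) is stored beside it so that editing, reordering or deleting any archived record is detected and located. Encryption of the archive at rest is not shown because the Python standard library has no authenticated cipher; the key, firewall log format and field names are assumptions for the example, and the compression ratio it measures depends entirely on the sample data rather than reproducing the 15:1 figure.

```python
import gzip, hashlib, hmac, json, re

# Constructed key and log lines for this example; not a real key and not output of any real device.
ARCHIVE_KEY = b"example-archive-hmac-key-not-for-production"
FW_LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) kernel: (?P<action>\S+) .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dpt>\d+)")

def normalize(raw):
    """Pull the fields a correlation rule would query out of a firewall line; keep the raw line alongside."""
    m = FW_LINE.match(raw)
    return {"raw": raw, "normalized": m.groupdict() if m else {}}

def chain_tag(prev_tag, record, key=ARCHIVE_KEY):
    """HMAC over the canonical record, chained to the previous tag so reordering or deletion breaks the chain."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + body, hashlib.sha256).digest()

def seal(records, key=ARCHIVE_KEY):
    """One tag per record; tags live beside (not inside) the compressed archive."""
    tags, prev = [], b"\x00" * 32
    for rec in records:
        prev = chain_tag(prev, rec, key)
        tags.append(prev)
    return tags

def write_archive(records):
    return gzip.compress(json.dumps(records).encode())

def verify_archive(blob, tags, key=ARCHIVE_KEY):
    """Return the index of the first record whose chain tag fails, or None if the archive is intact."""
    records = json.loads(gzip.decompress(blob))
    prev = b"\x00" * 32
    for i, rec in enumerate(records):
        if i >= len(tags):
            return i                              # record appended without the key
        expected = chain_tag(prev, rec, key)
        if not hmac.compare_digest(expected, tags[i]):
            return i                              # modified, reordered, or an earlier record deleted
        prev = expected
    return None if len(records) == len(tags) else len(records)   # trailing records removed

def tamper_record(blob, index):
    """Simulate an intruder editing one archived line without access to the key."""
    records = json.loads(gzip.decompress(blob))
    records[index]["raw"] = records[index]["raw"].replace("DROP", "ACCEPT")
    records[index]["normalized"]["action"] = "ACCEPT"
    return write_archive(records)

def build_example_archive(n=200):
    lines = [f"2024-03-01T10:{i // 60:02d}:{i % 60:02d} fw01 kernel: DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 "
             f"SRC=203.0.113.{i % 20} DST=10.0.0.25 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP "
             f"SPT={51000 + i} DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0" for i in range(n)]
    records = [normalize(line) for line in lines]
    blob = write_archive(records)
    ratio = len("\n".join(lines).encode()) / len(blob)   # raw bytes vs archived bytes; data-dependent
    return {"blob": blob, "tags": seal(records), "ratio": ratio}
```

`build_example_archive()` returns the archive, its tag chain and the measured ratio; `verify_archive` on the untouched archive returns None, and after `tamper_record(blob, 3)` it returns 3. Keeping the tags outside the compressed archive matters for the ratio: HMAC output is incompressible, so storing it inline would drag the ratio down, while a separate manifest costs a fixed 32 bytes per record.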

Discover why Network World wrote, “eIQnetworks has the broadest range of capabilities we have seen in one integrated product”. Download whitepapers, datasheets, case studies and more from the eIQ Resource Center today.

When you are ready, don’t hesitate to test drive a free evaluation copy of SecureVue to see how it can simplify management, boost efficiency, and enable easy audit reporting for your organization.