Intelligent Log Analysis May Beef up Security

The massive job cuts caused by the recession will pose a huge threat to enterprise security because insider attacks, like disgruntled former employees, account for half of data breaches. Log monitoring and analysis tools provide poor protection from internal breaches because analyzing their reports is a tedious process, experts say.

LogRhythm may have solved this problem by adding the Intelligent IT Search feature to its log management tool. This automatically classifies and tags log entries for easy searching, conducts risk modeling and prioritizes sensitive issues, and puts a universal time stamp on all activities to make them easier to monitor.

Those features will make searches easier, which may help system administrators more rapidly detect breaches through searching the logs. According to the 2008 Verizon (NYSE: VZ) Business Data Breach Investigations Report, which covered a four-year time span, event monitoring or log analysis detected only four percent of breaches.

The technology is sound, and adoption rates have been high for some time, the Verizon report said. “In 82 percent of cases, the victim possessed the ability to discover the breach had they been more diligent in monitoring and analyzing event-related information available to them at the time of the incident. The breakdown is in the process.”

And that process is tedious. Few IT administrators have the time to read logs frequently and look for unusual data activity, Prat Moghe, Tizor Systems’ founder and chief technology officer, said in an article in Compliance Week. According to him, one retailer had an IT staffer spending six hours a day to look through logs.

But the winds of change are sweeping through the log management tools industry.

New capabilities emerging

“Log management tools were used more for compliance than security, but that’s starting to change,” Adrian Lane, senior security strategist at security consultants Securosis told That’s because vendors such as LogRhythm are bringing out new features that make their tools more proactive.

Lane thinks LogRhythm is moving in the right direction. “The ability to weight events so that both the processing and reporting are prioritized, and having log files that are searchable and queryable in a standardized way is very helpful to security and compliance professionals alike.”

Another functionality LogRhythm’s new feature offers is the ability to instantly query all audit events such as modifications to a user’s access and authentication privileges linked to a network login account during a specific period of time, thus spotting any breaches in real time.

“This lets systems administrators get all the logs of that user’s activities, his activities at a particular time of day and the system’s activities at that time,” Chris Petersen, LogRhythm co-founder and chief technology officer, told

The results are served up in 3-D graphs or charts. “We’re great believers in visualization to help users digest the information they get,” Petersen said.

All log data is stamped with a UTC , or coordinated universal time, code. UTC is a time standard based on International Atomic Time. This provides a holistic view of events throughout the enterprise at any point in time which is critical for search and correlation because, in a large deployment, system monitors are collecting data from process servers, routers and servers in different time zones, Petersen said.

Administrators can initiate searches directly from any screen using the LogRhythm Quick Search tool bar. LogRhythm offers wizard-based search capabilities.

Another critical feature is contextualization. Often, log messages will contain information about two hosts and two IP addresses, Petersen said. LogRhythm’s tool will indicate which is the server and which the client, or which the attacker and which the target, making it easier to home in on the attacker.

“Being able to collect and analyze data faster will allow these tools to move more to the frontline as security and detection tools,” Securosis’s Lane said. “But are customers going to perceive them that way? Only time will tell.”

News Around the Web