The Importance of Log Management
Automated analysis of logs in near real time can detect data breaches in progress. Forensic analysis of logs after the breach has occurred can trace the breach back to its source and trace it forward to the other systems that were compromised.
Limitations of Log Management
Log management is effective as a security control only to the extent that complete log data is gathered, aggregated, consolidated and analyzed throughout the entire organization, across each and every device in the network. Collecting this log data can use significant WAN bandwidth and disk storage.
A skilled attacker in certain situations will have the
ability to clear his presence from the log files in order to prevent forensic detection.
Vidder's Recommendations for Deploying Log Management
Vidder strongly recommends logging all security-related events on all hardware devices and software applications. These logs should be forwarded to a SIEM and stored in an encrypted format (see Vidder's recommendations for SIEM for other suggestions).
However, companies should not rely solely on automated log analysis. Rather, servers containing highly confidential data should have their logs analyzed manually on a regular basis.