Centralized Log Management and a Successful 2021

With 2020 dominated by a global pandemic, organizations expedited their digital transformation strategies. (According to TechFirst podcast, COVID19 accelerated digital transformation by an average of 6 years.) One of the most significant changes was the rapid move to a remote workforce. This required stopgap measures to keep the business running. While these measures met the company’s immediate needs, the measures also introduced anticipated and unanticipated issues.

Collecting log data continues regardless of where you are working.  In fact, compared to the office, remote work generates logs on security access points, remote access, server logs, terminal services, and application logging. The volume of logs increased, sometimes significantly, with the introduction of technology required to ensure that performance, availability, and security stayed as normal as possible in an abnormal year.

PwC survey published in June 2020 found that 83% of employees want to work remotely at least once a week and that 55% of employers anticipate their employees will do so even after the pandemic. This means that the WFH status quo will remain in place, and the post-COVID-19 workforce will most likely be a hybrid version of the remote workforce from 2020 and early 2021.

CENTRALIZED LOG MANAGEMENT IN 2021

Now more than ever, centralized log management is a foundational must-have in your IT stack. Logs are fundamental to any IT operations or security program because they tell you everything from who’s doing what to what’s connecting where. All this information can make it harder to see patterns, so placing them all in a single location greatly simplifies their use.

The good news is that with a new year comes a new opportunity. To make the most of this and get value out of your centralized log management solution, Graylog’s experts have identified key areas that you can improve so that you can work faster, mitigate risk, and manage documentation for the new normal WFH and the future hybrid version of WFH and in the office.

As a leading centralized log management solution, Graylog offers various capabilities for companies looking to clean up their log management processes in the new year. Whether you choose our open source or enterprise offering, we have the tools you need to seamlessly connect, enhance, store, and analyze log data.

With this in mind, we worked with our experts to offer some high-level suggestions for getting started streamlining your log management processes.

MAKE ACTIVITIES MORE EFFICIENT WITH SEARCH

Search is the heart of Graylog. This is where everything begins. Graylog’s robust architecture gives you the ability to perform full-text search queries across millions of log messages in milliseconds. Similar to a web-based query builder, you select the fields you want to be returned, use standard boolean operators to create your search, and specify how you want the data returned: raw data, aggregated data, count, or chart. This makes searching straightforward and easy, which was a boon for IT teams saddled with managing the increase in logs over the course of 2020.

According to our experts, if you haven’t already, review your log management needs in light of what you learned last year and the new normal we’re facing in the coming year. Next, you’ll want to review your saved searches and decide what you can use now, what you need to update, and most importantly, what you need to run regularly.

The next step is to create a library of search templates. Graylog makes this easy by providing search parameters for search queries that require defining a value multiple times. Using a single or multiple input parameters, you can initiate common analyses and visualize the data in a large variety of charts and formats so you can quickly find and resolve issues, threats, outages, and tech support help requests. For example, if you need to track in real-time user logins and associated activities, you can create a search and include input parameters specific to what you’re seeking and then save it as a template. (You can also export the results to a report or dashboard.) By saving parameterized searches, you can create a library of search templates that everyone can work from.

While many benefits come with the library of search templates (e.g., streamlined operation, empowered junior members of the team, performance, and availability), the ability to fire up a search template is key to faster threat hunting.

STREAMLINE THREAT HUNTING FOR ENHANCED DETECTION AND RESPONSE

Most security professionals agree: a data security incident is not a matter of “if” but of “when.” With that in mind, it’s important to make sure that you reduce the time malicious actors spend in your IT infrastructure to reduce the data incident costs.

Centralized log management solutions give you the tools necessary to detect incidents, locate weaknesses, respond rapidly, and document remediation.

GEOLOCATION

Geolocation is a key component for Dashboards and Reports. It surrounds your IT Security with an understanding of where Internet connections are going and where or who might be accessing your network.

It is up to every organization to understand their work environment, and with remote work, it is crucial to understand where all of your employees are working.  You can apply Geolocation to logs and information by monitoring VPN Connections to your corporate network and Hosted or Premise based email connections.  Other Geolocation examples of monitoring would be Fraud Detection Systems, whereas Credit Card purchases are made in the USA, and at the same time, purchases are being made in Romania. These examples would clearly indicate an alert and alert notification.

You can use Geolocation to monitor network and application performance of large network clusters like load balancing and performance between large scale applications and networks across the globe.  Knowing when your load balancers are being heavily used in one geographical area of your network and underutilized in another is key to maintaining peak network performance and uptime.

Monitoring network logins is another area where Geolocation comes in handy.  For example, an unrecognized mapped location not known might indicate network access from a location other than where employees are working. This might be a possible threat to the network and company information, or it might be that your employee is working in an unmapped location. By setting an alert to trigger any unknown locations paired with an alert, you can immediately determine and respond accordingly.

ALERTS

Alerts are created by using Event Definitions that consist of Conditions. Once a condition is met, it will be stored as an event, which is used to trigger notifications.  These can be in the form of an email sent to a SOC or Ticketing system.  Other types of alerts are HTTP POST in JSON format.  Script Alerts can be enabled to run your own customized script like a python script, and Graylog can trigger these scripts to act on your behalf.  Alert Notifications can be sent to your Slack workspace, and these are just a few examples of Alert Notifications.

When creating your alerts, you want to think about what logs will help detect and locate the security incident. If you collect too much information, you risk a high number of false positives that your team needs to investigate. If you collect too little data, you run the risk of not getting an alert when an event occurs. The key to getting the most out of your centralized log management solution is planning what you think you need in advance so that you can create the right balance of data collection.

COMPLIANCE IS A NEVER-ENDING STORY

With the move to remote work in 2020, we might think that compliance could have taken a back seat. Unfortunately, just because a global pandemic changed the way we work doesn’t mean the compliance wheels stopped spinning. In some industries like healthcare, agencies allowed for wiggle room. In most, regulators and auditors continued to want documentation proving compliance.

The problem is that every new application added to allow for remote work also added a new risk. At the same time, moving this quickly meant that many things companies do to meet compliance requirements didn’t happen.

For example, before putting new technology in place, most companies need to do a risk assessment. Then, that risk assessment needs to be approved by senior management or a Board of Directors. However, because companies needed to react quickly, they couldn’t always follow these best practices.

One of the biggest compliance changes in 2020 that came from remote work was a focus on Identity and Access Management. Proving that you limited access according to the principle of least privilege became the new normal of security, just like working from home became the new normal of work.

In the middle of this chaos, 2020 also brought more privacy legislation that companies will need to manage. Voters approved the California Privacy Rights Act (CPRA), which builds in new language around privacy and information security compliance. Even at the federal level, legislators started introducing new laws that they wanted to see passed in 2021.

As you move through 2021, it’s important to think about how these new laws and a hybrid workforce will impact compliance requirements and documentation. If you added new technologies too rapidly, you might need to look at how secure they are and look at your user access to make sure that you meet compliance requirements.

With a central log management solution, you can bring together audit logs from all applications, even across a multi-cloud or hybrid IT stack. With all documentation in a single location, you can see your compliance posture more clearly by correlating logs from disparate systems and applications.

As you build out your log management resolutions for 2021, you should prioritize how you track your proactive monitoring and incident response activities.

Knowing what to collect and how much data to store can feel overwhelming. At the very least, you should make sure that you collect and retain the following security event log data:

  • Firewalls
  • Endpoint Security (EDR, AV, etc.)
  • Web Proxies/Gateways
  • LDAP/Active Directory
  • IDS
  • DNS
  • DHCP
  • Servers
  • Workstations
  • Netflow

If you aggregate the data in a centralized log management solution that allows you to correlate it and tie activities to users or devices, you’ll be starting the new year right.

WHY GRAYLOG?

Graylog is built to open standards for connectivity and interoperability to seamlessly collect, transfer, store, and analyze log data. Graylog is also SIEM-agnostic by design—our log streams can pass unaltered or enriched data to any application in your monitoring, alerting, and analysis stack. Your choice of scalable log management solution should let you do more with your security and performance data. Graylog is purpose-built to deliver efficiency, context, and scale to log analysis. Regardless of your event and data stack, technologies, and configurations, you want a centralized log management solution that helps you navigate the known and unknown that will undoubtedly accompany the rapidly changing workplace in 2021.

Happy Logging!

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.