Don't Ignore Lowly Log Analysis

Computerworld - Ever take a look at the computer security hardware and software products available these days? The number of them is staggering. They promise to (and for the most part do) help keep your workstations and servers secure. Nonetheless, although these routers, firewalls and intrusion-detection and -prevention systems spit out valuable information in the form of log files, too many organizations ignore or discard those logs.
It's unfortunate that log analysis is often overlooked as a vital part of an enterprise's computer security. While organizations may spend piles of hard-earned revenue on the latest and greatest in hardware and software, they continue to ignore the logs generated by those products. Sadly, hidden within those logs are nuggets of information that can prove invaluable.
One reason companies ignore logs is that the tools and knowledge for making use of the information they provide are often not available or are considered too cumbersome. Some log outputs may be innocuous, while others are critical.
According to Marcus J. Ranum, co-creator of www.loganalysis.org and chief of security at Tenable Network Security Inc., "System logs are one of the great overlooked resources in computing today. Folks spend lots of money buying IDS but don't look at their firewall logs -- that's backwards! In fact, many organizations don't even turn on logging in their firewall (because of inaccurate concerns about 'performance'), which means they are losing an incredibly valuable resource."
It's not hard to see why security and network managers are apprehensive about logs. Log analysis can be a double-edged sword, mostly because it precludes security managers from ignoring certain security issues. To wit, "comparing firewall 'permit' logs with a blacklist of spyware sites can give a very illuminating -- or horrifying -- picture," according to Ranum.
Those in IT need to remember that logs aren't just security tools; they are also management and performance tools because they tell you if your link is reliable. Logs alert you if your system went down, then record when and for how long the interruption lasted. From a security standpoint, logs can tell you if your Internet link is largely used for file-sharing traffic or that more than three quarters of your desktops have been infected by spyware. These facts shed some light on the reasons behind avoiding log reviews. "If ignorance is bliss, actually looking at your logs may remove that bliss," says Ranum.
Vendors are noting this aversion to log analysis and are taking steps to reverse the trend. Currently, firewall vendors inundate users with the large volumes