Log files are metadata. These are data that tell you what is happening with other data. That means that your log files contain a lot of good stories. Stories that will never be told, because no one ever looks at them.
We actually do get that. A medium-sized company can generate thousands of log lines in its IT systems – every second. It is not humanly possible to take all this in, which of course is an important reason why logs are not very often used actively.
Some companies may have gone as far as sending their log files to a syslog server, so that they are at least gathered in one place. However, that does not really make you wiser as to what is in the files.
In connection with GDPR, where companies processing personal data, are met with a number of specific logging and reporting requirements, it may be a good idea for many of them to look into how an improved and more streamlined processing of log data could benefit them.
Fortunately, there are ways to retrieve the good stories from the company’s log files, and the best one is called SIEM.
SIEM stands for Security Information and Event Management.
So what does a SIEM system do other than just collect logs? We would like to highlight four things:
- The system’s ability to understand and interpret your log files
- The ability to visualise logs
- The ability correlate logs from different system units
- The ability to report
In the following, we will describe each of these functionalities separately, but in combination, they ensure that your knowledge about what is going on in your systems can be turned to account in your day-to-day operations, but also in case of concrete security incidents.
In short: You will go from groping in the dark to being able to react at very short notice to incidents in your systems.
The ability to understand logs
A SIEM system has been designed to handle syslogs. This means that it contains a large amount of knowledge about how log files should be understood and interpreted. A lot of things are almost identical, only located in different units. This means that some things in the log file from a Windows server can also be found in the log file for a network switch, for example.
But but... the system manufacturers also have so-called proprietary codes in their logs. These are logs that are unique to the individual manufacturer or to the individual system unit.
To accommodate this, a SIEM system has to be very smart. This may either be built into the system by design, which is the case for many SIEM systems, or you can “teach” the system to understand the logs sent by the relevant unit to your SIEM. This is called normalisation of data, and it is sometimes a tall order; however, it can be broken down into chunks.
The ability to visualise logs
One of the greatest strengths of the SIEM system is that it can translate your obscure log files to graphics, or visualisation of what is going on in your IT systems.
This means that SIEM can give you an overview of your systems’ current status in a way that no other solutions can. This could, for example, be a graph that shows you how many users have been logged into the HR system today.
Or a graph that shows you the 10 users that have sent the most data out of the house. The point is that if it can be found in your log files, you can visualise it.
The ability to correlate data
Now, we are approaching the core of what makes SIEM so useful. It is possible in a SIEM system to correlate data from different system units to give a complete picture of an incident or a number of incidents.
This means that it is possible for a given incident to follow the digital footprints left in the log files from your different units and compare things such as IP address with a given user, and establish what actually happened all the way down to the server and application level.
Of course, to do this, you must have configured each unit to send the log files to SIEM, but if you have done this, the SIEM system will act as a single pane of glass to all incidents in your system. In other words: Regardless of what happens, you will only have to look for causes and connections in one place.
Because SIEM can act as a hub for everything that is going on in your systems, it is clear that your reporting should also be based on SIEM.
This reporting can obviously be tailored exactly as you want it. This makes it possible to define the searches in the SIEM system that are relevant to the documentation of your GDPR compliance – and report based on these searches.
With the right homework, the IT audit does not have to cause you any worries – simply because you can configure SIEM to report on everything you need and basically have the documentation ready when the auditor comes knocking.