Designing A Log and Event Monitoring Program

Ultimately, as with all IT security programs, log monitoring programs are designed to address risks to data confidentiality, integrity and availability.  Those risks come in many forms, for example:

  • Hardware failure
  • System compromise
  • User error
  • Rogue administrator

An organization’s program around log & event monitoring needs to be based on the specific risks that exist in that organization.  Consider these two scenarios:

Scenario 1: The IT department of a large public corporation manages a large number of critical business systems, including systems that contain the company’s financial information, payroll information and client data.  This company cares deeply about the confidentiality, integrity and availability of its applications.

Scenario 2: A small Internet-based retailer of custom soaps is owned by a family.  Dave, a member of the family that owns the business, is technically savvy and has colocated a server to run the retailer’s web site.  Dave manages the server and the web site.  Dave also cares deeply about the confidentiality, integrity and availability of his company’s web site.

These two businesses have similar objectives, but each has a unique set of risks and challenges.

In scenario 1, we can think through the attributes & constraints of the organization:

  • Has many servers to monitor
  • Has many systems administrators
  • Downtime of systems likely creates a substantial financial impact
  • Has regulations to comply with (SOX, HIPAA, etc.)
  • Has money to invest in a monitoring system

Let’s consider the attributes & constraints for scenario 2:

  • Has one server to monitor
  • Has one administrator
  • Downtime means lost revenue
  • Most likely does not have money to invest in monitoring

The objectives for a log monitoring program for the company in scenario 1 are likely to be:

  • Scalable monitoring solution across many systems
  • Detect and alert on application performance events
  • Detect and alert on hardware related events
  • Detect and alert on evidence of intrusion
  • Monitor activities of users and administrators

The objectives for a log monitoring program for the company in scenario 2 are likely to be:

  • Simple, low cost solution for a single server
  • Detect and alert on hardware related events
  • Detect and alert on evidence of intrusion

In scenario 1, the company will most likely need to select a mature commercial package.  The company in scenario 2 can most likely get away with some simple scripts triggering email alerts to Dave.  In either case, the logs that feed the monitoring should be copied off the monitored host as they are written, so that whoever compromises the host (or a rogue administrator) cannot quietly edit or delete the evidence before anyone looks at it.
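As an added example (not code from the original page), here is the kind of simple script scenario 2 calls for: a POSIX shell script meant to run from cron on Dave's server, which reads auth and kernel log lines, checks for the two things his objectives list (evidence of intrusion and hardware events) and produces an alert body only when there is something to report.  The host name soapsrv, the IP addresses, the account name dave, the threshold of 3 and every log line are constructed for the example; the patterns it matches are common Linux sshd, sudo and kernel messages, but check them against what your own system actually logs.

```shell
#!/bin/sh
# Minimal log check for a single colocated server, intended to run from cron
# (say every 10 minutes) and e-mail the administrator only when something
# needs attention.  Added example: the host, addresses, accounts and log
# lines below are constructed, not taken from any real system.

# Constructed sample of the lines one cron run might see in auth.log/kern.log.
sample_log() {
cat <<'EOF'
Jan 12 03:14:07 soapsrv sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Jan 12 03:14:09 soapsrv sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Jan 12 03:14:12 soapsrv sshd[2203]: Failed password for root from 203.0.113.45 port 51141 ssh2
Jan 12 03:14:15 soapsrv sshd[2205]: Failed password for root from 203.0.113.45 port 51150 ssh2
Jan 12 03:14:18 soapsrv sshd[2207]: Failed password for root from 203.0.113.45 port 51162 ssh2
Jan 12 03:15:02 soapsrv sshd[2210]: Failed password for dave from 198.51.100.7 port 40012 ssh2
Jan 12 03:15:10 soapsrv sshd[2210]: Accepted publickey for dave from 198.51.100.7 port 40012 ssh2
Jan 12 03:20:41 soapsrv sudo:    www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/sh
Jan 12 03:22:00 soapsrv kernel: [812233.112] ata1.00: failed command: READ FPDMA QUEUED
Jan 12 03:22:00 soapsrv kernel: [812233.113] blk_update_request: I/O error, dev sda, sector 123456
Jan 12 03:22:05 soapsrv kernel: [812238.001] EDAC MC0: 1 CE memory read error on CPU#0Channel#1_DIMM#0
EOF
}

# Intrusion evidence 1: source addresses with at least $1 failed SSH password
# attempts, printed as "count address".  A single typo by the admin stays
# below the threshold; a password-guessing run does not.
brute_force_sources() {
    grep 'sshd\[[0-9]*\]: Failed password' \
      | sed -n 's/.* from \([0-9a-f.:]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# Intrusion evidence 2: sudo to root by any account other than the one
# administrator ($1).  The web server's service account should never be here;
# if it is, the web application has most likely been compromised.
unexpected_root_sudo() {
    awk -v admin="$1" '/ sudo: / && /USER=root/ && $6 != admin'
}

# Hardware trouble the kernel reports: disk I/O errors and memory (EDAC)
# errors.  The patterns are examples; confirm them against your own kernel.
hardware_events() {
    awk '/ kernel: / && (/I\/O error/ || /failed command/ || /EDAC/)'
}

# Read log lines on stdin, run every check, and print an alert body.
# Prints nothing when there is nothing to report, so a quiet server sends no mail.
build_alert() {
    threshold="$1"; admin="$2"
    tmp=$(mktemp)
    cat > "$tmp"
    bf=$(brute_force_sources "$threshold" < "$tmp")
    su=$(unexpected_root_sudo "$admin" < "$tmp")
    hw=$(hardware_events < "$tmp")
    rm -f "$tmp"
    [ -n "$bf" ] && printf 'SSH brute force (>= %s failed passwords per source):\n%s\n\n' "$threshold" "$bf"
    [ -n "$su" ] && printf 'sudo to root by a non-admin account:\n%s\n\n' "$su"
    [ -n "$hw" ] && printf 'Hardware errors reported by the kernel:\n%s\n\n' "$hw"
    return 0
}

THRESHOLD=3   # failed passwords from one source before we call it brute force
ADMIN=dave    # the only account expected to use sudo on this box

# On the real server the cron entry would be along the lines of
#   cat /var/log/auth.log /var/log/kern.log | build_alert 3 dave \
#     | mail -s "soapsrv needs attention" dave@example.com   (address assumed)
# For the demo we read the constructed sample and print the alert instead.
sample_log | build_alert "$THRESHOLD" "$ADMIN"
```

Two things matter when turning this into Dave's real cron job: keep a cursor (the byte offset or last timestamp already processed) so the same lines are not reported every run, and only send mail when build_alert produces output, otherwise the alerts become noise and stop being read.  A script that reads logs on the box it is watching also inherits that box's risk: an intruder with root can edit the files before the next run, so even a one-server setup benefits from forwarding logs to a second machine.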

Conclusion

Organizations looking to invest in a log monitoring program need to consider the risks present in their environment and their objectives in order to properly develop requirements for their situation.