5 Tips for Effective Log Analysis

The technologies that you have invested in can provide even more value if you are able to analyze the log data effectively.  Here are 5 key tips:

1. Know which logs to monitor and which not to monitor.  With the average infrastructure generating millions of log events, you don’t want to take in logs that do not provide value for detection of unusual behavior because they will take up bandwidth and make it harder to focus in on the events that should be investigated.  One exception to this would be devices that must be monitored to maintain a regulatory compliance, such as devices in the Cardholder Data Environment for PCI compliance.
2. Centralize logs for correlation.  If your logs from firewalls are not monitored in the same portal as your server logs, O365 logs, endpoint solution logs, etc. you are missing the ability to correlate the logs to look for patterns that can identify a suspicious event that any one single log source would not indicate. Normalize the logs from disparate technologies.  Convert the common elements from the various types of logs or various device manufacturer’s standards into a common format.
3. Customize your business rules.  Starting with a standard template of rules to alert on is great, but knowing where your biggest areas of risk are – where the most sensitive data is, which users have access to critical data, when no one is physically on location to notice unusual activity, allows you to create custom business rules to be alerted for creation of a new admin account, an escalation of account privileges, a connection into your network at a time of day that is highly unusual in your business.  By tuning the rules, you can be alerted to what is most critical and also tune out events that you don’t need to be alerted on to avoid even fatigue.
4. Enrich your log data with outside threat intelligence.  There are feeds that you can subscribe to from device manufacturers, outside agencies, and some very specific to a particular sector, such as banking.  Foresite’s Threat Intelligence solution gives us comprehensive view of the web and mobile frontiers, monitoring 9M+ websites and 141+ mobile app stores daily, adding more site and app store crawls continually.
5. Analyze log data in real time.  While log data is still valuable for forensics investigation of a cyber incident, ideally you want to be able to detect suspicious events and take immediate action to prevent the incident from ever occurring.

Get a demo of our ProVision solution to see how we can help you to get the most value from your logs.