The role of Central Log Management

With the increased reliance on analytics to drive security operations, IT security professionals are paying particular attention to one of the oldest tools in their toolbox, log management. A recently released report by Gartner focuses on the role of Central Log Management (CLM) in improving threat monitoring and detection, and highlights the challenges of fragmented or incomplete log management environments.

Regarding the current log management challenges organizations face, Gartner’s report states: “Enterprises that have started their SIEM journey usually end up in one of two places: underinvested in their initial implementation and having to find budget to increase capacity to meet their use cases, or overlicensed and being stuck paying higher maintenance costs to the SIEM vendor for years for that unused capacity.”

This report highlights an approach that we have been advocating for more than 16 years. For many organizations, the resource constraints, coupled with the budget and expertise requirements for successful SIEM deployments can mean that they don’t always meet expectations. Added to that, there are often unknown costs to factor in, particularly when SIEM costs are based on the volume of data processed.

Recommendation for security and risk management leaders

The report includes recommendations from Gartner that security and risk management leaders responsible for security monitoring and operations should pay attention to:

  • Use a CLM tool to address security monitoring and compliance use cases where there are insufficient resources or budget for a SIEM or for managed security services.
  • For midsize organizations, look to use existing IT and network operations log management tools to collect and manage security event logs.
  • Consider a multitier approach using a CLM tool when planning a SIEM deployment to avoid overutilization, and overlicensing, from the start.
  • Use a CLM tool to better manage your existing SIEM tool investment if your organization has an existing SIEM solution that cannot scale its collection and analysis capabilities due to budget constraints.

Security analytics is only as good as the data feeding it. By filtering irrelevant data and classifying messages before they are fed to SIEM solutions can improve SIEM performance of SIEMs investment and process structured and unstructured data across their IT environment.