In the effort to secure IT operations against cyberattack, many technologies are required to provide supplemental or ancillary information. One such need is centralized log management and retention. Attacks on computer systems rarely look like attacks except in hindsight; if this were not the case, all security defenses could be automated without ever needing to employ human analysts. This is why it is important to know what is contained in the log files of computer systems, even after the fact: they are often the only way to detect attacks.
In many instances, the routine activities of network and system administrators look a lot like those of attackers. They often use elevated privileges to make changes that could look (or be) malicious. So more information and context are needed in order to distinguish malicious behavior from legitimate administration.
This is where Log Event Management (LEM) comes into play. In its simplest form, Log Event Management centralizes the system logs from all workstations, servers, network devices, and in many cases telephony devices, into a secured repository that is hardened against tampering and loss. With all logs safely stored in a central location, additional monitoring and analysis can be performed to better detect attacks and malicious activity. This permits organizations to look at the overall activity on their network(s) through a larger lens than any single security control or information source can provide. For example:
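One concrete way the central repository can be "hardened against tampering" is to store events as a hash chain, so that editing or deleting any record after the fact breaks the chain and is detected on verification. The following Python is an added illustration, not code from the original text or from any particular LEM product; the event fields, host names and messages are constructed sample data, and the chaining scheme (SHA-256 over the previous record's hash plus the canonical JSON of the event) is an assumed design.

```python
import hashlib
import json
from typing import Optional

# Constructed sample events from several hosts (assumed field names, not from the page).
SAMPLE_EVENTS = [
    {"host": "ws-01", "source": "auth", "msg": "user alice logged in"},
    {"host": "srv-db", "source": "sudo", "msg": "admin ran systemctl restart postgres"},
    {"host": "fw-edge", "source": "firewall", "msg": "deny tcp 203.0.113.5 -> 10.0.0.8:22"},
]


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same event always hashes identically.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class ChainedLogStore:
    """Append-only central store; each record carries the hash of its predecessor."""

    GENESIS = "0" * 64  # fixed anchor for the first record

    def __init__(self) -> None:
        self.records: list = []

    def append(self, event: dict) -> dict:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        # Store a copy so later edits to the caller's dict cannot silently alter the record.
        stored = dict(event)
        record = {"seq": len(self.records), "event": stored, "prev": prev, "hash": _digest(prev, stored)}
        self.records.append(record)
        return record

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first record that fails."""
        prev = self.GENESIS
        for rec in self.records:
            # A modified record fails its own hash; a removed record makes the next one's prev mismatch.
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
                return rec["seq"]
            prev = rec["hash"]
        return None


def build_store(events=SAMPLE_EVENTS) -> ChainedLogStore:
    store = ChainedLogStore()
    for e in events:
        store.append(e)
    return store


def demo_tamper() -> Optional[int]:
    """Edit the stored sudo record in place; verification pinpoints seq 1."""
    store = build_store()
    store.records[1]["event"]["msg"] = "admin ran ls"
    return store.verify()


def demo_delete() -> Optional[int]:
    """Remove the sudo record entirely; the firewall record (now seq 2) no longer links back."""
    store = build_store()
    del store.records[1]
    return store.verify()


if __name__ == "__main__":
    print("intact chain:", build_store().verify())   # None
    print("edited record detected at seq:", demo_tamper())
    print("deleted record detected at seq:", demo_delete())
```

Verification only tells you *that* the stored history changed, not who changed it; in practice the chain head is also shipped off-host (or signed) on a schedule, so an attacker with full control of the repository cannot simply rebuild the entire chain and present it as genuine.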