Wednesday, Jan 18 2012

What's going on in your IT infrastructure?

When anything happens in your network infrastructure it can be logged. Servers have log files, firewalls have log files, routers and switches have log files, and every single PC has a log file. That's a lot of log files! In fact, there are so many log files, holding such a vast amount of logged information, that together they become a complete, unintelligible, amorphous mass of data. Most organisations probably turn logging off because it's too hard and too time-consuming to evaluate.

But what can these logs tell you? Actually, the better question is probably "what can't these logs tell you?". There is a vast amount of very useful information that can help direct your IT services in solving technical issues, access issues and security issues, and in assessing the general health of the systems being monitored.

We've been working with one of our clients to implement a SIEM (Security Information and Event Management, although substituting System for Security might be equally appropriate) pilot across their estate of well over one hundred servers. It's early days, but the amount of interesting information coming through already is quite staggering. Attacks on the infrastructure identified from China, Germany, Taiwan and a few other places, a SQL service failing that had not been spotted elsewhere, and potential vulnerabilities uncovered are all in a day's work for the SIEM.

This information helps direct the IT team to priority areas, as there is now a constant visual display (dashboard) of what is happening throughout their infrastructure. How are the servers and services coping? What happens at the start of the day when everyone logs in? It also allows changes made to servers to be checked, to ensure that they comply with change management control.
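As an added illustration (not code from the original post, and not AlienVault's own), here is the kind of correlation a SIEM performs over that raw mass of logs: constructed syslog-style lines from several hosts are parsed, repeated authentication failures from one source are counted across hosts, and a SQL service stop is flagged when the host has no approved change record. The host names, addresses and log lines are invented for the example.

```python
import re
from collections import Counter

# Constructed sample lines from several hosts (invented, not real data).
SAMPLE_LOGS = """\
Jan 18 08:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 18 08:01:04 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jan 18 08:01:05 web02 sshd[1190]: Failed password for admin from 203.0.113.7 port 51030 ssh2
Jan 18 08:01:09 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51031 ssh2
Jan 18 08:01:11 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51032 ssh2
Jan 18 08:02:30 web03 sshd[870]: Failed password for bob from 198.51.100.4 port 40001 ssh2
Jan 18 08:02:31 web03 sshd[870]: Accepted password for bob from 198.51.100.4 port 40002 ssh2
Jan 18 08:05:00 db01 systemd[1]: Stopped MySQL Community Server.
Jan 18 08:06:00 db02 systemd[1]: Stopped MySQL Community Server.
"""

# Syslog-style line: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>[\d.]+)")
STOPPED_RE = re.compile(r"Stopped .*SQL", re.IGNORECASE)

def parse(line):
    """Split one syslog-style line into host, program and message (None if unparseable)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def correlate(log_text, approved_change_hosts, threshold=3):
    """Correlate events from many hosts into two alert classes:
    - bursts: source IPs with >= threshold failed logins, with the hosts they touched
    - unplanned_stops: hosts where a SQL service stopped without an approved change."""
    failures = Counter()
    hosts_hit = {}
    unplanned_stops = []
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        f = FAILED_RE.search(ev["msg"])
        if f:
            failures[f["ip"]] += 1
            hosts_hit.setdefault(f["ip"], set()).add(ev["host"])
        elif STOPPED_RE.search(ev["msg"]) and ev["host"] not in approved_change_hosts:
            unplanned_stops.append(ev["host"])
    bursts = {ip: (n, sorted(hosts_hit[ip])) for ip, n in failures.items() if n >= threshold}
    return {"bursts": bursts, "unplanned_stops": unplanned_stops}

if __name__ == "__main__":
    # db02 had an approved change window; db01 did not.
    print(correlate(SAMPLE_LOGS, approved_change_hosts={"db02"}))
```

A single host's log shows only its own four failures; correlating across hosts is what reveals the same source probing several servers, which is the point of centralising the logs in the first place.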

It's a tough job ensuring compliance against company policies, proving to the auditors that you know exactly what has been happening in your infrastructure, proactively closing off potential vulnerabilities in your security and checking to see what the users have been up to. Being able to display, in real time, the state of play within the network to board members is a real bonus. It's a very difficult call to request spending on anything that is deemed non-productive, and security is usually deemed as such. However, with the information now being correlated and displayed for all to see, the task gets a great deal easier.

We've been working with AlienVault on this pilot and are extremely pleased to see the kind of information being presented to our customer. There's a lot to do, but at last there is some real intelligence to make sense of the vast amount of data that is being collected: intelligence that will improve the day-to-day operations of this customer, help secure the system from outside and inside attacks, and help prevent any loss of intellectual property. SC just posted an article here.

http://www.vioptim.co.uk
