A data breach today takes 127 days to detect, according to the Ponemon Institute. Comprehensive visibility and real-time analysis of device and application log data provide an early warning of cybersecurity threats before damage occurs. Log monitoring and Security Information and Event Management (SIEM) decision makers sometimes make short-sighted financial decisions to reduce log sources, only to find that it impacts security decision making and incident response. As a channel partner, you can balance advanced threat detection with simplicity and affordability for your end clients while also protecting your own infrastructure and assets.
Log Monitoring 101
Logs are a crucial source of insight for security analytics like threat detection, intrusion detection, compliance, network security, insider vulnerabilities, and supply chain risks. Almost all devices and applications produce logs. A mid-sized organization may generate millions of logs daily, too many for manual review and correlation. Prospective SIEM partners often ask us: which client logs should I monitor? What are some log management best practices?
A SIEM solution correlates raw log data for crucial security analytics like threat detection, intrusion detection, compliance, network security, insider vulnerabilities, and supply chain risks.
We recommend that you monitor log sources that include infrastructure devices like routers, security devices like firewalls, application logs, web servers, authentication servers, and client devices like laptops. Other log sources include domain controllers, wireless access points (WAPs), and IPS/IDS tools.
Log monitoring is a topic of interest both to hands-on IT and security teams and to business stakeholders, such as executives interested in risk management.
Log Monitoring Considerations and Best Practices
Here are some critical recommendations regarding log monitoring that provides insight into the health, compliance, and security of your systems, applications, and users:
- Align log management to any compliance requirements: Determine whether there are any security and log monitoring regulations that apply to your organization or end-user clients, such as NIST 800-171 (U.S. government contractors), HIPAA (Health Insurance Portability and Accountability Act), or PCI DSS (Payment Card Industry Data Security Standard). Some organizations view cybersecurity and SIEM as a “checkbox” activity and merely implement the most minimal logging, thereby reducing the visibility and effectiveness of this fundamental security tool.
- Monitor logs 24x7x365: Review logs in real time with a combination of machine learning and SOC (Security Operations Center) analyst expertise to comply with audit requirements, detect actual threats, and minimize false positives. Hackers don’t work 8:00 am – 5:00 pm, Monday through Friday, and you and your clients need “eyes on glass” 24/7. Small and medium-sized businesses (SMBs) facing a cybersecurity skills shortage want fewer, but higher-quality, cybersecurity alerts. They are interested in teaming up with an MSSP (Managed Security Service Provider) that can augment their staff and skill set.
- Watch for hidden costs: Some log monitoring and SIEM vendors charge by data volume such as events per second (EPS). Variable pricing can serve to penalize organizations and MSPs (Managed Service Providers) because more log sources and volume result in unpredictable costs. Look instead for a SIEM solution with transparent pricing based on devices and systems being monitored.
- Archive logs: Tailor log storage and archiving to each client organization’s requirements, such as HIPAA compliance mandates. Log storage for 365 days is an industry best practice that enables crucial forensics later to determine the impact of security incidents.
- Protect log data: Due to its importance in tracking both internal and external threats, you need to protect the confidentiality, integrity, and availability of log data. Threat actors often erase log data that would divulge their stealthy actions.
Learn more in the Netsurion blog “SIEM explained for MSPs”, a useful primer on log monitoring use cases, benefits, and deployment models.
Getting Started with Log Management and Managed SIEM
Realize that you are not alone on your MSSP journey. There are steps you can take to minimize cybersecurity risks and visibility gaps while expanding your portfolio at your own pace. For MSPs aiming to evolve their capabilities with a managed security practice, SOC-as-a-Service (SOCaaS) or the more robust and flexible Co-Managed SIEM/SOC can deliver advanced threat protection.
The first step is to collect and archive event logs as an MSP, knowing that adversaries are targeting you and your supply chain. Implement a Not for Resale (NFR) version of the EventTracker SIEM from Netsurion to get started and build your understanding and expertise. Continue to enhance your cybersecurity maturity and familiarity with the comprehensive reports and dashboards.
Expand your cybersecurity portfolio with Netsurion as a proven partner who understands the SMB marketplace and advanced threat monitoring. Offered as a managed service, EventTracker SIEM from Netsurion and its 24/7 SOC augment your team with hard-to-find analysts who enable you to accelerate business expansion.