First published November 2006
courtesy of GFI Software – www.gfi.com
Underrated, undervalued and underutilized; events management is most often rated as a tedious and ungrateful task. System administrators shy away from event logs and the events contained within, citing lack of time and clear definitions to the events produced as the principle detractors to the events management process. Events however constitute an invaluable source of information that can be utilized in a number of business processes such as fact finding and decision making. Various laws also mandate that logs have to be maintained and reviewed. This paper examines various corporate needs and provides information on how GFI EventsManager can help corporations achieve important goals.
Events management and GFI EventsManager
What are events?
Events are records generated and stored in specific locations by processes within a computer system. Events are triggered either by a user or by an automatic/background process. Examples of the events logged abound:
– The installation of new software generates a wide range of events (in Windows Event Logs) detailing the installation procedure and the file details.
– Web servers log huge volumes of events (in W3C event logs) related to the users that access services offered on them.
– Firewalls and network routers automatically log events (Syslogs) related to allowed, denied and unauthorized access.
Events logged are automatically stored in text files such as W3C logs (typically used in web servers) or binary files such as Windows Event Logs. Alternatively these can be transmitted on the network via TCP/IP for storage (ex. Syslogs used in Unix/Linux machines) to a log server. The log server then stores the received event logs in either a file or a database. Events management is the management, analysis and reporting process involved in the management of computer and user generated events data and the logs within which the generated events are stored.
The problems with events management
The aura of discontent that surrounds events management derives from the fact that operating system and equipment manufacturers usually supply event analysis tools with only the most basic of features.
In addition events data typically is:
– Voluminous – Hundreds of thousands of events are generated daily on a typical medium sized network, and all of them are logged.
– Vague – Events data contained within log files are, more often than not, cryptic.
– Distributed – Events data within logs is stored in various locations (computers, servers and other equipment) all over the network.
Problems also exist in the management of events data using the default tools supplied where:
– Administrators have no way of being alerted when particular problematic events are logged.
– The events browsing and filtering tools supplied by software and hardware makers have very limited search and filter capacities.
These issues create manpower and budgeting problems for corporations. To enable efficient events monitoring and the related policies, corporations often have to plan for extra time, resources and the acquisition of the required expertise. This often forces corporations to deviate from best practice principles and adopt the least-effort possible approach to log and events monitoring in general or, worse still, not to monitor events at all.
The renaissance of events management
The introduction of legislation such as S-OX, HIPAA, GLBA, PATRIOT Act and FISMA, has had a profound impact in the attitude to events management. Corporations are nowadays legally bound to maintain and proactively review log and events data in a continuing, self-assessment process. Increasingly, more experienced IT Management and audit staff are realizing that events data are an essential and invaluable tool in the forensic examination of systems failures and security breaches. Systems administrators are learning that the proactive review of events data serves as an early warning system for various types of failures and therefore allows them to take pre-emptive action before the actual damage occurs.
GFI EventsManager automates and simplifies the tasks involved in events management, transforming it into a do-able functional process. It is the tool that:
– Automates events collection from various log file locations.
– Removes irrelevant noise (background process generated data) through the use of intelligent events processing while retaining all the important events data.
– Provides a single user interface for the major types of events, making events browsing a relatively simple task.
– Explains logged events using user friendly explanations.
– Enables research of specific issues through extensive query tools.
– Provides extensive forensic and security analysis reports that aid auditors and management in identifying shifts in network resource trends and therefore help them in their decision making processes.
The uses of events management
Through GFI EventsManager, events can now actually be used for a number of intersecting purposes, amongst which:
– Legal compliance
– Information systems security
– System health monitoring
– Forensic investigation
A main purpose of events monitoring is legal compliance. Current laws and regulations oblige corporations to assess their internal control architecture on a regular basis. In order to comply with these laws IT management staff and auditors have to consider events data contained within logs as the primary source through which to gain information, determine level of compliance and identify deficiencies.
Respondents to the SANS 2005 poll on firewall logs report that:
– 28% retain logs for over a year
– 14% keep logs for a month or less
– 31% keep logs for under 3 months
– 14% maintain logs until the disk is full
– 13% do not keep logs
Furthermore survey respondents to the SANS 2006 survey on the use of logs finds that:
– 25% use logs for System health monitoring
– 11% use logs solely for forensic investigation.
– 10% use logs exclusively for legal compliance
– 54% use logs for a combination of all the above factors
The retention of secure, tamper-proof archives of the original, unaltered events stored in log files is critical in proving evidence of legal compliance. Different laws demand that different event logs are maintained for dates that range from six months to seven years according to the law in question and the state where they were enacted. This effectively means that a substantial segment of the respondents to the 2006 SANS Firewall Log Monitoring survey may be in breach of one law or another.
To maintain legal compliance, organizations also need to provide physical documentation showing that they have appropriate control over access to resources. Guidelines issued by bodies such as NIST recommend an events data review at least twice a week. GFI EventsManager’s competitors in the SMB market do not offer a clear strategy on original events retention for legal compliance. This is a feature that is only emphasized on by competitors that cater for the enterprise market. In addition, while GFI EventsManager’s SMB market competitors all claim to assist in legal compliance efforts, some of them permit the deletion of database archives, while others do not collect all the events stored in different formats. These facts seriously undermine any corporation’s legal compliance efforts. Through GFI EventsManager, organizations can collect, store, and report on events related to user logins, account management, access control management and more. Databases can also be archived to provide backing evidence on all reports produced. GFI EventsManager does not tamper the original log files or the events data contained within, in any way, ensuring that the legal provisions that require original log file data retention are met.
Information system security
With almost all corporations nowadays relying on Information Systems to carry out their daily operations, information system security is a very important aspect of events monitoring which cannot be taken lightly. Security incidents result in loss of operations leading to loss of business, loss of face and customers. Recovering from such incidents is very time-consuming and expensive.
This aspect of events monitoring intersects with the legal compliance aspect. Enacting legal compliance implies that various information system standards (Ex. COBIT 4.0, ISO 17799) have to be adhered to. These standards all stress on the implementation of events monitoring as one of the main information systems security methods.
GFI EventsManager provides events management functionality which helps in achieving peace of mind with regards to security. GFI EventsManager provides the following functionality to systems administrators:
– 24/7 Real-time intrusion detection and alerting.
– An early warning system that enables administrators to take intrusion countermeasures.
– A backup facility that thwarts whoever tries to cover their tracks by deleting log data.
– Intelligent and configurable event processing rules that also detects malicious insider attacks.
– Configurable alerting features that change administrator notification methods according to the time of day.
GFI EventsManager also provides comprehensive analysis and reporting features. This allows regular auditing and reporting to senior management of, for example, changes to individuals’ privilege levels. Audits also include reviewing and validating successful and unsuccessful logons, as well as all attempts to access restricted files and directories.
Detecting anomalous behavior is crucial in detecting system and resource abuse both by privileged and non-privileged users. Implementing a security policy and monitoring users against it enables anomalous behavior to be detected without hindering business operations.
Employee performance metrics
As a subset of information system security, employee performance metrics can be used to measure employee resource use against configurable rules and rule sets. Modern day card and keyless access systems, PABX or VOIP systems are all integrated to operate over the corporate network and most of them generate a log that can be used with GFI EventsManager. Together with the events monitoring tools, the monitoring of access and telephony systems gives corporations the unique opportunity to measure staff behavior from when they access the corporate premises, to when they make personal calls, to what they do and which files they access during their work day. This is achieved through the use of a single console. Apart from the security aspect of this tool, human resources management now have the unique opportunity to utilize one tool that provides them with employee related reports that can be used for performance appraisals and other cost-reduction exercises.
System health monitoring
Reducing system downtime to a minimum is critical to organizations, since it leads to customer attrition, loss of brand reliability and revenue. It is generally agreed that when restoring a system from backup, 90% of the time is taken up with manual investigation to identify the cause of the system failure. In some cases full system recovery may not even be possible, leading to the irretrievable loss of business data, important documents or source code.
Event management helps identifying those events which could be symptoms of potential hardware failure. Error events are generated when hard-drives which are about to fail experience I/O failures. Error events are also generated when defective memory modules cause applications to fail when accessing the damaged area. These are only two examples from the large number of system and network components which may fail.
Event management enables system administrators to be proactive and to take corrective action to repair or replace critical system components before they fail. System reliability is therefore greatly increased. Although the benefits of having a reliable system may not be immediately apparent as this equates to having normal operations, the adverse effects of system downtime are immediately evident.
Typical event patterns also help the system administrator spot future system or utilization risks, allowing him to implement preventive maintenance. Such patterns may help a system administrator realize, for example, that hard disk storage is approaching full capacity every three months. The administrator can take preventive measures by scheduling backup and housekeeping tasks to prevent storage from reaching full capacity.
GFI EventsManager provides real-time monitoring of critical applications and IT systems. The system health rule set used by GFI EventsManager is an important tool in the system administrator toolkit, allowing him to be in control at all times on all that is happening on the network. Systems administrators can monitor current network state through the scanning monitor and is alerted when predefined important system related events occur. Configurable alerts allow the administrator to be notified even when off-site, through email or sms.
Apart from legal compliance and information systems security, GFI EventsManager fulfils another important need that corporations have. In the June 2006 SANS survey a substantial amount of the corporations interviewed indicate that they use Log Management systems to perform forensic investigation of dubious network occurrences.
In any forensic investigation, one crucial need is for evidence derived from as many different sources as possible. This helps establishing unequivocal proof of facts. Logs and the events data contained within makes them invaluable in building a timeline of the events that occurred on any given system. In this light, events data can be a very important piece of evidence that supports lawsuits. In addition to all of this it is very important that the whole forensic investigation process is as fast and streamlined as possible to ensure that strict deadlines in presenting the evidence gained are met.
The forensic analysis aspect of events management is a strong value-added feature that almost all of the events management software makers in the SMB market accentuate in their marketing. Software products which claim forensic analysis features are likely to be seen as simple, low cost alternatives to specialized security consultancy and external audits fees. There are a number of issues that need to be addressed when considering forensic investigation software. These are:
– The identification of access (malicious or unintentional) on multiple and diverse platforms.
– The secure storage and maintenance of log backups so that they cannot be compromised by malicious hackers and insiders.
– The range of filtering and browsing tools required for forensic investigation.
– The timeliness of the searches and the reports generated.
GFI EventsManager excels in forensic data examination due to its wide range of search and drill down tools and the comprehensive range of fast reporting capabilities and customizable reports. These two features and the underlying technology that drives GFI Events Manager enable GFI’s offering to very well position itself in the forensic analysis aspect of events management tools for the SMB market.
GFI EventsManager ROI and benefits
“The cost of being proactive is less than the cost of reacting to an incident!” (Abe Usher, Security Expert, Sharp Ideas). The ROI benefits of GFI EventsManager are significant in assisting corporations in not losing out when problems related to network security, legal compliance or system health (problems to which no corporation is immune) occur. It acts as a proactive insurance policy that not only protects corporations when regretful incidents occur but actually stops these incidents from happening in the first place. This actively protects corporations from losing money in terms of lost working hours, loss of customers, loss of face and loss of sales.
GFI EventsManager also enables the timely forensic investigation of dubious events by the staff already employed with the corporation. This enables forensic investigation without the costs related to expensive consultancy and audit firms. In itself this also constitutes significant savings for the corporation that as an added benefit does not need to wash its dirty linen out in public.
Another benefit that corporations gain in using GFI EventsManager is through employee performance metrics. Through GFI EventsManager corporations can now monitor employee behavior for performance appraisal purposes. This eliminates ambiguity in a normally grey area of the employee appraisal process by providing clear evidence, through a single console, of employee conduct. It therefore assists corporations in better investing their money and resources where these are most needed.
Through the use of GFI EventsManager, corporations are now able to achieve important goals that are very important to the overall wellbeing of the corporation in terms of legal compliance, information systems security, system health and forensic investigation. Moreover these goals are achieved through the use of technology that is simple to use and which does not necessitate extensive training and technical assistance. Through the “Get Things Done” approach that this software provides, corporations are assured that they are getting not only value for money on their investment but are also adopting best practice principles that pay-off
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. Founded in 1992, GFI has offices in Malta, London, Raleigh, Hong Kong, Adelaide, Hamburg and Cyprus which support more than 160,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is also a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
Â© 2006 GFI Software Ltd. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GFI MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. GFI, GFI EndPointSecurity, GFI FAXmaker, GFI MailEssentials, GFI MailSecurity, GFI MailArchiver, GFI LANguard, GFI Network Server Monitor, GFI WebMonitor and their product logos are either registered trademarks or trademarks of GFI Software Ltd. in the United States and/or other countries. All product or company names mentioned herein may be the trademarks of their respective owners.