SANS recently published their Analyst Program survey on log and event management. Report author Jerry Shank noted many interesting facts within the paper. Specifically, he highlighted that The data suggests that respondents are having difficulty separating normal traffic from suspicious traffic, and that security practitioners need advanced correlation and analysis capabilities to shut out the noise and get the actionable information they need. Despite the ever evolving threat landscape, as noted in the latest Symantec Threat report, there was another telling statement within SANS report: A large percentage of organizations—22 percent of the respondents —say they have little or no automation and no plans to change. The most common reasons given for not automating include lack of time and money… resources that are closely intertwined.
Log Analysis is certainly a key component within any organizations security practice. Maintaining logs can help with the forensic analysis when reviewing a breach, and can help to identify baselines to hopefully note when anomalies are occurring. The statistics around actual time spent analyzing logs for attacks was extremely telling though. When the IT professionals were asked how much time they normally spend on log-data analysis, the largest group (35%) replied, none to a few hours per week. As for the rest, 18% didn’t know, 11% said one day per week, 2% outsourced this task to a managed security service provider, and 24% defined it as integrated into normal workflow. The SANS survey report, which notes analysis time overall actually seems down from last year, noted that about 50% of the smaller organizations spent zero to just a few hours analyzing logs.
These statistics show that log analysis is a difficult and time consuming process that even the largest organizations are struggling to integrate into the everyday operations of security, much less smaller organizations with limited security staffs. That is why we at FireMon believe it is vital to augment SIEM products with a tool that can operationalize the identification of risk to the network in real-time. The tool should automate the identification process of assets that can be compromised, and be simple and easy to deploy for any organization regardless of size. Risk Analyzer is just such a product. It automates the identification of assets at risk in your network, and provides a prioritized list of actions that will reduce the greatest amount of risk with the least amount of effort. This tool is valuable in any organization of any size. As the SANS report notes in its conclusion, the issue has been getting usable and actionable information out of the data when they need it for detection and response. Risk Analyzer does exactly that; it provides actionable information that will reduce the risk to your network.