The question is relevant because, increasingly, small and midsize organizations appear to be using security log management software -- in its more advanced form, also known as security information and event management (SIEM) software -- not just to demonstrate compliance after the fact with regulations, but also as real-time warning consoles for preventing or detecting in-progress attacks or for pursuing forensic analysis.
Those findings come via SANS and RSA, which recently conducted studies of log management use at small and midsize organizations. The SANS Sixth Annual Log Management Survey Report, released in April, surveyed about 501 people, 29% of them at companies with 2,000 or fewer employees. Separately, RSA surveyed 50 organizations with 10,000 or fewer employees that use log management or SIEM software.
"This data suggests that organizations want and need the efficiency of a log management solution to move beyond compliance, to security detection, reaction, and prevention," said Jerry Shenk, senior analyst at SANS, in a statement.
Exactly what are their top requirements when it comes to log management? "Respondents reported that logs are most useful for forensic analysis and correlation, followed by detection and prevention -- both at more than 90%... suggesting the needs of midsized organizations are becoming more sophisticated," according to a statement released by RSA.
Beyond displaying more advanced security needs, small and midsize organizations, perhaps unsurprisingly, do face slightly different concerns and drivers for using SIEM. For example, according to the SANS survey, which also queried larger organizations, the overall "most critical" reason for collecting security logs, endorsed by 63% of respondents, was to detect or prevent either unauthorized access or insider abuse.
Detection and prevention, meanwhile, were either the first or second most important consideration overall for 83% of respondents, while roughly 40% said that meeting regulatory or compliance requirements, as well as forensic analysis and correlation, topped their most-critical list. For roughly one third of respondents, tracking suspicious behavior topped the requirements list.
Among small and midsize organizations, however, almost 80% ranked detection and prevention as their most critical requirement. According to the RSA survey, roughly 75% also rated real-time log monitoring as essential.
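To make concrete what the surveys mean by "correlation" and "real-time log monitoring" for detection, here is an added example that is not part of the article or of either survey: a small correlation rule, written in Python, that reads authentication log lines and raises an alert when one source address produces several failed logins within a short window and then succeeds. The log lines are constructed for the example (they imitate OpenSSH `sshd` messages but are not real data), and the threshold of five failures inside sixty seconds is an assumed tuning value, not something either survey specifies.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format imitates sshd
# "Failed password" / "Accepted password" messages with an ISO timestamp.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host1 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
2024-03-01T10:00:03 host1 sshd[1002]: Failed password for root from 203.0.113.5 port 51001 ssh2
2024-03-01T10:00:05 host1 sshd[1003]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-03-01T10:00:07 host1 sshd[1004]: Failed password for root from 203.0.113.5 port 51003 ssh2
2024-03-01T10:00:09 host1 sshd[1005]: Failed password for root from 203.0.113.5 port 51004 ssh2
2024-03-01T10:00:12 host1 sshd[1006]: Accepted password for root from 203.0.113.5 port 51005 ssh2
2024-03-01T10:05:00 host1 sshd[1007]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-03-01T10:05:30 host1 sshd[1008]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

# Parser for the constructed line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_line(line):
    """Turn one log line into a structured event, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation rule (assumed tuning: 5 failures in 60 s).

    For each source address, keep the timestamps of recent failures inside
    `window`. A successful login that arrives while at least `threshold`
    failures are still in the window produces one alert record.
    """
    failures = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable or unrelated line; a real pipeline would count these
        q = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        else:
            if len(q) >= threshold:
                alerts.append({
                    "src": ev["src"],
                    "user": ev["user"],
                    "host": ev["host"],
                    "failures": len(q),
                    "first_failure": q[0],
                    "success_at": ev["ts"],
                })
            q.clear()  # a success resets the counter for that source
    return alerts


def events_for_source(lines, src):
    """Forensic helper: every parsed event from one source, in log order."""
    return [ev for ev in map(parse_line, lines) if ev and ev["src"] == src]


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {a['src']} -> {a['user']}@{a['host']}: "
              f"{a['failures']} failures since {a['first_failure']}, success at {a['success_at']}")
```

Run stand-alone, the rule fires once, for `203.0.113.5`, and stays silent for the single failure from `198.51.100.7`; `events_for_source` is the after-the-fact view a forensic analyst would pull once the alert is raised. The per-source deque is what keeps the rule usable in real time on a stream rather than requiring a batch query over stored logs.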