Log files and their management aren't the cool, sexy topics of security and management discussions, but they are foundation pieces of just about any enterprise threat management and regulatory compliance effort. Global DataGuard, a provider of enterprise Unified Threat Management (UTM), has beefed up its log file management by enhancing its Firewall/Syslog Module (FSM) technology with the release of version 3.4.
The new version provides increased storage - up to 1.5 terabytes of onboard storage - as well as advanced search capabilities for locating and analyzing specific log events over vast periods of time and more sophisticated log parsing and alerting. Scott Paley, CEO of Global DataGuard, says, "Our customers came to us and requested the addition of a log management and analysis service. In the grand scheme of things we have a lot of traffic hitting the server. We decided to build something that integrated log management with the integrated threat management and signature-based threat recognition of our core services."
According to Global DataGuard, one of the major drivers behind customer requests was the search for a tool to help businesses achieve full regulatory compliance. The FSM's ability to collect, analyze, respond to and retain log information is what supports long-term verification of regulatory compliance: retained, searchable logs are the evidence an auditor asks for. In addition, the system may offer visibility into IT operational efficiencies, detect potential security breaches, provide forensic capacity and enable corporate accountability across an enterprise.
Randy Potts is director of security for Town North Bank in Dallas, Tex. He says that his firm based the decision to buy a log management tool on its impact in the compliance arena. "Compliance played a huge role in the decision," he says. "We got [the log management module] when we were in a PCI compliance effort, and it helps us stay in good standing with our key regulator, the Office of the Comptroller of the Currency (OCC)." Potts says that the log management system also helps in forensics and in proactive system management. As an example, he says, "We use hardware VPNs here, and looked back through the logs to see who was connecting remotely using the hardware tunnels. We could say that if they hadn't used a tunnel in 90 days we could go ahead and disable it."
With the FSM, all log files are continuously analyzed against customer-specified rule sets and then retained for reporting and forensics. Detected policy violations or activities of interest result in alerts on the unified management console for further analysis, incident response and ticketing. According to Paley, "Based on the ticketing system we can go out to one of their devices where the issue is taking place, and we can take action based on rules we see. We tend to work with the large to medium enterprises most often and they don't want you to block users without talking to them first, so we do that or act automatically depending on the circumstances."
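The two uses of retained logs described above, the 90-day idle-tunnel look-back from Potts' example and the continuous rule-set matching that raises alerts, are both small enough to show end to end. The following is an added example written for this article; it is not Global DataGuard's FSM code and not Town North Bank's procedure. The key=value syslog line format, the hostnames and addresses, the tunnel names and the deny-burst threshold are all assumptions made for the demonstration, and the log excerpt is constructed.

```python
"""Rule-driven review of constructed VPN and firewall syslog lines.

Added example only: this is not Global DataGuard's FSM code and not Town North
Bank's procedure. The line format, field names, hostnames, addresses and the
rule thresholds are all assumptions made for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed key=value syslog style, not the FSM's format).
SAMPLE_LOG = """\
2009-03-01T08:02:11 vpn01 tunnel=branch-north peer=203.0.113.10 event=up
2009-03-03T09:15:40 vpn01 tunnel=branch-south peer=203.0.113.20 event=up
2009-05-30T17:45:09 vpn01 tunnel=branch-north peer=203.0.113.10 event=up
2009-06-01T00:00:01 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=22
2009-06-01T00:00:02 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=23
2009-06-01T00:00:03 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=3389
2009-06-01T00:00:04 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=445
2009-06-01T00:00:05 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=1433
2009-06-01T00:00:06 fw01 action=deny src=198.51.100.7 dst=10.0.0.5 dport=8080
2009-06-01T08:30:00 fw01 action=allow src=10.0.0.9 dst=10.0.0.5 dport=443
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse(text):
    """Turn each line into a dict of fields; lines that do not match are skipped.
    (A real collector would retain unparsed lines verbatim for forensics.)"""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        fields["ts"] = datetime.fromisoformat(m["ts"])
        fields["host"] = m["host"]
        events.append(fields)
    return events


def stale_tunnels(events, now, max_idle_days=90):
    """Look-back rule: tunnels whose last 'up' event is older than max_idle_days
    are candidates to disable (the 90-day idle check described in the article)."""
    last_seen = {}
    for e in events:
        if e.get("event") == "up" and "tunnel" in e:
            name = e["tunnel"]
            if name not in last_seen or e["ts"] > last_seen[name]:
                last_seen[name] = e["ts"]
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(name for name, ts in last_seen.items() if ts < cutoff)


def deny_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Alerting rule: one source accumulating >= threshold firewall denies
    inside a sliding time window (assumed threshold; a port scan looks like this)."""
    by_src = defaultdict(list)
    for e in events:
        if e.get("action") == "deny" and "src" in e:
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)   # largest count seen in any window
        if best >= threshold:
            alerts.append({"rule": "deny-burst", "src": src, "count": best,
                           "first": times[0].isoformat(), "last": times[-1].isoformat()})
    return alerts


def review(text, now_iso):
    """Run both rule sets over a log excerpt at a given reference time."""
    events = parse(text)
    now = datetime.fromisoformat(now_iso)
    return {"stale_tunnels": stale_tunnels(events, now), "alerts": deny_bursts(events)}


if __name__ == "__main__":
    report = review(SAMPLE_LOG, "2009-06-15T00:00:00")
    print("tunnels idle > 90 days:", report["stale_tunnels"])
    for a in report["alerts"]:
        print(f"ALERT {a['rule']}: {a['src']} {a['count']} denies {a['first']}..{a['last']}")
```

The look-back rule only works because the tunnel "up" events from March are still on disk in June; that is the retention side of the article. The burst rule is the streaming side: it fires on the constructed scan from 198.51.100.7 and, as Paley describes, the output is an alert for a human or a ticket, not an automatic block.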