ImmuneSecurity A/S on LinkedIn

October 14, 2010

Cloud based Log Management - Good or bad?

Are cloud-based application services also a good fit for a SIEM solution?

This is not an easy question to answer, since there are many things to consider when moving towards a cloud-based solution.

IT managers are aware that Log Management is not an easy task, but taking the extra step of handing sensitive data over to a third party, and on top of that having to rely on that data being available when it is needed, is another matter.
It is almost as difficult a decision as the first time you let your oldest daughter sleep over at a friend's house after a party.

I guess it all comes back to the reasons why you need a Log Management tool; some common drivers are:
  • IT Operations needs it for root-cause analysis and problem resolution
  • Security uses the information to monitor events and suspicious user behavior
  • Audit and Compliance officers are worried about sensitive data and who has access to it.
Apart from Audit and Compliance, most other use cases need log data to be immediately available for event processing and alerting purposes. So I guess it comes back to the service that the vendor is offering, and some of the things that should be checked are:
  • Application availability
  • Timeliness of log data storage and analysis
  • Device support
  • How long log data is stored and searchable
  • Backup and redundancy
Most vendors of cloud-based solutions have good answers to the points mentioned above, but by choosing such a solution it is very likely that, after the initial internal hype, it will not be used actively and will only be seen as a place to store log data and possibly for compliance reporting.
Therefore the money spent on implementing a cloud-based solution is more or less wasted, and the time spent setting it up could be put to much better use.

Integration to other applications
If you plan on deploying a solution in-house, you get the benefit of integrating it with your other management tools, and this ensures that the Log Management solution becomes an integral part of your day-to-day operations, whether operational, security or compliance related.
The system can generate events that can help you with the following:
  • Trigger scripts, such as shutting down a firewall port
  • Execute applications
  • Send alerts via text message
  • Integrate with help-desk systems such as Remedy
All these functions are just samples of how to get the most out of your Log Management system by integrating it seamlessly into, and enhancing, your existing application infrastructure.

Summary
So if you need Log Management for storage and occasional searches, a cloud-based solution is the right fit for you.
But if you want to prevent your solution from becoming a stand-alone application, and you want to use the valuable information contained in logs to improve your day-to-day operations, you are better off with an in-house solution. For now, that is definitely where you get the most out of every dollar you spend.

August 16, 2010

Log Management and Compliance

LogInspect can help you achieve complete insight into your network and help you meet common regulations such as PCI, Sarbanes-Oxley, HIPAA, Basel II, ISO 17799 (auditing and monitoring) and ISO 27001, which includes DS-484:2005. LogInspect provides prebuilt templates for the most common use cases, such as compliance and security reports, but reports can also be custom made with the modular report engine so they match your needs.

Reports on Asset Security Modifications. Security changes to a system asset are registered in a "Security Modification" category.

Reports on User Authentication. User authentication events are stored for reporting as administrator successful and failed attempts, plus user successful and failed attempts.

Reports on Security Incidents. Security incidents and system errors are automatically detected and reported by the LogInspect intelligence. Besides presenting the findings in easy-to-read reports, we also meet other requirements put forward by the regulations, such as:

Integrity of Logs. Collected log data is stored in a secure archive which protects against data modification and against audit logs disappearing (using checksums and double timestamps).
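An added example of the principle behind checksummed, double-timestamped archiving (illustrative code written for this page, not LogInspect's own mechanism): each record keeps the device's timestamp and the collector's receipt timestamp, and its checksum also covers the previous record's checksum and a sequence number, so an edited, removed or reordered record breaks the chain. The sample events, field names and function names are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-checksum value used for the first record

# Constructed sample events: device_ts is the device's own clock; received_ts
# (added at archive time) is the collector's clock, hence "double timestamps".
SAMPLE_EVENTS = [
    {"device_ts": "2010-08-16T09:00:01Z", "host": "fw01", "msg": "admin login ok"},
    {"device_ts": "2010-08-16T09:00:05Z", "host": "fw01", "msg": "rule 42 deleted"},
    {"device_ts": "2010-08-16T09:00:09Z", "host": "db01", "msg": "user login failed"},
]
RECEIVED_TS = ["2010-08-16T09:00:02Z", "2010-08-16T09:00:06Z", "2010-08-16T09:00:10Z"]

def record_checksum(prev_checksum, seq, payload):
    """Bind each record to its sequence number and to the previous checksum."""
    material = f"{prev_checksum}|{seq}|{json.dumps(payload, sort_keys=True)}"
    return hashlib.sha256(material.encode()).hexdigest()

def build_archive(events, received_ts):
    """Append events to a hash-chained archive and return the archived records."""
    archive, prev = [], GENESIS
    for seq, (event, rts) in enumerate(zip(events, received_ts), start=1):
        payload = dict(event, received_ts=rts)
        checksum = record_checksum(prev, seq, payload)
        archive.append({"seq": seq, "payload": payload, "checksum": checksum})
        prev = checksum
    return archive

def verify_archive(archive, expected_head=None):
    """Return (ok, reason). Catches edited, removed or reordered records and,
    when the latest checksum was kept elsewhere (expected_head), truncation."""
    prev, expected_seq = GENESIS, 1
    for rec in archive:
        if rec["seq"] != expected_seq:
            return False, f"gap or reorder: expected seq {expected_seq}, found {rec['seq']}"
        if record_checksum(prev, rec["seq"], rec["payload"]) != rec["checksum"]:
            return False, f"record {rec['seq']} was modified"
        prev, expected_seq = rec["checksum"], expected_seq + 1
    if expected_head is not None and prev != expected_head:
        return False, "archive truncated: head checksum does not match"
    return True, "chain intact"

if __name__ == "__main__":
    archive = build_archive(SAMPLE_EVENTS, RECEIVED_TS)
    print(verify_archive(archive))
    archive[1]["payload"]["msg"] = "rule 42 added"  # simulate an after-the-fact edit
    print(verify_archive(archive))
```

Note that a chain alone cannot detect that the newest records were cut off, which is why the latest checksum should be copied somewhere the archive cannot overwrite and passed in as expected_head.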

Access to Original Log Data. The original log format is accessible for backup, forensic and statistical use. This gives great flexibility when integrating with third-party vendors or investigators.

Asset Owners. Each defined asset can have a primary owner and a list of secondaries. This makes the process of incident response and incident management smoother, since a default assigned person (or group) can be set.

Role Based Access. LogInspect has a very fine-grained Role Based Access model which can be used if needed. For every view it can be defined whether it may be presented to a user or not, and each object can have its own settings too. A good use-case example is to let a user view (but not modify) all pages, and only present the systems which he/she is responsible for.
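An added illustration of how the owner lists from Asset Owners and the view/modify rules from Role Based Access combine into that use case (example code written for this page, not LogInspect's model; the Asset and Role classes, the page names, users and assets are all constructed):

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """Constructed asset record: one primary owner plus any number of secondaries."""
    name: str
    primary_owner: str
    secondaries: set = field(default_factory=set)

    def owned_by(self, user):
        return user == self.primary_owner or user in self.secondaries

@dataclass
class Role:
    """Per-view rights ('view' and/or 'modify' per page) plus an object-level rule."""
    page_rights: dict        # page name -> set of allowed actions; unknown page = denied
    restrict_to_owned: bool  # if True, only assets the user owns are presented

# Constructed sample assets (names and owners are made up for the example)
ASSETS = [
    Asset("fw01", "alice", {"bob"}),
    Asset("db01", "carol"),
    Asset("web01", "bob"),
]

# The page's use case: view every page, modify none, see only own systems
READ_ONLY_OWN_SYSTEMS = Role(
    page_rights={"dashboard": {"view"}, "assets": {"view"}, "reports": {"view"}},
    restrict_to_owned=True,
)

def allowed(role, page, action):
    """Page-level check: is this action permitted on this view at all? Default deny."""
    return action in role.page_rights.get(page, set())

def visible_assets(role, user, assets):
    """Object-level filter, applied only after the page-level check passes."""
    if not allowed(role, "assets", "view"):
        return []
    if role.restrict_to_owned:
        return [a.name for a in assets if a.owned_by(user)]
    return [a.name for a in assets]

if __name__ == "__main__":
    print(allowed(READ_ONLY_OWN_SYSTEMS, "assets", "modify"))   # page-level: denied
    print(visible_assets(READ_ONLY_OWN_SYSTEMS, "bob", ASSETS))  # object-level: fw01, web01
```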

Audit Logs. Every authentication attempt and every user action that results in a modification is logged in an audit log. This audit log can be used to track changes in order to discover configuration errors, who made the changes and from where.

Automated Log Management

COLLECT – STORE – ANALYZE – REPORT

Collection of logs is demanded by regulatory or security requirements. Log data is collected from any number of devices on a network and is generated in the millions every day, resulting in a staggering volume that is in itself a huge task to manage.

Secure storage of the massive amount of log data is imperative for IT controls and compliance. The LogInspect architecture ensures that any IT environment, whether local or distributed worldwide, can scale to fit even the most demanding IT infrastructures.

Analysis remains the most sophisticated part of LogInspect. Different devices generate logs in distinct, inconsistent and often cryptic formats that are difficult to analyze without in-depth system-specific expertise. Also, many of the conditions that indicate issues can only be detected when logs are correlated with logs from other systems and devices. If caught in time, these signs can alert personnel to take the necessary actions before security is compromised.

LogInspect analysis is done in real time for immediate insight into unusual and suspicious user/network activity - a task that is impossible to do manually in even mid-sized companies.

Once a given task is defined, the best management tool for control is reporting. LogInspect includes a powerful report generator that makes it easy to define and schedule relevant reports based on standard compliance or fully customized requirements.