As an IT administrator, I'm often considering how to make the most of all security solutions that my organization needs to run smoothly, especially given the cost of compliance solutions. One item I'd like feedback on is how I can leverage the log-management product I've bought for compliance to protect the network against insider threats as well. If I have a log management solution in place, will that be sufficient to protect my sensitive data? What other best practices are there, and can you provide a few real-world examples?

Information security tools are often split into two categories - detective and preventive. The latter should help prevent attacks, as the name implies, while the former gives ways to monitor and find security events. Log management is a detective control only, so it is not sufficient on its own to protect sensitive data. You still need things like access controls and authentication to prevent unauthorized access and stop attacks. However, detective controls significantly enhance preventive controls because they warn of impending attacks (e.g., suspicious activity and surveillance) and alert you to attacks even if they are failing. Log management therefore has both direct and indirect applications that will help with compliance as well as insider attacks.

A direct method of log management usually involves collection of known logs into a centralized and secure space with long-term retention capabilities to satisfy requirements like "Secure and Central Log Collection" (PCI Requirement 10.5). Indirect methods can involve anything related to monitoring or auditing activities. This means everything from authentication and authorization to encryption to change management could benefit from log management. File Integrity Monitoring, for example (PCI Requirements 10.2.2, 10.5.5 and 11.5), depends on a log management back-end. Some may be surprised that virtually all encryption has a significant log-management component, but monitoring access and change related to keys and signatures is essential to good encryption management. Take, for example, an insider who modifies or replaces a key. Even the reverse can be important; a key that has not been rotated in a timely fashion (some rotations are meant to happen weekly) indicates a potential exposure or suspicious activity.