U of Tennessee finds 'bonus benefits' in log management

* Log management can help with security and compliance

The University of Tennessee installed a log management tool last summer to address PCI and HIPAA compliance requirements. Since then, the university is finding other uses for the log data that are improving network security and operational efficiency.

In last week's newsletter I told you about a survey on log management uses that the SANS Institute is running this month. SANS wants to know how organizations actually make use of device logs, so that vendors can shape and improve their products accordingly. You still have time to contribute during January; results will be published in April.

Meanwhile, I recently talked with James Perry, the Information Security Officer at the University of Tennessee about his use of log management. His department has been using ArcSight Logger since July 2008, and he’s still finding interesting use cases. Here’s a look at some of them and how his organization is benefiting from log management.

In many ways, a university environment is much more complex than a corporate environment. Perry’s team has responsibility for security and operations at five campuses. He says they act almost like an ISP because they can’t dictate what products, technologies and applications are used by students, professors and campus departments. For a university network manager, there’s a strong need to balance student freedom with network security.

At the same time, the environment can't be a free-for-all. The university network serves 159 merchants such as bookstores, coffee shops and other sales operations, which brings a PCI compliance requirement. Two of the campuses work with medical data, which means HIPAA. There's financial data, which means GLBA, and so on. As you can see, the need to log and monitor activity for compliance purposes was the main driver behind the university's purchase of a log management product. What's more, like most organizations today, the university is experiencing budget cuts, so Perry has had to improve security and operations with fewer resources. Log management has helped on that front as well.

Perry’s team selected ArcSight Logger as their tool for two reasons. First of all, they were already using the ArcSight SIEM Platform to collect filtered security event information. Using the log management product from ArcSight meant that the two tools could easily use the same data for different purposes. Second, ArcSight Logger allows the university to collect data from many different types and brands of devices, bring it together in one place and normalize it for detailed reporting and alerting mechanisms. He calls ArcSight Logger “a Syslog-type tool on steroids.”

Prior to installing the log management tool, the university had only the SIEM. The SIEM filters out data it considers extraneous and looks only for security events. Once the log manager began retaining everything the SIEM discarded, that "extraneous" data turned out to hold a lot of useful compliance and operational information. For example, Perry says they can now spot the signs of a pending device failure in specific events. Those events trigger an alert to a technician, who can service the device before it fails outright.

Log management has helped with security, too. If there is a breach from within, the log data helps pinpoint the source within minutes. Previously, security analysts could spend upwards of 45 minutes finding the source; that is now down to two or three minutes.
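The two uses Perry describes, alerting on pre-failure events and pivoting through raw logs to find an internal source, come down to parsing retained syslog lines and correlating them. The script below is an added illustration of both, not code from the article, from ArcSight or from the university. The log lines, hostnames, IP addresses, MAC address and message formats are all constructed for the example; a real deployment would run the same logic over the log manager's retained events rather than an inline string.

```python
"""Added example: event-based alerting and incident triage over retained syslog.

Everything here is constructed for illustration. The hostnames, IPs, MAC and
message formats are assumptions, not University of Tennessee or ArcSight data.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in BSD syslog shape: "<timestamp> <host> <process>: <message>".
# They mix a switch port slowly going bad with one internal host probing a file share.
SAMPLE_LOGS = """\
Jan 12 08:01:03 switch-lib-01 kernel: port 12: CRC errors 14 in last interval
Jan 12 08:01:04 core-fw-01 sshd[2211]: Accepted password for jdoe from 10.20.4.77 port 51022
Jan 12 08:02:10 switch-lib-01 kernel: port 12: CRC errors 31 in last interval
Jan 12 08:02:15 fileserver-02 smbd[1901]: 10.20.4.77 connect to share FINANCE denied
Jan 12 08:02:16 fileserver-02 smbd[1901]: 10.20.4.77 connect to share FINANCE denied
Jan 12 08:03:01 switch-lib-01 kernel: port 12: CRC errors 52 in last interval
Jan 12 08:03:07 fileserver-02 smbd[1901]: 10.20.4.77 connect to share FINANCE denied
Jan 12 08:03:40 dhcp-01 dhcpd: DHCPACK on 10.20.4.77 to 00:1a:2b:3c:4d:5e via eth0
Jan 12 08:04:00 switch-lib-01 kernel: port 12: CRC errors 80 in last interval
Jan 12 08:04:12 core-fw-01 fw: DENY src=10.20.4.77 dst=10.30.1.5 proto=tcp dport=445
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$"
)
HW_WARNING_RE = re.compile(r"CRC errors (\d+)")          # assumed message format
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"to ([0-9a-f]{2}(?::[0-9a-f]{2}){5})")  # assumed dhcpd wording


def parse(text):
    """Split raw syslog text into dicts with ts/host/proc/msg; skip unparseable lines."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failing_devices(events, min_events=3):
    """Operational alert: devices whose error counter keeps climbing.

    Returns {host: [counter values]} for hosts with at least `min_events`
    hardware warnings whose counts are strictly increasing, i.e. a device
    that is degrading rather than one that logged a single transient error.
    """
    series = defaultdict(list)
    for ev in events:
        m = HW_WARNING_RE.search(ev["msg"])
        if m:
            series[ev["host"]].append(int(m.group(1)))
    return {
        host: counts
        for host, counts in series.items()
        if len(counts) >= min_events and all(a < b for a, b in zip(counts, counts[1:]))
    }


def pinpoint_source(events, indicator):
    """Security triage: from an indicator string (a share name, a host, a
    signature), find the internal IP most associated with it, then pivot on
    that IP across every log source and resolve it to a MAC via DHCP leases.
    Returns None if no event mentioning the indicator carries an IP."""
    hits = Counter()
    for ev in events:
        if indicator in ev["msg"]:
            hits.update(IP_RE.findall(ev["msg"]))
    if not hits:
        return None
    ip = hits.most_common(1)[0][0]
    ip_re = re.compile(r"\b" + re.escape(ip) + r"\b")   # avoid 10.20.4.7 matching 10.20.4.77

    timeline, seen_by, mac = [], set(), None
    for ev in events:
        if not ip_re.search(ev["msg"]):
            continue
        timeline.append((ev["ts"], ev["host"], ev["msg"]))
        seen_by.add(ev["host"])
        if "DHCPACK" in ev["msg"]:
            m = MAC_RE.search(ev["msg"])
            mac = m.group(1) if m else mac
    return {"ip": ip, "mac": mac, "seen_by": sorted(seen_by), "timeline": timeline}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for host, counts in failing_devices(evs).items():
        print(f"ALERT pre-failure: {host} error counter rising {counts}")
    result = pinpoint_source(evs, "FINANCE")
    print(f"source {result['ip']} (MAC {result['mac']}) seen by {result['seen_by']}")
    for ts, host, msg in result["timeline"]:
        print(f"  {ts} {host}: {msg}")
```

The point of the pivot is that the SIEM alone would have kept the firewall DENY and perhaps the SMB denials, but the DHCP lease line that ties the IP to a physical MAC (and therefore to a switch port and a desk) is exactly the kind of "extraneous" event a filtering SIEM drops and a log manager retains.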

Perry expected they would address their compliance requirements with the log management system. He's pleased to see there are “bonus benefits” that are making his team more efficient, and he expects they will find more uses for log management as time goes by.
