
White Paper

Log Management: The Foundation for Federal Security and Compliance

Table of Contents
Executive Summary (page 3)
Log Management Fundamentals (page 3)
Practical Applications and Issues: When Vendor Promises Fall Short (page 4)
  Use case #1: SIEM product deployed but with no foundational logging module (page 4)
  Use case #2: Logging search tools: some assembly required (page 4)
  Use case #3: The Microsoft Windows host logging quandary (page 5)
There Is a Better Way (page 5)
McAfee Enterprise Log Manager for Integrated and Highly Scalable Log Management (page 6)
Summary (page 8)


Executive Summary
Log aggregation, analysis, storage, and lifecycle management are foundational to any US federal
agency's security and compliance program. But traditional, manual log management processes
are very labor-intensive, often costly, and don't scale well. Log search tools serve some of the
smaller-scale requirements, but they often demand both a high investment in skills and onerous,
escalating licensing costs.

The majority of responding organizations are leveraging security event data for the following:
  Detecting and tracking suspicious behavior.
  Supporting forensic analysis and correlation.
  Achieving/proving compliance with regulatory requirements.
Source: SANS 8th Annual Log Management Survey

In this paper, we will explore the fundamental requirements for a sound log management solution
and review some examples of less than optimal product deployments. Finally, we will examine
what a US federal agency should be looking for in an extensible log management strategy, and
propose a workable solution for tighter integration into, and support of, an organization's current
and prospective security and compliance programs and initiatives.

Log Management Fundamentals


Log management is essential to ensuring that computer security records are stored in
sufficient detail for an appropriate period of time. Routine log analysis is beneficial for
identifying security incidents, policy violations, fraudulent activity, and operational problems.
Logs are also useful when performing auditing and forensic analysis, supporting internal
investigations, establishing baselines, and identifying operational trends and long-term
problems. Organizations also may store and analyze certain logs to comply with federal
legislation and regulations, including the Federal Information Security Management Act of
2002 (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the
Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment
Card Industry Data Security Standard (PCI DSS).
(NIST SP 800-92, Guide to Computer Security Log Management)

Log management has traditionally been the neglected stepchild of information security. Logs can
be perceived as tedious and mundane, especially if there are a lot of repetitive log messages. And
if the logs are regarded as hard to read, or involve a lot of superfluous data, they may just end up in
the proverbial bit bucket. Unfortunately, proprietary logging formats are the norm. Additionally, if
logging incurs a significant performance hit, logging for certain systems (such as databases) is
often turned off completely. Bottom line: if log data isn't actively managed or maintained, it will
often be ignored, disabled, or just sequentially stored away to avoid someone having to deal with it.
Manual log aggregation from servers, network devices, and applications can be, and sometimes is, a
short-term remedy for an impending security review or compliance audit. But this piecemeal
approach is often surprisingly costly and is only a stopgap measure for a larger and growing set of
federal security and compliance requirements. What is needed is a way to satisfy fundamental log
management requirements in an automated and sustainable manner.
So let's take a look at those fundamental requirements. The log management solution should have
the following capabilities:

Ability to provide full log indexing and high-speed search.

Ability to collect all logs from any host or application.

Ability to search stored raw data: both structured and unstructured data.

Ability to pinpoint attack source by scouring log data storage pools for alerting and
reporting.


Ability to take the indexed and normalized log data and conduct activity/event
correlation bidirectionally with SIEM, providing security information that can be alerted on
and reviewed in near real time.

Ability to produce reports verifying and validating security and compliance posture.
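The capabilities listed above (collect from any source, normalize, index for fast search, correlate across sources to pinpoint an attack source) can be illustrated on a small scale. The following Python example is added here for illustration; it is not code from the white paper or from any McAfee product. The log lines, host names, and addresses are constructed samples, and the correlation rule (failed Windows logons from an address the firewall also dropped) is an assumed example rule, not a product rule set.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data): a firewall/syslog format, a
# Windows-style key=value format, and a database log, as one collector would
# receive them from different hosts.
RAW_LOGS = [
    "Mar 10 08:01:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=22",
    "Mar 10 08:01:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 DPT=23",
    "2013-10-03T08:01:04Z host=WIN-APP1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "2013-10-03T08:01:05Z host=WIN-APP1 EventID=4625 TargetUserName=admin IpAddress=203.0.113.7",
    "2013-10-03T08:01:06Z host=WIN-APP1 EventID=4624 TargetUserName=svc_backup IpAddress=10.0.0.5",
    "Mar 10 08:01:07 db01 postgres[211]: connection authorized: user=report database=hr",
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
WINLOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def normalize(line):
    """Map one raw line onto a common schema while keeping the raw line intact.
    Unknown formats are not dropped: they stay searchable, marked as unparsed."""
    m = SYSLOG_RE.match(line)
    if m:
        ev = {"ts": m["ts"], "host": m["host"], "source": m["prog"].strip()}
    else:
        m = WINLOG_RE.match(line)
        if not m:
            return {"ts": None, "host": None, "source": "unknown",
                    "msg": line, "raw": line, "src_ip": None}
        ev = {"ts": m["ts"], "host": m["host"], "source": "windows"}
    ev["msg"] = m["msg"]
    ev["raw"] = line
    ev.update({k.lower(): v for k, v in KV_RE.findall(m["msg"])})
    # Unify the "who sent this" field across formats so correlation has one key.
    ev["src_ip"] = ev.get("src") or ev.get("ipaddress")
    return ev


def build_index(events):
    """Inverted index token -> event positions, so a search is a set lookup
    rather than a scan over every raw line."""
    index = defaultdict(set)
    for i, ev in enumerate(events):
        for tok in set(re.findall(r"[\w.]+", ev["raw"].lower())):
            index[tok].add(i)
    return index


def search(index, events, *terms):
    """AND-search: events whose raw text contains every term."""
    hits = None
    for term in terms:
        ids = index.get(term.lower(), set())
        hits = ids if hits is None else hits & ids
    return [events[i] for i in sorted(hits or [])]


def correlate_failed_logons(events, threshold=2):
    """Cross-source rule (assumed example rule): a source IP with `threshold`
    or more failed Windows logons (EventID 4625) that the firewall also dropped
    is reported as the probable attack source."""
    failed = defaultdict(int)
    dropped = set()
    for ev in events:
        if not ev["src_ip"]:
            continue
        if ev.get("eventid") == "4625":
            failed[ev["src_ip"]] += 1
        if ev["source"] == "kernel" and ev["msg"].startswith("DROP"):
            dropped.add(ev["src_ip"])
    return sorted(ip for ip, n in failed.items() if n >= threshold and ip in dropped)


if __name__ == "__main__":
    events = [normalize(line) for line in RAW_LOGS]
    index = build_index(events)
    print("failed logons:", [e["raw"] for e in search(index, events, "4625")])
    print("attack sources:", correlate_failed_logons(events))
```

The raw line is kept on every event so that a search hit can always be traced back to the original record; only the parsed fields are used for correlation. A production collector would add many more parsers and a persistent index, but the separation of collect, normalize, index, and correlate is the point the requirements list makes.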

Clearly, all this is far beyond what can be achieved with anything other than an automated log
management system. But while having automated processes built in is a necessary solution
attribute, it is not sufficient for a fully functional log management platform.
In the following section, we'll take a look at a couple of use cases that illustrate some common
pitfalls experienced by organizations using products marketed as log management solutions.

Practical Applications and Issues: When Vendor Promises Fall Short


Use case #1: SIEM product deployed but with no foundational logging module
Years ago, many organizations recognized that they needed to adopt more automated and policy-driven
log management strategies, supported by new and evolving tools and systems that could
adapt to a rapidly changing threat landscape. And an increasingly regulated environment meant that
they would regularly be asked to prove their respective compliance postures. So cutting-edge
projects were launched to explore these new technologies.
Some early legacy SIEM vendors provided customers with their affiliated SIEM product(s),
advertising that all underlying log management could be accomplished within their product
environment(s). However, after experiencing some rather painful, constrained deployments and
incurring very expensive component customization and licensing charges, customers discovered
that they still required an additional logging module for these critical functions.
And that additional logging module does not come cheap. Consoles are specific to the involved
modules, making visualization difficult. Licensing is complex, with each module requiring an
annual renewal.
Use case #2: Logging search tools: some assembly required
Alternatively, new log search tools were being marketed as the universal remedy for log
management. Unfortunately, these tools were largely confined to searching on indexed data. Those
limitations were fine for smaller-scale operations or application development teams that used
these tools to debug and troubleshoot, but they were found to be inadequate for normalizing the
wide range of aggregated log data and providing the automated event correlation required by federal
agency security operations.
Other issues included:

Some queries need to be created manually and can get quite complicated.

They require highly skilled individuals to write search queries.

They often require custom application development for use as a larger-scale security event
search tool.

Real-time attacks and bursts of high event volume can overwhelm these tools (for
example, a network attack that generates 100 times the usual events per second [eps] on
the firewall).

They don't scale well to large environments.


They inevitably involve manual assembly. You must build it yourself, on your own
hardware and operating environments.
One log search vendor even charges by the indexed MB, a data consumption revenue
scheme that becomes increasingly expensive when the operational logging universe
inevitably expands and when re-indexing of data recurs.

Use case #3: The Microsoft Windows host logging quandary

Microsoft's Windows Management Instrumentation (WMI) is the infrastructure for management
data and operations on Windows-based operating systems. It can potentially provide a great deal
of important information regarding Windows hosts, but there are issues involved with using WMI.
Many organizations can't choose WMI because it does not comply with the NIST Federal Information
Processing Standards (FIPS).
A much more alarming, and often precluding, issue with WMI is the fact that it runs on top of another
of Microsoft's proprietary protocols, Distributed Component Object Model (DCOM), which requires
receiving systems to open all ports 1024 and above. Organizations refuse to open that kind of
gaping hole in their network firewall(s) to accommodate another monitoring and collection system.
Alternatively, to obtain this vital Windows event log data, some organizations have briefly considered
adding an agent-based log collection system, then abandoned the idea because of the additional
operational burden (and additional cost) of deploying and managing yet another endpoint agent.

There Is a Better Way


Fortunately, all three of the aforementioned log management conundrums can be effectively
addressed with an integrated log and security management solution from a single vendor: McAfee.
There's no longer any need to continue down the path of unending licensing and professional
services proliferation, increasing deployment complexity, and having to tolerate a platform with
performance bottlenecks and forklift upgrade requirements. McAfee offers a significantly more
straightforward, higher-performing, and cost-effective solution.
Rather than limiting its customers to a log indexing and search tool that requires a tremendous
amount of highly specialized query and application development, inevitable integration with a
number of third-party vendor products and platforms, and a vendor's escalating per-indexed-MB
licensing costs, McAfee provides a better way. McAfee offers a fully integrated, ready-to-deploy,
one-time licensing pricing model that extends your threat protection and situational awareness without
requiring constant, and often painful, trade-off considerations when it comes to operational costs.
Instead of forcing you to choose between two unattractive, even prohibitively costly, options for
collecting Windows host log data, McAfee has a much better option for that too.
Through a bidirectional integration between McAfee ePolicy Orchestrator (McAfee ePO) software
and McAfee SIEM products, you can use the same McAfee agent that manages your endpoint
security to deploy a McAfee SIEM plug-in that collects your Windows logs. The policy-based
McAfee ePO software management environment minimizes the learning curve and the overhead of
managing host log collection policies and processes.
The McAfee ePO agent can install the McAfee SIEM plug-in quickly, so that within minutes you
can start collecting Windows logs for viewing within the McAfee SIEM console. Once you have
collected the Windows logs, you have all the convenience, scale, and analytical power of McAfee
SIEM to help you correlate data and mine the logs for meaning. This integrated, high-performance
log management system enables you to securely and reliably preserve, and quickly retrieve, the
specific logs you'll need to support affiliated incident response, evidentiary search, and compliance
program requirements.


McAfee Enterprise Log Manager for Integrated and Highly Scalable Log Management
McAfee Enterprise Log Manager automates log management and analysis for all log types, including
Windows event logs, database logs, application logs, and system logs. Logs are signed and validated,
ensuring authenticity and integrity, a necessity for regulatory compliance. Out-of-the-box
compliance rule sets and reports make it simple to prove that your organization is in compliance and
that policies are being enforced.
McAfee Enterprise Log Manager collects logs intelligently, storing the right logs for compliance, and
parsing and analyzing those logs for security. You can retain logs in their original format for as long
as you require for specific compliance needs. Since the original log files are never altered, McAfee
supports chain-of-custody and non-repudiation efforts.

McAfee Enterprise Log Manager allows you to:

Meet federal compliance log retention requirements.
  Collect, sign, and store any log type in its original format for as long as you require to
  support your specific compliance and evidentiary needs.
  Adapt storage and retention to each log source.
  Use easily customizable storage pools to ensure that your logs are stored correctly and
  for the right amount of time.

Analyze and search logs conveniently and appropriately.
  Differentiate logs stored for compliance from logs to be parsed and analyzed for security.
  Store logs locally on the appliance and/or via storage area network (SAN) or network
  attached storage (NAS).
  Get up to 14 TB (uncompressed capacity) of usable HDD storage on the appliances, and
  optional Fibre Channel cards for high-speed SAN storage.
  Access original log files, and even the specific log record, from any point in the event
  management process with only one click.

Leverage use cases.
  Provide log management and retention capabilities to support advanced use cases,
  including:
    Establishing and automating compliant data/log retention.
    Establishing non-repudiation of evidence.
    Establishing an audit trail for administrator activity.
    Establishing an audit trail for user account activity and changes.
    Establishing automated reporting.

Simple, straightforward one-time perpetual licensing.
  Can be implemented in a single appliance or in a distributed fashion using a flat or
  hierarchical model.
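The signing-and-validation property described above (records kept in their original format, signed so that integrity and non-repudiation can be demonstrated) and the per-source retention bullets both come down to the same mechanism: an append-only store in which each raw record is chained to its predecessor and authenticated with a keyed MAC, plus a retention policy keyed by log source. The Python example below is added here to show that mechanism; it is not code from the white paper or from McAfee Enterprise Log Manager, whose internal format is not described on this page. The signing key, record fields, and sample lines are constructed for the example, and the HMAC-SHA256 hash chain is an assumed design, not the product's.

```python
import hashlib
import hmac
import json

# Constructed signing key for the example only; a real deployment would keep
# this in an HSM or key store (assumption, not a description of any product).
SIGNING_KEY = b"example-log-signing-key"
GENESIS = "0" * 64          # chain anchor for the first record
DAY = 86400                 # seconds


class SignedLogStore:
    """Append-only store: each record keeps the raw log line unchanged, links
    to the previous record's MAC (hash chain), and carries an HMAC-SHA256 over
    its fields, so editing, deleting or reordering any record is detectable."""

    SIGNED_FIELDS = ("seq", "source", "received_at", "raw", "prev")

    def __init__(self, key=SIGNING_KEY, default_retention_days=365):
        self.key = key
        self.records = []
        self.default_retention_days = default_retention_days
        self.retention_days = {}    # per-source retention policy, in days

    def set_retention(self, source, days):
        """Assign a retention window to one log source (a 'storage pool')."""
        self.retention_days[source] = days

    def _mac(self, rec):
        # Canonical JSON (sorted keys, no whitespace) so the MAC is reproducible.
        canon = json.dumps({k: rec[k] for k in self.SIGNED_FIELDS},
                           sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def append(self, source, raw, received_at):
        """Store a raw line exactly as received; returns the record's MAC."""
        rec = {"seq": len(self.records), "source": source,
               "received_at": received_at, "raw": raw,
               "prev": self.records[-1]["mac"] if self.records else GENESIS}
        rec["mac"] = self._mac(rec)
        self.records.append(rec)
        return rec["mac"]

    def verify(self):
        """Walk the chain; returns (True, None) or (False, first bad seq)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if (rec["seq"] != i or rec["prev"] != prev
                    or not hmac.compare_digest(rec["mac"], self._mac(rec))):
                return False, i
            prev = rec["mac"]
        return True, None

    def expired(self, now):
        """Sequence numbers of records past their source's retention window.
        Reported, not deleted: purging should be a separate, audited step."""
        return [rec["seq"] for rec in self.records
                if now - rec["received_at"]
                > self.retention_days.get(rec["source"], self.default_retention_days) * DAY]

    def export(self, seq):
        """Return the original raw line and its MAC for evidentiary use."""
        rec = self.records[seq]
        return rec["raw"], rec["mac"]


if __name__ == "__main__":
    store = SignedLogStore()
    store.set_retention("firewall", 90)
    store.append("firewall", "Mar 10 08:01:02 fw01 kernel: DROP SRC=203.0.113.7", 1000)
    store.append("windows", "EventID=4625 TargetUserName=admin", 2000)
    print("chain ok:", store.verify())
    store.records[0]["raw"] = "edited"
    print("after tampering:", store.verify())
```

Because each MAC covers the previous record's MAC, verification fails at the first edited, removed or reordered record rather than silently passing, and the raw line can be exported alongside its MAC for an auditor to check against the signing key. Retention is evaluated per source, which is what lets a 90-day firewall pool and a multi-year audit-trail pool coexist in one store.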

Log management is tightly integrated with event correlation, situational awareness, advanced
analytics, alerting, and rich reporting capabilities provided by integration with McAfee Enterprise
Security Manager, McAfee ePO software, McAfee Vulnerability Manager, and McAfee Global Threat
Intelligence (McAfee GTI).


Using this tightly integrated log collection, management, and analysis environment will both
strengthen your agency's security profile and dramatically improve its ability to comply with more
than 240 standards, mandates, and regulations, such as FISMA, CAESARS, the DHS Continuous
Diagnostics and Mitigation Program, Executive Order 13396: Improving Critical Infrastructure
Cybersecurity, HIPAA/HITECH, NERC-CIP, FedRAMP, PCI-DSS, and GLBA.
Figure 1. Distributed flat or hierarchical deployment models. (Diagram components: a combined
McAfee Enterprise Security Manager + McAfee Enterprise Log Manager appliance; McAfee Receivers
for third-party log/event/flow collection and correlation, connected over an AES encrypted channel;
McAfee Enterprise Log Manager with CIFS, NFS, SAN, NAS, and iSCSI storage options; labelled
"Fully Integrated Log Management".)

Figure 2. McAfee Enterprise Log Manager + McAfee Enterprise Security Manager = Deep investigative capacity, broad event
correlation/visualization, and fast response. (Diagram labels: Visualize, Investigate, Respond; see log
frequencies, search for logs, correlate events; Advanced Correlation Engine; questions "What data is
involved?", "Who is doing it?", "Are they a bad actor?", "What is the risk of the system?", "What is the
risk of the user?"; inputs from the Global Threat Landscape (threat intelligence feed) and the Enterprise
Risk Landscape (vulnerabilities, countermeasures, individuals); immediate alerting and historical
analysis; Risk Advisor and ePolicy Orchestrator; dynamic content, content aware, traditional context,
log management.)

US federal government relevant certifications and validations for McAfee SIEM solutions include:

FIPS 140-2 certified.

Common Criteria certified.

UC-APL certified.

DITSCAP certified.

DoD CCRI validated.

AcA audit approved.


Summary
While there have been significant advancements in recent years in the area of log management,
there still remain many discrepancies between vendors' product claims and their corresponding
implementation realities. Reduced time-to-deployment, simplified usability, increased visualization,
automated time-to-protection, situational awareness, flexible distribution models, and much more
cost-effective solutions are required.
If these are important considerations for your organization, investigate the high-performance, tightly
integrated, and cost-effective log and security management solutions from McAfee.
Awards and related deployment examples:

McAfee Positioned as a Leader by Gartner in 2013 SIEM Magic Quadrant.

McAfee Enterprise Security Manager Gets 5-Star Rating by SC Magazine.

McAfee ESM Included in $6B DHS Continuous Diagnostics and Mitigation BPA Award.

McAfee SIEM: DoD use cases.

Federal agency, critical infrastructure, healthcare, and financial use cases.

Learn more about McAfee log management solutions:

McAfee Enterprise Log Manager.

Optimize Log Management technology blueprint.

SANS Review: McAfee Enterprise Security Manager 9.2.

McAfee Global Threat Intelligence and SIEM demo.

About McAfee
McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ:INTC), is the world's largest
dedicated security technology company. McAfee delivers proactive and proven solutions and
services that help secure systems, networks, and mobile devices around the world, allowing
users to safely connect to the Internet, browse, and shop the web more securely. Backed by its
unrivaled global threat intelligence, McAfee creates innovative products that empower home users,
businesses, the public sector, and service providers by enabling them to prove compliance with
regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and
improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our
customers safe. http://www.mcafee.com

McAfee. Part of Intel Security.


2821 Mission College Boulevard
Santa Clara, CA 95054
888 847 8766
www.intelsecurity.com

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee, the McAfee logo, ePolicy
Orchestrator, and McAfee ePO are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks
and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and
subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright 2013 McAfee, Inc.
60560wp_fed-log-mgmt_1013B_ETMG
