Webinar Recording

The Business Value of Log Management Best Practices


KuppingerCole webinar recording

Good afternoon, ladies and gentlemen. This is Martin Kuppinger of KuppingerCole. Welcome to our KuppingerCole webinar "Business Value of Enterprise Log Management", or, more completely, "Business Value and Best Practices for Enterprise Log Management". The webinar will be held by me, Martin Kuppinger, and by Pascal of Novell; the webinar is supported by Novell, and we will start right now. Very quickly about KuppingerCole: we are an analyst and research organization focused on enterprise IT research, advisory, decision support and networking for IT professionals, through our subscription services and our research, through our advisory services and through our events. Our main event is the European Identity Conference, which will be held again in May 2011, 10th to 13th of May, co-located with the Cloud 2011 conference. These conferences focus on thought leadership and best practices and are our leading events in Europe. Registration and all other information is available at ww.id com.com, and I hope to see you in Munich in May. Regarding the webinar, some guidelines: you will be muted centrally, so you don't have to mute yourself.
We are controlling these features; you don't have to do anything about this, and so you are all unmuted in that case. The other point is that we will record the webinar, so if you're not happy with this, you have to leave right now. But I think that's not a problem, because we are only recording the speakers, and we will provide the recording on our website, usually by the next day, so that you can look at the replay of the recording. Q&A will be at the end, so you can ask questions using the Q&A tool at any time. It's in the GoToWebinar control panel, at the right side of the screen, in the "Questions" area, where you can enter your questions. And I strongly recommend using it at any time, in the sense that once a question comes to your mind, you really should enter it directly, so that we have a comprehensive list of questions at the end of the webinar, when we will do our Q&A session.
In some cases we might also pick questions during the webinar, but in most cases we do it at the end. So if there is a question, just enter it in the questions tool, and then I can, or we can, pick the question by the end of the webinar. Okay, that's it. The next point is our agenda. The agenda, as usual for KuppingerCole webinars, is split into three parts. The first part is my presentation around enterprise log management, putting it into context and looking at business values. The second part will be Pascal of Novell, who will talk about enterprise log management best practices. And finally, we will do our Q&A session. I start directly with this topic. So, enterprise log management: I think it's a little bit more than just looking at logs. What really defines enterprise log management, from my perspective, is that we have a central approach for looking at logs in a heterogeneous environment.
So it's really about supporting heterogeneous environments, not only focusing on a specific system environment but really dealing with logs in a heterogeneous environment, because that enables you to look at things across the entire business process, which might span different environments and all that type of stuff. And you frequently have things like the databases on a Unix system but the front end on a Windows system or something like this, which requires you to support a heterogeneous environment. It should support standards like syslog and Windows event monitoring, and for sure custom interfaces to logs which aren't in a standard format; strong mapping, correlation and analysis features, so really also supporting you in analyzing what is in these logs, because the obvious problem with logs is always that it's massive data and you have to find the relevant pieces within it; and it should also act somewhat automatically on these logs.
So there's, let's say, some borderline between the pure enterprise log part and the SIEM part, but from my perspective these things are moving closer together, and I think there's also a lot of sense in having these things integrated to some degree. So it's part of security management; it's really about looking at logs from a security perspective. It's part of operations management as well, so really, let's say, acting automatically on these logs to do operations management efficiently. Simply put, yes, you have to have a complete log, because then you have the best foundation to do things, to automate things. And it's part of the enterprise GRC strategy. I'll talk about most of these parts later on in my presentation. If I look at it from a security perspective, then logs provide current security-related information: who has logged on when, who has accessed what, and a lot of other things are in these logs, depending on the systems you're getting these logs from.
And especially if you look at it from a security breach perspective, so more from a forensic perspective, for example, it might occur that you can really detect the breach only when you look at combined information out of multiple systems. So there's someone who gained access and who has performed actions on systems, and only in, let's say, the combination do things become really critical, because he has accessed systems he shouldn't access, but some things might have been, let's say, sort of legal or legitimate at some other point. And so in many cases it's really about looking at different systems. Also, when it's about what has been done by this user, by this attacker, then there might have been actions on many different systems, and it's important to understand where he has been, to have a comprehensive and complete look at these systems: firewalls, servers, applications, what happens where. It's about efficient alerting, again, which requires an integrated approach, not many alerting systems.
So I think it's really annoying if you get a lot of alerts from a lot of different systems, because you have to handle too many different things. You can reduce a lot of alerts, because if something happens at multiple systems in a very close period of time, it's sufficient to alert you once instead of multiple times. And historical data is also the foundation for forensics, for sure. So if you look at it from a security management perspective, it's a very important thing to have an enterprise log management approach, because many things you have to do in security management, in day-to-day security management as well as when an incident occurs, are related to having centralized logs; things become much easier once you have that type of log. So there's a business value, obviously: improving security management.
If I look at it from an operations perspective, it's about log collection, analytics, correlation and automated activities. And as I've said before, it's better to have a centralized instance: one log collection, one analysis, one correlation makes things easier, makes things much more efficient in administration. So it definitely makes sense to do it that way. And you also have to interface with operations and management tools at one point, instead of having multiple interfaces. And it's definitely easier to make things work in the area of operations management. If I look at it from a GRC perspective, this slide is from our research note on a standardized GRC architecture, from, let's say, sort of a big-picture perspective. And I think it's a research note well worth reading. Then we have a lot of things to do. So we have preventive activities, which are requirements modeling, which is the GRC status investigation, which is the improvement activities.
So requirements modeling is about all the rules and policies and that pile of stuff. The status investigation is really looking at what has happened, and improvement is then entering, for example, enterprise log management, SIEM, access governance tools and other things to really make it easier to work with the controls you have defined. And for sure you also have a reactive part, which is the crisis and incident management, which happens when something happens. And so you have to think, and it's about reducing risks: you have threats, you have assets which can be affected by these threats, and you have to minimize the business impact. And that's where, if you look at this from the perspective of enterprise log management, then in these dark grey areas, that's where enterprise log management comes in. So it's the status investigation part; it's around risk and threat situation analysis; it's around control status collection from automated sources.
So enterprise log management helps you to do a lot of things in an automated fashion, using automated controls, using an automated reaction on things. You also might have some manual controls, in the sense that you have someone who is analyzing specific output of these things, but then it's still based on automated sources. Then you have to have threshold-based alerts to crisis and incident management. So if things happen, some events occur, some combination of events occurs, a number of events is above a defined level or something like this, then it's obviously an incident and you have to act on it. And doing this risk and threat situation analysis, doing this core part of every GRC implementation you have in an organization, really means that you have to be able to, or that you really need the tool, which is enterprise log management.
That's one part of the story. It's not the only one, but it's a very important one. So if you look at it from a high-level perspective of a GRC initiative, you have your business GRC; some vendors also call it enterprise GRC, which is from my perspective somewhat arrogant, because that sort of says some parts aren't enterprise. But in fact the entire picture I'm building here is the enterprise GRC. And one part is the business view, the business GRC, which is, for example, operational risk, so also the financial area, the manual controls you have there, looking at specific things, high-level dashboards. And then you have continuous controls monitoring, which is very business-process focused. So: are your goods received and your purchase order created dates in a logical synchronization? Was the purchase order created before the goods were received, or after? After isn't that good from a compliance perspective.
So it's looking at these things with more automated controls, and sometimes it's also focused on a specific system. Then we have this, let's say, more IT-centric part, which really looks at the things which happen on the IT systems, where we have, for example, access governance, which is really around: do the right people have the minimum of rights they need, and more and other kinds of stuff. And then we have these parts of SIEM and the pure log part, which are, as I've said, somewhat related and somewhat tightly related. And I think also, if you look at SIEM, doing the typical SIEM things without enterprise logs is somewhat difficult. Service, controlling, service management and other things, and then below this we have all the systems. So within the big picture of GRC, of this, let's say, enterprise GRC picture, enterprise log management has a very important role.
It's one of the things you definitely need. And if I look at, for example, what currently happens at customers, especially in the finance industry, but also in many other regulated industries, and increasingly in the rest of the, let's say, the rest of the world, we see that there are three areas where companies are currently really looking very heavily, besides, for sure, the big cloud topic. But if I look at it from a GRC perspective, one thing which is very high, at the very top of the agenda, is definitely access governance, or whatever management term, user identity, however you'd like to call it. And it's the entire area of SIEM and prevention, because these are the three areas which truly have to be addressed to fulfill the needs and the requirements from the regulatory compliance side.
We also have an interesting point, and I've just mentioned the term cloud: the cloud issue, how to deal with logs in the cloud. First of all, the logs are the big question: can you access them? Enterprise log management potentially can deal with any type of logs, but the problem there is more that cloud providers don't necessarily provide sufficient logs. So the problem is more around that. I'm personally convinced that this will change, because if you look at the larger organizations which are consuming cloud services, they are for sure pushing the vendors, the cloud service providers in that case, to provide an acceptable level of logs they can access. So things are changing there; the pressure is high on the cloud providers. And also you have the environments which are sort of a step between this, where things also become much more complex.
If you look at the virtualized environment, you can't say, okay, I look at the log of server one in the sense of a physical server, but you have to deal with many more logs and many more virtual machines. And I recently heard a number that sometime last year the number of virtual machines in production became higher than the number of physical servers in production. So virtualization is just reality, and we have in fact a very large number of virtual machines out there. So we have to do it there as well, and we have to do log management at all levels. I think that's a very important point: host, hypervisor, guest, and we have to do it in an integrated way. We can't do a little bit of log management at the host and the hypervisor and then all the guests; we actually have to do it integrated.
And the same is true with the cloud. We need something which allows us to look at these things in an integrated way. Think also about the cloud: you have services from different providers. It's essential to be able to have an integrated view, also from a log perspective, on these providers. What does log management, or what should log management, provide? Flexible interfaces to logs, customization of new interfaces. So you need interfaces, incoming or outgoing, to the systems; that should be easy. Correlation, analysis, historical data, and that's very important, because you have this forensic thing, you have a lot of regulatory compliance issues where you have to hold log data for a pretty long time. And it's also about alerting, automation support, outgoing interfaces. When I finally look at the business values again, I think there are three major areas from a business value perspective where enterprise log management comes in.
One area is risk mitigation. It's a part of the risk management operations, and doing a lot of things in this area of risk mitigation, and thus doing a lot of things around the GRC requirements, is in fact based on the ability to deal with that type of technology, to access a lot of logs, and to do it sufficiently you need to integrate it, to centralize it, to do it on an enterprise level or in an enterprise style. Regulatory compliance: for sure, in some cases it's just a must to do, and it doesn't really help you to work with workarounds, a little bit of syslog at the Unix or Linux environment, other things there. It's about doing it in a standardized way. That might also mean starting relatively small, but starting in a way where you know, okay, this one can be expanded to whatever I need in my organization: other systems, the natural change of environments, an increase in the amount of data and all that stuff.
This system will support my growth in that area. The worst thing you can do is start with a solution which can't grow with your needs. And so even when you start relatively small, it should be something which can grow to whatever you need. And finally, it's about cost and manageability. So standardization and centralization definitely help you to make a lot of things better, to avoid point solutions, to avoid disinvestment by point solutions. So there are obvious business values. For sure, it's sort of an infrastructure thing, which doesn't mean, okay, I might have that much cost I can directly calculate against, but it's something which definitely works to look at and to build on. As I've said, we currently see a very strong trend in this area. So that's what I'd like to talk about. I will right now hand over to Pascal of Novell, who will then do the second part of the presentation, talking about enterprise log management best practices. Pascal, it's your turn.
Thank you, Martin. Let me just share my screen here. Okay. So in the second half of the webinar, I'll be talking about log management best practices. My name is Pascal. I'm a security management specialist at Novell. So why are we here today? Why are we talking about log management? Well, first of all, think about the most valuable piece of information within your company. You usually put controls in place to protect this information. So what is very important is that it should be nearly impossible for a malicious party to access. So you're protecting that asset, but for information to be useful, somebody must be able to access it. Think of protecting your SAP environment with your customer information in there: if your operation cannot access that data, you're not in business. So internal users are very commonly the weakest link in this access chain.
And what we see is that attackers are exploiting internal access to a degree that we've never seen before. A very common way of getting to your information is by convincing one of your internal users with access rights to provide that information; that is usually done by tricking people into providing that information. So how do we address this fundamental challenge that we face? Let's look at the insider threat. First of all, if you look at that graph on the left side here, you will see information from the 2010 Verizon Data Breach Investigations Report, and in there it becomes clear that there's an increase in breaches caused by insiders. So although the Verizon investigation report has better and more information year over year, there's a clear growth in insecure endpoints, bribes, or, as we call them, mules, people who actually take care of shipping the stolen information to criminal organizations, or mistakes in configurations, or mistakes in where you send your data or who you give information to. External threats are still there. What is happening is that the reliance of outsiders on insiders is still going up. Most of the insider threats are caused by outsiders.
So what we also see is that all these threats are actually getting stronger and more targeted and more in volume. We also see that the IT infrastructure is undergoing a dramatic shift. We see that companies are shifting their capital expenses to operational expenses. We see growth in managed services, more mobile devices and endpoints. And as Martin already pointed out, they move first to virtualized environments and then into cloud computing environments. So the question is then, you know, how do we feel about cloud, and are we prepared to extend IT controls to cloud services? Do we still have the same level of control when we move into these cloud services? So new technologies like social networks and endpoint devices like smartphones and all kinds of tablets and things like iPhones actually come with new complexities at the same time.
We also see that these insider attacks are going up. The intelligence of the attackers is actually going up, and the attacks are getting more targeted. And at the same time, there's a lot of pressure from regulations to secure environments and to prove that we are actually still securing the environments that are more threatened nowadays. So that's a very interesting pressure too. So, new insecurities when we talk about the cloud: the interesting thing is that for companies a cloud could be a very interesting proposition, because there's uptime; when you don't have to care about your own uptime, the cloud provider provides this to you. It seems seamlessly scalable: if you need more power, you buy more power. But there are also shared resources, there is logical separation, there is, you know, it doesn't matter where it happens. That could be a threat too.
You know, where is my data going? Is it shifting between data centers? Is it crossing borders? There are so many different things. And if you talk about this logical separation of data on cloud-based systems, I have no idea if my competitor is actually hosting their data next to me, or maybe there are multiple companies with their data on the same disk that my data is on. This is great for hackers. They want to get their hands on these assets, on this information, and if they break into these cloud environments, they can probably get a lot of valuable information.
So for the cloud consumer, basically the cloud provides hosted applications that are always available. It's easier to manage; you have service level agreements with the cloud provider. So you kind of cover all the operational types of issues that you usually would take care of within your IT services department. The trouble is you don't see the infrastructure behind it: the virtualization that's going on, the workloads, the way that the billing is happening, and audit and log monitoring there is also not transparent at the moment. How do these cloud providers, first of all, inspect their own logs for security and operational reasons? And why do we not have insight into these logs? Also things like: how can I prove my compliance with certain regulations in terms of data protection, privacy, those kinds of things, and how do we guarantee high availability?
So these are things that we don't have much control over as cloud consumers. In the old security strategies, we would basically put walls around our infrastructure and build a security infrastructure around the IT. So basically protect sensitive systems and networks, put firewalls around them, and then put intrusion detection around those firewalls just to know if somebody is actually attacking or going through those firewalls or trying to attack those segments. We found out that none of these actually solved the problem of malicious inside access, because the insider already has access to valuable information from the inside, and the only thing the hacker or an attacker needs to do is convince this person to cough up that information. So that's pretty much inadequate for dealing with cloud security challenges.
So why would you do log management? Martin already gave a lot of reasons in terms of compliance and security and operational health. Basically, log management, if we look at the mechanisms, allows you to more easily collect and understand IT and security log data; basically it makes data manageable. And it should also help to store log data more efficiently: not only effectively getting all the logs in and storing them, but efficiently in terms of lowering the cost of storage. Also the ability to quickly look up important data in case of an incident. I think where you can do all these things, you can store it, you can filter, search and report, but really make it understandable: do I really understand what's going on? Even if there are no incidents occurring, if there are no security breaches whatsoever, what information is actually in there, what kind of value?
And then also put the infrastructure in place to step up to real-time correlation, real-time security analysis. Log management can be a very good mechanism to actually make sure that you have clean data and that you're on top of the logs. So if we look at a set of best practices, I just want to run through these quickly. There are a couple of important things that we see, that I think we should talk about when we talk about log management. Basically, garbage in, garbage out: if you collect the wrong data or too much data, that might not support your outcomes. So a good practice is to look first at the outcomes. What do I want to reach? What are the goals that I want to reach? And then what data do I need to log, and what data can I throw away?
Also, too much data does not solve the data overload problem. A lot of companies start log management and SIEM projects to cope with data overload. But, you know, if you're putting too much data in there and outputting too much data, like a hundred reports every day, you're not solving that data overload problem. Also, filter data before it gets to the SIEM. One of the worst practices of SIEM could be: okay, send all the data into your correlation engine or into your analytics engine, and then the machine will automatically tell you what the problems are in your environment. It just doesn't work like that. That is a myth, and it just doesn't happen. So log management allows you to very clearly understand your data and filter it before it actually gets to your analytics engines. Understanding the environment:
What do you expect from the data? I think it goes back to the first point as well. And then also very important when you go through security information and event management and log management projects: focus on solving immediate tactical needs. You probably have a very immediate need, a priority where you want to start with this. This can be a small project where you can have a very quick gain, and it's usually much easier to get the budget to solve that initial tactical problem instead of defining a long-term project upfront and trying to get the budget for that one. If you do that the right way, you can stage the approach, evaluate the value of this tactical first step or the first couple of steps you've taken, and then always test them against your long-term strategic goals. So that always allows us to find out: are we still on the right way?
What were the wins that we had? What were the best and worst practices that we learned? And also, what's very important, you can use similar log management to provide value to other areas of the business. One of the things that we like to talk about is how we can help chief information security officers provide information about the IT security environment to the C-level executives without talking the technical talk. So providing some kind of business-level reporting, business-level intelligence or security intelligence to these people at the risk level, so they can actually understand what IT threats are going on without understanding all the technologies. And then another thing that's very important is keeping an eye on privacy and data protection requirements. Collecting large amounts of data into a centralized location, storing them, creating reports and things like that can actually generate some issues with regard to privacy and data protection.
So that's, you know, very important to look at with every step you take. And again, start small, scale up wisely, and choose technologies that allow for the scalability. Very important: keep the longer-term strategic project or the goals in mind, and then take your small tactical steps by solving problems one by one, and choose the technology that allows for that. So that also requires a conversation with the technology vendors about the roadmaps: how do you scale up, not only in technology but also in cost? Can you provide us with cost-effective scalability? So let's talk about a couple of bad practices, and, you know, they may differ for everybody, but one of the bad practices here that we identify is basically skipping the requirement definition stage. What we have seen with companies, especially when there's a large pressure from a compliance point of view, is that skipping the requirement definition stage and just implementing an enterprise log management or SIEM environment will probably get them through the first audit, because they have taken action and they have a process in place.
But in the long term, they will probably not be able to actually implement the right security management practices. Postponing environment sizing until the purchase: it is very important to understand what kind of sizes you're looking at in terms of your deployment and how much hardware cost you will have, software cost in terms of licenses and all that. Also, price is not a good indicator for the quality of your SIEM or log management deployment. It might be very attractive to buy a one-box hardware appliance that will solve your enterprise needs. But very often, if you do this for a low price, you will run into scalability issues and the cost comes afterwards. So a low price usually means it's cheap now, and in the future you're going to pay more. Also, do not expect vendors to tell you what you need to log.
Vendors will sell you technology. It is very important to have a party in the mix who can advise you on where to focus. And then I'm just skipping a few here; you can replay this. What's also very important: deploy in phases, not everywhere at the same time. I already spoke about that. Don't do a big bang rollout; it's usually a setup for failure. And one of the final things, something we hear a lot, is that companies think that an interface is intuitive, so they don't need training: "let's skip the training for our people because it's so easy to use." Training and enablement are very important, not only in understanding security analytics and understanding how to deal with incidents, but in growing my team: how am I growing my in-house security intelligence and creating best practices in-house? So it's not all technology that's solving the problems there.
So very quickly, compliance reports. A thing to look at, if we talk about best practices, is not the number of reports, but very clearly how easily can I create a report that is important for me, right? If you have a thousand reports, what are the chances that your report is in there? The number doesn't matter; what actually is important is to be able to define relevant events, format the data the right way, and then customize the reports for the specific needs of the organization using filters, refining. So again, the value of information is much more important than the large amount of tools to get to any information. Log management can be used for prevention. What it actually provides is a lot of visibility across systems, and that helps discover weaknesses. So if you inspect the logs in a certain way, and you provide the right reports to your operations, it can really help get this full visibility and find out where the weaknesses are, not just security weaknesses, but also day-to-day operational weaknesses and things.
Things like whether devices or software are misconfigured can be discovered; who's accessing data or files in general; what are my top 10 users and files; who's changing configurations; who's accessing sensitive data and systems; or maybe even whether administrators are sharing passwords or misusing their elevated permissions. So things like privileged user data access. Those kinds of things are very easy to discover with log management, and also detection. Things like detecting a breach can be very important. So log management can help you with finding out if a new user was unexpectedly created, which maybe creates some security issues; who has elevated permissions; volumes of attacks increasing, or the volume of specific actions; vulnerable systems targeted with an exploit; things like configurations, people changing configurations. It could be malicious behavior, it could be mistakes.
We still want to log this, or maybe even higher privileges were assigned to users or entire groups by mistake or on purpose. And also investigating after the fact. So if you want to reconstruct how a breach actually occurred, log management can be a very good tool set to provide visibility across the infrastructure, because it's collecting from so many different sources, and it then helps you to analyze the root cause of security incidents. So things like: what systems were compromised, the attack vectors, how were they compromised? What security systems failed, what didn't we have in place? What should we invest in in the future? How did we actually detect the attack? Was our IT security infrastructure effective or not? Was it external, or did we have an insider who was threatened or maybe bribed to provide information?
And then finally, of course, and we see it a lot, log management for compliance. There is a whole set of regulatory pressure in many countries in Europe that drives companies to actually become log management customers of the security vendors. And they basically consume things like customizable pre-packaged reports, storing events for a long time, providing search capabilities, et cetera. So these are really the drivers that drive companies to do something around collecting, centralizing, storing logs for a longer time, and then being able to run reports on those.
So finally, what Novell offers in this area: the log management that we offer to a large set of customers nowadays allows us to manage the risk and cost of log management. So it's very important to do something like enterprise log management and security information and event management at a controlled cost, with very good visibility into the future costs and how you can then grow your infrastructure. So what we then offer is very good visibility into IT-related activities, proactive monitoring of security violations, applying rules and things like correlation. And we always try to do this leveraging existing hardware; we're not hardware vendors. We try to work with the customer almost in a partnership to help them leverage their existing hardware and storage infrastructures to build a very cost-effective log management infrastructure.
Also very important: one of the things that we try to do is to simplify compliance requirements. It should be very easy, and people should be able to quickly create formatted reports from search results. Everybody's used to searching using Google-type technologies; who doesn't go onto the web daily and use Google or Yahoo or another search engine to find their information? We try to do something similar. And once we have that information, we try to convert that into reusable reports that can then be distributed to a group of users who see value in these reports. And then, of course, yes, there are hundreds of reports available. What I always like to say is: we have all these templates, it's all very nice, but the tools that we have around offering the flexibility to create reports on the fly, as you see fit, that's really where the value is. And then: easy to use and scalable.
Yes, I already said training is still important, although tools can be very easy. But it should be easy: even if you have to train your people, you can increase productivity by actually using the log management tool, and not just letting it sit there and then using it once you have a security incident. This can be a proactive process that you can use every day, not only for security reasons; I already spoke about operational reasons. So it's very important that this can also be a productivity tool. We offer this in several flavors: we can start very small with 500 events per second, and then scale up to 2,500 and 7,500 events per second. The nice thing is that we can then combine multiple of those boxes. If they're running in production, why would we rip them out? We can just leave them there, upgrade them, place multiple ones in the environment and scale up very cost-effectively. And that brings us to the end of the second part of this webinar. I'll hand it back to Martin now for questions and answers.
Yes, thank you, and thank you for the mass of information you've provided. So I think that we should dive directly into the Q and A part. First of all, I'll start with, let's say, an organizational question, which is: will the slides be available? The slide decks will be available as well. So if you look at all the webinar recordings done before, there's usually the recording itself and the slide deck as a PDF file. So we will provide them for download together with the recording. That's one thing. And then, as I've said before, enter your questions using the questions tool in the GoToWebinar control panel so that we can pick them. The first question I'd like to pick is around who should be responsible for the project around enterprise log management, which person or team. I think that's a very interesting question. If I look at what you've talked about, you need someone who really understands what to log; you need reports for business users which are understood by them, and all that type of stuff. So, from an organizational perspective and from your experience, who are the ones who should be in charge of that type of project?
As we already indicated, in heterogeneous environments you are basically talking with many teams, but of course one team or one person should drive the initiative. What we've seen is that the most successful projects in log management and also in SIEM are basically coming out of the IT security department. So it's usually not the IT management side, but the IT security side. Again, with the phased approach, what they are good at is, first of all, understanding the perimeter security and also things like access rights and access controls. And that's usually the heart of the log management and SIEM deployment, whereas at a later stage it might be expanded to other areas. So in most situations it's usually the security management.
Okay. Another question: you've mentioned in your presentation that you also could use enterprise log management to analyze, for example, who has elevated privileges on specific systems. However, if you look at access governance, for example, solutions in that area, that's also an area where you can do this. So how would you say these things relate, and do they really overlap, or is it a very small overlap?
Yeah, that's a good question. I always use the analogy of driving a car. When you drive a car, you want to be able to use your eyes to look at the road, and your dashboard should not be blinking all the time. So the fact that you can actually drive the car, and that you have the ability to use all the controls in the car and all the basic controls, that is your ability. So these are the access rights that you have. If you look at access governance, we could say access governance will help us govern, control, manage and report on all the rights that people have, but it doesn't necessarily say what people use and consume. Now, if you take log management, that manages and provides insight into how people actually use the environment.
So if you take back the analogy of the car, that would be the dashboard that starts blinking if somebody uses the car in the wrong way: if you drive away with your parking brake on, there's this little light on the dashboard that will flash or light up, right? So we can see access governance as a status, a slice in time of who has access to what and what role they are a member of. Log management will tell you how they are actually consuming these accesses or these privileges and entitlements, and maybe even what the result of the consumption of these rights is. So it provides more of a result of access governance.
Okay. I have some other questions here. What kind of landscape is generally prescribed or recommended for a log monitoring system? Two-tier, three-tier, or how do you make it scale in a large organization and be able to handle it? So what type of tiered architectures are typical?
So typical tiered architectures are, and again this goes back to my story about the phased approach, where you start with one, maybe one or two instances of a log management engine. The tiered architectures that we usually talk about with our customers are distributed collector engines that do nothing else than just collecting logs. They will then centralize those logs into the log management tool, which provides search and report capabilities and compressed storage and those things. So that's already two tiers: you have your collection tier and then your storage and analytics tier. A typical next tier would be a security information and event management, like a correlation engine for real-time analytics. And then once companies grow, we can either scale horizontally by providing more of these collection engines and centralized log engines and having them forward their data into these correlation engines,
or we could even have multiple correlation engines if the data loads go up, which then forward their data into a third tier. So think of it as a pyramid: you can always add to the side of the pyramid and another slice. What's very important there is, I think it's very common to grow systems that way, but what's very important for our customers is that once you grow, every step that you take in this growth will actually provide value relative to the cost. That's what I call cost-effective scalability.
Okay. Another question: in one of your slides you mentioned "do not forget legal". Why? What role does the legal department of the organization have in GRC and log management?
Yeah, it depends on the country. Some countries have very stringent rules around centralizing personal data. So think of centralizing all events caused by several users in a Windows environment, or in a mixed Windows and Unix environment. These have usernames in them, and very often a username can be led back to persons. So in some countries, like for instance in Germany, it's very important that when you do this, you have the ability to mask those pieces of information from the IT administrators or from the security administrators who are administering the tools. If you don't do that, you might actually get into legal trouble, and you may have no leverage whatsoever to ever start any investigation against the users should they ever violate the policy. So that can be important there. Another example is if you have a multi-country deployment: some countries' laws will prohibit you from sending out any personal data or company-related data across borders. So there's another thing where you have to be very careful: how do I set up my architecture with my collection, and where does the data go once I collect it? So these are important things, and we always have these conversations with customers about how we go around this with technology.
Okay. One question we have here, I think the last one we currently have. So if there are any other questions, send them right now. The question, which you might also answer with a simple no, is: is there any information about the next generation of Novell Sentinel, which seems to be version seven, accessible to the public now?
Good question. I think at this stage I cannot give that; we're very close to finalizing this, so that will be very soon. So I think at this point it's no. I will definitely talk with our product managers to see when that date is, and that will be very soon.
Okay. And probably then also the people will find information on the Novell website around what's new in the new release.
And as I know, as someone who's done a lot of things in that area, there are sometimes public betas available. So it's always worth looking at the Novell website to see whether there are things like that, if someone wants to dive into these things very early.
That's a good pointer. I'm always very interested in having beta customers.
Okay. So those were the questions we had. Thank you to all the attendees. Thank you, Pascal, for participating in this KuppingerCole webinar, and I hope to have you back in another webinar or see you at the European Identity Conference soon. Thank you and have a nice day. Bye.
Thank you.