API Security adds Continuous Discovery and Risk Scoring PLUS a Free Version | LEARN MORE>

The Graylog blog

C-Suite Reporting with Log Management

When security analysts choose technology, they approach the process like a mechanic looking to purchase a car. They want to look under the hood and see how the product works. They need to evaluate the product as a technologist. On the other hand, the c-suite has different evaluation criteria. Senior leadership approaches the process like a consumer buying a car. They want to know the problems the technology solves, basing decisions on capabilities like return on investment or key performance indicator (KPI) improvements. All of this makes sense. After all, the two groups have different objectives. When senior leadership teams evaluate a centralized log management solution, they need to know how it solves their security, audit, and reporting challenges.

Enhanced security with high-fidelity alerts

Security is a business-critical objective. Companies need to ensure that they mitigate all risks to maintain their financial and reputational status. Security teams need high-fidelity alerts that give them better detections to more rapidly respond to new threats.

For the c-suite, high-fidelity alerts are like having a reliable car. No one wants to have a car that constantly breaks down or has random “check engine soon” notifications. In security, high-fidelity alerts give senior leadership a similar barometer.

Alert Fatigue Leads to Security Issues

Most security teams are overwhelmed by the number of alerts they need to investigate on a given day. For example, research shows that:

  • 70% of security operations center (SOC) teams surveyed investigate 10+ alerts every day
  • 78% of SOC teams surveyed take 10+ minutes to investigate each alert
  • 38% of SOC teams surveyed turn off high-volume alerting features or hire more analysts

In other words, SOC teams are overwhelmed, and to reduce the overload, they tend to turn off features that provide low-quality alerts.

Unfortunately, this places a company’s data at risk.

High-Fidelity Alerts Mitigate Security Risks

A quick look under the hood of a centralized log management solution built for security teams gives insight into how high-fidelity alerting works and can mitigate risk.

High-fidelity alerts give security teams the reliability they need. They don’t need to spend time responding to excessive “check engine” alerts. They can focus on the real work of security. High-fidelity alerts reduce key cybersecurity metrics like Mean Time to Detect (MTTD) by aggregating and correlating events across the organization’s systems, networks, and users. Bringing various data types gives them better visibility and detection, ultimately reducing security risks.

Faster investigations with parameterized searches

With cars, people want to know how rapidly they can accelerate. Many people look for a car that can go from 0-60mph in the shortest time possible. From the security perspective, parameterized searches do the same thing.

Slow Investigations Increase Data Breach Costs

Advanced persistent threats (APTs) may now be the norm. Even ransomware attacks go beyond encryption to include exfiltration. Researchers found that by the end of 2020, fifteen different ransomware families employed double-extortion approaches.

The more time a threat actor spends in the organization’s systems and networks, the more data they can steal. The longer it takes to investigate a data breach, the longer it takes to eradicate the threat actors. The longer it takes to eliminate the threat actor, the more money the data breach costs.

According to the 2021 Cost of a Data Breach report, a data breach lifecycle of fewer than 200 days costs an average of $1.26 million less than a data breach lifecycle lasting longer than 200 days.

Getting to 1-10-60 and Complying with Mandates Using Parameterized Searches

One way to measure a security team’s effectiveness is the 1-10-60 Rule:

  • 1 minute to detect
  • 10 minutes to investigate
  • 60 minutes to remediate

While this may seem like the Impossible Dream in a digitally transformed world, it remains an ideal goal. Centralized log management with data parsing done on the front end, parameterized searches, and an easy-to-use interface can help the security team get closer to achieving these results.

From the senior leadership perspective, this reduces data breach costs by reducing dwell time and helps meet security compliance best practices.

Most compliance mandates focus on taking a proactive approach to security. Parameterized searches also allow the organization to engage in threat hunting, looking for threats that might exist even if nothing has been detected yet. With parameterized searches, security teams can take the “assumed breach” approach, assuming that systems and networks are compromised already, to look for threats. Since centralized log management acts as the documentation necessary to prove compliance, organizations can secure data, establish proactive practices, and provide assurance with a single purpose-built solution.

Better governance with visualizations and scheduled reporting

Documenting processes and practices is only one part of the compliance puzzle. Senior leadership and Boards of Directors also need to prove governance over their security programs. In many ways, this is like having the rear-view camera in a car. The visibility is greater than with just side- and rear-view mirrors. Having a “backup camera” in a car provides additional risk visibility when someone is backing out of a driveway or parking spot.

Technical Reports Do Not Meet C-Suite Needs

Problematically, most security reports are technical. Senior leadership and Boards of Directors may not need to know the security technical details, but they do need to understand how those translate to risk.

Additionally, reading through these is time-consuming – both for the security team that writes them and the leadership team that reads them. Security teams need to provide regular updates showing that they adequately mitigate risk, which means providing regular reporting. Senior leadership needs to review these reports regularly.

When the security team needs to write reports using manual processes, it often takes time away from doing security work, like detecting, investigating, and responding to threats. Similarly, when the leadership team needs to read these reports, they often scan them and then “rubber stamp” them. While meeting the “letter” of the compliance mandate, this may not meet the “spirit” of the mandate.

Visualizations and Scheduled Reporting for Governance and Compliance

Visualizations, like charts and graphs, enable meaningful governance. For example, senior leadership may not need to know what the malicious IP addresses are, but they do need to know that the security team was able to block them appropriately.

Visualizations give the at-a-glance visibility necessary for senior leadership to govern risk and meet compliance mandates.

At the same time, centralized log management is purpose-built to enable security teams to build in scheduled reporting capabilities. Instead of manually setting reminders, the team can automate report generation and delivery. This reduces the time they spend on compliance, provides the c-suite the documentation necessary to fulfill their duties, and enhances security all at the same time.

Reduced Total Cost of Ownership with Centralized Log Management Done Right

A centralized log management solution purpose-built to enable c-suite and security teams equally ultimately reduces the total cost of ownership (TCO) associated with security. For example, a centralized log management solution built with all end-users in mind can reduce TCO for security.

Many tools are rigid and inflexible, requiring security teams to have specialized skills. This increases the financial and human resources costs. With purpose-built centralized log management, organizations get the security solution they need without requiring them to increase the number of security team members or provide additional specialized training.

Further, security teams can more efficiently and effectively investigate incidents with features like drop-down menus. This again reduces TCO by increasing productivity and gaining additional visibility into the organization’s environment. Ultimately, these benefits enhance the company’s overarching bottom line.

Finally, companies using a purpose-built centralized log management solution gain efficiencies. Teams no longer need to export data to spreadsheets to create visualizations. They can use them directly in the solution. Further, they can share the data more effectively so the senior leadership team can enhance its decision-making capabilities.

By utilizing a purpose-built centralized log management solution, security teams can better secure an organization’s data. Equally, if not more importantly, senior leadership teams get the capabilities they need at a reduced cost when compared to other security tools.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.