LogLogic Delivers Fine-Grained User Activity Monitoring
October 23, 2007 Alex Woodie
LogLogic delivered a new release of its user activity monitoring appliance this month that delves much deeper into the actions of individual users than previous releases. With the capability to track and correlate all user actions across all major platforms, right down to which files they accessed, LogLogic version 4.2 helps organizations not only by collecting detailed forensic evidence in criminal cases, but by serving as a virtual surveillance camera that (hopefully) deters users from stealing information in the first place.
LogLogic is a San Jose, California, company that sells log collection and reporting software pre-loaded onto inexpensive, rack-mountable X86-based appliances. More than 400 organizations have purchased LogLogic appliances, company officials say, and the company has recently enjoyed a good deal of success among retailers needing to protect (and document their protection of) credit card data as part of the Payment Card Industry (PCI) compliance initiative.
Practically any server, database, application, or network device that generates a log message is supported by LogLogic. This includes Windows, Unix, and Linux servers, which support the industry standard “syslog” format, as well as IBM System i and System z servers, which use a proprietary log format that LogLogic must first translate into the syslog format (this has been available for about two years). LogLogic has two lines of appliances, including the ST line, which provides near real-time analysis for operational security initiatives, and the LX line, which is used for long-term storage of log data and for performing historical and forensic analysis.
With LogLogic version 4.2, both the LX and ST appliance lines have received the capability to track user activities at a much more detailed level than previously offered, says Anton Chuvakin, who holds the title of chief logging evangelist at LogLogic.
“The main things that we built for this release is we now have native ways to collect information from more esoteric sources,” Chuvakin says. “For example, most Unix systems have the capability to record every single operation run by the user, in addition to the standard system log. So we always collect the syslog, and now we can collect all this other type of information.”
Obviously, tracking every move by every user can eat up storage in a hurry, to the tune of 1 GB per day, according to Chuvakin. So LogLogic had to come up with better analysis tools. “On the analysis side, we have new reports and new ways to present this information, so administrators can track a single user across multiple data sources, such as John Smith did something on the Solaris machine, then he did something on a Linux machine, and then he went to a database and extracted information. So there’s a way to have a single inquiry executed that will show you the information from all those domains.”
The big deal is not that LogLogic can track users as they move from machine to machine. “We had that capability before,” Chuvakin says. “But now we can track them all the way down to which file they read.”
The new capability will prove useful in three ways, Chuvakin says: for security and forensics, for complying with rules such as PCI, and for general operational needs.
On the security side, LogLogic 4.2 can play a powerful role in helping administrators to track down potential security breaches. The product won’t automatically alert administrators when anybody has done something wrong; no product is that powerful. But armed with the first piece of information, such as the observation that an IP address is exhibiting odd behavior, administrators can use LogLogic to connect certain activities to users, and then look closer into those users’ specific actions. “You need that first piece of evidence,” Chuvakin says.
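As an added illustration (not LogLogic's code), here is the investigation workflow just described and the cross-source user timeline from the earlier quote, written in Python over constructed sample lines from a Solaris host, a Linux host and a database audit log; the hostnames, user IDs, addresses and the simple line formats are all assumptions.

```python
import re

# Constructed sample lines (assumed formats, not LogLogic's): SSH logins and file
# opens on a Solaris and a Linux host, plus two database audit records.
SAMPLE_LOGS = [
    "2007-10-20T09:01:12 solaris01 sshd[4112]: Accepted password for jsmith from 10.1.2.3 port 51022 ssh2",
    "2007-10-20T09:05:40 solaris01 audit: user=jsmith event=open path=/export/home/jsmith/notes.txt",
    "2007-10-20T09:30:05 linux02 sshd[2231]: Accepted publickey for jsmith from 10.1.2.3 port 51100 ssh2",
    "2007-10-20T09:31:10 linux02 audit: user=jsmith event=open path=/srv/finance/cards.csv",
    "2007-10-20T09:45:00 db01 dbaudit: user=jsmith src=10.1.2.3 stmt=SELECT pan FROM cards",
    "2007-10-20T09:46:00 db01 dbaudit: user=mjones src=10.1.2.9 stmt=SELECT count(*) FROM orders",
]

LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
FILE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) audit: user=(?P<user>\S+) event=(?P<event>\S+) path=(?P<path>\S+)")
DB_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) dbaudit: user=(?P<user>\S+) src=(?P<ip>\S+) stmt=(?P<stmt>.*)$")


def parse(line):
    """Normalise one raw line from any source into a common event record (None if unrecognised)."""
    if m := LOGIN_RE.match(line):
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "ip": m["ip"], "action": "login", "detail": ""}
    if m := FILE_RE.match(line):
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "ip": None, "action": m["event"], "detail": m["path"]}
    if m := DB_RE.match(line):
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "ip": m["ip"], "action": "sql", "detail": m["stmt"]}
    return None


def users_for_ip(events, ip):
    """First pivot: which user IDs acted from the address that looked odd."""
    return sorted({e["user"] for e in events if e["ip"] == ip})


def timeline(events, user):
    """Second pivot: that user's actions across every host, in time order."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])


def files_touched(events, user):
    """Narrowest view: the files the user actually opened, on whichever host."""
    return [e["detail"] for e in timeline(events, user) if e["action"] == "open"]


EVENTS = [e for e in map(parse, SAMPLE_LOGS) if e is not None]

if __name__ == "__main__":
    for user in users_for_ip(EVENTS, "10.1.2.3"):
        for e in timeline(EVENTS, user):
            print(f"{e['ts']} {e['host']:<9} {user} {e['action']} {e['detail']}")
```

The single-user query over all sources is what the article calls a "single inquiry"; in a real deployment the three regexes would be replaced by per-source parsers, but the normalised record and the two pivots stay the same.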
As a compliance tool, LogLogic’s capability to track activity back to individuals, or at least to their user IDs, makes it a powerful aid for PCI compliance. Chuvakin is a big supporter of PCI because it sets very specific requirements that organizations tie events back to people’s identities. “If somebody’s stealing credit card numbers, it’s a person, it’s not a computer,” he says.
The user tracking capabilities in LogLogic 4.2 will also help boost IT shops’ general operational fitness, according to Chuvakin. Because most downtime is caused by human error (administrators making configuration mistakes or users abusing applications) rather than by hackers, evil internal users, or the weather, tracking down exactly which actions led to computer crashes or other problems can help IT shops deal with the aftermath of the event, and possibly prevent it from happening again, he says.
Protecting intellectual property and data about customers and employees is the fiduciary responsibility of executives, says Dominique Levin, interim CEO at LogLogic. “Delivering the means to monitor this activity goes a long way to protect information, both as a deterrent to users who know they are being watched, to safeguarding against the unknown predator of information theft,” she says. “With log data serving as the digital equivalent of a surveillance camera, log management and intelligence with fine grain monitoring capabilities serves as both deterrent and immutable legal evidence that can be used to prosecute violations as powerful evidence to safeguard corporate reputation.”
LogLogic version 4.2 is available now. Pricing starts in the $10,000 to $20,000 range for smaller appliances, and ranges up to more than $70,000 for the largest boxes. For more information, visit www.loglogic.com.