Few network, security or compliance managers would dispute that log management formats and standards are in a "state...
of chaos," as Anton Chuvakin, director of strategic alliances at Qualys Inc., asserts. "You're looking at perhaps the least standardized area of IT."
There's room for improvement, and a significant need. According to a February report from Burton Group Inc., large enterprises "typically generate 2 billion [logged] events every month, and, by some estimates, 25% enterprise data is log data."
The Open Group Security Forum hopes to change that with a new update to its log standard, distributed audit service (XDAS). The Security Forum has also announced work on a new compliance standard, automated compliance expert markup language (ACEML). Finally, The Open Group last week released a guide for risk assessment methodologies.
All are the result of a risk initiative that The Open Group has been working on for months. The group is a vendor-neutral body that defines standards and guidelines that address emerging security risks and compliance issues related to them.
Organizations struggling with risk management will find the new Requirements for Risk Assessment Methodologies useful in meeting their regulatory compliance challenges, said Jim Hietala, vice president of security at The Open Group.
The goal of ACEML and the risk taxonomy is more cost-effective compliance automation tools, he said. "We think there's a clear need for more automation applied to the problem of enforcing compliance and documenting or reporting on compliance," Hietala said. "ACEML will allow compliance automation software to work with a given standard."
Chuvakin, an advisor to the Open Group, said, "the idea that you could convert a compliance-relevant document into XML that's universally usable is sensible. ACEML solves some of the tasks currently covered by commercial vendor tools."
First, however, the ACEML standard would have to be adopted by these same vendors and an application developed to parse the XML itself. "Imagine if you invented TCP/IP but there was no Internet?" he said. If this standard is adopted by vendors in the industry, Chuvakin said he sees it solving a major headache for whoever is entrusted with compliance: checking multiple platforms.
"Compare the situation today: If you have to check for an eight-character password length, you have to go to multiple systems," he said. "If ACEML is adopted, you could create an XML document, feed it into a tool and then check across the enterprise. For a CISO working with Unix, Linux and Windows, ACEML would provide a uniform way of quickly ensuring compliance. There's a big efficiency improvement, if implemented."
The update to XDAS would make audit records more "descriptive, useful and easier to consume and understand," Hietala said. Like ACEML, however, the XDAS standard will need to be adopted to have any significant impact on the industry or the daily cycles of compliance officers. The Mitre Corp. has also released a log standard, the Common Event Expression (CEE), though the standard is not complete.
According to Chuvakin, "there is a flow of information between the creators of XDAS and CEE" that holds the potential to keep the standards interoperable in the future. XDAS has a strong vendor supporter in Novell Inc., which is trying to write the specification. ArcSoft Inc.has also created a standard, the common event format (CEF), which it has held up as a means to derive interoperability of event- or log-generating devices and applications.
Dan Blum, a senior vice president and principal analyst at Midvale, Utah-based Burton Group, noted that "there is a good community effort at the CEF Group, which will act as an umbrella group to fill in the complete standard. Each type of IT facility, like an operating system or firewall, need information about what it should log as well as a syntax."
You're looking at perhaps the least standardized area of IT.
Anton Chuvakin, director of strategic alliances, Qualys Inc.
Hietala said, "Log management vendors say a significant part of their development cycles is spent parsing different standards." He believes that standardization of log formats throughout the industry will produce substantial efficiencies and cost savings for vendors, compliance officers and chief information security officers (CISOs) who need to rapidly demonstrate compliance, he said.
As security analyst Andrew Hay noted, however, "the biggest issue with log standards is that if no one uses one, it's not that great, just like university research projects. With XDAS, people will have to implement it. I'm 100% for it -- if people are using it -- but you have to ask, which vendors have signed up? Is there a benefit, for instance, to Cisco to create logs that allow Juniper to correlate them on their products?"
If you're a CISO looking to buy log management software, compatibility requirements won't be an issue -- just yet. "Some of the pieces are developed, but there's plenty of work left to be done," Blum said. If you're in charge of purchasing in 2010, however, you may want to start evaluating tools that are compatible with CEE and XDAS, he said.
As Chuvakin noted, however, "just because there are two standard efforts today, it's a huge improvement. If people can offer feedback to the standards bodies, they'll definitely get better and have a chance at interoperability."
Let us know what you think about the story; email firstname.lastname@example.org.