IT administrators struggle to see the overall picture when they're faced with heaps of operational logs and plenty of false alarms.
Basic log management tools provide enough functionality to reduce the amount of collected operations data into a common, manageable format, and then into a set of useful reports, alarms and warnings. The classic log parsers are now in an evolve-or-die situation, with a wealth of log management systems and features that include AI and methods to view and manage large volumes of data.
Bringing AI performance and intelligence gains into log management systems opens up a range of opportunities to data-rich IT operators. Log management isn't only for IT management and reporting: logs inform inventory management, performance analysis, and security and server reporting.
The addition of AI into security allows almost real-time detection of vulnerabilities and attacks. This can effectively turn log analysis into a near-real-time monitoring system. For example, logging systems paired with security information and event management (SIEM) tools make threat detection and analysis -- as well as prioritizing items that need urgent attention -- easier.
To understand why these tools work so well together, consider the many forces at play: humans handle voluminous data inefficiently, threat landscapes evolve rapidly, disconnected information might not clearly show the incoming threat until it's viewed together, different information is important to different people, and losing data is undesirable.
Traditional log management systems don't deal with these sophisticated threats well. Potential attackers are aware of how log management servers modify the baseline over time. Increasing activity slowly gives potential attackers the opportunity to mask their visibility. Determined attackers will usually find a way, but the right log monitoring tools can decelerate or even discourage them enough to cause a change of target.
However, the combination of SIEM tools and deep learning capabilities makes these tools better able to detect these threats. Standard baseline tracking would likely miss a skilled and determined attacker deploying baseline hiding techniques. The new intelligence built into tools from companies such as LogRhythm and Splunk Enterprise examines what is happening from one or more logs, what value is placed upon the event that creates the entry and what these values mean in the context of security.
AI is also more effective at minimizing trivial entries in log management systems. AI can detect suspicious patterns and deviations from norms, such as malware signatures, unscheduled network scanning, and unusual login patterns and times.
Individual entries aren't always reported, but the log management system's AI allows it to correlate apparently unrelated items and provide more confidence in the generated alarms. An operations professional could easily overlook all of these seemingly insignificant events.
Once the tool collects operational data, it allows the user to drill down into information to see why the alarm is important.
AI has changed the way that information is consumed. The sheer volume of data generated in large-scale IT environments is difficult to consume for humans. Threat categorization and prioritization can become impossible. How can an operator differentiate between the importance of several different, yet critical alarms?
One of the tenets of threat management is a prompt reaction to mitigate the threats. AI can step in and conduct preprocessing for the security operations center and provide a categorized threat assessment. This enables the operator to delve into the threats.
AI can even make better decisions than humans when provided with enough information. AI is not subject to the same bias as humans. AI makes better decisions faster when given more information at a larger scale. Humans can then determine the final triage of an issue and take the appropriate action.
At the most fundamental level, AI shortens reaction times. This can mean the difference between a data breach and pre-emptive detection. Additionally, it presents a trove of information to security personnel regarding the source of the looming breach.
AI-enhanced log management tools can form part of the arsenal of security detection and response tools in enterprise IT departments.
A range of tools previously unavailable or too slow to generate reports can now offer real-time log monitoring and reporting built using AI. The possibilities are limited only by the user's imagination. As AI integration improves, the range of features and functionality available will, as well.
Get a grip on machine learning
The current state of machine learning in IoT tools
Transforming security with machine learning at Keen