“You can’t secure what you can’t see,” goes the saying in cybersecurity. That’s why holistic visibility is so crucial for organizations tasked with staying safe in an evolving threat landscape: it means seeing every part of your environment, not just the parts that are convenient to monitor. But a second adage matters just as much, because without access to log sources and the proper ingestion of their data, you can’t see the forest for the trees.
But what are log sources? What does proper ingestion look like? And why are these such vital pieces of the holistic visibility puzzle?
What Is a Log Source?
Every day your tech stack creates a wealth of information, both writing it and collecting it. To ignore that information is to waste it. In today’s technologically advanced, interconnected business world, anything that can be seen as a device on a network can generate an event log, data log, or security log. These logs both document how the device is running and record any unusual activity, two factors that make them a rich source of threat detection.
Think of log sources as evidence of a crime. Picture them as stacks of manila folders packed with information that might be crucial — or might be a lot of red herrings. Now keep that image in mind as we discuss ingestion.
What Is Ingestion?
Ingestion is the comprehensive collection of every source of telemetry, including log sources. Every security tool records data, generates alerts, and creates logs. Ingestion is moving all that information — all that evidence — to a central location for analysis.
Think of ingestion as the bulletin board in the police station, covered with evidence and red string connecting the dots. The Arctic Wolf® Platform, for example, ingests log sources and all additional available telemetry data to create cross-telemetry detections based on anticipated behavior.
Ingesting log sources from endpoints, network devices, and infrastructure, as well as from cloud resources, ensures that your organization can see threats from all angles.
Why Log Sources and Ingestion Matter
Think of a security tool like a security camera, one pointed at the computer and recording everything that happens on it. That’s telemetry: unfiltered raw data. Now imagine that a crime has been committed, and a security guard needs to watch every single second of that recorded footage to find out what really happened and write up a report. The report? That’s a log source.
A security camera that’s always on and always recording will capture a lot of unnecessary information. There may be 23 hours and 45 minutes of absolutely nothing and then 15 minutes of essential information. An event log, for example, looks at all 24 hours of footage, then distills those 15 eventful minutes into actionable information that your IT team can use.
However, a log source on its own is just as incomplete. Imagine the flip side of our analogy: you’re handed a report about an event, but it’s merely a distillation of what happened and what seemed important to whoever wrote it. It lacks the deep, contextual insight you can only get by poring over the footage yourself. That’s why log sources are a crucial part of holistic visibility, but far from the only crucial part.
Organizations’ efforts to gain visibility and insight into their environments fall flat when they focus on telemetry but neglect log sources, or vice versa.
Consider two popular security solutions: SIEM (security information and event management) and EDR (endpoint detection and response). A SIEM will trigger an alert on the ingested event logs, but it lacks rich contextualization. An EDR will trigger on an event, but there is a lot of raw data to fight through to understand it. Neither gives you the complete context. Neither lets you see the whole picture.
Gain Holistic Visibility with Arctic Wolf
Holistic Visibility is the only path forward for organizations looking to end cyber risk.
The Arctic Wolf® Security Operations Cloud ingests 2 trillion alerts every week from customers all over the world. In addition, the platform creates cross-telemetry detections, and engages the human element of the Concierge Security® Team and escalates, on average, just a single alert per customer per day. That is the power of holistic visibility.
Learn more about telemetry with “Holistic Visibility: An Introduction to Telemetry.”
Take a deep dive into holistic visibility with our webinar, “Leveraging Holistic Visibility in an Unpredictable Threat Landscape.”