LogLogic MX2010

The shocking number of security breaches involving personal data shows that all too many businesses are still failing to provide adequate measures to stop this information falling into the wrong hands. Fortunately, there are a wide range of standards that aim to prevent this happening by providing best practise guidelines. Developed by all the major credit card companies, the PCI DSS (Payment Card Industry Data Security Standard) is a prime example, which insists that those companies processing, storing or transmitting payment card data must be compliant or they could lose their privileges.

Part of the PCI DSS guidelines are periodic audits carried out by qualified security assessors (QSAs) and this is where LogLogic comes in as its family of appliances aim to provide log data gathering and reporting tools that enable regulatory compliance to be proven.

On review is the latest MX2010 appliance which is aimed at mid-sized businesses and combines the functions of LogLogic's LX and ST appliances into a single solution. It doesn't skimp on features as you get the same choice selection as offered by the larger products and the only payback is a reduced storage capacity for log messages and performance with the MX2010 capable of handling 1,000 messages per second.

The MX2010 can be easily customised to suit requirements as LogLogic offers a range of compliance suites. Along with PCI DSS you have options for SOX (Sarbanes-Oxley), HIPAA (Health Insurance Portability and Accountability Act), ITIL (IT Infrastructure Library) and FISMA (Federal Information Security Management Act). Additional suites cost a shade over 5,000 so can add significantly to the price but LogLogic advised us that most customers only choose one.

The MX2010 accepts log data from a huge range of sources and supports SNMP, HTPP and HTTPS streams, syslog, syslog-ng, Windows drive mapping, JDBC connectors for database logs, FTP, SFTP and SCP. In environments with a wide range of security appliances, servers, firewalls and so on you'd expect deployment to be a lengthy process but you'd be wrong. All you need do is tell each source device where to send its log data and the MX2010 will automatically identify it from its traffic. LogLogic does away with the need for agents as any device that can write log data to any of the supported methods can be used.

The appliance's web interface is very intuitive and the home page provides a rundown on the status of the hardware along with message throughput plus the number of messages and their category. It's easy enough to see the data being provided by a specific device as the appliance automatically categorises it as it is received. You can also approve devices before their log data is accepted by switching off the automatic identification function.

From the real time viewer you can see all log messages being received by the appliance and drill down to specific source devices and types such as firewalls and servers. Filters using phrases and expressions enable you to refine this further and the real time reports can show plenty of activity information on users, connections, databases and access controls plus mail and web servers.

For even more detail you can use LogLogic's advanced reporting facilities. We created a number of custom reports looking at areas such as external users attempting to access personal data. We could select the type of access method such as FTP or SSH, see the physical devices that handled this traffic and list associated IP addresses. If you're enforcing AUPs (Acceptable Use Policy) in the workplace then the web activity reports will come in handy as these can show what sites specific users were accessing.