Security Log Management

If your unit (including Michigan Medicine, UM-Dearborn, and UM-Flint) manages systems, devices, or applications that are classified as mission critical or that create, process, maintain, transmit, or store sensitive data classified as Restricted, High, or Moderate, please work with Information Assurance (IA) to set up and manage security logs in accordance with Security Log Collection, Analysis, and Retention (DS-19).

The ultimate objective of security logging is to provide an institution-wide view of system events to more effectively detect threats, anomalies, and other compromises to campus systems and data and to provide for earlier alerts of such threats. Information captured by logs can be critical in supporting incident response or a forensic analysis in the event of a suspected data breach, IT security incident, or other legally mandated investigations. In addition, U-M is required to maintain security logs as part of its compliance with certain federal and state laws and regulations.

Information Assurance (IA) uses Splunk—the Information and Technology Services (ITS) log collection and aggregation engine—to identify and monitor potential IT security threats. IA has begun working with a small number of UM-Ann Arbor units to help them set up appropriate security logging that is sent to its secure and centralized Splunk security log repository for IA analysis and retention. There is no charge to units for participation in the Splunk security logging service.

Support for Your Unit

Every unit is different, so IA will walk unit staff through the process of identifying needed security logs and getting them into the IA security log repository. IA staff will hold discovery meetings with each U-M unit to begin the process and provide documentation and support to help bring all units into compliance with the standard by the end of 2020.

Setting Up Your Unit Security Logs

  1. Each unit's Security Unit Liaison (SUL) is asked to provide contact information for one or more people who are familiar with unit systems and will work with IA to coordinate the unit's security logging. Please send this information to ITSSplunk@umich.edu by the end of December 2018.
  2. IA will hold discovery meetings with each unit by summer 2019. Participants in these meetings will review the security log standard, begin to work through a spreadsheet for identifying relevant logs, and plan next steps.

Questions?

  • First, check with your SUL. For questions about security logging in your unit, start with your SUL, since SULs are being asked to coordinate the process in their units and designate someone to work with IA.
  • Contact the IA security logging project team. To provide your unit's contact person or ask questions, send email to the team at ITSSplunk@umich.edu.