
Falcon LogScale

(formerly known as Humio)

BEST PRACTICES
Based on Vijilan’s proven approach to log analytics and security operations

Overview

Log management, analytics and SecOps

Effective log management is a critical element of Security Operations (SecOps) and a prerequisite for successful incident response, yet it is often hard to achieve: SecOps teams must handle logs from many devices, users, applications, and other sources, arriving in different formats and at different rates.

Falcon LogScale addresses this with real-time, large-scale log analytics, but getting value from it requires a focused and methodical implementation. Vijilan, a long-time Falcon LogScale partner, has distilled a set of proven best practices from its client engagements over the years and complements them with its own proprietary technology. This paper explores Vijilan's best practices for implementing Falcon LogScale and explains why they matter for SecOps teams seeking to improve their log analytics and incident response capabilities.


Log management challenges in SecOps

Log management presents several challenges to SecOps teams. It requires ingesting large volumes of log data quickly from a wide variety of sources. This is easier said than done, and some solutions require SecOps teams to stand up and operate server clusters just to keep pace with the growing number of log sources.

As the volume of log data grows, and it tends to grow quickly, it may also become necessary to deploy indexing farms, and storage requirements balloon along with it. Query performance can lag, which undermines the security analysis that is the point of the whole endeavor. SecOps may end up assigning engineers solely to managing and updating the infrastructure that supports log management rather than to analysis.


Abstract

Falcon LogScale (formerly Humio) provides a solution for effective log management: real-time, large-scale log analytics, which both Security Operations (SecOps) and DevOps need. Vijilan, a long-time Falcon LogScale partner, offers an implementation process based on best practices and on its own proprietary technology developed to optimize Falcon LogScale. This paper explores these best practices and their significance for SecOps and DevOps teams seeking to improve log collection, storage, and analytics. The paper focuses on SecOps; the methodology for logging and storing logs in Falcon LogScale for DevOps follows a similar approach.


Falcon LogScale: Solving log management challenges

Falcon LogScale is a modern log management platform designed to handle the scale and complexity of today's log management workloads. Two key differentiators enable real-time analytics at scale: a streaming, index-free architecture and high-compression storage. Because incoming data is not indexed up front, it is searchable as soon as it is ingested, and because it is stored compressed, far more of it fits on a given amount of disk; together these let Falcon LogScale users query raw log data and receive responses in seconds.

Best practices for Falcon LogScale implementation

Vijilan has assessed and validated Falcon LogScale as a log management solution for applications and security across over four hundred organizations in finance, healthcare, government, manufacturing, legal, and education sectors. From these experiences, a growing set of best practices has emerged. When Falcon LogScale is deployed in accordance with these best practices, clients experience optimal utilization of Falcon LogScale, resulting in improved SecOps outcomes, efficient utilization of IT assets, and enhanced team productivity.
Vijilan utilizes Falcon LogScale for long-term storage, analysis, and reporting of log data. By leveraging Falcon LogScale as a Security Information and Event Management (SIEM) solution with advanced analytical capabilities, Vijilan is able to offer a comprehensive, end-to-end SIEM solution. This partnership enables Vijilan to provide seamless integration of log collection, parsing, normalization, real-time detection, analysis, and reporting functionalities.
Falcon LogScale can execute ultra-fast searches and queries against raw log data within seconds, presenting the information visually to users. The query window generates results swiftly, ranging from a simple text-based search to a complex structured query involving multiple variables and billions of records.

Core processes

Some of the practices below are not directly tied to log management and analysis, but considering the broader Security Operations (SecOps) context is essential to an effective Falcon LogScale implementation. Implementers should have a clear understanding of how log management supports the mandates and obligations of the SecOps team. For instance, if real-time ransomware detection is a priority, the decision about which logs to integrate into Falcon LogScale (endpoint and file server logs, for example) should follow from that priority. Aligning with the SecOps team's strategy and goals gives the implementation project a solid foundation.

Best practices for Falcon LogScale integration start with a series of core processes:

Determine log integration requirements: current and future

Determine alerts and align with SecOps staffing and workflows

Operationalize log collection

Document Falcon LogScale log analytics solution for specific SecOps parameters

Core Processes

Determine log integration requirements: current and future

The Vijilan approach to Falcon LogScale implementation starts with an architecture definition that captures the project requirements. Within it, the implementation team must determine the log integration requirements: which logs will be integrated, which connectors and other technologies are needed to collect them, and how each log type will be parsed and normalized (its fields, its timestamps, and the common schema it maps to).

This thoughtful process and requirement development should apply to both current and future log integrations. While it may be challenging to predict future requirements with certainty, it is a best practice to consider likely scenarios for future integration. This foresight will prove beneficial as the Falcon LogScale instance inevitably evolves over time.

Core Processes

Operationalize log collection

Operationalizing log collection means deploying threat sensors and cloud connectors. Functionally, this step creates a data lake that receives a vast and diverse stream of log data; executing it well requires ingesting and normalizing all the different log streams and then transmitting them into Falcon LogScale. Vijilan offers a pre-built solution for both on-premises and cloud log collection. As a best practice, collect historical log data in addition to real-time and recent flows: analyzing older logs forensically can uncover past attacks that went undetected, and historical data in Falcon LogScale also supports future detection work, for example by establishing baselines of normal activity.
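As an added illustration of the parsing and normalization step described above (this is example code written for this page, not Vijilan's collector or CrowdStrike's code), the Python below takes two constructed log records, a syslog-style firewall line and a JSON cloud audit event, maps both onto one common field set, and shapes the result as a structured ingest payload. The common schema's field names, the tag set, the sample records and the placeholder URL and token are assumptions; the payload layout follows the LogScale `humio-structured` ingest API as documented, which you should confirm against your own cluster's documentation before sending anything.

```python
"""Normalize heterogeneous log records into one schema and shape them for
Falcon LogScale's structured ingest API. Added example with constructed input;
schema field names and tags are assumptions, not a Vijilan or LogScale standard."""
import json
import re
from datetime import datetime, timezone

# Constructed sample records (not real traffic): one syslog-style firewall line
# and one JSON cloud audit event reporting a failed console login.
SAMPLE_SYSLOG = ("<134>Mar 12 14:05:22 fw01 kernel: DROP IN=eth0 SRC=203.0.113.7 "
                 "DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=3389")
SAMPLE_CLOUD_JSON = json.dumps({
    "eventTime": "2024-03-12T14:05:30Z",
    "eventName": "ConsoleLogin",
    "sourceIPAddress": "203.0.113.7",
    "userIdentity": {"userName": "alice"},
    "responseElements": {"ConsoleLogin": "Failure"},
})

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<app>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_syslog(line, year=2024):
    """BSD syslog carries no year; the caller supplies it (assumed 2024 here)."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a recognised syslog line")
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    kv = dict(KV_RE.findall(m["msg"]))
    return {
        "@timestamp": ts.isoformat(),
        "source_type": "firewall",
        "host": m["host"],
        "src_ip": kv.get("SRC"),
        "dst_ip": kv.get("DST"),
        "dst_port": int(kv["DPT"]) if "DPT" in kv else None,
        "action": m["msg"].split()[0].lower(),   # "DROP" -> "drop"
        "raw": line,
    }


def parse_cloud_json(line):
    ev = json.loads(line)
    outcome = ev.get("responseElements", {}).get("ConsoleLogin", "")
    return {
        "@timestamp": ev["eventTime"],
        "source_type": "cloud_audit",
        "src_ip": ev.get("sourceIPAddress"),
        "user": ev.get("userIdentity", {}).get("userName"),
        "action": ev.get("eventName", "").lower(),
        "outcome": outcome.lower() or None,
        "raw": line,
    }


def normalize(line):
    """Dispatch on the record's shape. Unknown formats are rejected rather than
    silently dropped, so a new source shows up as a parsing gap, not as missing data."""
    if line.startswith("{"):
        return parse_cloud_json(line)
    if line.startswith("<"):
        return parse_syslog(line)
    raise ValueError("unknown log format: " + line[:40])


def build_ingest_payload(events, tags):
    """Shape normalized events as a humio-structured ingest body. Tags select the
    datasource, so keep them few and low-cardinality (an environment, not a host)."""
    return [{
        "tags": tags,
        "events": [{
            "timestamp": e["@timestamp"],
            "attributes": {k: v for k, v in e.items() if k != "@timestamp" and v is not None},
        } for e in events],
    }]


def ingest_request(payload, base_url, ingest_token):
    """Return (url, headers, body) for the POST; nothing is sent here. The path is
    the structured ingest endpoint as documented; verify it against your cluster."""
    return (
        f"{base_url.rstrip('/')}/api/v1/ingest/humio-structured",
        {"Authorization": f"Bearer {ingest_token}", "Content-Type": "application/json"},
        json.dumps(payload),
    )


if __name__ == "__main__":
    events = [normalize(SAMPLE_SYSLOG), normalize(SAMPLE_CLOUD_JSON)]
    url, headers, body = ingest_request(build_ingest_payload(events, {"env": "prod"}),
                                        "https://logscale.example.invalid", "<ingest-token>")
    print(url)
    print(body)
```

The point of the common schema is that a detection written against `src_ip` and `outcome` works regardless of whether the event came from the firewall or the cloud provider; that is what "normalization parameters" has to mean in the architecture definition. Keep the `raw` field so forensic work can always get back to the original record.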

Vijilan's toolset offers a range of security analytics capabilities integrated with Falcon LogScale functionality, including


Determine alerts and align with SecOps staffing and workflows

Vijilan works closely with clients to determine which alerts Falcon LogScale should generate. These alerts must align with the staffing and workflows of the SecOps team: every alert should have a named SecOps team member responsible for handling it, or it should feed an automated workflow such as ticket creation in an ITSM solution. Alert fatigue is a significant challenge in SecOps; an overwhelmed team will miss critical threats among the noise. The best practice is therefore to map staffing and workflows first and then design alerts (what triggers them, how they are thresholded, and who receives them) to fit those parameters.
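To make the alert-fatigue point concrete, here is an added Python example (written for this page, not Vijilan's or LogScale's code) of the two controls a practitioner normally pairs with a detection before handing it to an on-call rota: a sliding-window threshold so that a single failed login never pages anyone, and a per-source suppression period so that one attack produces one ticket rather than one per event. The events, the threshold and window values, and the `soc-tier1` owner label are constructed assumptions. In production the same behaviour would be expressed in the alert's query and its throttle settings; the code shows what that configuration has to achieve.

```python
"""Sliding-window threshold plus per-source suppression over normalized
authentication events. Added example with constructed data; the threshold,
window, suppression period and owner label are illustrative assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ev(ts, src, user, outcome="failure"):
    return {"@timestamp": ts, "src_ip": src, "user": user, "outcome": outcome}


# Constructed events: one source spraying failed logins, one unrelated success,
# and a late straggler after the detection window has expired.
SAMPLE_EVENTS = [
    _ev("2024-03-12T14:00:00Z", "203.0.113.7", "alice"),
    _ev("2024-03-12T14:00:10Z", "203.0.113.7", "bob"),
    _ev("2024-03-12T14:00:20Z", "203.0.113.7", "carol"),
    _ev("2024-03-12T14:00:30Z", "203.0.113.7", "dave"),
    _ev("2024-03-12T14:00:40Z", "203.0.113.7", "erin"),               # 5th failure: alert
    _ev("2024-03-12T14:00:50Z", "203.0.113.7", "frank"),              # suppressed
    _ev("2024-03-12T14:01:00Z", "203.0.113.7", "grace"),              # suppressed
    _ev("2024-03-12T14:02:00Z", "198.51.100.9", "alice", "success"),  # not a failure
    _ev("2024-03-12T14:20:00Z", "203.0.113.7", "heidi"),              # window expired, count 1
]

THRESHOLD = 5                     # failures from one source ...
WINDOW = timedelta(minutes=5)     # ... within this span raise an alert
SUPPRESS = timedelta(minutes=30)  # at most one alert per source per this period


def _parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_bruteforce(events, threshold=THRESHOLD, window=WINDOW, suppress=SUPPRESS):
    """Return one alert per (source, suppression period) once `threshold`
    failures fall inside `window`. Input may arrive unordered."""
    recent = defaultdict(deque)   # src_ip -> (timestamp, user) of failures inside the window
    last_alert = {}               # src_ip -> time of the last alert raised for it
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("outcome") != "failure":
            continue
        src, ts = ev["src_ip"], _parse_ts(ev["@timestamp"])
        q = recent[src]
        q.append((ts, ev.get("user")))
        while q and ts - q[0][0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) < threshold:
            continue
        if src in last_alert and ts - last_alert[src] < suppress:
            continue                            # this attack already has a ticket
        last_alert[src] = ts
        alerts.append({
            "rule": "auth.bruteforce",
            "src_ip": src,
            "first_seen": q[0][0].isoformat(),
            "last_seen": ts.isoformat(),
            "failures": len(q),
            "users": sorted({u for _, u in q if u}),
            "owner": "soc-tier1",               # assumed routing; map to a real rota
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_EVENTS):
        print(alert)
    print("alerts without suppression:", len(detect_bruteforce(SAMPLE_EVENTS, suppress=timedelta(0))))
```

On the sample data the suppressed run produces one alert carrying all five targeted accounts, while the same detection with suppression disabled produces three for the same attack. That ratio is the staffing question in miniature: the owner on the alert must be someone whose workflow can absorb the volume the threshold and suppression values actually produce.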

Run test cases and provide feedback to SecOps team

Setting up Falcon LogScale is not a push-button process; it requires tuning. Therefore, the best practice is to establish a continuous and iterative process with well-defined milestones and goals. As Falcon LogScale processes the test cases, Vijilan provides feedback to the SecOps team. This approach allows Vijilan to effectively fine-tune Falcon LogScale while simultaneously mentoring the SecOps team on enhancing their log analytics and incident response processes.

Design a log analytics dashboard in alignment with SecOps staffing and workflows

Visualization plays a crucial role in SecOps effectiveness and team productivity within Falcon LogScale log management. Vijilan works with implementation clients to design and deploy custom dashboards. The recommended dashboard development process covers widget design, log source mapping, validation, and documentation.

Identify and train key personnel

Once Falcon LogScale is deployed, individuals will be required to ensure its functionality. If the client lacks personnel already trained in Falcon LogScale, it is advisable to utilize the implementation project phase to identify and train key staff members. Management and administration of Falcon LogScale do not necessarily have to be full-time positions. They can be incorporated as part of someone's role within the SecOps team. However, it is essential for an individual to assume responsibility for monitoring Falcon LogScale and its supporting infrastructure.

Document Falcon LogScale log analytics solution for specific SecOps parameters

Documentation is often overlooked in IT projects, but its importance cannot be overstated. The Falcon LogScale implementation should be documented to a reasonable extent. Since Falcon LogScale already provides documentation for the product itself, there is no need to write an extensive manual to accompany the implementation. A concise document covering the implementation parameters (which log sources are integrated, how they are parsed and normalized, and which alerts exist and who owns them) will prove immensely valuable as the Falcon LogScale instance grows and evolves over time.

Assess the suitability of outsourcing log monitoring

Outsourcing log monitoring can be a best practice for certain organizations. The decision to collaborate with an external service provider for this workload may stem from a shortage of personnel or a desire to allocate human resources to other areas. Considering the challenges faced by SecOps staff and the inherent difficulty in finding skilled employees for this specialized work, entrusting log monitoring to an outsourced provider can be a wise decision.

About Falcon LogScale

Falcon LogScale is a modern log management platform that is purpose-built for today’s complex systems and scale.
Falcon LogScale is designed with two key differentiators that enable real-time analytics at scale: a streaming, index-free architecture and high-compression storage. These features let customers pose any query and receive answers in seconds. The Falcon LogScale platform also has a robust ecosystem that integrates with many technologies, Vijilan's among them, which lets Falcon LogScale serve as a security solution for large-scale enterprise and educational institutions.

About Vijilan

Vijilan Security has over fifteen years of experience specializing in monitoring, detecting, and responding to information security incidents.
Vijilan, a US-based Limited Liability Company in Aventura, Florida, operates 24/7 primary Security Operations Centers (SOCs) collecting events from global private and public networks. The company prioritizes security by storing customer information exclusively within the United States. Led by a team of skilled professionals, including engineers and developers, Vijilan takes pride in their expertise. Their leaders possess prestigious CISSP certifications and degrees from esteemed institutions like Carnegie Mellon University. With this exceptional background, Vijilan delivers high-quality security solutions and services. Serving over 900 organizations in sectors like Banking, Health Care, Government, and Education, Vijilan's reach extends to clients in the United States, Australia, South Africa, Brazil, and the UK.


Contact Information


  • 954-334-9988

  • https://www.linkedin.com/company/vijilan-security-llc/

  • info@vijilan.com

  • 20803 Biscayne Blvd #302 - Aventura, Florida 33180