Log Management & SIEM for Security, Compliance, Operations | the dialog

Another meeting or WebEx demo is scheduled - things are busy for me six months in as Sales Engineer for LogRhythm in the UK.  I dial into the conference call and off we go.  The first question that normally gets asked by one of my enthusiastic sales colleagues is "what's the driver for the project...?"  To date the answer is usually "compliance".

I've worked with enterprise networks for over 10 years now and was responsible for designing, deploying and managing a large network for a leading Managed Security Services provider. When I designed the network, I paid no attention to log and event management. I knew that each of the products and technologies created logs and had their own management interface to allow me to view that information if needed. From what I've seen, this isn't an uncommon approach. It then happened......

... Friday night @ 17:00hrs, my phone rings and it's one of the sales managers on the phone: "Hi, can you create a report showing when John Doe has logged into the network over the past two weeks?"  Ok, this isn't too much of a task for me I think, I can simply log into the domain controller and take a look at the security logs, export the information to excel, manually edit it and create a report. Then the same sales manager asks "I also want to know what websites John Doe has visited whilst logged into the corporate network.  Oh, and can you tell me if they have also logged in remotely over the VPN?  If I can have the reports on my desk Monday morning, that would be good." All of a sudden the fairly simple task becomes more complicated and will require the use of various different GUIs, tools and lots of my weekend!

...Back to the demo: As I walk through the console showing the customer how easy it is to run an investigation against any or all of the log sources, showing how to use the common events and classifications to apply filters (Origin Login = John Doe, Classification = Authentication Success) to the log data that LogRhythm has enriched and normalized, I then show how easy it is to use the displayed data

and create a graphical report.

I continue to demonstrate the power of tail in a troubleshooting or activity monitoring scenario and apply a filter showing URL and Origin Login = John Doe and we sit there in real-time watching the user's activity.  It's about this point that the pin drops.

Yes the driver might be Compliance, but it's the additional operational features and visibility that LogRhythm provides that gets the technical operations team excited and actually sells the product more often that compliance on its own.

I wish I had paid more attention to my SIEM requirements when I designed the MSSP network all those years back. If I had I would have made it home much earlier that Friday night!

He's having the worst day of his life... over and over again.'

Ring any bells? It's the strap line from the film Groundhog Day which sees Bill Murray's character, Phil Connors, caught in a time warp - repeatedly waking up to find that things are exactly the same as the day before.

The film charts Connors' frustration at being faced with the same situations every single day and seemingly unable to start the next day afresh.

Whether it's travelling the same daily commute, or having repeated discussions about the latest information security regulation directive, I'm sure we've all related to that character at some point. Particularly if you are a miserable old curmudgeon like me (in fact I think you will find that Bill Murray based his screen persona on yours truly....)

With a seemingly endless list of new or amended regulations being introduced, it's no wonder that IT security professionals can often feel like they're stuck in their own Groundhog Day.  No sooner does an organisation achieve compliance for one regulation, than another comes along, often bringing with it a sense of déjà vu for all involved.

Take the Payment Card Industry Data Security Standard for example. The first standard was introduced in December 2004, with the most recent revision in 2008, and an updated version due this October.  As such, the regulation seems to have been around for an eternity and it's no wonder that mentioning the subject will trigger a glazed response from many in the industry.  

This rings even more true in the public sector where there seems to be a never ending stream of new initiatives and guidelines relating to information management and technology infrastructures. In the UK alone, organisations are faced with, for example, GSI/GCSX, CoCo compliance and latterly Memo 22 replacement, Good Practice Guide 13 (GPG 13.)

Information security is an ever changing beast. As technology evolves, so do the risks posed which is why it's imperative that organisations -public and private - don't become complacent when it comes to compliance.

As Bill Murray found in Groundhog Day, the only way to escape the monotony of his time warp was to re-assess his attitude to life. Of course I'm not suggesting for one minute that we turn our lives upside down, but there's a lot to be said for taking a proactive approach when it comes to guarding against risk.

In every information security related regulation, there's a requirement in some shape or form to protect the information being held by the organisation - from credit card details to children at risk records.  Despite this, all too often security incidents are discovered after the event, once the damage has been done.

Protective Monitoring tools such as LogRhythm's bring a new proactive dimension to information security-fulfilling multiple compliance requirements in the process.  By centralising and automating how log data is managed, organisations can gain a clear insight into network and user behaviour.  Any irregular activity is automatically flagged in real-time while reporting for compliance purposes is simpler and less time consuming.

As with most Hollywood films, Bill Murray's ultimate goal was to get the girl. While I can't guarantee that LogRhythm will bring similar results, it will help ease the Groundhog Day frustrations for those facing the continued compliance struggle.  

Unless you're happy living in Punxsutawney of course....

The Wall Street Journal published an article this week titled "Grid Is Vulnerable to Cyber-Attacks."  It focused on a recently published report by the US DOE that very candidly admits to specific and significant vulnerabilities in our nation's power grid.  The report is based upon data collected between 2003 and 2009 from 24 separate assessments of computer control systems.  The gaps highlighted in this piece are similar to those presented in numerous news reports over the last year, including a sobering 60 Minutes episode titled "Sabotaging The System."  

Public acknowledgement of these gaps by the DOE may surprise many, and media depictions of the potential ramifications of these gaps may cause many to break into panicked recitals of slightly modified Talking Heads lyrics "My God, what have 'they' done?"  But this acknowledgement should by no means be considered an indication that information security professionals at the DOE and our nation's utilities are asleep at the switch.  In fact, I suggest just the opposite is the case.   

Over the last 18 months I've spoken to and met with a number of IT Security professionals from utilities across the country and most of them are on top of it.  At the core of their current security posture is the realization that our infrastructure will NEVER be truly secure.  That's just the reality of it.  The move to "smart grid" technology by many utilities offers tremendous advantages in the areas of overall energy efficiency, cost reductions and increased reliability, but it also opens a whole new spectrum of threats to the infrastructure.  Realizing that there will always be persistent threats both outside and inside the network, utilities are focusing more and more on comprehensive and continual monitoring.  They recognize that every activity that occurs on their network is like the stroke of a brush on a large canvas.  When seen together, those strokes of paint yield an intricate, detailed and complete picture.   When considered separately or in chunks, they're meaningless globs of paint. 

Similarly, capturing log data from isolated bits and pieces of a network simply yields a big pile of meaningless logs.  You never get to see the full picture.  Utilities at the forefront of securing the grid are those that are deploying comprehensive log and event management systems that collect, analyze, report and alert on log data from virtually every log source in the enterprise; from network and security devices to servers, applications and even endpoints.  They're persistently seeing the full picture, which means that when the picture starts to change, they'll see it.  They may not be able to label the change or anomaly immediately, but they know enough to isolate it and investigate further.  And because they have all of the logs and the context in which they were created, they have unparalleled precision, insight and efficiency in their forensic investigations. 

With NERC CIP mandates and pressures shaking security dollars from utility budget trees, more and more utilities are stepping up to the challenge and refusing to accept (to quote the Talking Heads again)"Same as it ever was."    

I have spent the last couple of weeks reviewing some of the RFPs that LogRhythm has answered to get a better idea of how we can streamline the response process.  One of the things that jumped out is the complete lack of consistency from one RFP format to the next.  It seems like each company is reinventing the wheel in every shape but round, even though they are all trying to end up in the same place - with a Log Management/SIEM solution that meets their company objectives without destroying their budget. 

I realize that it must be difficult putting an RFP together. What do you ask and why?  A clear answer is hard to find without asking the question correctly, and after asking how do you score the results of what will most likely be at least a partially subjective response?  Each respondent is trying to win your business, which will almost certainly be reflected in their responses.  Just as important as asking the question is finding a way to filter out the chaff in the response.  This means that you not only have to ask the right question, you also have to have a pretty good understanding of the answer that you expect up front.

This is the same problem that administrators face after the RFP process plays out and a product is selected and implemented.  Once the Log Management/SIEM solution is in place, how do you use it to get the information that you need?  Or more importantly, how do you take what you know and put it in a format that even your boss can understand?  How a question is asked - or how a query is defined - determines what data is returned. If the question isn't clear then the results won't be either.  Having a solution that helps you clearly ask the question makes getting the right response easier. 

Delivering tools that facilitate the query process is one of the things that LogRhythm does exceptionally well.  By providing a wizard-based process to run reports and investigations, LogRhythm both speeds  up and simplifies the process of extracting relevant information.  We also automate the data enrichment process so that the information returned is clearly defined, properly categorized and easy to understand. 

As far as streamlining the RFP process for you?  Well, we can't tell you exactly what you need, but we do have a pretty good idea of the questions you want to ask when evaluating Log Management/SIEM solutions.  Feel free to ask for a copy of our template. 

Ever since Google was hacked by the notorious "Operation Aurora", the term Advanced Persistent Threat has come to the forefront of the computer security challenges organizations must face.   APTs are attacks originating from groups with government-level funding, with considerable patience to wait for an opportunity to exploit, and have a specific mission they are performing.

I've met the whole concept of APTs with personal skepticism.  After all, the analysis of Google's hack did not prove that the Chinese government was directly responsible, that the tools used exceeded the complexity of botnets formed by malware such as Bagle or Cornflicker, or that a basic penetration test could not have yielded similar results against any company, let alone an open-architected, public minded company such as Google.

Regardless, there are many respected researchers that do claim the attack was government sponsored and that the attack was carried out with significant sophistication.  They claim far more resources are likely pushed into funded cyber attacks against influential organizations as a result of copycats from other governments and well funded criminal groups.

For those who have been dealing with cyber crime during the last decades, these threats sound similar to threats that have been seen all along.  Criminal profit-motivated organizations have created sophisticated malware with command and control systems that, among other things, search and steal anything of value from an infected computer and send it to data collecting exfiltration servers located in shady data centers all around the world. 

The role of integrated Security Information and Event Management (SIEM) and Log Management products such as LogRhythm are coming to the forefront of APT defense, establishing them as a fundamental element of security that is just as important as the old familiar defenses.  APTs are likely to have a centralized command and control, and the defense is to have at least the same capabilities as the attacker, in the form of a Security Information and Event Manager.

Regardless if you are concerned about emerging threats from cyber crime, insider threat or feel your organization has a direct threat from government sponsored APTs, SIEM solutions like LogRhythm are an invaluable tool to respond to complex and targeted threats against your organization by addressing the following:

1) Event Layer collection, analysis, and reducing log data to highlight events of importance.
2) Automatic notification of compromises and security critical events
3) Robust and deep forensics abilities on a wide variety of log sources
4) Understandable dashboard highlighting activities and trends for the organization
5) Internal / External system awareness and GeoLocation identification of attackers
6) Detection and notification of potential data loss events

Without the right SIEM solution an organization may seem blind to even basic threats.  The illumination provided by a SIEM can expose complicated and unknown threats by tracking information with enough detail to spot anomalous behavior that APTs are not capable of hiding.  SIEMs are the most significant countermeasure against Advanced Persistent Threats available and are critical for stepping up to limit the impact of APTs.