When it comes to beating hackers, there’s strength in numbers

A number of last week’s media headlines seemed to follow a common thread – companies joining forces in the fight against cyber crime. Hackers have long been working together to infiltrate target companies so it makes perfect sense that, in a bid to fight back, corporations take the same approach.

The most recent call to action came from NATO, which called for improved collaboration when it spoke about its own struggle against cyber crime. NATO faced a staggering 2,500 attempted security breaches in 2012, although it considered only around ten attacks per month serious enough to mention. We can only presume that NATO’s IT infrastructure has all the fortifications money can buy, but it should still consider itself pretty lucky that none of these attacks have been successful. The ramifications of a successful hack for an organization like NATO would be disastrous. It’s perhaps no wonder it’s calling for better information sharing and pre-emptive action.

NATO isn’t the only one calling for collective effort. BSkyB also announced plans to share intelligence with law enforcement agencies and even some of its competitors. Similarly, the FBI and Microsoft joined forces to take down the Citadel botnet, which is thought to have been used to steal $500m from bank accounts. New alliances like these recognize that knowledge is power, even if that means working alongside competitors for the greater good.

Today’s cyber criminals take time to gather and share intelligence before singling out specific targets, leaving lone organizations – even those with the might and resources of NATO – struggling to fight back. If organizations are to stand a fighting chance, they must start working more closely, sharing information about the attacks they’ve been subjected to, so everyone can learn from each other’s experiences.


Life at the Edge

BYOD concerns continue to escalate as the growth of smart devices, including smartphones and tablets, continues to rise and invade the enterprise. Wireless access and remote access are eroding the network perimeter. Many companies I speak with are still grappling with how to gain better visibility and insight into edge activity. Instead of IP addresses, administrators are looking for identities. Instead of MAC addresses, administrators want recognition of the device type, including make, model, OS and security posture, among other attributes. This pursuit of greater contextual information to drive more insightful security policy has led LogRhythm to integrate with Cisco’s Identity Services Engine (ISE). LogRhythm is able to collect and process a rich set of detailed, contextual information about edge device activity from Cisco ISE. Not only can LogRhythm provide a centralized, easily searchable repository for ISE data, but LogRhythm’s AI Engine allows real-time analytics that combine ISE data with any other log source to solve the critical use cases that deliver that sought-after edge visibility.

Mobile devices
For example, Cisco ISE can identify which devices are actually smartphones, and which types of smartphones are participating on the network. LogRhythm can learn several behaviors of smartphones:

  • How many connections externally and internally do smart phones generally make?
  • How much bandwidth do smartphones generally consume, over which applications and protocols?

LogRhythm can build a histogram for each phone type and, if an individual phone begins to act very differently from its peers (a high number of connections, traffic across a different set of applications, etc.), alert you to it.

Guests
Every day, a small percentage of network activity is generated by people who do not even work for your organization: contractors, long-term consultants, daily visitors from vendors, etc. Cisco ISE can identify which users on the network are guests, and LogRhythm can observe guests’ interactions with the network. For example, LogRhythm can detect if any one guest generates too many failed access attempts, an indication that a guest account may be probing the network to see what holes are available for further access.

Remote users
Cisco ISE can identify which users are participating on the network remotely through the VPN. LogRhythm can build a whitelist of all the countries from which users authenticate to the VPN. If a new country is discovered, this in itself may not be concerning. However, LogRhythm looks for highly corroborated events, such as a user who not only authenticates from a new country but also accesses systems or applications they never touched before, which is representative of a compromised account.
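The two detections sketched above for smartphones and remote users, written out as an added example. This is not LogRhythm or Cisco code: the records are constructed to resemble the attributes ISE exports (device type, VPN source country) joined with connection counts and destination hosts from flow data, and the field names, the leave-one-out z-score baseline and the thresholds are all assumptions rather than the ISE schema or any LogRhythm rule.

```python
"""Edge-visibility detections over identity- and device-aware records.

Added example, not LogRhythm's or Cisco's code. Field names, thresholds and
all sample data are constructed assumptions.
"""
from statistics import mean, pstdev

# Constructed sample: per-device connection counts for one day, typed by ISE.
DEVICES = [
    {"id": "d1", "type": "iPhone", "conns": 110},
    {"id": "d2", "type": "iPhone", "conns": 120},
    {"id": "d3", "type": "iPhone", "conns": 130},
    {"id": "d4", "type": "iPhone", "conns": 115},
    {"id": "d5", "type": "iPhone", "conns": 125},
    {"id": "d6", "type": "iPhone", "conns": 900},    # behaves unlike its peers
    {"id": "d7", "type": "Android", "conns": 200},   # too few Android peers to score
    {"id": "d8", "type": "Android", "conns": 210},
]


def peer_outliers(devices, z_threshold=3.0, min_peers=3):
    """Flag devices whose connection count is far above same-type peers.

    Each device is scored against a leave-one-out baseline so that an outlier
    does not inflate the very baseline it is measured against.
    """
    flagged = []
    for dev in devices:
        peers = [d["conns"] for d in devices
                 if d["type"] == dev["type"] and d["id"] != dev["id"]]
        if len(peers) < min_peers:
            continue                       # not enough peers for a baseline
        mu, sigma = mean(peers), pstdev(peers)
        if sigma == 0:
            continue                       # identical peers: no spread to score
        z = (dev["conns"] - mu) / sigma
        if z > z_threshold:
            flagged.append((dev["id"], round(z, 1)))
    return flagged


# Constructed VPN history used to learn the per-user whitelist.
VPN_HISTORY = [
    {"user": "bob",   "country": "US", "hosts": {"mail", "wiki"}},
    {"user": "bob",   "country": "US", "hosts": {"mail"}},
    {"user": "carol", "country": "US", "hosts": {"mail", "crm"}},
    {"user": "carol", "country": "GB", "hosts": {"crm"}},
]

# Constructed new VPN sessions to evaluate against that history.
VPN_SESSIONS = [
    {"user": "bob",   "country": "RO", "hosts": {"mail", "hr-db", "backup"}},  # new country AND new hosts
    {"user": "carol", "country": "DE", "hosts": {"mail"}},                      # new country, familiar host
    {"user": "carol", "country": "GB", "hosts": {"crm"}},                       # nothing new
    {"user": "frank", "country": "US", "hosts": {"mail"}},                      # no history yet
]


def learn_vpn_baseline(history):
    """Whitelist per user: countries seen on the VPN and hosts normally reached."""
    base = {}
    for s in history:
        b = base.setdefault(s["user"], {"countries": set(), "hosts": set()})
        b["countries"].add(s["country"])
        b["hosts"] |= s["hosts"]
    return base


def vpn_corroborated(sessions, baseline):
    """Return (alerts, notes).

    A new source country on its own is only a note. A new country combined
    with access to hosts the user never reached before is the corroborated
    event that looks like a compromised account, so it becomes an alert.
    """
    alerts, notes = [], []
    for s in sessions:
        if s["user"] not in baseline:
            notes.append((s["user"], s["country"], "no baseline"))
            continue
        base = baseline[s["user"]]
        new_country = s["country"] not in base["countries"]
        new_hosts = s["hosts"] - base["hosts"]
        if new_country and new_hosts:
            alerts.append((s["user"], s["country"], sorted(new_hosts)))
        elif new_country:
            notes.append((s["user"], s["country"], "new country"))
    return alerts, notes


if __name__ == "__main__":
    print("peer outliers:", peer_outliers(DEVICES))
    print("vpn:", vpn_corroborated(VPN_SESSIONS, learn_vpn_baseline(VPN_HISTORY)))
```

The leave-one-out baseline matters with small peer groups: scoring the 900-connection phone against a mean that already includes it would hide it. The VPN check deliberately separates "new country" (a note) from "new country plus new hosts" (an alert), so a travelling user checking mail does not page anyone.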

Cisco ISE helps provide LogRhythm a platform to gain identity and device-aware contextual information regarding network access and activity.


One-API-fits-all

It’s never quite the case that ‘one size fits all’. Yes, sometimes it can be true, but for those of us who have specific requirements it can be a hard promise to live up to – and most of the time, we have to settle for slightly less than what we were looking for.

But what does this have to do with logs?

The requirements for log collection and correlation are broad, and vary from organisation to organisation – not to mention the number of ways we choose to consume, process and visualise that information. In response, our latest LogRhythm console offers more ways of presenting analytics than you can shake a syslog at, whether it is our inbuilt visualisation tools, our dynamic tabular data layouts or the hundreds of inbuilt reports – but, what if you demand more?

The answer is among the many new features introduced in LogRhythm 6.1, specifically our Application Programming Interface (API), which lets you develop custom solutions that leverage your LogRhythm deployment with <<insert programming language of choice>> and consume all of that enriched, correlated data in a format limited only by your imagination (or programming capabilities!).

Some impressive features of the API:

- Create custom dashboards for SOC/MSSP environments
- Populate LogRhythm Entity configuration from central workflow processes
- Geo-plot real-time security events
- Consume LogRhythm’s correlated and enriched log information via third party systems

So, it turns out one size can indeed fit all – at least when it comes to log management. Get in touch if you’d be interested in hearing more about upgrading to LogRhythm 6.1.


It’s not all about security: the surprises hidden in your log data

It’s not just about security when it comes to SIEM. There is a vast wealth of other information that can be gained from monitoring, collecting and analyzing log data.

I was recently helping a maritime organization with a compliance requirement to collect and monitor its log data. In the first days of the deployment, just as the firewall logs were starting to be collected, we spotted a large amount of log traffic relating to general network firewall noise. The affected firewall was one of the shore-based devices, while the log data was being generated by high levels of data traffic coming from one of the ships. This traffic turned out to be noise or, when carried over ship-to-shore satellite links, a considerable amount of wasted bandwidth.

Ships use satellite links to establish or maintain communications with their shore-based counterparts. Voice and data, broadband, video and other essential communication can be vital to the safety and effective running of the ship and its operations. Just like with your cell or landline phone bill, using satellite links comes at a cost, only a much higher one. At an average cost of around $2 per megabyte on one satellite band, it would not be uncommon for a ship’s satellite ‘call costs’ to run to thousands of dollars per month. A very busy commercial or passenger vessel would soon have a bandwidth cost in excess of $10,000 to $20,000 per month!

Based on the volume of log data we analyzed, we estimated that about $4,000 of the firm’s monthly ship-to-shore comms bill could be attributed to the data noise coming from the ship. The customer has since established the cause as a misconfigured firewall on the ship, and the wasted bandwidth stopped instantly once the ship’s firewall was updated.
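One way to turn a batch of shore-firewall log lines into a per-source cost estimate like the one above, as an added example. It is not code from the post or from LogRhythm, and the post does not describe how its own estimate was made: the log lines are constructed in a generic iptables-style syslog layout rather than any particular vendor’s format, and the ten-second sample window, the $2/MB rate and decimal megabytes for billing are assumptions.

```python
"""Attribute firewall-log noise to its source and price it at satellite rates.

Added example, not from the post or LogRhythm. The log format, the sample
window and the billing rate are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: ten seconds of shore-firewall log in an assumed
# iptables-style layout. 10.20.0.5 is the noisy host on the ship.
SAMPLE_LINES = [
    "Jun 10 08:00:01 fw-shore kernel: DENY IN=sat0 SRC=10.20.0.5 DST=10.1.0.9 PROTO=UDP SPT=137 DPT=137 LEN=1500",
    "Jun 10 08:00:03 fw-shore kernel: DENY IN=sat0 SRC=10.20.0.5 DST=10.1.0.9 PROTO=UDP SPT=137 DPT=137 LEN=1500",
    "Jun 10 08:00:04 fw-shore kernel: ALLOW IN=sat0 SRC=10.20.0.12 DST=10.1.0.20 PROTO=TCP SPT=51022 DPT=443 LEN=60",
    "Jun 10 08:00:05 fw-shore kernel: DENY IN=sat0 SRC=10.20.0.5 DST=10.1.0.9 PROTO=UDP SPT=137 DPT=137 LEN=1500",
    "Jun 10 08:00:07 fw-shore kernel: DENY IN=sat0 SRC=10.20.0.5 DST=10.1.0.9 PROTO=UDP SPT=137 DPT=137 LEN=1500",
    "Jun 10 08:00:09 fw-shore kernel: DENY IN=sat0 SRC=10.20.0.5 DST=10.1.0.9 PROTO=UDP SPT=137 DPT=137 LEN=1500",
    "Jun 10 08:00:10 fw-shore kernel: ALLOW IN=sat0 SRC=10.20.0.12 DST=10.1.0.20 PROTO=TCP SPT=51022 DPT=443 LEN=60",
    "Jun 10 08:00:10 fw-shore kernel: this line carries no packet fields and is skipped",
]

LINE_RE = re.compile(r"\b(?P<action>ALLOW|DENY)\b.*?\bSRC=(?P<src>\S+).*?\bLEN=(?P<len>\d+)")

SECONDS_PER_MONTH = 30 * 24 * 3600
BYTES_PER_MB = 1_000_000   # assumption: the carrier bills in decimal megabytes


def bytes_by_source(lines):
    """Sum the logged packet bytes per source address; unparseable lines are skipped."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            totals[m["src"]] += int(m["len"])
    return dict(totals)


def monthly_cost_by_source(lines, window_seconds, usd_per_mb=2.0):
    """Extrapolate each source's sampled byte rate to a month and price it.

    Returns {source: usd_per_month}, biggest spender first.
    """
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    costs = {}
    for src, nbytes in bytes_by_source(lines).items():
        monthly_bytes = nbytes / window_seconds * SECONDS_PER_MONTH
        costs[src] = round(monthly_bytes / BYTES_PER_MB * usd_per_mb, 2)
    return dict(sorted(costs.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for src, usd in monthly_cost_by_source(SAMPLE_LINES, window_seconds=10).items():
        print(f"{src:<14} ~${usd:,.2f}/month")
```

Treat the number as a lower bound: a firewall usually logs only the packet that matched a rule, not every byte of a flow, so flow records from the satellite router would give a tighter figure. The point is the ranking, which tells you which host on the ship to look at first.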

So it really isn’t all about security. Operational cost savings as well as the ROI on both your infrastructure and your SIEM solution all go into the pot for that next IT budget!

Is there noise on your infrastructure burning away at your budget? The answer will be buried in the logs.


That Old 80/20 Rule

It’s amazing how often that maxim applies in life, and information security in 2013 is no exception.  The 2013 Verizon Breach Investigations Report had a lot of interesting info, but one fact really stood out for me: 76% (80% if you round up) of network intrusions exploited weak or stolen credentials. This should be a wake-up call for anyone responsible for information security.  It’s also a guidepost as to how to best allocate resources.

If I were a CISO armed with this information, I would be allocating a material amount of staff time and budget on new techniques and technologies for detecting compromised credentials in real time. I’d also be looking at processes and policies around credentials. Ensuring a heightened level of priority to these activities likely would provide my organization the best ROI for security….by far.  Detecting compromised credentials in real time is tricky but not as hard as one would think.  You just need the right tool and the right processes.

Imagine this scenario. A privileged user named Charlie at a large bank in Chicago logs in at 8:00 AM CT and starts work as he normally does. Charlie’s credentials are subsequently used to log in three hours later from Shanghai. We all know that time travel doesn’t work yet, and the login from Shanghai is very likely from someone we don’t want having access to the bank’s systems. If you knew this was happening, you would immediately disable Charlie’s account, avoid any damage and investigate from there. At that point, you just want to stop any potential damage; you can find out how the credentials were compromised later. The challenge here is that the login from Shanghai uses authorized credentials and will not be blocked. It’s the combination and timing of these two logins that is suspicious. Evidence of this is clearly in the log data and easily discovered if you’re looking for it with the right tool.
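The Chicago-to-Shanghai check above, as an added example of an impossible-travel rule. This is not LogRhythm code: the login events and the IP-to-location table are constructed (RFC 5737 documentation addresses stand in for a real GeoIP lookup), and the 900 km/h ceiling, roughly airliner speed, is an assumption to tune.

```python
"""Impossible-travel detection over authentication events.

Added example, not LogRhythm code. Events, the GeoIP table and the speed
ceiling are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed GeoIP table: ip -> (city, latitude, longitude).
GEO = {
    "203.0.113.10": ("Chicago", 41.88, -87.63),
    "203.0.113.11": ("Chicago", 41.88, -87.63),
    "198.51.100.7": ("Shanghai", 31.23, 121.47),
}

# Constructed login events (user, source ip, UTC time). Deliberately not in
# time order, because log sources rarely deliver events sorted.
LOGINS = [
    ("charlie", "198.51.100.7", "2013-06-10T16:00:00Z"),  # 11:00 CT from Shanghai
    ("charlie", "203.0.113.10", "2013-06-10T13:00:00Z"),  # 08:00 CT from Chicago
    ("dana",    "203.0.113.10", "2013-06-10T13:05:00Z"),
    ("dana",    "203.0.113.11", "2013-06-10T15:00:00Z"),  # same city: nothing to flag
    ("erin",    "192.0.2.99",   "2013-06-10T13:00:00Z"),  # not in GEO: cannot score
    ("erin",    "198.51.100.7", "2013-06-10T13:30:00Z"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km on a 6371 km sphere."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(logins, geo, max_kmh=900.0):
    """Return (user, from_city, to_city, km, kmh) for each pair of consecutive
    logins by one user that would require moving faster than max_kmh."""
    by_user = defaultdict(list)
    for user, ip, ts in logins:
        by_user[user].append((parse_ts(ts), ip))
    alerts = []
    for user, events in by_user.items():
        events.sort()                                   # time order, per user
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 not in geo or ip2 not in geo:
                continue                                # unknown location: skip pair
            city1, lat1, lon1 = geo[ip1]
            city2, lat2, lon2 = geo[ip2]
            km = haversine_km(lat1, lon1, lat2, lon2)
            hours = (t2 - t1).total_seconds() / 3600
            # Different places at the same instant is "infinitely fast" travel.
            kmh = km / hours if hours > 0 else float("inf")
            if km > 0 and kmh > max_kmh:
                alerts.append((user, city1, city2, int(km), kmh))
    return alerts


if __name__ == "__main__":
    for user, a, b, km, kmh in impossible_travel(LOGINS, GEO):
        print(f"{user}: {a} -> {b}, {km} km in time implying {kmh:.0f} km/h")
```

Charlie’s pair comes out at roughly 11,300 km in three hours, several times faster than any airliner, so it fires; Dana’s two Chicago addresses and Erin’s unlocatable source do not. In production the false positives come from corporate VPN and cloud proxy egress points, whose GeoIP location is not where the user is, so exclude or separately baseline those address ranges before paging anyone on this rule alone.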

First generation SIEMs focus their correlation and analytics on a small subset of “interesting” log data in an enterprise. By doing so, many things will be missed, and how do you always know what is “interesting?” Next generation SIEMs like LogRhythm apply multiple analytic techniques to the entire population of log, flow and machine data. That is the best way to ensure you are capturing as much suspicious activity as possible, even when you don’t know what to look for. With this approach, you can easily know, in real time, that Charlie is not simultaneously in Chicago and Shanghai, and you can shut his account down. The next generation approach also enables behavioral analytics that establish a baseline profile of normal activity for a user, host, application, network, etc. and flag deviations of a certain magnitude. This lets you see anomalies that you couldn’t predict. Combine advanced correlation (where you know what you’re looking for) with behavioral analytics (where you don’t necessarily know what you’re looking for) and automated remediation (the ability to take action in real time), and you’ve got some very significant weapons to detect and defend against compromised credentials, the culprit in almost 80% of network intrusions. If you’re only allocating a small amount of resource and attention to detecting compromised credentials, you’re missing a tremendous opportunity to defend. The 80/20 rule: apply it to your security strategy.
