Posts tagged: 'log management'


Why SIEM? A Retrospective

Ten years ago, I was put into the position of having to figure out how to manage a serious gap in enterprise security for a vitally sensitive environment. The problem was introduced to me like this: “The team can read 3,000 pages of logs per day but they receive 55,000 pages.” Adding more heads to the problem wasn’t the right solution: they were losing context, were inaccurate, under-trained, and bored. The success stories from this team were few and the needle-in-a-haystack factor was high. This process needed to be automated.

There was another serious problem besides log volume. I explained the systemic issues to my supervisors like this: “The security controls in our organization are like musical instruments in an orchestra. We have firewalls, anti-virus, intrusion detection devices, file integrity monitoring, content filters, anti-spam, host security, and application security. But right now each does security ‘solo’.”

Each control was managed by a different group.  Reporting was all hand constructed and carried to the security team.  The firewall manager would deliver the firewall report daily, intrusion detection was handled by the incident handling team once a week, anti-virus reports were delivered monthly by the IT staff, and so on.

The whole of the system was as reliable as clockwork: each piece did its part exactly as planned and yet each was still ineffective.  The whole process was too high-level to determine if a problem existed, too low-level to see the problem as it happened, incomplete because not all data was reviewed, and lacked the context to determine if a threat was real even if it was suspected.

The bottom line?  All controls play a different piece in the same symphony.  They need to work together to turn noise into music.

The promise of SIEM was that computers can solve large, complex and tedious problems faster and more accurately than people; as such they are the ideal tool to police themselves and their users.  We wanted the entire system of security controls in the enterprise working cooperatively, in harmony, and armed with the intelligence needed to protect the organization.

The emerging SIEM (SIM, SEM, or ‘master console’) technology was often focused on specific tools such as Intrusion Detection or Host Security that ‘extended’ into logging. Many critical systems had no logging whatsoever, and companies withheld such features in an attempt to keep their proprietary systems closed. It would take most of the 2000s to get the message to vendors that third-party auditing was a requirement. Now SIEMs can be practical, and more creative means of using them can be applied.

Once the orchestra is together, the Conductor can lead. It’s of utmost importance that the managers, investigators, analysts, engineers and operators hear the same song. What SIEM needed, and has achieved today, is the ability to connect logs to organizational regulations, policy, plans, procedures, organizational divisions, and even individual project requirements. Alerts can be tailored to correlate between identified events, known threats, and critical assets. Reports can be automated and customized to fit any manner of output requirements rather than being limited to hand-made spreadsheets. And valuable metrics can be mined from the official record of events that the SIEM establishes.

Thanks to SIEM technology, logs can be reviewed properly, fewer people are needed to review them, and the tools can handle volumes that now may exceed tens of millions of pages of data per day rather than just 55,000. Coverage now extends to the entire networked enterprise, and information can be presented in a timely manner and in ways that are useful to all stakeholders. I have no doubt that SIEMs are a key innovation for information technology and will be critical for what is shaping up to be a brutal future for security problems.


NT & 2000. You’ll need more than a pocketful of posies…

Trust. The internet simply can’t afford it. I’m not talking about notional trust, or any form of technical trust. I’m talking about actual trust. Users of the internet can do without it.

Why the cynicism? Well, you can’t possibly sit pontificating on 21st Century computing without at least skimming over social networking, and before you know it you’re at trust. I was ruminating on such things and it struck me how Web 2.0 and 3.0 have brought trust back to an area of human endeavour where we should be innately mistrustful. Don’t get me wrong. The democratisation of the internet through such channels ranks for me as a crowning achievement of humankind, but let’s not be naive. Your friendly neighbourhood knee cappers, drug runners and extortionists now see the internet as fertile ground for the exploitation of new markets. Further to this, the advent of weaponised, state-sponsored malware like Stuxnet reiterates the fact that none of us are in Kansas anymore.

Social networking – almost all of us do it. Many of us do it online. We now have potentially lifelong connections with school friends, work colleagues and even casual acquaintances. We spin up webs of dozens or even hundreds of people that we ‘presumably’ know and ‘presumably’ trust. Indeed, the recent push on Facebook for everyone to choose https as the mechanism for delivery of social content has not helped. Because now, in combination, you’re in perpetual touch with these people, in an SSL secured environment. What could possibly go wrong? Facebook apps are safe, right? Wrong. In fact, malware originating from social networking channels is the next big attack vector. If your organisation has a liberal policy to social networking in the workplace, then you are potentially asking for trouble.

Unless you have a very sophisticated next generation firewall infrastructure and a culture of continuous education for your users on social networking hygiene in the context of the modern organisation, then things could go very badly awry. Visualise this: a piece of malware sent from a trusted friend and confidant of one of your employees hits their Facebook inbox. A couple of clicks, your firewall doesn’t even blink at the traffic whistling across port 443, and it arrives on the user’s desktop and spins up a nasty piece of proliferative, zero day malware. No problem, right? Your desktop scanners do heuristics, and the IDS system will pick anything else up.

Well, what about the legacy NT systems, typically performing tasks of quasi-SCADA level criticality? What about the 2000 systems housing legacy applications that are too costly to migrate, but too valuable to retire? Sophisticated modern malware will make a beeline for these systems. So, how can you get an early view of compromises, non-intrusively? How can you make stateful correlations between changes in behaviour in your legacy systems and possibly compromised user credentials? How can you take metrics from all around your infrastructure about the security of your people, your processes and your systems and view them in a normalised, human readable, business meaningful way?

You don’t need a log management solution. You need a REALLY GOOD log management solution.

For further insight on zero day exploits, and how a next generation SIEM will help, see our use case resources on our website.

 


Patience is a virtue... but not with organisations taking a lax approach to data security

Here in the UK over the last few weeks, there have been a number of warning shots fired across the bows of those people that aren’t taking data security all that seriously.

To start with, in November the UK Information Commissioner’s Office (ICO), which makes sure organizations comply with our Data Protection Act, issued its first financial penalties since it gained the power to levy fines of up to £500,000 back in April of this year.

Getting their fifteen minutes of fame (for all the wrong reasons) were Hertfordshire County Council, which was hit with a penalty of £100,000 for faxing sensitive information to the wrong recipients, and A4e, an employment services company, which was fined £60,000 for losing an unencrypted laptop, along with the personal details of 24,000 unsuspecting souls.

However, it’s not just the ICO which is losing patience with data loss incidents; the natives are getting restless too. In a OnePoll survey of 5,000 UK consumers, four out of five people said that the Government should take a tougher stance on data security by introducing US-style breach disclosure laws. Such ‘name and shame’ legislation is still very thin here in Europe, although the European Commission is currently weighing up whether it should enforce mandatory data breach notifications.

The problem as it stands is that we citizens simply haven’t got a clue whether our personal information has been lost or stolen, and until organizations are forced to disclose data breaches, we’ll probably only find out when money starts leaking out of our bank accounts.

However, even without a change in law, it’s a total no-brainer that businesses should do all they can to keep confidential information safe.  This is the same the world over, not just in the UK. You don’t have to look any further than the latest WikiLeaks’ revelations to understand the damage that can be done if data falls into the wrong hands.

So what can be done to prevent data breaches (not to mention the fines and public outrage that increasingly accompany them)? A good starting point is turning on the logging systems in your network and actually monitoring them using log management and SIEM solutions. By generating real-time alerts, these technologies flag up suspicious behaviour as and when it happens, be it files being copied to a flash drive, hackers trying to crack a firewall or an employee trying to access payroll records.

It’s only by attaining this level of insight into what’s happening across the entire network that organisations can keep all their data assets safe, regain the public’s trust and avoid ever more severe penalties.

That way, when I see money leaving my account, I can be sure that it’s because my wife is down the shops, rather than some hacker making hay while the sun shines.


Prevent your organization from being the next Wikileaks headliner

Recently, the web site “Wikileaks” released over 250,000 classified U.S. State Department documents containing correspondence from diplomats and many allies. The result has been embarrassing for world politics and highlights the many reasons for maintaining tight security.

One of the most commonly ignored reasons for improving computer security is “loss of customer confidence”. But consider the effects of this exposure: foreign contacts that worked closely with the United States are now afraid that intelligence they provide will be made public thereby putting their lives at risk. This breakdown in security will have long term effects to international diplomacy due to fear of information leaks. If the United States can lose that much information, how could a smaller country prevent the theft of their classified information?

Another serious issue this leak highlights was instruction to U.S. Diplomats to “collect basic contact information about U.N. officials that included Internet passwords, credit card numbers and frequent flyer numbers.” (NBC, November 29, 2010.) Provided this is a real document, these pieces of information aren’t typically acquired by a casual conversation, so presumably cyber security has to be breached in order to accomplish this. Alternatively, this information could be attained by leaked information from other insiders. This conjures ideas of a network of individuals, all of whom may profit from releasing confidential information to governments.

This may seem too big of a problem for an individual or small organization to handle, but it concerns us all nevertheless.

By now most organizations have firewalled their networks and put intrusion prevention systems in place to monitor for attacks. However, data leaks are often caused by employees, and those systems won’t detect them, so how can an organization prevent loss of confidential data?

Full compliance with regulation is the first step. If you are handling information that is confidential and potentially hazardous if disclosed, it is probably regulated already. FISMA, PCI DSS, and HIPAA are just some examples. Standards for security have been defined by organizations such as the National Institute of Standards and Technology and are very comprehensive. Security standards have been expanding in breadth and depth, so any organization that is not compliant now needs to plan not only to catch up but to stay ahead.

Tending to organizational security is as important as the computer systems, so don’t overlook the personnel, their access to sensitive information, and ensuring the company management follows the “principle of least privilege” so employees have just enough access to fulfill their responsibilities. Employees need to be trained to identify threats, report suspicious activities, and be able to properly respond to incidents.

Strong encryption prevents the wrong hands from accessing data, even if they managed to compromise the system or eavesdrop on network connections. Although management of encryption technologies is often a challenge for organizations that never used them in the past, the benefits of preventing data leaks by using encryption outweigh the cost of training employees to use it.

Security Information Event Management maintains the official record of use for the organization’s information resources. This record provides the evidence used by network forensic experts to determine the nature of an incident. Centralization also provides the most effective way to monitor anomalous activities, correlate events to spot adverse activities, and to diagnose error conditions that lead to vulnerabilities.

Fear of legal reprisal prevents most people from releasing stolen information. Hacking computer systems with the intent of committing espionage has severe consequences if the culprit is caught. If a person wouldn’t knowingly shoplift in front of a camera, they wouldn’t steal information if they were being heavily monitored by proven technology.

Data Loss Prevention is another known and proven technology that can prevent removable media from being used by a computer. By preventing flash memory, writable optical media, or other USB connected mass storage from being used, large amounts of information will not be able to leave the organization undetected. Efforts made to bypass DLP technology would raise additional alarms that signal intent to steal information, easily identified by a SIEM.

Malware Heuristics provides an alternative to signature-based malware detection. As a collection of different types of tools, anti-virus packages offer ways to locate one-off or custom malware based on behaviors, functionality, and other conditions that are highly suspicious. While anti-virus is required for most organizations, many leave heuristics turned off. If you’ve wondered how to protect against custom malware that doesn’t have an anti-virus signature, heuristics is the best solution.

Network Content Inspection is a genre of security products that can examine the contents of e-mail, web accesses, instant messaging, and peer-to-peer transfers for violation of a predetermined policy. Large e-mails can be identified and stopped pending management approval, communication to non-approved sites can be banned, or key words can be found inside the content of mail or attached documents.

Operations Risk Management is a broad set of activities that connect the security controls to the way operations are performed in your organization. Use of badges, access key codes, security cameras, guards, perimeter fences, tamper resistant locks, and other such controls will enhance the security of the computer systems by preventing unauthorized access and tracking employees.

These protections are certainly not the only techniques for protecting data in your environment, but they are necessary if you are serious about preventing data leakage. All are known technologies, readily available, and have many case studies as to their effectiveness. You may not be able to stop every instance, but you can take steps to avoid suffering a breach on the scale of the Wikileaks case through preventative measures based on common sense, effective forensics and rapid response capabilities to immediate threats.


A Popup Timer for Log and Event Management?

In the spirit of Thanksgiving, I’m going to try to draw a comparison between cooking a turkey and using a log and event management solution to successfully monitor and manage a network.

Cooking a turkey isn’t as simple as throwing it in the oven and setting a timer. Nothing wrecks a Thanksgiving meal harder than a dry and tasteless turkey. Sure, getting a quality turkey is important, but it’s not the only factor. Unless you have absolutely no standards, there’s a lot of preparation involved, culminating with cooking it to the proper temperature.

Doing Thanksgiving right involves a combination of preparation, proper equipment, and timing. A breakdown of any one of these factors can completely derail an otherwise well planned event. When Thanksgiving rolled around last year my oven was failing and I had no idea. Despite brine soaking the turkey overnight, getting up early to preheat the oven and making sure that I had plenty of cooking time, I had no idea that the oven wasn’t working right. That left us with a completely undercooked dinner two hours after we were supposed to eat, before I realized that something more significant than miscalculating the time was going on. Had I been alerted that my oven was running 50 degrees cooler than the gauge was displaying, I would have adjusted the setting to compensate – problem solved, dinner served.

The same thing is true in IT. Something as simple as sending an email can be derailed by a variety of issues throughout the network – without you having any idea why. Even if the mail server is operating properly, numerous things can go wrong that may escape detection without the proper tools in place. The right tool can proactively alert you to let you know that a critical piece of network equipment has failed and is preventing any outbound communication. Without that notification you might have no idea that none of your organization’s communications are getting to where they’re supposed to go. With proper monitoring and notification you quickly isolate the issue and fix the problem.

So what’s the right method to find out when a critical event takes place, like a router failing or your turkey not reaching the proper temperature? In either case, the simplest way is through an automated alert. Set up a threshold or flag an event, and when the threshold is reached or the event takes place, a notification is sent. With a good Log and Event Management solution, that’s easy enough to accomplish. In LogRhythm you open a wizard, take a few steps to define how and when you want to be notified, and activate the alarm rule. The wizard-based approach has the added benefit of making it easy to add enough detail to an alarm to actually make it meaningful for your exact environment. Then, in the immortal words of Ron Popeil, “Set it and forget it!”

But how do you automate notification with a turkey? Sure, you can watch the clock and hope that the turkey is done when you have cooked it a certain amount of time. But if you’re off by a little, you have to throw it back in after you have started carving, or it is overdone. Either way you’re in danger of a dry turkey. No, the simplest way to know when your turkey is done is to use a brilliant invention known as the pop-up timer. As soon as your turkey reaches the right temperature, it triggers the timer to pop up and let you know that it’s time to eat. How is that like an event-based alert? Simple. A pop-up timer works just like a threshold-based alert. A spring-loaded stick is held in place by a soft metal or plastic that is made to melt at a very specific temperature. As soon as the surrounding area raises the timer’s temperature enough, the metal melts and the spring pops the stick. That’s a lot easier than constantly pulling the turkey out of the oven and checking the temperature to see when the meat is at the right temperature to be considered done.

Yeah, that may have been a stretch, but it was an easy excuse to look up pop-up timers and how they work. Happy Thanksgiving!
