Managing the virtualized enterprise, historic NIST recommendations and more

August EventSource Newsletter
By Jasmine Noel

Smart Value: Getting more from Log Management

Every drop in the business cycle brings out the ‘get more value for your money’ strategies.  For IT this usually means either use the tools you have to solve a wider range of problems or buy a tool that with fast initial payback and can be used to solve a wide range of other problems. This series looks at how different log management tasks can be applied to solve a wider range of problems beyond the traditional compliance and security drivers so that companies can get more value for their IT money.

Log Value Chain: data loss prevention, email trending for cost reduction and problem identification

The bubbling acronym soup of compliance regulations (HIPAA, PCI-DSS, FRCP, etc) are putting more focus on data loss (leak) prevention (DLP).  In other words, preventing users from unintentionally giving out too sensitive corporate information.

Computing gives us many ways to share data — USB drives, email, online file synchronization services, blogs, browser-based desktop sharing, twitter — the list can seem endless.  Every new innovation in data sharing creates a new way for employees to leak sensitive information.  User education alone is not going to cut it.  Most people know they shouldn’t send financial and medical records to people outside the company just like they know they should eat fewer snack foods and more vegetables.  But its hard to have good eating habits when grocery stores have most of their shelf space dedicated to snacks (as I know so well!).  Similarly, the wide variety of data sharing mechanisms makes it hard for users to be responsible with business information all of the time.

Needless to say, every security vendor on the planet has unveiled their ‘comprehensive solution for DLP’  — oh great — this is just what cash-strapped businesses need — another suite of security products (with one module to address each of those data sharing mechanisms)  that they have to purchase just to keep a chip in the compliance game.

Well, maybe not.

Companies looking for a quick and cost effective way to start addressing DLP should to look at extending their log management solutions.  Computing devices, for the most part, are capable of logging everything that is going on.   It is analysis of that log data that helps knowledgeable people understand what is happening.  Want to know what files were uploaded to a USB drive — look at the logs for file writes.  Want to know which users are using browser based desktop sharing services — look at the browser history logs.  Want to know who is downloading specific files after hours — look at the server logs where the files reside. Want to know if employees are emailing files to their personal GMail accounts, look at the logs for specific IP addresses and correlate it with logs about email attachments. Alternatively you can look at email trends for suspicious activity — a sharp spike in activity in the middle of the night is  often evidence of a security attack or the malicious behavior of disgruntled  employees.

If you have a scalable log management solution with analytics that make it easy to correlate events, and reporting capabilities that can easily group issues into top ten lists, then you have the makings of a DLP solution that can investigate any current (and future) data sharing mechanism.

But more than that — you also have an email trend analysis solution which can save you service or storage costs. I quick look at my own desktop email client, shows email archiving files doubling every six months.  Why? Because there are hundreds of internal emails with 4MB Word and PowerPoint attachments that never get removed.  I shudder to think of businesses with hundreds or thousands of employees with my email habits.

So if these businesses could prove that 70% of your email storage is large attachments sent between remote employees, they could come up with a more cost effective internal file-sharing mechanism or automate a process to eliminate the attachment overkill. Proving these email trends should be just another job for your log analysis and reporting  solution.

Speaking of analyzing email trends, I often have days when I seem to get very little email and I always wonder if everyone is on holiday, or nobody wants to talk to me, or something is really wrong with my email service. So I spend time doing personal checks, can I get email from my hotmail account or from a coworker, is my router working, is Vista downloading a massive patch, then I call my ISP who runs their tests tells me “our service is working” — at which point I give up because I’ve spent an hour of problem resolution for a problem that ‘doesn’t exist.’  But sometimes a chunk of email the next day that clearly was supposed to be delivered the day before, so I know the problem was real and I wonder what got lost in the process.

I suspect that a little trend analysis of my email logs would help with these transient customer service problems.  In my case, since there is no evidence that I typically get 50 non-spam emails per day but today I got 5, my ISP doesn’t know what to do with my call so they close the ticket probably with a ‘couldn’t replicate problem’ tag.  Would email trend analysis prevent the problem — maybe not . However, if these type of customer service calls can be tagged with ‘abnormal email trends’ I’d bet they would identify issues faster and I would get my chunk of email later the same day instead of 24-36 hours later — better customer service powered by log analysis.

My point is that the business requirements will always be adding more and more analysis tasks to IT’s to-do list. Most of the time the raw information to complete those tasks is buried somewhere in the logs. By leveraging a flexible reporting and analysis solution, IT can respond to these new tasks — and automate them if they are recurring — without ponying up more of ITs precious budget for new solutions for every new task.

Industry News

Tenenbaum hit with $675,000 fine for music piracy
In another big victory for the Recording Industry Association of America (RIAA) a federal jury has fined Boston University student Joel Tenenbaum $675,000 for illegally downloading and distributing 30 copyrighted songs.

Did you know? EventTracker’s advanced network connection monitoring feature allows you to monitor network activity including web surfing, file sharing traffic, incoming network connections and more

NIST Issues Final Version of SP 800-53; Enables Rapid Adoption of the Twenty Critical Controls (Consensus Audit Guidelines)
The new version of 800-53 solves three fatal problems in the old version – calling for common controls (rather than system by system controls), continuous monitoring (rather than periodic certifications), and prioritizing controls (rather than asking IGs to test everything). Those are the three drivers for the 20 Critical Controls (CAG)

Did you know? EventTracker supports all 15 automated security controls outlined in the Consensus Audit Guidelines (CAG)

Customer review of EventTracker
Northgate Minerals Corporation uses EventTracker for compliance with Sarbanes-Oxley and overall security.

Detecting ‘bot rot’ using Log Management and SIEM
There are many kinds of tools that can help detect the presence of a bot…Once a PC has been turned into a bot, it will begin exhibiting specific behaviors that include communicating with a command and control (C&C) master. This communication typically follows a pattern that is detectable by analyzing and/or correlating logs and looking for activities that stand out as “not the norm.”

Free Windows Security tools every admin must have
Since security and limited budgets are all the rage these days, here’s a set of free Windows server security tools you need to check out.