New NIST recommendations; Using Log Management to detect web vulnerabilities and more

June EventSource Newsletter
By Brian Musthaler

Log and security event management tame the wild west environment of a university network

Being a network administrator in a university environment is no easy task.  Unlike the corporate world, a university network typically has few restrictions over who can gain access; what type or brand of equipment people use at the endpoint; how those endpoint devices are configured and managed; and what users do once they are on the network.

A university network often has a higher volume of traffic than a private sector network does, as well as more wireless connections.  Rather than looking at faculty and students as users whose computing can be managed or dictated, university administrators must view them as customers whose needs must be met.  And the needs can be quite varied – everything from financial transactions at the campus bookstore to large file transfers for university research projects.  Needless to say, security for the network can be quite a challenge.

“In many ways, a university environment is much more complex than a corporate environment,” according to James Perry, the Information Security Officer at the University of Tennessee.  A university IT department almost functions more like an ISP than as a traditional IT department that sets computing standards and dictates how a network can be used.

Morris Reynolds, the Director of Information Security and Access Management at Wayne State University, echoes Perry’s comments.  “The students are basically our customers,” says Reynolds.  “Their computing needs present challenges, but if they complain, the IT group has to acquiesce.”

This requires a delicate balancing act.  On the one hand, the IT operations and security teams need to ensure the well being of university computing resources, as well as compliance with regulations such as HIPAA, PCI and the Family Educational Rights & Privacy Act (FERPA).  On the other hand, universities must be careful to avoid control procedures that may be viewed as violating student privacy, suppressing the right of free speech, or stifling to research programs and innovation.

In this “almost anything goes” environment, log and security event management are a boon to the university network administrator.  By correlating and analyzing log data from a wide range of devices, the admin is able to “see” so much more of what is happening on his network.  This helps him be more proactive in managing the operations and more effective in identifying security breaches based on university policies.  It’s a bit like bringing some semblance of order to the “Wild West” atmosphere of the college campus.

Log management helps bring order to chaos

For instance, Wayne State University has 33,000 students and 10,000 faculty members.  There are 10,000 concurrent users physically located on campus, and another 50,000 concurrent users coming into the network remotely.  The university network has more than 1,200 servers, 30,000 wired ports and 1,000 wireless access points.  The students provide their own PCs.  There’s no central control for the configuration of these endpoint devices, and they are largely unmanaged.

In this environment, a network firewall can easily experience more than 50,000 events per day.  When you take into consideration all the disparate event logs from all the devices, the total number of events logged in a single day is staggering.  And this is typical for many university networks.  Capturing the log data from all the network devices, normalizing it into a standard format, and correlating events can help to identify problems and lead to remediation.

For example, unmanaged endpoint devices like the students’ laptops are highly susceptible to viruses and malware that turn the PCs into nodes of a botnet.   When a botnet infection occurs, there is often a huge uptick in client-to-client session initiation.   As a result, there can be a major rise in the network bandwidth consumption by the infected machines.  There also may be an increase in the number of attempts to connect to the Internet.   These events are captured in device logs and can then be detected by a SIM/SIEM by correlating events across different devices such as routers and firewalls.  The SIM/SIEM can issue alerts and can remediate by restricting the students’ network access until their PCs have been cleaned.  This helps to limit further exposure and infection.

Logs also provide specific insight into changes to network resources, such as updates to Active Directory or modifications to a server’s registry and .ini files.  The changes recorded in the logs can be cross-referenced to the university’s change management logs/system to assure the change was expected and approved.   When an unauthorized change has been detected, the appropriate alerting and remediation can take place by backing out unauthorized changes.

From a network operation perspective, logs can provide insight into operational reliability problems, such as when a device becomes “noisy” – in other words, it generates many log entries.  This usually means that there is a problem such as an imminent device failure, the need for a software patch, or a misconfiguration.  These events can trigger an alert to a technician who can tend to the device’s needs before a complete failure.

In a university network environment where configuration standards and usage control just aren’t possible, log management and SIM/SIEM provide network administrators with a measure of control.  These tools help in identifying the root cause of issues by providing a holistic view into the network’s operational, security and audit logs in a centralized management tool, which in turn can assist in the detection of security breach, unauthorized change and operational events.

Compliance requirements also drive the need for log management

There is one way that university networks are similar to corporate networks.  A multitude of regulatory requirements is common in many large university environments, making compliance another driver for log and security information management.  Such regulations often dictate that logs be captured and monitored for events that violate a regulatory statute.  The University of Tennessee network is a typical example.

The UT network spans five campuses.  In addition to supporting the needs of the students and faculty, the network serves about 160 merchants, including bookstores, coffee shops and other sales operations.  Because these merchants accept payments via credit cards, this segmented portion of the network must meet PCI DSS compliance requirements.  Two of the UT campuses work with medical data, so HIPAA compliance is a must.  There’s financial data, meaning GLBA compliance, and student information that is governed by FERPA.  Log management is a vital tool in meeting compliance requirements and validating the efforts.

It’s a challenge to oversee the operations and security of a university network environment.  Perhaps that’s why so many university network administrators use their log management and SIM/SIEM tools to take the environment from “wild” to “mild.”

Brian Musthaler, CISA – is a Principal Consultant with Essential Solutions Corp.  A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Federal IT Security recommendations released in final NIST draft

The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.

Did you know? EventTracker offers a comprehensive solution that enables compliance with multiple regulations, standards and guidelines including NIST recommendations, FISMA, PCI-DSS, Sarbanes-Oxley, HIPAA, Consensus Audit Guidelines (CAG) and others

T-Mobile net reportedly hit by hacker/extortion attack

T-mobile customers are awakening this morning to reports that hacker/extortionists have victimized the cellular carrier through a massive network breach resulting in the theft of untold amounts of corporate and customer data, which they’re threatening to sell to the highest bidder.

Did you know? EventTracker provides 24/7 insight into enterprise networks and detects security threats/breaches in real-time for immediate remediation before costly reputation-damaging consequences occur

Hackers hit US Army websites

A group of computer hackers based in Turkey breached the sites of two U.S. Army facilities, leveraging SQL injection attacks, according to reports. “The question of vulnerability to SQL injection attacks has come up frequently… “The number is rising dramatically. SQL injection is a serious threat. Not enough organizations are paying attention to it.”

Did you know? Log Management can help you detect and prevent web attacks including SQL injection attacks

Revamped EventTracker KnowledgeBase

The EventTracker KnowledgeBase, a free repository of detailed descriptions and information on over 20,000 event logs, has a new look! The revamped web portal now provides easy Google-like searching and options for advanced search to quickly pinpoint specific events.