100 Log Management uses #21 File deletes

Today’s use case is a good one. Windows makes it very hard and resource-intensive to track file deletes, but there are certain directories (in our case, our price and sales quote folders) from which files should never be deleted. By enabling Object Access Auditing and using a good log analysis solution, you can pull a lot of valuable information from the logs that indicates unwarranted file deletions.

– By Ananth
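As an added illustration (not code from the post or from EventTracker), the detection logic below runs over a few constructed Windows Object Access audit records. It relies on two real Security log event IDs: 4663 (an access attempt on an object, listing the accesses requested, e.g. DELETE) and 4660 (the object was actually deleted), correlated by Handle ID; the folder names, user names and records are assumed sample data.

```python
"""Flag confirmed file deletions under protected folders from Windows audit records."""
from pathlib import PureWindowsPath

# Assumed protected folders (the post's "price and sales quote folders").
PROTECTED = [r"D:\Sales\Quotes", r"D:\Pricing"]

# Constructed sample records, already split into fields the way a log
# collector would present them. The "accesses" field is assumed to be the
# resolved access name rather than the raw %%-coded form.
SAMPLE = [
    {"id": 4663, "user": r"CORP\jdoe", "handle": "0x1a4",
     "object": r"D:\Sales\Quotes\acme.xlsx", "accesses": "DELETE"},
    {"id": 4660, "user": r"CORP\jdoe", "handle": "0x1a4"},          # confirms removal
    {"id": 4663, "user": r"CORP\svc_backup", "handle": "0x2b0",
     "object": r"D:\Sales\Quotes\old.xlsx", "accesses": "DELETE"},  # attempt only, no 4660
    {"id": 4663, "user": r"CORP\asmith", "handle": "0x3c8",
     "object": r"C:\Temp\scratch.txt", "accesses": "DELETE"},
    {"id": 4660, "user": r"CORP\asmith", "handle": "0x3c8"},        # outside protected folders
    {"id": 4663, "user": r"CORP\jdoe", "handle": "0x4d1",
     "object": r"D:\Pricing\list.csv", "accesses": "ReadData"},     # not a delete
]


def is_protected(path):
    """True if path lies inside a protected folder (Windows paths compare case-insensitively)."""
    p = PureWindowsPath(path)
    return any(p.is_relative_to(PureWindowsPath(base)) for base in PROTECTED)


def find_deletions(records):
    """Return (user, object) pairs for confirmed deletions inside protected folders.

    A 4663 with DELETE access is only a request; the matching 4660 (same handle)
    is what confirms the file was actually removed. On a live feed, also key on
    Process ID and a time window, since handle values are reused over time.
    """
    pending = {}  # handle -> (user, object) for delete requests awaiting a 4660
    hits = []
    for r in records:
        if (r["id"] == 4663 and "DELETE" in r["accesses"].split()
                and is_protected(r["object"])):
            pending[r["handle"]] = (r["user"], r["object"])
        elif r["id"] == 4660 and r["handle"] in pending:
            hits.append(pending.pop(r["handle"]))
    return hits


if __name__ == "__main__":
    for user, obj in find_deletions(SAMPLE):
        print(f"ALERT: {user} deleted {obj}")
```

The unconfirmed DELETE request (a 4663 without its 4660) is deliberately not reported, which keeps the alert list to real deletions rather than every handle opened with delete rights.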

Famous Logs

The Merriam-Webster dictionary defines a log as “a record of performance, events, or day-to-day activities”. Though we think of logs in the IT context, over the years many famous logs have been written. Here are some of my favorites:

Dr. Watson, who logged the cases of Sherlock Holmes

The Journals of Lewis and Clark, one of the greatest voyages of discovery in human history.

The Motorcycle Diaries: Notes on a Latin American Journey

The fictional Prof. Pierre Aronnax, who chronicled the fantastic travels of Capt. Nemo in Jules Verne’s 20,000 Leagues Under the Sea

Diary of a Young Girl by Anne Frank, a vivid, insightful journal and one of the most moving and eloquent documents of the Holocaust.

Personal logs from captains of the Enterprise (Kirk, Picard, Janeway).

Samuel Pepys, the renowned 17th century diarist who lived in London, England.

The record by Charles Darwin, of his trip on the HMS Beagle

Bridget Jones’s Diary by Helen Fielding

100 Log Management uses #20 Solaris BSM system boots

Today is another Solaris BSM example. The Basic Security Module of Solaris audits all system boots, and it is good practice to have checks in place to ensure that these critical systems are only being restarted at the correct times. Any unexpected activity is something that should be investigated.

– By Ananth

100 Log Management uses #19 Account Management

Today’s look at logs illustrates a typical use case: reviewing logs for unexpected behavior. Within Active Directory you have users and groups that are created, deleted and modified. It is always a good idea to go in and review the activities of your domain admins, just to be sure that they match what you feel should be occurring. If they differ, it is something to investigate further.

– By Ananth

100 Log Management uses #18 Account unlock by admin

Today we look at something a little different – reviewing admin activity for unlocking accounts. Sometimes a lockout occurs simply because a user has fat fingers, but often accounts are locked on purpose, and unlocking one of these should be reviewed to see why.

100 Log Management uses #17 Monitoring Solaris processes

The Solaris operating system has some interesting daemons that warrant paying attention to. Today’s log use case examines monitoring processes such as sendmail, auditd and sadm, to name a few.

Security threats rise in recession

Comply, secure and save with Log Management

How LM / SIEM plays a critical role in the integrated system of internal controls

Many public companies are still grappling with the demands of complying with the Sarbanes-Oxley Act of 2002 (SOX). SOX Section 404 dictates that audit functions are ultimately responsible for ensuring that financial data is accurate. One key aspect of proof is the absolute verification that sufficient control has been exercised over the corporate network where financial transactions are processed and records are held.

Where do auditors find that proof? In the data points logged by today’s SIEM tools, of course.

The logged data is a pure treasure trove of information that provides insight into every aspect of an organization’s information technology (IT) operations. As a compensating / detective control, the data is an integral part of an organization’s overall system of internal controls. Moreover, depending on the tools being utilized, the data also can be the starting point of a preventative control.

The proper distillation of critical log data is a bit like looking at a very large haystack and helping the auditor determine whether a needle (i.e., a violation of a control) is buried within. An understanding of what guides the audit function as it pertains to SOX will help to explain the search for the elusive needle, if it even exists.

The COSO control framework guides the SOX audit function

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) is a U.S. private-sector initiative whose major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. In 1992, COSO established a common definition of internal controls, standards and criteria against which companies and organizations can assess their control systems. This widely used framework provides a corporate governance model, a risk model and control components that together form the blueprint for establishing internal controls that minimize risk, help ensure the reliability of financial statements, and comply with various laws and regulations.

COSO is a general framework that is not specific to the IT area of a company, or to any other functional area, for that matter. However, the COSO framework can be, and often is, applied specifically to IT processes and controls that are governed by SOX Section 404 compliance, the Assessment of Internal Control for all controls related to financial data and reporting.

According to the COSO framework, internal controls consist of five interrelated components. These components are derived from the way management runs a business and are integrated with the organization’s management processes. The components are: the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring. And, as described below, log management has a crucial role in each of them.

  • The Control Environment – Coming from the Board of Directors and the executive management, a company’s control environment sets the tone of how the organization will conduct its business, thereby influencing the control consciousness of the entire workforce. The control environment provides discipline and structure, and includes factors such as corporate integrity, ethical values, management’s operating style, delegation of authority systems, and the processes for managing and developing people in the organization.

Log management aids corporate management in designing, implementing, and refining controls via its ability to establish a baseline, or snapshot, of an organization’s IT infrastructure and its activities; for example, knowing what devices exist, what applications are running on them, and who is accessing the applications.

  • Risk Assessment – Every organization has business objectives; for example, to produce a product or provide a service. Likewise, every organization faces a variety of risks to meeting its objectives. The risks, which come from both internal and external sources, must be identified and assessed. This risk assessment process is a prerequisite for determining how the risks should be managed.

Log data/management is a starting point of the iterative IT risk management process by providing baseline and near real-time insight into the condition of an organization’s infrastructure. This helps the company identify and assess the risks that may threaten the business objectives and provides the opportunity for the revision of an organization’s acceptable risk posture. And then with a continual feed, log data can be used to ascertain current conditions and to alert someone to the need for appropriate corrective action to mitigate a risk if one arises.

  • Control Activities – Control activities are the policies and procedures that help ensure management directives are carried out and that necessary actions are taken to address the risks to achieving the organization’s objectives. Control activities occur throughout the organization, at all levels and in all functions. Numerous control activities are utilized in the IT area, including access control, change control and configuration control, to name a few.

Log management provides automated event correlation/consolidation and reporting, thereby providing assurance that log data entries are presented to control stakeholders accurately and in a timely fashion. This reporting allows management to take corrective action if needed, as well as measure the effectiveness of designed processes and controls.

  • Information and Communication – Information systems play a key role in internal control systems as they produce reports including operational, financial and compliance-related information that make it possible to run and control the business. An effective communication system ensures that useful information is promptly distributed to the people who need it – outside as well as inside the organization – so they can carry out their responsibilities.

Within log management, this takes the form of automated generation and delivery of detail and summary reports and alerts of key events for appropriate management review and/or action.

  • Monitoring – Internal control systems need to be monitored – a process that assesses the quality of the system’s performance over time. This is accomplished through ongoing monitoring activities, separate evaluations or a combination of the two.

From a log manager’s view, “monitoring” is what he is doing on a daily basis – i.e., performing a “control activity.” From the COSO view, “monitoring” is the assessment of how well the control activities are performing. In other words, the latter is looking over the shoulder of the former to make sure the control activities are effective.

Once an organization has established its control structure(s), an auditor is charged with the independent review of the controls that have been implemented. He is ultimately responsible for assessing the effectiveness of the controls, including those IT controls designed to protect the accuracy and reliability of financial data. This is the heart of SOX Section 404.

A unified and comprehensive log management approach will continue to be the cornerstone of an IT organization’s control processes. It is the best way to get timely insight into all activities on the network that have a material impact on all systems, including financial systems.

Brian Musthaler, CISA, is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

PCI costs slow compliance projects in down economy
The economic recession is making it difficult for some information security pros in financial services to get the funding they need to accomplish their goals. A good example of a project that can help both the bottom line and PCI compliance is automated log management.

Security threats rise in recession
Threats to data and network security increase during tough times, even as scarce resources make companies more vulnerable to attack.

Did you know? EventTracker allows you to meet a large number of requirements while helping you cut costs and boost productivity. Comply with standards such as PCI-DSS, secure critical servers, protect against inside theft and optimize IT operations while saving money at the same time! Need hard numbers? Take a look at our ROI calculator.

Feds allege plot to destroy Fannie Mae data
A fired Fannie Mae contract worker pleaded not guilty Friday to a federal charge he planted a virus designed to destroy all the data on the mortgage giant’s 4,000 computer servers nationwide.

Did you know? Employees, especially disgruntled ones, can significantly increase the risk exposure of a company. EventTracker helps companies minimize this risk by tracking and alerting on all unusual/unauthorized user activity.

Prism Microsystems continues record revenue into 4th quarter
We had a great 4th quarter – get a recap of our performance and key product innovations in 2008.

100 Log Management uses #16 Patch updates

I recorded this Wednesday, the day after Patch Tuesday, so fittingly we are going to look at using logs to monitor Windows Updates. Not being up to date on the latest patches leaves security holes, but with so many machines and so many patches it is often difficult to keep up with them all. Using logs helps.

100 Log Management uses #15 Pink slip null

Today is a depressing log discussion, but certainly a sign of the times. When companies are going through reductions in force, IT is called upon to ensure that the company’s IP is protected. This means that personnel no longer with the company should no longer have access to corporate assets. Today we look at using logs to monitor for any improper access.

100 Log Management uses #14 SQL login failure

Until now, we have been looking mostly at system, network and security logs. Today, we shift gears and look at database logs, more specifically user access logs in SQL Server.

-By Ananth

100 Log Management uses #13 Firewall traffic analysis

Today, we stay on the subject of Firewalls and Cisco PIX devices in particular. We’ll look at using logs to analyze trends in your firewall activity to quickly spot anomalies.

-By Ananth

100 Log Management uses #12 Firewall management

Today’s and tomorrow’s posts look at your firewall. There should be few changes to your firewall and even fewer people making those changes. Changing firewall permissions is likely the easiest way to open up the most glaring security hole in your enterprise. It pays to closely monitor who makes changes and what the changes are, and today we’ll show you how to do that.

-By Ananth

100 Log Management uses #11 Bad disk blocks

I often get the feeling that one of these days I am going to fall victim to disk failure. Sure, most of the time it is backed up, but what a pain. And it always seems as though the backup was done right before you made those modifications yesterday. Monitoring bad disk blocks on devices is an easy way to get an early indication of a potential problem. Today’s use case looks at this activity.

– By Ananth

100 Log Management uses #10 Failed access attempts

Today we are going to look at a good security use case for logs: reviewing failed attempts to access shares. Sometimes an attempt to access a directory or share is simply clumsy typing, but often it is an attempt by internal users or hackers to snoop in places they have no need to be.

100 Log Management uses #9 Email trends

Email has become one of the most important communication methods for businesses — for better or worse! Today we look at using logs from an ISP mail service to get a quick idea of overall trends and availability. Hope you enjoy it.

-By Ananth

100 Log Management uses #8 Windows disk space monitoring

Today’s tip looks at using logs for monitoring disk usage and trends. Many Windows programs (SQL Server, for example) count on certain amounts of free space to operate correctly, and in general when a Windows machine runs out of disk space it handles the condition in a less than elegant manner. In this example we will see how reporting on free disk space and its trend gives a quick and easy early warning system to keep you out of trouble.