100 Log Management uses #7 Windows lockout

A couple of days ago we looked at password resets; today we are going to look at something related – account lockouts. This is something that is relatively easy to check – you’ll see many caused by fat fingers, but when you start seeing lots of lockouts, especially admin lockouts, it is something you need to be concerned about.

[See post to watch Flash video] -Ananth

Learning from Walmart

H. Lee Scott, Jr. is the current CEO of WalMart. On Jan 14, 2009, he reflected on his 9 year tenure as CEO as a guest on the Charlie Rose show.

Certain basic truths, that we all know but bear repeating, were once again emphasized. Here are my top takeaways from that interview:

1) Listen to your customers, listen harder to your critics/opponents, and get external points of view. WalMart gets a lot of negative press and new store locations often generate bitter opposition from some locals. However, the majority (who vote with their dollars) would appear to favor the store. WalMart’s top management team, who consider themselves decent and fair business people with an offering that the majority clearly prefers, were unable to understand the opposition. Each side retreated to their trenches and dismissed the other. Scott described how members of the board, with external experience, were able to get Wal-Mart management to listen carefully to what the opposition was saying and, through dialog, help mitigate the situation.

2) Focus like a laser on your core competency. Walmart excels at logistics, distribution and store management — the core business of retailing. It is, however, a low margin business. With its enormous cash reserves, should Wal-Mart go into other areas, e.g. product development, where margins are much higher? While it’s tempting, remember “Jack of all trades, master of none”? 111th Congress?

3) Customers will educate themselves before shopping. In the Internet age, expect everybody to be better educated about their choices. This means, if you are fuzzy on your own value proposition and cannot articulate it well on your own product website, then expect to do poorly.

4) In business – get the 80% stuff done quickly. We all know that the first 80% goes quickly; it’s the remaining 20% that is hard and gets progressively harder (Zeno’s Paradox). After all, more than 80% of code consists of error handling. While that 20% is critical for product development, it’s the big 80% done quickly that counts in business (and in government/policy).

The fundamentals are always hard to ingrain – eat in moderation, exercise regularly and all that. Worth reminding ourselves in different settings on a regular basis.


100 Log Management uses #6 Password reset

Today we look at password reset logs. Generally the first thing a hacker does when hijacking an account is to reset the password. Any resets therefore are worth investigating, more so multiple password resets on an account.

-By Ananth
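The lockout check from use #7 and the password reset check above work from the same Windows security events, so here is one added example that covers both. It is my own code, not Ananth’s video material or anything from EventTracker. It assumes a constructed pipe-delimited export of events (time, event ID, target account, caller), a hypothetical `ADMIN_ACCOUNTS` set of privileged accounts, and thresholds (three lockouts or two resets of one account inside an hour) that you would tune for your own environment. The event IDs are the real Windows ones: 4740/644 for a lockout and 4724/628 for a password reset attempt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Windows security event IDs (Vista/2008 and later, with the Windows 2003 equivalents):
#   4740 / 644 = "A user account was locked out"
#   4724 / 628 = "An attempt was made to reset an account's password"
LOCKOUT_IDS = {4740, 644}
RESET_IDS = {4724, 628}

# Assumption: privileged accounts whose lockout or reset is always worth a look.
ADMIN_ACCOUNTS = {"administrator"}

# Constructed sample export (not real logs): time | event id | target account | caller or source
SAMPLE_EVENTS = """\
2009-01-14 08:01:10|4740|jsmith|WKS-0412
2009-01-14 08:03:45|4740|jsmith|WKS-0412
2009-01-14 08:05:02|4740|administrator|WKS-0199
2009-01-14 08:06:30|4740|bjones|WKS-0220
2009-01-14 08:06:41|4740|bjones|WKS-0220
2009-01-14 08:06:55|4740|bjones|WKS-0220
2009-01-14 08:07:10|4740|bjones|WKS-0220
2009-01-14 09:15:00|4724|jsmith|helpdesk01
2009-01-14 09:16:20|4724|mlee|helpdesk01
2009-01-14 09:40:05|4724|mlee|mlee
2009-01-14 10:02:00|4724|administrator|svc-backup
"""


def parse_events(text):
    """Parse the pipe-delimited export above into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, target, caller = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": int(eid),
            "target": target.lower(),
            "caller": caller.lower(),
        })
    return events


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_suspicious(events, lockout_threshold=3, reset_threshold=2, window=timedelta(hours=1)):
    """Return sorted (reason, account, count) tuples for patterns worth investigating.

    A single fat-fingered lockout is ignored; a burst of lockouts on one account, any
    lockout of a privileged account, repeated resets of one account, or any reset of a
    privileged account is reported.
    """
    lockouts = defaultdict(list)
    resets = defaultdict(list)
    for e in events:
        if e["id"] in LOCKOUT_IDS:
            lockouts[e["target"]].append(e["time"])
        elif e["id"] in RESET_IDS:
            resets[e["target"]].append(e["time"])

    alerts = []
    for acct, times in lockouts.items():
        burst = max_in_window(times, window)
        if acct in ADMIN_ACCOUNTS:
            alerts.append(("admin-lockout", acct, len(times)))
        elif burst >= lockout_threshold:
            alerts.append(("repeated-lockout", acct, burst))
    for acct, times in resets.items():
        burst = max_in_window(times, window)
        if acct in ADMIN_ACCOUNTS:
            alerts.append(("admin-password-reset", acct, len(times)))
        elif burst >= reset_threshold:
            alerts.append(("repeated-password-reset", acct, burst))
    return sorted(alerts)


if __name__ == "__main__":
    for reason, acct, n in find_suspicious(parse_events(SAMPLE_EVENTS)):
        print(f"{reason:24s} {acct:15s} {n} event(s)")
```

On the constructed data, jsmith’s two lockouts and single helpdesk reset stay quiet, while bjones’s burst of lockouts, the two resets of mlee within an hour, and anything touching the administrator account are reported. The sliding window matters: a lockout count per day hides a burst of four in one minute among a day’s worth of fat fingers.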

100 Log Management uses #5 Outbound Firewall traffic

A couple of days ago we looked at monitoring firewall incoming traffic. In many cases outbound traffic is as much a risk as incoming. Once hackers penetrate your network they will try to obtain information through spyware and attempt to get this information out. Also, outbound connections often chew up bandwidth — file sharing is a great example of this. We had a customer that could not figure out why his network performance was so degraded — it turned out to be an internal machine acting as a file sharing server. Looking at the logs is what uncovered it.

By Ananth

100 Log Management uses #4 Solaris BSM SU access failure

Today is a change of platform — we are going to look at how to identify Super User access failures on Solaris BSM systems. It is critical to watch for SU login attempts, since once someone is in at SU or root level, the keys to the kingdom are in their pocket.

-By Ananth

100 Log Management uses – #3 Antivirus update

Today we are going to look at how you can use logs to ensure that everyone in the enterprise has gotten their automatic Antivirus update. One of the biggest security holes in an enterprise is individuals that don’t keep their machines updated, or turn auto-update off. In this video we will look at how you can quickly identify machines that are not updated to the latest AV definitions.

-By Ananth

100 Log Management uses – #2 Active Directory login failures

Yesterday we looked at firewalls, today we are shifting gears and looking at leveraging those logs from Active Directory. Hope you enjoy it.

– By Ananth

100 Log Management uses – #1 Firewall blocks

…and we’re back, with use-case #1 – Firewall Blocks. In this video, I will talk about why it’s important to not just block undesirable connections but also monitor traffic that has been denied entry into your network.

By Ananth
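Use #1 (watching denied traffic) and use #5 (watching outbound traffic, including the file-sharing box that was dragging down a customer’s network) both come down to aggregating firewall log lines by host. The following is an added example of that aggregation; it is my own code, not from the video series or from EventTracker. The log format is a constructed syslog-style layout, the `10.0.0.0/8` internal range and the thresholds (three denies from one source, four distinct external peers for one internal host) are assumptions you would set for your own network.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed syslog-style firewall lines (not from any real device or vendor format):
#   <date> <firewall> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>
SAMPLE_LOG = """\
Jan 14 10:00:01 fw1 DENY TCP 198.51.100.7:51234 -> 203.0.113.10:22
Jan 14 10:00:02 fw1 DENY TCP 198.51.100.7:51235 -> 203.0.113.10:23
Jan 14 10:00:03 fw1 DENY TCP 198.51.100.7:51236 -> 203.0.113.10:445
Jan 14 10:00:04 fw1 DENY TCP 198.51.100.7:51237 -> 203.0.113.10:3389
Jan 14 10:00:09 fw1 DENY UDP 198.51.100.22:40000 -> 203.0.113.10:161
Jan 14 10:01:00 fw1 ALLOW TCP 10.1.2.15:50001 -> 203.0.113.50:80
Jan 14 10:01:05 fw1 ALLOW TCP 10.1.2.15:50002 -> 203.0.113.51:443
Jan 14 10:02:00 fw1 ALLOW TCP 10.1.2.99:6881 -> 198.51.100.40:6881
Jan 14 10:02:01 fw1 ALLOW TCP 10.1.2.99:6881 -> 198.51.100.41:6881
Jan 14 10:02:02 fw1 ALLOW TCP 10.1.2.99:6881 -> 192.0.2.77:6881
Jan 14 10:02:03 fw1 ALLOW TCP 10.1.2.99:6881 -> 192.0.2.78:51413
Jan 14 10:02:04 fw1 ALLOW TCP 10.1.2.99:6881 -> 192.0.2.79:6889
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<fw>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Parse the constructed log format into a list of dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        events.append(rec)
    return events


def denied_by_source(events, min_count=3):
    """Use #1: sources with at least min_count denied connections.

    Returns {source: (number of denies, number of distinct destination ports)}; a high
    port count from one source is the pattern that deserves a closer look.
    """
    denies = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            denies[e["src"]].append(e["dport"])
    return {src: (len(ports), len(set(ports)))
            for src, ports in denies.items() if len(ports) >= min_count}


def outbound_peer_fanout(events, internal_net="10.0.0.0/8", min_peers=4):
    """Use #5: internal hosts whose allowed outbound traffic reaches many distinct external hosts.

    A workstation talking to a handful of web servers is normal; one host fanning out to
    dozens of external peers is the signature of the file-sharing server in the post.
    """
    net = ipaddress.ip_network(internal_net)
    peers = defaultdict(set)
    for e in events:
        if e["action"] != "ALLOW":
            continue
        src = ipaddress.ip_address(e["src"])
        dst = ipaddress.ip_address(e["dst"])
        if src in net and dst not in net:
            peers[e["src"]].add(e["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


if __name__ == "__main__":
    evs = parse_firewall_log(SAMPLE_LOG)
    for src, (denies, ports) in denied_by_source(evs).items():
        print(f"denied: {src} {denies} blocked connections across {ports} ports")
    for src, n in outbound_peer_fanout(evs).items():
        print(f"outbound: {src} reached {n} distinct external hosts")
```

Both reports are counts per host, which is deliberately simple: the point of the two posts is that the denied entries and the allowed outbound entries are already in the firewall log, and a short aggregation over them surfaces the one external source probing several ports and the one internal host with far more external peers than its neighbours.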

100 uses of Log Management – Series

Here at Prism we think logs are cool, and that log data can provide valuable intelligence on most aspects of your IT infrastructure – from identifying unusual patterns that indicate security threats, to alerting on changes in configuration data, to detecting potential system downtime issues, to monitoring user activity. Essentially, Log Management is like a Swiss Army knife or even duct tape — it has a thousand and one applications.

Over the next 100 days, as the new administration takes over here in Washington DC, Ananth, the CEO of Prism Microsystems, will present the 100 most critical use-cases of Log Management in a series of videos focusing on real-world scenarios.

Watch this space for more videos, and feel free to rank and comment on your favorite use-cases.

By Ananth

The IT Swiss army knife EventTracker 6.3 and more

Log Management can find answers to every IT-related problem

Why can I say that? Because I think most problems get handled the same way. The first stage is someone getting frustrated with the situation. They then use tools to analyze whatever data is accessible to them. From this analysis, they draw some conclusions about the problem’s answer, and then they act. Basically, finding answers to problems requires the ability to generate intelligence and insight from raw data.

IT-related problems are no different. The only twist is that IT problems are growing in number, size and complexity at a faster rate than the budgets and resources targeted at those problems, even during good economic times. This means a lot of people (from CIOs to CFOs to security to operations managers) are frustrated with this situation. However, they lack a solution designed to analyze raw data and report the intelligence and insight needed to draw conclusions. What they need is a cost effective way to find answers from the available data.

The case for log management
Given this backdrop, it is fairly straightforward to see the logic behind my article title:
Step 1: Logs are a source of raw data for IT
Step 2: Log management solutions can make it easier to extract intelligence from IT data
Step 3: IT managers can use extracted intelligence to find answers to problems

Logs are a record of what a system is doing minute by minute. Each system log by itself is only mildly interesting (usually only to a technician when troubleshooting a problem). However, the aggregate of all logs contains more treasure than a Nicolas Cage movie. With the right search, query and reporting tools this raw data can turn into detailed understanding of most aspects of your business, from how consumers use your systems to purchase goods, to how the company’s risk profile changes over time, to how bottlenecks slow automated workflows, to identifying unusual patterns that indicate security threats.

The raw data for all of this understanding is already there. It is distributed on every IT asset with a log file because log files often contain electronic traces of interactions between assets and between users and assets. By examining these traces you can see patterns, by understanding patterns you can draw conclusions and plan actions. That is what it means to be proactive. That is what it means to work smarter not harder.

However, to turn gold ore (IT logs) into gold treasure (actionable answers) requires the ability to search, query, report on and analyze the vast and restless sea of data generated by the IT assets running your business’ operations, in order to generate intelligence and insight. With that solution in place, it becomes a matter of applying that ability to generate intelligence to the specific scenario.

The gold coins for IT Operations include answers to questions such as:
• Have there been any unauthorized configuration changes? With this answer staff can act to prevent service outages, data leaks, SLA penalties and compliance issues.
• How many VMs are deployed right now and who owns them? With this answer staff can act to increase resource utilization and minimize capital costs.
• How is the new load-balancing policy actually allocating workloads? With this answer staff can act to ensure capacity is allocated according to business priorities.

For security teams, the treasure chest contains real-time gems and forensic jewels. Since enterprise environments are getting more complex and more dynamic, it is more difficult to rapidly investigate cause and effect during the crisis without automated correlation of configuration changes and the events that are logged by systems, applications, and network infrastructure. Forensic analysis of IT data allows staff to test potential answers (such as changing an operational policy, adding a new configuration check, or implementing a new correlation rule) to the “how do we prevent this from happening again” question.

Compliance officers can swim away with multiple gold medals because most analysts believe more regulations are coming, even if their computing environment remains relatively unchanged over the next 18 months. These new regulations are likely to involve analyzing and reporting the same raw IT data different ways to answer questions about:
• The integrity of systems, applications and processes,
• The ability to differentiate between good and bad interactions between systems and between employees and systems,
• The process for preventing and mitigating unauthorized changes, etc.

The effort involved in answering those management, security and governance questions could be days worth of remotely accessing systems and copying data into spreadsheets – or could be a mouse-click to view a dashboard or report generated by a log management solution. Similarly, each group could purchase separate solutions to generate their intelligence treasure – or could use an enterprise-wide solution flexible enough to address their critical needs in each area. It’s up to the company to decide by focusing on their needs.

Get started by focusing on critical needs
Financial crises tend to cut through the hazy grind of daily business operations and to focus people on critical needs. This global credit crunch is no different. For business executives, the two critical needs are:

  • protecting what they have by keeping service performance stable while lowering operational costs; and
  • adapting to unexpected situations and problems by increasing business agility while lowering risk management costs.

For business technologists, the two critical needs are meeting those business demands and holding onto their jobs.

The margin for error is very slim. Businesses that allow service performance to disintegrate during tough times or take risky actions to deal with market fluctuations, unexpected service problems or malicious attacks rarely make it through economic downturns in any shape to compete effectively in the future. Typically, survivor companies do not cut costs blindly. Instead they use tough times as a mandate for projects that dramatically improve the competitive value of their staff’s daily activities.

There is only one way to do that when your business services and competitiveness are IT-dependent – skyrocket productivity with a proactive approach to managing, securing and governing technology assets delivering business services and agility. Since there can be hundreds of technology assets per business employee, the only way operations, security and compliance staff can become more proactive is to get better intelligence, knowledge and insight.

This brings us right back to where we started. Having better intelligence is a key part of dealing with every IT-related issue and every additional demand that business executives challenge IT to meet without increasing its staff. Therefore, it is time to get IT intelligence (aka log management) solutions off of the wish list and into the hands of the staff that need it.

Jasmine Noel is founder and partner of Ptak, Noel & Associates. With more than 10 years experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion. Send any comments, questions or rants to

Industry News

Lock down that data
Another example of the insider threat to personally identifiable information has surfaced. In December, an employee in the human resources department of the Library of Congress was charged with conspiring to commit wire fraud for a scheme in which he stole information on at least 10 employees from library databases.

Did you know? EventTracker not only enables insider threat detection, but also provides a complete snapshot of a user’s activity including application usage, printer activity, idle-time, software install/uninstall, failed and successful interactive/non-interactive logins, changes in group policy, deleted files, websites visited, USB activity and more to deter unauthorized access.

In the Vault
When it comes to protecting financial info, IT security professionals can never rest on their laurels. These organizations must adopt new technologies, ramp up online banking options, and deal with employee turnover. That’s why these firms continually need to review the security measures in place.

Did you know? EventTracker provides you with scheduled or on-demand reviews of security measures allowing you to proactively address potential weaknesses in security controls, while reacting to security incidents.

EventTracker melds Smart Search with Advanced SIEM capabilities
Best-of-both-worlds solution combines free-form, intuitive searching with intelligent analytics, correlation, mining and reporting in one turn-key package

What’s new in EventTracker 6.3?
Free form Google-like search, user profiling and more… Watch the video for detailed information.

Extreme logging or Too Much of a Good Thing

Strict interpretations of compliance policy standards can lead you up the creek without a paddle. Consider two examples:

  1. From PCI-DSS comes the prescription to “Track & monitor all access to network resources and cardholder data”. Extreme logging is when you decide this means a db audit log larger than the db itself plus a keylogger to log “all” access.
  2. From HIPAA 164.316(b)(2) comes the Security Rule prescription to “Retain … for 6 years from the date of its creation or the date when it last was in effect, whichever is later.” Sounds like a boon for disk vendors and a nightmare for providers.

Before you assault your hair follicles, consider:
1) In clarification, Visa explains “The intent of these logging requirements is twofold: a) logs, when properly implemented and reviewed, are a widely accepted control to detect unauthorized access, and b) adequate logs provide good forensic evidence in the event of a compromise. It is not necessary to log all application access to cardholder data if the following is true (and verified by assessors):
– Applications that provide access to cardholder data do so only after making sure the users are authorized
– Such access is authenticated via requirements 7.1 and 7.2, with user IDs set up in accordance with requirement 8, and
– Application logs exist to provide evidence in the event of a compromise.”

2) The Office of the Secretary of HHS waffles when asked about retaining system logs; this can be reasonably interpreted to mean the six year standard need not be taken literally for all system and network logs.