Smart Value: Getting more from Log Management
Every dip in the business cycle brings out the ‘get more value for your money’ strategies, and our current “Kingda Ka style” economic drop only increases the strategy implementation urgency. For IT this usually means either use the tools you have to solve a wider range of problems or buy a tool that with fast initial payback and can be used to solve a wide range of other problems. This series looks at how different log management tasks can be applied to solve a wider range of problems beyond the traditional compliance and security drivers so that companies can get more value for their IT money.
Login attack identification is a common use of log management. Most folks monitor and analyze login failures from a security perspective. They use reporting and policy engines to identify anomalies in user login patterns multiple login failures with different user names in a short amount of time, as indicators of security attack or for forensic or auditing purposes. Others are taking this one step further to apply this analysis to recognize the specific devices a customer uses to login as a means to prevent fraud or lower attack risks. However, these login analysis and reporting tasks can have uses beyond this traditional security driver.
Performance problem resolution
Login failures can also be an indicator of server or database misconfigurations, particularly since modern applications and databases depend on a complex collections of software modules. Those modules depend on login permissions to communicate just as much as we depend on login permissions to check our email.
Sometimes error messages about unknown login types or missing database connections are the result of duplicate installations of a particular module or slight variances in permissions within a database server cluster. Depending on where the error sits it may be fatal to the performance of a critical business service or it may fly under the radar — until a specific set of circumstances causes service performance to rapidly unravel.
These types of performance problems will also be occurring more frequently because:
- Security and compliance concerns: Many companies are requiring more frequent password changes for both users and communicating software modules. More frequent change means more opportunities for problems which creates more problem resolution work which eats up IT admin time that they should be spending on problem prevention.
- Virtualization: If misconfigurations get baked into virtual machine templates that are deployed over and over again, then the situation definitely gets worse. You end up with a template which causes the same performance problems which have to be solved over and over again.
These types of performance problems require log analysis solutions to identify error patterns and uncover unsuspected relationships between production environment deployment choices and error occurrences.
Login failures could also be a customer service indicator as well. For example, you can analyze the number of users that request password reminders that actually login a few minutes later. If your analysis shows that most users do not login successfully after a failed login then you have an indicator that a particular business goal is not being met. The business is missing opportunities to connect with those users — and you have an opportunity to engage/align/interact with business managers to figure out how to positively impact the business.
That’s the type of “tech hero” I think most IT managers aspire to be. The guys and gals that go beyond their day-to-day tasks to find ways to lighten burdens their colleagues didn’t know they were carrying. The data to do this type of hero-work is in the logs. It just needs to be surfaced in a way that makes sense to business managers, web designers and application developers.
Doing more with the same
If you already have tools to consolidate and analyze log data for login failures for security breaches you also have tools to prevent login misconfigurations from causing application performance problems, prevent login misconfigurations from creeping into VM templates, and provide insight into lost customer opportunities. It is simply a matter of applying the tools to these additional situations. However, we all know that just because something seems simple doesn’t mean that it is easy to achieve. It’s when you apply a solution to multiple problems do you really put the claims of flexibility and usability to the test. A good analysis tool should help you uncover patterns and relationships without creating a whole lot of extra work to bring in new data sources or run ad-hoc reports.
If you are trying to justify log management and analysis tools specifically for identifying login-based attacks don’t forget to include an ROI roadmap that shows a timeline for benefits beyond security attacks. The reason I like ROI roadmaps is that they get business folks thinking about IT solutions and IT time saved as assets to be leveraged in the next round of efficiency and productivity improvements — instead of thinking about IT time as only a maintenance cost that should be eliminated.
The most effective roadmaps would show how the solution will initially be used, the resulting benefits and the initial payback period as the first phase. Subsequent phases would show how you would leverage the time saved to apply the solution to other areas and the resulting benefits. These subsequent phases don’t have to be completely fleshed out, but should include enough substance to demonstrate that you are doing one of the fundamental laws of good business execution — thinking strategically while acting tactically.
4th of July hacker jailed after hospital hack
A Dallas hospital guard was ordered to jail following his arrest on charges of breaking into computers, planting malicious software and planning a massive distributed-denial-of-service (DDoS) attack on the Fourth of July.
Related Resource Read how Lehigh Valley Hospital uses EventTracker to get real-time alerts on unauthorized access, detect suspicious activity and security threats, and conduct forensic investigations.
Microsoft confirms another zero-day vulnerability
The vulnerability resides in Microsoft’s Office Web Components, which are used for publishing spreadsheets, charts and databases to the Web, among other functions. The company is working on a patch but did not indicate when it would be released, according to an advisory. “If exploited successfully, an attacker could gain the same user rights as the local user”
Did you know? EventTracker’s powerful integrated Change Monitoring module detects zero-day attacks and prevents costly damage from these new attacks types.
Insider arrested for stealing critical proprietary code from Financial Services Company
Wall Street is abuzz with news that a computer programmer has been arrested for stealing top-secret application code that drives his former company’s high-speed financial trading platform. Blogger says stolen code might have been Goldman Sachs’ ‘secret sauce’
Did you know? Log Management can not only proactively detect and help prevent incidents of insider theft, but also provide evidence to catch a culprit after the fact
EventTracker 6.3 review
IT Pro Magazine review of EventTracker 6.3 : “It [EventTracker] also provides a range of features not found in standard log management products…”