100 Log Management uses #32 Detecting insecure object references

Continuing our OWASP series, today we look at vulnerability A4, in which an attacker manipulates object references to retrieve sensitive information, and at how logs can be used by admins to detect signs of these attacks. We also look at some best practices you can employ on your servers to make these attacks more difficult.

By Ananth

100 Log Management uses #31 Detecting malicious file execution in the web server

Today’s video continues our series on web vulnerabilities. We look at OWASP A3 — malicious file execution attacks against the web server — and discuss ways that admins can both prevent these attacks and detect them when they do occur.

By Ananth

Compromise to discovery

The Verizon Business Risk Team publishes a useful Data Breach Investigations Report drawn from over 500 forensic engagements over a four-year period.

The report describes a “Time Span of Breach” event broken into four stages of an attack. These are:

– Pre-Attack Research
– Point of Entry to Compromise
– Compromise to Discovery
– Discovery to Containment

The first two stages are under the control of the attacker; the other two are under the control of the defender. Log management is particularly useful in the discovery stage. So what does the 2008 version of the DBIR show about the time between Compromise and Discovery? Months. Sigh. Worse yet, in 70% of the cases, discovery consisted of the victim being notified by someone else.

Conclusion? Most victims do not have sufficient visibility into their own networks and equipment.

Gaining that visibility is not hard, but it is tedious. The tedium can be relieved, for the most part, by a one-time setup and configuration of a log management system. Perhaps not the most exciting project you can think of, but hard to beat for effectiveness and return on investment.


100 Log Management uses #30 Detecting Web Injection Attacks

Today’s Log Management use case continues our look at web vulnerabilities from the OWASP website. We look at vulnerability A2, injection flaws, and at how injection attempts, particularly SQL injection, can be detected by analyzing web server log files.

By Ananth

100 Log Management uses #29 Detecting XSS attacks

Today we begin our series on web vulnerabilities. The number 1 vulnerability on the OWASP list is cross-site scripting (XSS). XSS seems to have replaced SQL injection as the new favorite of web attackers. We look at using web server logs to detect signs of XSS attacks.


EventTracker gets 5 star review; 100 Log Management uses and more

Have your cake and eat it too: improve IT security and comply with multiple regulations while reducing operational costs and saving money

Headlines don’t lie. The number and severity of security breaches suffered by companies has consistently increased over the past couple of years, and statistics show that 9 out of 10 businesses will suffer an attack on their corporate network in 2009. At the same time, there is growing pressure to comply with regulations and standards such as PCI-DSS, HIPAA and Sarbanes-Oxley, non-compliance with which can result in large fines and costly long-term damage to corporate reputations. However, in the midst of an economic recession, when companies are tightening their belts, reducing headcount and scrutinizing project costs, it is getting difficult for IT professionals to get the funding they need to meet their goals. The silver lining is that SIEM solutions allow you to reduce security risks and comply with multiple regulations while helping you save money – a win-win situation in the current environment.

The new IT landscape

From insider theft to highly targeted malware and zero-day attacks, cyber crime is evolving rapidly, and what was secure last year is not necessarily secure this year. With the proliferation of mobile devices, the new avenues for data theft are plenty – USB thumb drives, PDAs and iPods are easy to conceal, and copying confidential data onto these devices often takes just a couple of minutes. And with corporate networks accommodating not just employees but also outside contractors and third-party providers across multiple locations, the risk is real, serious and extremely hard to minimize without clamping down on productivity.

At the same time, cyber crime has evolved from a hobbyist occupation into a multi-billion dollar industry. Organized, profit-driven groups use automated processes and highly targeted attacks to infiltrate networks in very little time and surreptitiously siphon off enterprise data. The threat to critical IT assets is only increasing in volume and sophistication. And with the global meltdown, the impetus behind data theft has grown manifold – from disgruntled ex-employees who have been laid off to desperate people willing to take desperate measures for financial gain. With the capabilities of IT departments being pushed to their limits, the recession has created a perfect storm in the world of IT security, and criminals are taking advantage of it. It is no longer a question of if but of when and how – when will an attack occur, and how costly will it be?

While dealing with this widening threat landscape, IT departments are still tasked with maintaining compliance with regulatory standards and government stipulations that are often vague and difficult to translate into implementation guidelines. Non-compliance is not an option since the potential for costly repercussions, whether in the form of fines, lawsuits, litigation or corporate reputation damage, is high.

The challenge

So the challenge for IT lies in managing multiple requirements in the face of budget cuts, increasing layoffs and shrinking resources. As companies scrutinize every investment, fear-factor arguments for funding security projects are waning for a number of reasons, including:

  • “We have not been attacked so far, therefore we must be immune” syndrome
  • Absence of a widespread, debilitating (9/11 style) malware attack
  • Absence of hard figures on the economic impact of a security breach
  • Measuring ROI on security investments is difficult because it depends on a company’s tolerance for risk, and the money “saved” is intangible.
  • It can be difficult to prove that the organization would have been attacked without the solution in place.

It is no wonder, then, that compliance remains the main driver for many security solutions. However, because of the recession, compliance projects face increased competition from other business and revenue-generating initiatives. So while companies understand that compliance is mandatory, a security professional may only get 30% of the funding requested. This gives rise to two challenges:

  1. Minimizing the cost of compliance
  2. Justifying expense

And the best way to minimize cost and justify funding is to demonstrate that the solution in question will address multiple requirements beyond the limited scope of regulatory compliance and provide a clear and tangible ROI.

The pressure is on to do more with less

The solution

The good news is that SIEM solutions like EventTracker can help you do just that – meet multiple requirements spanning compliance and security while providing tangible, demonstrable operational cost-savings. Benefits include:

  • In-depth protection of critical IT assets from both internal and external breaches
  • Compliance with multiple regulatory frameworks including Sarbanes-Oxley, HIPAA, PCI-DSS, FISMA, GLBA and more, as well as support for evolving mandates
  • Cost-savings in the form of reduced dependence on existing resources, optimized operations, improved system availability and quick resolution of issues before they escalate into costly disruptions.

SIEM for Security

A comprehensive SIEM solution like EventTracker allows you to:

  • Detect and prevent damage from Zero-Day and other new forms of attack vectors
  • Monitor user activity and USB device usage for unauthorized internal access to sensitive data
  • Monitor networks for suspicious activity that often precedes a security breach
  • Create customized correlation rules to detect common and critical security conditions in real-time.
  • React quickly and early to suspicious activity with instant alerts and automatic remediation for proactive prevention
  • Research the sequence of events that led to an attack and test your security improvements by playing back a saved event sequence.

SIEM for Compliance

SIEM solutions help you wade through the vague guidelines of compliance requirements with predefined reports mapped to specific regulatory requirements. A comprehensive SIEM solution will help you:

  • Automate the entire compliance process from securing your environment, establishing baselines, tracking user activity, alerting to potential violations to creating audit-ready reports
  • Demonstrate to auditors that periodic reviews are being conducted in compliance with internal and external policies
  • Comply with a variety of regulatory standards spanning multiple verticals

SIEM for Operations

SIEM solutions enable you to increase IT efficiency and decrease the total cost of ownership by:

  • Automating routine tasks and decreasing dependence on existing resources
  • Optimizing operations by monitoring, alerting and reporting on disk space trends, CPU usage trends, runaway processes, high-memory usage, service downtime
  • Enabling IT staff to quickly diagnose issues before they escalate into costly disruptions
  • Accelerating troubleshooting and simplifying forensic investigations

SIEM solutions such as EventTracker provide a fast and demonstrable ROI within 8-9 months and help you save on average $100 per server per month in ongoing maintenance and operational costs.

Selecting the right SIEM solution

Now that you are able to justify funding for a SIEM solution, the next step is to identify the right SIEM solution for your environment. This is no easy task, for two reasons. First, there are a large number of products available, and vendors have done a great job of making their products sound roughly the same in core features such as correlation, reporting and collection. Second, vendors are busy differentiating themselves on features that in many cases have little or nothing to do with core functionality.

The reality is that SIEM solutions are typically optimized for different use cases, and you need to find the solution that best meets your own needs. To help define your requirements and determine the best solution for your organization, you should answer the following questions:

  • What is the easiest way to automate the collection of events?
  • How can I store all that data securely and efficiently so it is still accessible?
  • How can I gain actionable intelligence from all that data in real-time?
  • How do I generate reports out of consolidated data?
  • Can the solution handle my unique requirements without expensive customization?
  • How long will it take me to get a solution up and running, and what are my ongoing costs?
  • Which offering has the broadest feature set to maximize my investment?

A comprehensive SIEM solution should automate the secure collection and consolidation of all enterprise events to a central point and make them readily available to IT personnel for analysis. The architecture needs to be scalable and highly configurable while still being easy to install and quick to implement. It should provide an efficient, secure, tamper-proof event archive for reporting and compliance requirements, a powerful real-time correlation engine that operates on the event stream, and a reporting and analytics engine for ad-hoc and scheduled querying.

Make sure the solution can receive and process logs from all platforms and sources in your network, including Syslog, Syslog NG, SNMP V1/V2, Windows, Solaris BSM, IIS, Exchange, Oracle and SQL Server, and that it can monitor system thresholds such as CPU, disk usage and memory, as well as USB devices. Look for a solution whose agents can be centrally configured, managed and distributed, and which can perform sophisticated filtering of the event logs prior to transmission to the central collection point, so that where reduction of the event stream is possible, it can be easily accomplished.

A good SIEM solution should allow you to access the data in the way that fits your organizational structure: a single central console with a UI for administration, configuration, event viewing, reporting and analysis; support for multiple, distributed consoles; or a role-based web interface integrated with Active Directory for single sign-on.

For larger organizations that have multiple sites, or that are organized into multiple units within the same site, it may be necessary for all of the event log data to be consolidated and archived in a single place for compliance purposes, while correlation and day-to-day management remain the responsibility of different, distinct IT groups.

Think about how events are stored. With millions of events generated daily, a database can be an expensive and slow medium for archiving data: storing even a short period of event data can require a huge database, a big database server and additional expensive database licenses. Databases also do not guarantee secure storage. Look for a SIEM solution that can archive the original log in a compressed and secured archive optimized for the write-once, read-many nature of event log information.

A robust correlation and analytics engine is critical to ongoing security efforts and enables powerful real-time monitoring and rules-based alerting on the event stream. Rules can watch for multiple, seemingly minor and unrelated events occurring on multiple systems over time that together are clear indications of an impending system problem or security breach. Detecting these problems in real time prevents or minimizes the costly impact on the business.

Integrated change monitoring and configuration control allow you to monitor and manage changes that occur on the Windows file system and registry – often the only clue IT staff have of zero-day and malware attacks or of the installation of unauthorized or unsupported software. By quickly identifying those hard-to-find changes, you enhance security, reduce system downtime and lower overall IT costs.

A powerful report wizard lets you create meaningful reports on an ad-hoc basis or schedule them to be generated regularly during off-hours and distributed to subscriber lists. Look for flexibility in report delivery, such as PDF, CSV or DOC formats delivered via email or RSS feed. In addition, you should be able to research the sequence of events that led to an attack or security breach and test your security improvements by playing back a saved event sequence.

Finally, evaluate solutions for long-term value rather than initial price. A vendor might offer you a great price that fits your budget today, but what happens when your IT infrastructure grows? How will licensing scale when your log volume increases beyond the solution’s capacity? Look also for hidden costs in the form of separate modules, compliance packs, storage, training and support. The last thing you need is unexpected costs that you never accounted for.

The bottom line

Limited-scope solutions may be beneficial for extremely specific requirements, but in the current economy the investment required for such solutions is often hard to justify. Procuring a number of solutions to meet a variety of disparate requirements can also prove a burden on shrinking staff and existing resources. In order to maximize spend, companies must purchase products that provide a wide range of functionality addressing multiple areas. SIEM solutions such as EventTracker not only provide broad capabilities that apply across compliance and security use cases, but also help you save hard dollars on operational costs.

Industry News

EventTracker gets 5 star review from SC Magazine
“EventTracker is a robust security information and event log management (SIEM) tool that has a lot of useful features”

SMBs often hit hardest by botnets
A small or midsize business (SMB) is ultimately a more attractive target for spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.

Did you know? Granular licensing, predictable pricing and modest resource requirements allow SMBs to take advantage of EventTracker’s advanced security, regulatory and operational monitoring capabilities without breaking the bank.

UC Berkeley says hacker broke into health services databases
The University of California at Berkeley disclosed on Friday that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students that their personal information may have been taken.

Did you know? EventTracker offers complete coverage from the server to the workstation and USB level, real-time correlation and alerting, to ensure that IT personnel are instantly notified of any suspicious activity before costly damage is caused.

100 Log Management uses #28 Web application vulnerabilities

During my recent restful vacation down in Cancun I was able to reflect a bit on a pretty atypical use of logs. This turned into a series of 5 entries that look at using logs to trace web application vulnerabilities, using the OWASP Top 10 Vulnerabilities as a base. Logs may not catch all of the OWASP Top 10, but there are 5 that you can use logs to look for — and by periodic review ensure that your web applications are not being hacked. This is the intro. Hope you enjoy them.

By Ananth