100 Log Management Uses #39 Boundary defense (CAG control 5)

Today, after a brief holiday (it is summer, after all), we continue our look at the SANS Consensus Audit Guidelines (CAG). Today we look at something very well suited to logs: boundary defense. Hope you enjoy it.

– By Ananth

EventTracker 6.3 review; Getting more from Log Management Correlation techniques and more

Smart Value: Getting more from Log Management

Every dip in the business cycle brings out the ‘get more value for your money’ strategies, and our current “Kingda Ka style” economic drop only increases the urgency of implementing them. For IT this usually means either using the tools you already have to solve a wider range of problems, or buying a tool with a fast initial payback that can then be used to solve a wide range of other problems. This series looks at how different log management tasks can be applied to solve a wider range of problems beyond the traditional compliance and security drivers, so that companies can get more value for their IT money.

Login attack identification is a common use of log management. Most folks monitor and analyze login failures from a security perspective. They use reporting and policy engines to identify anomalies in user login patterns, such as multiple login failures with different user names in a short amount of time, as indicators of a security attack or for forensic or auditing purposes. Others take this one step further and apply the analysis to recognize the specific devices a customer uses to log in, as a means to prevent fraud or lower attack risks. However, these login analysis and reporting tasks can have uses beyond this traditional security driver.

Performance problem resolution

Login failures can also be an indicator of server or database misconfigurations, particularly since modern applications and databases depend on complex collections of software modules. Those modules depend on login permissions to communicate just as much as we depend on login permissions to check our email.

Sometimes error messages about unknown login types or missing database connections are  the result of duplicate installations of a particular module or slight variances in permissions within a database server cluster.  Depending on where the error sits it may be fatal to the performance of a critical business service or it may fly under the radar — until a specific set of circumstances causes service performance to rapidly unravel.

These types of performance problems will also be occurring more frequently because:

  • Security and compliance concerns: Many companies are requiring more frequent password changes for both users and communicating software modules. More frequent change means more opportunities for problems, which creates more problem-resolution work, which eats up IT admin time that should be spent on problem prevention.
  • Virtualization: If misconfigurations get baked into virtual machine templates that are deployed over and over again, then the situation definitely gets worse.  You end up with a template which causes the same performance problems which have to be solved over and over again.

These types of performance problems require log analysis solutions to identify error patterns and uncover unsuspected relationships between production environment deployment choices and error occurrences.

Customer service

Login failures can also be a customer service indicator. For example, you can analyze how many of the users who request a password reminder actually log in a few minutes later. If your analysis shows that most users do not log in successfully after a failed login, you have an indicator that a particular business goal is not being met. The business is missing opportunities to connect with those users, and you have an opportunity to engage, align and interact with business managers to figure out how to positively impact the business.
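The two analyses described so far, the security pattern from the opening paragraph (many failed logins with different user names from one source in a short window) and the password-reminder follow-through check from this section, written out as one added Python example. This is not code from the original article or from EventTracker; the four-field log format, the window sizes, the thresholds and the sample events are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real log data).
# Fields: timestamp, source IP, user name, outcome (failure / success / reminder)
SAMPLE_AUTH_LOG = """\
2009-07-06T09:00:01 10.1.1.50 alice failure
2009-07-06T09:00:03 10.1.1.50 bob failure
2009-07-06T09:00:04 10.1.1.50 carol failure
2009-07-06T09:00:06 10.1.1.50 dave failure
2009-07-06T09:00:07 10.1.1.50 erin failure
2009-07-06T09:00:09 10.1.1.50 frank failure
2009-07-06T09:05:00 10.1.1.77 alice failure
2009-07-06T09:05:10 10.1.1.77 alice reminder
2009-07-06T09:07:30 10.1.1.77 alice success
2009-07-06T09:10:00 10.1.1.88 bob failure
2009-07-06T09:10:05 10.1.1.88 bob reminder
2009-07-06T10:30:00 10.1.1.88 bob success
2009-07-06T09:12:00 10.1.1.99 carol failure
2009-07-06T09:12:02 10.1.1.99 carol reminder
"""


def parse_auth_log(text):
    """Parse the constructed format into (timestamp, src, user, outcome) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_user_spray(events, window=timedelta(seconds=60), min_users=5):
    """Flag a source IP that fails with at least `min_users` distinct user names
    inside a sliding `window`. Returns {src: distinct_user_count_at_trigger}."""
    recent = defaultdict(deque)  # src -> deque of (timestamp, user) failures inside the window
    flagged = {}
    for ts, src, user, outcome in events:
        if outcome != "failure":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_users and src not in flagged:
            flagged[src] = len(distinct)
    return flagged


def reminder_follow_through(events, within=timedelta(minutes=10)):
    """For each password reminder, check whether the same user logged in
    successfully within `within`. Returns (reminders, followed_up, fraction)."""
    successes = defaultdict(list)  # user -> successful login timestamps
    for ts, _, user, outcome in events:
        if outcome == "success":
            successes[user].append(ts)
    reminders = followed = 0
    for ts, _, user, outcome in events:
        if outcome != "reminder":
            continue
        reminders += 1
        if any(ts <= s <= ts + within for s in successes[user]):
            followed += 1
    fraction = followed / reminders if reminders else 0.0
    return reminders, followed, fraction


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    print("spray sources:", detect_user_spray(evts))
    print("reminders, followed up, fraction:", reminder_follow_through(evts))
```

The same sliding-window helper can be pointed at a service account instead of a source IP to surface the misconfiguration case from the performance section: a module that fails every few minutes with one user name and never succeeds looks very different from the spray pattern, and the distinction is just a different grouping key and a different follow-up report.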

That’s the type of “tech hero” I think most IT managers aspire to be. The guys and gals that go beyond their day-to-day tasks to find ways to lighten burdens their colleagues didn’t know they were carrying.  The data to do this type of hero-work is in the logs. It just needs to be surfaced in a way that makes sense to business managers, web designers and application developers.

Doing more with the same

If you already have tools to consolidate and analyze log data for login failures that indicate security breaches, you also have tools to prevent login misconfigurations from causing application performance problems, prevent login misconfigurations from creeping into VM templates, and provide insight into lost customer opportunities. It is simply a matter of applying the tools to these additional situations. However, we all know that just because something seems simple doesn’t mean it is easy to achieve. It is only when you apply a solution to multiple problems that you really put its claims of flexibility and usability to the test. A good analysis tool should help you uncover patterns and relationships without creating a lot of extra work to bring in new data sources or run ad-hoc reports.

If you are trying to justify log management and analysis tools specifically for identifying login-based attacks don’t forget to include an ROI roadmap that shows a timeline for benefits beyond security attacks. The reason I like ROI roadmaps is that they get business folks thinking about IT solutions and IT time saved as assets to be leveraged in the next round of efficiency and productivity improvements — instead of thinking about IT time as only a maintenance cost that should be eliminated.

The most effective roadmaps would show how the solution will initially be used, the resulting benefits and the initial payback period as the first phase. Subsequent phases would show how you would leverage the time saved to apply the solution to other areas, and the resulting benefits. These subsequent phases don’t have to be completely fleshed out, but should include enough substance to demonstrate that you are following one of the fundamental laws of good business execution: thinking strategically while acting tactically.

Industry News

4th of July hacker jailed after hospital hack
A Dallas hospital guard was ordered to jail following his arrest on charges of breaking into computers, planting malicious software and planning a massive distributed-denial-of-service (DDoS) attack on the Fourth of July.

Related Resource Read how Lehigh Valley Hospital uses EventTracker to get real-time alerts on unauthorized access, detect suspicious activity and security threats, and conduct forensic investigations.

Microsoft confirms another zero-day vulnerability
The vulnerability resides in Microsoft’s Office Web Components, which are used for publishing spreadsheets, charts and databases to the Web, among other functions. The company is working on a patch but did not indicate when it would be released, according to an advisory. “If exploited successfully, an attacker could gain the same user rights as the local user”

Did you know? EventTracker’s powerful integrated Change Monitoring module detects zero-day attacks and prevents costly damage from these new attack types.

Insider arrested for stealing critical proprietary code from Financial Services Company
Wall Street is abuzz with news that a computer programmer has been arrested for stealing top-secret application code that drives his former company’s high-speed financial trading platform. Blogger says stolen code might have been Goldman Sachs’ ‘secret sauce’

Did you know? Log Management can not only proactively detect and help prevent incidents of insider theft, but also provide evidence to catch a culprit after the fact.

EventTracker 6.3 review
IT Pro Magazine review of EventTracker 6.3 : “It [EventTracker] also provides a range of features not found in standard log management products…”

100 Log Management Uses #38 Meeting CAG controls 3 & 4

Today we continue our look at the Consensus Audit Guidelines, in this case CAG Controls 3 and 4 for maintaining secure configurations on system and network devices. We take a look at how log and configuration monitoring can ensure that configurations remain secure by detecting changes in the secured state.

By Ananth

100 Log Management Uses #37 Consensus Audit Guidelines (CAG) controls 1 and 2

Today we start in earnest on our Consensus Audit Guidelines (CAG) series by taking a look at CAG 1 and 2. Not hugely interesting from a log standpoint but there are some things that log management solutions like EventTracker can help you with.

By Ananth

100 Log Management uses #36 Meeting the Consensus Audit Guidelines (CAG)

Today we are going to begin another series on a standard that leverages logs. The Consensus Audit Guidelines, or CAG for short, is a joint initiative of SANS and a number of Federal CIOs and CISOs to put in place some lower-level guidelines for FISMA. One of the criticisms of FISMA is that it is very vague and implementation can be very different from agency to agency. The CAG is a series of recommendations that make it easier for IT to make measurable improvements in security by knocking off some low-hanging targets. There are 20 CAG recommended controls and 15 of them can be automated. Over the next few weeks we will look at each one. Hope you enjoy it.

By Ananth

New NIST recommendations; Using Log Management to detect web vulnerabilities and more

Log and security event management tame the wild west environment of a university network

Being a network administrator in a university environment is no easy task.  Unlike the corporate world, a university network typically has few restrictions over who can gain access; what type or brand of equipment people use at the endpoint; how those endpoint devices are configured and managed; and what users do once they are on the network.

A university network often has a higher volume of traffic than a private sector network does, as well as more wireless connections.  Rather than looking at faculty and students as users whose computing can be managed or dictated, university administrators must view them as customers whose needs must be met.  And the needs can be quite varied – everything from financial transactions at the campus bookstore to large file transfers for university research projects.  Needless to say, security for the network can be quite a challenge.

“In many ways, a university environment is much more complex than a corporate environment,” according to James Perry, the Information Security Officer at the University of Tennessee.  A university IT department almost functions more like an ISP than as a traditional IT department that sets computing standards and dictates how a network can be used.

Morris Reynolds, the Director of Information Security and Access Management at Wayne State University, echoes Perry’s comments.  “The students are basically our customers,” says Reynolds.  “Their computing needs present challenges, but if they complain, the IT group has to acquiesce.”

This requires a delicate balancing act.  On the one hand, the IT operations and security teams need to ensure the well being of university computing resources, as well as compliance with regulations such as HIPAA, PCI and the Family Educational Rights & Privacy Act (FERPA).  On the other hand, universities must be careful to avoid control procedures that may be viewed as violating student privacy, suppressing the right of free speech, or stifling to research programs and innovation.

In this “almost anything goes” environment, log and security event management are a boon to the university network administrator.  By correlating and analyzing log data from a wide range of devices, the admin is able to “see” so much more of what is happening on his network.  This helps him be more proactive in managing the operations and more effective in identifying security breaches based on university policies.  It’s a bit like bringing some semblance of order to the “Wild West” atmosphere of the college campus.

Log management helps bring order to chaos

For instance, Wayne State University has 33,000 students and 10,000 faculty members.  There are 10,000 concurrent users physically located on campus, and another 50,000 concurrent users coming into the network remotely.  The university network has more than 1,200 servers, 30,000 wired ports and 1,000 wireless access points.  The students provide their own PCs.  There’s no central control for the configuration of these endpoint devices, and they are largely unmanaged.

In this environment, a network firewall can easily experience more than 50,000 events per day.  When you take into consideration all the disparate event logs from all the devices, the total number of events logged in a single day is staggering.  And this is typical for many university networks.  Capturing the log data from all the network devices, normalizing it into a standard format, and correlating events can help to identify problems and lead to remediation.

For example, unmanaged endpoint devices like the students’ laptops are highly susceptible to viruses and malware that turn the PCs into nodes of a botnet.   When a botnet infection occurs, there is often a huge uptick in client-to-client session initiation.   As a result, there can be a major rise in the network bandwidth consumption by the infected machines.  There also may be an increase in the number of attempts to connect to the Internet.   These events are captured in device logs and can then be detected by a SIM/SIEM by correlating events across different devices such as routers and firewalls.  The SIM/SIEM can issue alerts and can remediate by restricting the students’ network access until their PCs have been cleaned.  This helps to limit further exposure and infection.
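An added example (not from the original article, and not EventTracker’s correlation engine) of the detection just described: per-host counting over constructed firewall log lines flags a client whose client-to-client session initiations and outbound connection attempts both jump far above a baseline within a single minute. The log format, the campus address range, the two thresholds and the sample traffic are all assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed campus client range; anything outside it counts as "the Internet".
INTERNAL = ipaddress.ip_network("10.20.0.0/16")


def build_sample_log():
    """Return constructed firewall lines (not real traffic): 'ts action src dst dport'."""
    lines = []
    base = datetime(2009, 7, 6, 14, 0, 0)
    # A normal client: a handful of web connections during the minute.
    for i in range(4):
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{ts} ALLOW 10.20.7.3 74.125.1.{i + 1} 80")
    # An infected client: touches 20 campus peers on 445, then hammers 30 external hosts.
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ALLOW 10.20.5.10 10.20.5.{11 + i} 445")
    for i in range(30):
        ts = (base + timedelta(seconds=20 + i)).isoformat()
        lines.append(f"{ts} DENY 10.20.5.10 203.0.113.{1 + i} 6667")
    return lines


def summarize_by_minute(lines):
    """Bucket by (src, minute): distinct internal peers contacted, outbound attempts, denies."""
    buckets = defaultdict(lambda: {"peers": set(), "outbound": 0, "denied": 0})
    for line in lines:
        ts, action, src, dst, _dport = line.split()
        minute = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(second=0)
        bucket = buckets[(src, minute)]
        if ipaddress.ip_address(dst) in INTERNAL:
            bucket["peers"].add(dst)          # client-to-client session initiation
        else:
            bucket["outbound"] += 1           # attempt to reach the Internet
            if action == "DENY":
                bucket["denied"] += 1
    return buckets


def flag_botnet_candidates(buckets, peer_threshold=10, outbound_threshold=20):
    """Flag any host whose single-minute behaviour exceeds either baseline.
    Thresholds are assumptions; in practice derive them from the host's own history."""
    flagged = {}
    for (src, minute), b in buckets.items():
        indicators = []
        if len(b["peers"]) >= peer_threshold:
            indicators.append("client-to-client fan-out")
        if b["outbound"] >= outbound_threshold:
            indicators.append("outbound connection burst")
        if indicators:
            flagged[src] = {
                "minute": minute.strftime("%H:%M"),
                "peers": len(b["peers"]),
                "outbound": b["outbound"],
                "denied": b["denied"],
                "indicators": indicators,
            }
    return flagged


if __name__ == "__main__":
    for host, detail in flag_botnet_candidates(summarize_by_minute(build_sample_log())).items():
        print(host, detail)
```

The per-minute bucket is deliberately small so that the alert fires while the infection is still spreading; the remediation the article mentions (restricting the host’s network access until it is cleaned) would hang off the returned dictionary, keyed by source address.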

Logs also provide specific insight into changes to network resources, such as updates to Active Directory or modifications to a server’s registry and .ini files.  The changes recorded in the logs can be cross-referenced to the university’s change management logs/system to assure the change was expected and approved.   When an unauthorized change has been detected, the appropriate alerting and remediation can take place by backing out unauthorized changes.

From a network operation perspective, logs can provide insight into operational reliability problems, such as when a device becomes “noisy” – in other words, it generates many log entries.  This usually means that there is a problem such as an imminent device failure, the need for a software patch, or a misconfiguration.  These events can trigger an alert to a technician who can tend to the device’s needs before a complete failure.

In a university network environment where configuration standards and usage control just aren’t possible, log management and SIM/SIEM provide network administrators with a measure of control. These tools help in identifying the root cause of issues by providing a holistic view into the network’s operational, security and audit logs in a centralized management tool, which in turn can assist in the detection of security breaches, unauthorized changes and operational events.

Compliance requirements also drive the need for log management

There is one way that university networks are similar to corporate networks.  A multitude of regulatory requirements is common in many large university environments, making compliance another driver for log and security information management.  Such regulations often dictate that logs be captured and monitored for events that violate a regulatory statute.  The University of Tennessee network is a typical example.

The UT network spans five campuses.  In addition to supporting the needs of the students and faculty, the network serves about 160 merchants, including bookstores, coffee shops and other sales operations.  Because these merchants accept payments via credit cards, this segmented portion of the network must meet PCI DSS compliance requirements.  Two of the UT campuses work with medical data, so HIPAA compliance is a must.  There’s financial data, meaning GLBA compliance, and student information that is governed by FERPA.  Log management is a vital tool in meeting compliance requirements and validating the efforts.

It’s a challenge to oversee the operations and security of a university network environment.  Perhaps that’s why so many university network administrators use their log management and SIM/SIEM tools to take the environment from “wild” to “mild.”

Brian Musthaler, CISA – is a Principal Consultant with Essential Solutions Corp.  A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Federal IT Security recommendations released in final NIST draft

The National Institute of Standards and Technology has collaborated with the military and intelligence communities to produce the first set of security controls for all government information systems, including national security systems.

Did you know? EventTracker offers a comprehensive solution that enables compliance with multiple regulations, standards and guidelines including NIST recommendations, FISMA, PCI-DSS, Sarbanes-Oxley, HIPAA, Consensus Audit Guidelines (CAG) and others

T-Mobile net reportedly hit by hacker/extortion attack

T-mobile customers are awakening this morning to reports that hacker/extortionists have victimized the cellular carrier through a massive network breach resulting in the theft of untold amounts of corporate and customer data, which they’re threatening to sell to the highest bidder.

Did you know? EventTracker provides 24/7 insight into enterprise networks and detects security threats/breaches in real-time for immediate remediation before costly reputation-damaging consequences occur

Hackers hit US Army websites

A group of computer hackers based in Turkey breached the sites of two U.S. Army facilities, leveraging SQL injection attacks, according to reports. “The question of vulnerability to SQL injection attacks has come up frequently… The number is rising dramatically. SQL injection is a serious threat. Not enough organizations are paying attention to it.”

Did you know? Log Management can help you detect and prevent web attacks including SQL injection attacks

Revamped EventTracker KnowledgeBase

The EventTracker KnowledgeBase, a free repository of detailed descriptions and information on over 20,000 event logs, has a new look! The revamped web portal now provides easy Google-like searching and options for advanced search to quickly pinpoint specific events.

100 Log Management uses #35 OWASP web vulnerabilities wrap-up

We have been talking a lot recently about web vulnerabilities, specifically the OWASP Top 10 list. We have covered how logs can help detect signs of web attacks in OWASP A1 through A6. A7 – A10 cannot be detected by logging, but in this wrap-up of the OWASP series we’ll take a look at them.

-By Ananth

100 Log Management uses #34 Error handling in the web server

Today we conclude our series on OWASP vulnerabilities with a look at A6: error handling in the web server. Careless or absent configuration of error handling in a web server gives a hacker quite a lot of useful information about the structure of your web application. While careful configuration can take care of many issues, hackers will still probe your application, deliberately triggering error conditions to see what information is there to be had. In this video we look at how you can use web server logs to detect whether you are being probed by a potential hacker.

-By Ananth

100 Log Management uses #33 Detecting and preventing cross site request forgery attacks

Today’s video blog continues our series on web vulnerabilities. We look at OWASP A5 — cross site request forgery hacks and we discuss ways that Admins can help both prevent these attacks and detect them when they do occur.

-By Ananth

100 Log Management uses #32 Detecting insecure object references

Continuing on our OWASP series, today we look at Vulnerability A4, using object references to grab important information, and how logs can be used by Admins to detect signs of these attacks. We also look at some best practices you can employ on your servers to make these attacks more difficult.

By Ananth

100 Log Management uses #31 Detecting malicious file execution in the web server

Today’s video continues our series on web vulnerabilities. We look at OWASP A3 — malicious code execution attacks in the web server — and discuss ways that Admins can help both prevent these attacks and detect them when they do occur.

-By Ananth

Compromise to discovery

The Verizon Business Risk Team publishes a useful Data Breach Investigations Report drawn from over 500 forensic engagements over a four-year period.

The report describes a “Time Span of Breach” event broken into four stages of an attack. These are:

– Pre-Attack Research
– Point of Entry to Compromise
– Compromise to Discovery
– Discovery to Containment

The top two are under the control of the attacker, but the rest are under the control of the defender. Where log management is particularly useful is in discovery. So what does the 2008 version of the DBIR show about the time between Compromise and Discovery? Months. Sigh. Worse yet, in 70% of the cases, Discovery was the victim being notified by someone else.

Conclusion? Most victims do not have sufficient visibility into their own networks and equipment.

It’s not hard but it is tedious. The tedium can be relieved, for the most part, by a one-time setup and configuration of a log management system. Perhaps not the most exciting project you can think of but hard to beat for effectiveness and return on investment.


100 Log Management uses #30 Detecting Web Injection Attacks

Today’s Log Management use case continues our look at web vulnerabilities from the OWASP website. We will look at vulnerability A2, or how injection techniques, particularly SQL injection can be detected by analyzing web server log files.

By Ananth

100 Log Management uses #29 Detecting XSS attacks

Today we begin our series on web vulnerabilities. The number 1 vulnerability on the OWASP list is cross site scripting, or XSS. XSS seems to have replaced SQL injection as the new favorite of web attackers. We look at using web server logs to detect signs of these XSS attacks.


EventTracker gets 5 star review; 100 Log Management uses and more

Have your cake and eat it too: improve IT security and comply with multiple regulations while reducing operational costs and saving money

Headlines don’t lie. The number and severity of security breaches suffered by companies has consistently increased over the past couple of years and statistics show that 9 out of 10 businesses will suffer an attack on their corporate network in 2009. At the same time, there is growing pressure to comply with regulations and standards such as PCI-DSS, HIPAA and Sarbanes-Oxley, non-compliance of which can result in large fines and cause costly long-term damage to corporate reputations. However, in the midst of an economic recession when companies are tightening their belts, reducing headcount and scrutinizing project costs, it is getting difficult for IT professionals to get the funding they need to meet their goals. The silver lining is that SIEM solutions allow you to reduce security risks, comply with multiple regulations all the while helping you save money – a win-win situation in the current environment.

The new IT landscape

From insider theft to highly targeted malware and zero-day attacks, cyber crime is evolving rapidly, and what was secure last year is not necessarily secure this year. With the proliferation of mobile devices, the new avenues for data theft are plenty: USB thumb drives, PDAs and iPods are easy to conceal, and copying confidential data onto these devices often takes just a couple of minutes. And with corporate networks accommodating not just employees, but also outside contractors and third-party providers across multiple locations, the risk is real, serious and extremely hard to minimize without clamping down on productivity.

On the other hand, cyber crime has evolved from a hobbyist occupation into a multi-billion dollar industry. Organized, profit-driven groups use automated processes and highly targeted attacks to infiltrate networks in very little time and surreptitiously siphon off enterprise data. Certainly the threat to critical IT assets is only increasing in volume and sophistication. And with the global meltdown, the impetus behind data theft has grown multifold, from disgruntled ex-employees who have been victims of layoffs to desperate people willing to take desperate measures for financial gain. With the capabilities of IT departments being pushed to their limits, the recession has led to a perfect storm in the world of IT security, and criminals are taking advantage of this storm to attack. It is no longer a question of if but when and how: when will an attack occur and how costly will it be.

While dealing with this widening threat landscape, IT departments are still tasked with maintaining compliance with regulatory standards and government stipulations that are often vague and difficult to translate into implementation guidelines. Non-compliance is not an option since the potential for costly repercussions, whether in the form of fines, lawsuits, litigation or corporate reputation damage, is high.

The challenge 

So the challenge for IT lies in managing multiple requirements in the face of budget cuts, increasing layoffs and shrinking resources. As companies scrutinize every investment, fear-factor arguments for funding security projects are waning for a number of reasons, including:

  • “We have not been attacked so far, therefore we must be immune” syndrome
  • Absence of a widespread, debilitating (9/11 style) malware attack
  • Absence of hard figures on the economic impact of a security breach
  • Measuring ROI on security investments is difficult because it is based on a company’s tolerance for risk, and the money “saved” is intangible.
  • It can be difficult to prove that the organization would have been attacked without the solution in place.

It is no wonder then that compliance remains the main driver for many security solutions. However, because of the recession, compliance projects are facing increased competition from other business and revenue-generating initiatives. So while companies understand that compliance is mandatory, a security professional may only get 30% of the funding requested. This gives rise to two challenges:

  1. Minimizing the cost of compliance
  2. Justifying expense

And the best way to minimize cost and justify funding is by demonstrating that the solution in question will address multiple requirements outside the limited scope of regulatory compliance, and provide a clear and tangible ROI.

The pressure is on to do more with less

The solution

The good news is that SIEM solutions like EventTracker can help you do just that – meet multiple requirements spanning compliance and security while providing tangible, demonstrable operational cost-savings. Benefits include:

  • In-depth protection of critical IT assets from both internal and external breaches
  • Compliance with multiple regulatory frameworks including Sarbanes-Oxley, HIPAA, PCI-DSS, FISMA, GLBA and more, as well as support for evolving mandates
  • Cost-savings in the form of reduced dependence on existing resources, optimized operations, improved system availability and quick resolution of issues before they escalate into costly disruptions.

SIEM for Security

A comprehensive SIEM solution like EventTracker allows you to:

  • Detect and prevent damage from Zero-Day and other new forms of attack vectors
  • Monitor user activity and USB device usage for unauthorized internal access to sensitive data
  • Monitor networks for suspicious activity that often precedes a security breach
  • Create customized correlation rules to detect common and critical security conditions in real-time.
  • React quickly and early to suspicious activity with instant alerts and automatic remediation for proactive prevention
  • Research the sequence of events that led to an attack and test your security improvements by playing back a saved event sequence.

SIEM for Compliance

SIEM solutions help you wade through the vague guidelines of compliance requirements with predefined reports mapped to specific regulatory requirements. A comprehensive SIEM solution will help you:

  • Automate the entire compliance process from securing your environment, establishing baselines, tracking user activity, alerting to potential violations to creating audit-ready reports
  • Demonstrate to auditors that periodic reviews are being conducted in compliance with internal and external policies
  • Comply with a variety of regulatory standards spanning multiple verticals

SIEM for Operations

SIEM solutions enable you to increase IT efficiency and decrease the total cost of ownership by:

  • Automating routine tasks and decreasing dependence on existing resources
  • Optimizing operations by monitoring, alerting and reporting on disk space trends, CPU usage trends, runaway processes, high-memory usage, service downtime
  • Enabling IT staff to quickly diagnose issues before they escalate into costly disruptions
  • Accelerating troubleshooting and simplifying forensic investigations

SIEM solutions such as EventTracker provide a fast and demonstrable ROI within 8-9 months and help you save on average $100 per server per month in ongoing maintenance and operational costs.

Selecting the right SIEM solution

Now that you are able to justify funding for a SIEM solution, the next step is to identify the right SIEM solution for your environment. This is no easy task, for two reasons. Firstly, there is a large number of products available, and vendors have done a great job of making their products sound roughly the same in core features such as correlation, reporting, collection, etc. Secondly, vendors are too busy differentiating themselves on features that in many cases have little or nothing to do with core functionality.

The reality is that SIEM solutions are typically optimized for different use-cases and you need to find a solution that will best meet your own needs. To help define your requirements and determine the best solution for your organization, you should answer the following questions:

  • What is the easiest way to automate the collection of events?
  • How can I store all that data securely and efficiently so it is still accessible?
  • How can I gain actionable intelligence from all that data in real-time?
  • How do I generate reports out of consolidated data?
  • Can the solution handle my unique requirements without expensive customization?
  • How long will it take me to get a solution up and running, and what are my ongoing costs?
  • Which offering has the broadest feature set to maximize my investment?

A comprehensive SIEM solution should automate the secure collection and consolidation of all enterprise events to a central point and make them readily available to IT personnel for analysis. The architecture needs to be scalable and highly configurable while still being easy to install and quick to implement. It should provide an efficient, secure, tamper-proof event archive for reporting and compliance requirements, a powerful real-time correlation engine that operates on the event stream, and a reporting and analytics engine for ad-hoc and scheduled querying.

Make sure the solution can receive and process logs from all platforms and sources in your network including Syslog, Syslog NG, SNMP V1/V2, Windows, Solaris BSM, IIS, Exchange, Oracle, SQL Server and has the capability to monitor system thresholds such as CPU, disk usage and memory, as well as USB devices. Look for a solution where the agents can be centrally configured, managed and distributed and can perform sophisticated filtering of the event logs prior to transmission to the central collection point, so if reduction of the event stream is possible, it can be easily accomplished.

A good SIEM solution should allow you to access the data in the way that fits your organizational structure. You may want a single central console that includes a UI for administration, configuration, event viewing, reporting and analysis; support for multiple, distributed consoles; or a role-based web interface integrated with Active Directory for single sign-on.

For larger organizations that have multiple sites or are organized into multiple units within the same site, it may be necessary for all of the event log data to be consolidated and archived in a single place for compliance purposes, with the correlation and day to day management the responsibility of different, distinct IT groups.

Think about how events are stored. With millions of events generated daily, a database can be an expensive and slow medium for archiving data. Storing even a small time period of event data can require a huge database, a big database server machine and additional expensive database licenses. A database is also not, by itself, tamper-evident storage: anyone with write access to the tables can alter or delete rows without leaving a trace. Look for a SIEM solution that can archive the original log in a compressed and integrity-protected archive optimized for the write-once/read-many nature of event log information.
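A minimal form of the write-once archive described above, as an added example rather than EventTracker's own implementation: each record carries the SHA-256 of the previous record, the file is gzip-compressed, and the final ("head") hash is returned so it can be stored away from the collector; a verifier then locates the first altered record. The log lines, the record layout and the file name are constructed for the demo.

```python
"""Added example (not EventTracker code): a write-once, hash-chained,
gzip-compressed archive of raw log lines, plus a verifier that reports
the first tampered record. Sample log lines are constructed."""
import gzip
import hashlib
import json
import os
import tempfile

SAMPLE_LINES = [  # constructed syslog-style records
    "Jun 14 10:01:02 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5120 ssh2",
    "Jun 14 10:01:03 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5120 ssh2",
    "Jun 14 10:01:09 web01 sshd[2204]: Accepted password for svc_backup from 203.0.113.7 port 5131 ssh2",
]

def _digest(prev_hash: str, line: str) -> str:
    # Each record's hash covers the previous hash, so deleting, editing
    # or reordering any earlier record breaks every later link.
    return hashlib.sha256(prev_hash.encode() + b"\n" + line.encode()).hexdigest()

def write_archive(path: str, lines) -> str:
    """Write lines as JSON records into a gzip file; return the head hash."""
    prev = "0" * 64  # genesis value for the first record
    with gzip.open(path, "wt", encoding="utf-8") as f:
        for seq, line in enumerate(lines):
            h = _digest(prev, line)
            f.write(json.dumps({"seq": seq, "line": line, "prev": prev, "hash": h}) + "\n")
            prev = h
    return prev  # keep this head hash elsewhere (signed, or on another system)

def verify_archive(path: str, expected_head: str):
    """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact."""
    prev = "0" * 64
    seq = -1
    with gzip.open(path, "rt", encoding="utf-8") as f:
        for raw in f:
            rec = json.loads(raw)
            seq = rec["seq"]
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["line"]):
                return False, seq
            prev = rec["hash"]
    if prev != expected_head:
        return False, seq + 1  # truncated, or records appended after the head was recorded
    return True, None

def tamper_demo(lines=SAMPLE_LINES) -> tuple:
    """Write and verify, then rewrite one record in place and verify again."""
    path = os.path.join(tempfile.mkdtemp(), "events.jsonl.gz")
    head = write_archive(path, lines)
    before = verify_archive(path, head)
    # An intruder edits record 1 (the second failed login) to hide it.
    with gzip.open(path, "rt", encoding="utf-8") as f:
        recs = [json.loads(r) for r in f]
    recs[1]["line"] = recs[1]["line"].replace("Failed", "Accepted")
    with gzip.open(path, "wt", encoding="utf-8") as f:
        for r in recs:
            f.write(json.dumps(r) + "\n")
    after = verify_archive(path, head)
    return before, after

if __name__ == "__main__":
    print(tamper_demo())
```

The head hash is the only thing that needs protecting: as long as it is stored somewhere the archive host cannot write to, any edit, deletion or truncation of the archive is detectable at the record where it happened.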

A robust correlation and analytics engine is critical to ongoing security efforts and enables powerful real-time monitoring and rules-based alerting on the event stream. Rules can watch for multiple, seemingly minor unrelated events occurring on multiple systems across time that together represent clear indications of an impending system problem or security breach. Detecting these problems in real-time prevents or minimizes costly impact on the business.
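What such a rule looks like in code, as an added example and not EventTracker's correlation engine: one source address fails to log in on at least two different hosts within a window and then succeeds anywhere. Each host on its own sees only a handful of failed logins; only the cross-host view makes the pattern visible. The event stream, its format and the thresholds are constructed for the demo.

```python
"""Added example (not EventTracker's engine): a stateful correlation rule run
over a constructed event stream. It fires when one source fails on at least
`min_hosts` distinct hosts within `window_s` seconds and then logs in
successfully, a pattern no single host would report as more than a minor event."""
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_EVENTS = """\
2009-06-14T10:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2009-06-14T10:00:04 db01 sshd: Failed password for admin from 203.0.113.7
2009-06-14T10:00:05 web01 sshd: Failed password for jsmith from 198.51.100.9
2009-06-14T10:00:11 app02 sshd: Failed password for admin from 203.0.113.7
2009-06-14T10:00:40 app02 sshd: Accepted password for admin from 203.0.113.7
2009-06-14T10:05:00 web01 sshd: Accepted password for jsmith from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse(stream: str):
    """Yield dicts for lines matching the constructed format; skip the rest."""
    for raw in stream.splitlines():
        m = LINE_RE.match(raw)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            yield d

def correlate(stream: str, window_s: int = 60, min_hosts: int = 2):
    """Per source, keep recent failures; on a success, check how many hosts they span."""
    failures = defaultdict(list)  # src -> [(ts, host), ...]
    alerts = []
    for ev in parse(stream):
        src, ts = ev["src"], ev["ts"]
        # Expire failures that fell out of the window.
        failures[src] = [(t, h) for t, h in failures[src] if (ts - t).total_seconds() <= window_s]
        if ev["result"] == "Failed":
            failures[src].append((ts, ev["host"]))
            continue
        hosts = {h for _, h in failures[src]}
        if len(hosts) >= min_hosts:
            alerts.append({"src": src, "user": ev["user"], "success_host": ev["host"],
                           "failed_hosts": sorted(hosts), "ts": ts.isoformat()})
        failures[src].clear()
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print("ALERT", a)
```

Note that 198.51.100.9 produces no alert: its one failure is on a single host and its later success is outside the window, so the state for it is simply expired. The state kept per source is tiny, which is what makes this kind of rule workable on a live stream rather than only in batch.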

Integrated change monitoring and configuration control allows you to monitor and manage changes that occur on the Windows file system and registry, often the only clue IT staff have of zero-day and malware attacks or installation of unauthorized or unsupported software. By quickly identifying those hard-to-find changes you will enhance security, reduce system downtime, and lower overall IT costs.
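What a file-system change monitor does at its core, as an added example (not EventTracker's change-monitoring module): a baseline of per-file hashes, sizes and permission bits is diffed against a later snapshot to report added, removed and modified files. The directory tree is created in a temporary folder for the demo; registry monitoring is Windows-specific and is not covered here.

```python
"""Added example (not EventTracker's change monitor): baseline a directory
tree and diff a later snapshot against it. Modification time is deliberately
ignored, since it is trivial to forge; content hash, size and mode are not."""
import hashlib
import os
import stat
import tempfile

def snapshot(root: str) -> dict:
    """Map relative path -> (sha256, size, mode) for every regular file under root."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            out[rel] = (h.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))
    return out

def diff(baseline: dict, current: dict) -> dict:
    """Report paths that appeared, disappeared, or changed content/size/mode."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo() -> dict:
    """Build a small tree, baseline it, then drop a binary, edit a config and delete a log."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    for rel, data in (("bin/svc.exe", b"MZ\x90\x00"), ("app.conf", b"debug=0\n"), ("old.log", b"...")):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    base = snapshot(root)
    with open(os.path.join(root, "bin", "helper.dll"), "wb") as f:  # unauthorized drop
        f.write(b"MZ\x90\x00\x03")
    with open(os.path.join(root, "app.conf"), "wb") as f:          # configuration edited
        f.write(b"debug=1\n")
    os.remove(os.path.join(root, "old.log"))                        # evidence removed
    return diff(base, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline itself must be protected (stored off-host or in the same kind of integrity-protected archive the logs go into); a monitor whose baseline an intruder can rewrite reports nothing.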

A powerful report wizard enables you to create and generate meaningful reports either ad hoc or on a schedule, so that reports are generated during off-hours and distributed to subscriber lists. Look for flexibility in report delivery, such as PDF, CSV or DOC format delivered via email or RSS feed. In addition, you should be able to research the sequence of events that led to an attack or security breach and test your security improvements by playing back a saved event sequence.

Finally, evaluate solutions for long-term value rather than initial price. A vendor might offer you a great price that fits your budget initially, but what happens when your IT infrastructure grows? How will licensing scale when your log volume increases beyond the solution's capacity? Look also for hidden costs in terms of separate modules, compliance packs, storage, training and support. The last thing you need is unexpected costs that you never accounted for.

The bottom line

Limited-scope solutions may be beneficial for extremely specific requirements, but in the current economy, the investment required for such solutions is often hard to justify. Also, procuring a number of solutions to meet a variety of disparate requirements can prove a burden on shrinking staff and existing resources. In order to maximize spend, companies must purchase products that provide a wide range of functionality addressing multiple areas. SIEM solutions such as EventTracker not only provide broad capabilities that can be applied across the compliance and security use cases but also help you save hard dollars on operational costs.

Industry News

EventTracker gets 5 star review from SC Magazine
“EventTracker is a robust security information and event log management (SIEM) tool that has a lot of useful features”

SMBs often hit hardest by botnets
A small or midsize business (SMB) is ultimately a more attractive target for spammers, botnet operators, and other attackers than a home user mainly because it has a treasure trove of valuable data without the sufficient IT and security resources to protect it.

Did you know? Granular licensing, predictable pricing and modest resource requirements allow SMBs to take advantage of EventTracker’s advanced security, regulatory and operational monitoring capabilities without breaking the bank.

UC Berkeley says hacker broke into health services databases
The University of California at Berkeley Friday disclosed that hackers broke into restricted computer databases in the campus health-services center, as the university began notifying current and former Berkeley students their personal information may have been taken.

Did you know? EventTracker offers complete coverage from the server to the workstation and USB level, real-time correlation and alerting, to ensure that IT personnel are instantly notified of any suspicious activity before costly damage is caused.

100 Log Management uses #28 Web application vulnerabilities

During my recent restful vacation down in Cancun I was able to reflect a bit on a pretty atypical use of logs. This actually turned into a series of 5 entries that look at using logs to trace web application vulnerabilities using the OWASP Top 10 Vulnerabilities as a base. Logs may not get all the OWASP top 10, but there are 5 that you can use logs to look for — and by periodic review ensure that your web applications are not being hacked. This is the intro. Hope you enjoy them.

[See post to watch Flash video] -Ananth

100 Log Management Uses #27 Printer logs

Back from my vacation and back to logs and log use cases! Here is a fairly obvious one: using logs to manage printers. In this video, we look at the various events generated on Windows and what you can do with them.


Logs and forensics, a lesson in compliance and more

How logs support data forensics investigations

Novak and his team have been involved in hundreds of investigations employing data forensics.  He says log data is a vital resource in discovering the existence, extent and source of any security breach.  “Computer logs are central and pivotal components to any forensic investigation,” according to Novak.  “They are a ‘fingerprint’ that provides a record of computer and system activities that may demonstrate a data leak or security breach.”  The incriminating activities might include failed login attempts, user and system access, file uploads/downloads, database access or manipulation, access privilege modification, application system transactions, transmission of email messages or attachments, and many other common activities.

In many cases, when logs are setup and configured properly, they can tell the story of the tactics a hacker used during a breach.  They can give insight as to how advanced (or not) the hacker is, and provide an understanding of the extent of a breach by showing how long a hacker was inside the confines of the firewall.  “You can see if the unauthorized person has been in your system for five minutes or five months,” explains Novak.

Given the security insight that logs can provide, it’s no surprise that data protection regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Rules of Civil Procedure (FRCP),  the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) all mandate the requirement for logs and log management.  The information captured by logs can be used to help protect sensitive data and to support incident response and forensic analysis in the event of a suspected data breach.

Often it’s these regulations that are driving organizations to become better at log management and event correlation.  In Novak’s experience, however, many organizations do need to improve in their log monitoring and management practices.  “It’s not uncommon to find that companies collect the logs but don’t review them as closely as they should,” says Novak.  “The monitoring of logs in many instances is hampered due to the extensive amounts of good data being captured and the lack of means to properly manage or analyze that data.  As a result, if there is a breach or questionable activity, it may take weeks or months to actually detect it – if it’s detected at all.”  Novak says the lack of logs or log management can increase the cost and length of an investigation substantially.

The dimension of data correlation is critically important in the support of a forensic investigation.  Correlating data from multiple sources provides the means to substantiate other evidence sources, and logs are a good way to do that.  “We use logs to corroborate what is seen in a forensic image or, vice versa, what we see in a forensic image to what we see in logs,” says Novak.

In investigations, it’s common to use logs to play off one another to validate each other.  For example, an environment has firewall, intrusion detection system (IDS), system and application logs.  If they are properly configured, an investigator can go through all the logs and “show” that a hacker got into the network or application at a specific time.  If all the logs aren’t in agreement about the illicit activity, this could be an indication the hacker manipulated one or more of the logs to make it difficult to follow his actions.  By correlating the log data, it’s possible to determine this manipulation.
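The corroboration described above, worked through as an added example (not from the article): three constructed log sources, a firewall, an IDS and a host's authentication log, are checked against each other for the same intrusion. An alert that the IDS and firewall both carry but the host log does not is flagged, since the host log is the one an intruder with root can edit. A clock-skew tolerance is applied because sources that are not time-synchronized (see the best-practice list below) never line up to the second. Formats, addresses and the 30-second tolerance are assumptions for the demo.

```python
"""Added example (not from the article): cross-check three constructed log
sources for the same IDS alerts. Disagreement between sources is itself the
finding: a missing host-side entry suggests tampering, a missing firewall
flow suggests a clock or collection problem."""
from datetime import datetime, timedelta

# Constructed samples; all timestamps in UTC.
FIREWALL = """\
2009-06-14T02:14:03 ALLOW 203.0.113.7:51822 -> 10.0.0.5:22
2009-06-14T02:14:05 ALLOW 203.0.113.7:51823 -> 10.0.0.5:22
2009-06-14T02:31:48 ALLOW 203.0.113.7:51840 -> 10.0.0.6:22
"""
IDS = """\
2009-06-14T02:14:04 alert SSH brute force 203.0.113.7 -> 10.0.0.5
2009-06-14T02:31:49 alert SSH brute force 203.0.113.7 -> 10.0.0.6
"""
# 10.0.0.6 shows nothing around 02:31: either it never logged it, or the entry was removed.
HOST_AUTH = """\
10.0.0.5 2009-06-14T02:14:07 sshd Accepted password for root from 203.0.113.7
"""

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)

def parse_fw(text: str):
    """(ts, src_ip, dst_ip) per allowed flow; ports are dropped."""
    out = []
    for ln in text.splitlines():
        ts, _, src, _, dst = ln.split()
        out.append((_ts(ts), src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0]))
    return out

def parse_ids(text: str):
    """(ts, src_ip, dst_ip) per alert."""
    out = []
    for ln in text.splitlines():
        parts = ln.split()
        out.append((_ts(parts[0]), parts[-3], parts[-1]))
    return out

def parse_host(text: str):
    """(ts, src_ip, host_ip) per accepted login."""
    out = []
    for ln in text.splitlines():
        parts = ln.split()
        out.append((_ts(parts[1]), parts[-1], parts[0]))
    return out

def corroborate(fw, ids, host, skew=timedelta(seconds=30)):
    """For each IDS alert, say which other sources agree within the skew window."""
    findings = []
    for ts, src, dst in ids:
        near = lambda t: abs(t - ts) <= skew
        fw_ok = any(near(t) and s == src and d == dst for t, s, d in fw)
        host_ok = any(near(t) and s == src and h == dst for t, s, h in host)
        if fw_ok and not host_ok:
            verdict = "host log missing corroborating entry: possible log tampering on " + dst
        elif not fw_ok:
            verdict = "firewall has no matching flow: check clock sync or collection gap"
        else:
            verdict = "corroborated by firewall and host"
        findings.append({"ts": ts.isoformat(), "src": src, "dst": dst, "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in corroborate(parse_fw(FIREWALL), parse_ids(IDS), parse_host(HOST_AUTH)):
        print(f)
```

The skew window is the practical compromise: tight enough that unrelated flows do not corroborate each other, loose enough to absorb the few seconds of drift between sources that are not on NTP. When the drift is larger than that, fix the clocks before trusting any negative result from this kind of check.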

Log data should be viewed and treated like a primary evidence source.  Hopefully it will never be needed to investigate or validate a data breach or hacking incident.  In any event, here are some best practices that can help ensure that log data and log management practices properly support forensic investigations.

  • Have a clear corporate policy for managing logs across the entire organization.
  • Have centralized storage and retention of all logs, with everything in one place and in one format.
  • Ensure the time synchronization of logs to facilitate correlating the data and retrieving data over specific timeframes.
  • Ensure the separation of duties over logs and log management systems to protect from potential internal threats such as a super user or administrator turning off or modifying logs to conceal illicit activity.
  • Always maintain backup copies of logs.
  • Document what is being logged and why, and how the log data is captured, stored and analyzed.  Ensure that 100 percent of log-able devices and applications are captured and the data is unfiltered.
  • Have a defined retention policy that specifies the retention period across the organization for all log data.  Organizations should work with counsel to determine the best time frames and have log data incorporated into an overall data retention policy.
  • Have a defined procedure to follow after an incident.
  • Test the incident response plan, including the retrieval of backup log data from off-site storage.

If an incident or data breach is suspected, there are several steps to take right away:

  • Increase the logging capability to the maximum and consider adding a network sniffer to capture additional detail from network traffic.  In an incident, it’s better to have more data rather than less.
  • Freeze the rotation or destruction of existing logs to prevent the loss of potential evidence.
  • Get backup copies of the logs and make sure they are secure.
  • Deploy a qualified investigations team to determine the situation.

With the right care and feeding, data logs can provide solid forensic evidence in the event of a security breach or data loss.  Analyzing the logs may not make for an exciting TV drama, but it can be rewarding nonetheless.

Brian Musthaler, CISA – is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Conficker worm arms itself to steal and spam
The Conficker/Downadup worm is on the move again. After a relatively uneventful April 1, on which the worm began widening the number of Web sites that it scanned for instructions, a new Conficker variant has emerged and appears to be preparing to spam and steal information.

 Did you know? EventTracker is the only SIEM solution that comes integrated with a powerful change and configuration monitoring solution that detects zero-day attacks and helps prevent costly damage from new, emerging threats.

A lesson in compliance from the chemical industry
Events occurring in the U.S. chemical-manufacturing industry, specifically those relating to security guidelines being enforced by the federal government, are likely foreshadowing what’s next in line for other industries.

 Did you know? EventTracker provides support for the broadest set of compliance requirements among SIEM/Log Management vendors. Customizable reports and active defense in depth ensure that companies are able to comply with constantly evolving and new regulations.

In poor economy, more IT pros could turn to e-crime
In an annual security survey, sixty-six percent of respondents felt that out-of-work IT workers would be tempted to join the criminal underground, driven in part by threats to bonuses, job losses, and worthless stock options.

Did you know?  EventTracker detects in real-time suspicious activity that often precedes a security breach, and enables instant remediation before costly data theft occurs.

Some thoughts on SAAS

A few months ago I wrote some thoughts on cloud security and compliance. The other day I came across this interesting article in Network World about SaaS security and it got me thinking on the subject again. The Burton analyst quoted, Eric Maiwald, made some interesting and salient points about the challenges of SaaS security but he stopped short of explicitly addressing compliance issues. If you have a SaaS service and you are subject to any one of the myriad compliance regulations, how will you demonstrate compliance if the SaaS app is processing critical data subject to the standard? And is the vendor passing a SAS-70 audit going to satisfy your auditors and free you of any compliance requirement?

Mr. Maiwald makes a valid point that you have to take care in thinking through the security requirements and put it in the contract with the SaaS vendor. The same can also be held true for any compliance requirement, but he raises an even more critical point where he states that SaaS vendors want to offer a one size fits all offering (rightly so, or else I would put forward we would see a lot of belly-up SaaS vendors). My question then becomes how can an SME that is generally subject to compliance mandates but lacks the purchasing power to negotiate a cost effective agreement with a SaaS vendor take advantage of the benefits such services provide? Are we looking at one of these chicken and egg situations where the SaaS vendors don’t see the demand because the very customers they would serve are unable to use their service without this enabling technology? At the very least I would think that SaaS vendors would benefit from putting in the same audit capability that the other enterprise application vendors are, and making that available (maybe for a small additional fee) to their customers. Perhaps it could be as simple as user and admin activity auditing, but it seems to me a no brainer – if a prospect is going to let critical data and services go outside their control they are going to want the same visibility as they had when it resided internally, or else it becomes a non-starter until the price is driven so far down that reward trumps risk. Considering we will likely see more regulation, not less, in the future that price may well be pretty close to zero.

– Steve Lafferty

Log Monitoring – real time or bust?

As a vendor of a log management solution, we come across prospects with a variety of requirements — consistent with a variety of needs and views of approaching problems.

Recently, one prospect was very insistent on “real-time” processing. This is perfectly reasonable but as with anything, when taken to an extreme, can be meaningless. In this instance, the “typical” use case (indeed the defining one) for the log management implementation was “a virus is making its way across the enterprise; I don’t have time to search or refine or indeed any user (slow) action; I need instant notification and ability to sort data on a variety of indexes instantly”.

As vendors we are conditioned to think “the customer is always right” but I wonder if the requirement is reasonable or even possible. Given specifics of a scenario, I am sure many vendors can meet the requirement — but in general? Not knowing which OS, which attack pattern, how logs are generated/transmitted?

I was reminded again by this blog by Bejtlich in which he explains that “If you only rely on your security products to produce alerts of any type, or blocks of any type, you will consistently be “protected” from only the most basic threats.”

While real-time processing of logs is a perfectly reasonable requirement, retrospective security analysis is the only way to get a clue as to attack patterns and therefore a defense.


100 Log Management uses #26 MS debug logs-Part II

Today is a continuation of our earlier look at Microsoft debug logs. Today we are going to look at logs from the Time and Task Scheduler services.

-By Ananth

100 Log Management uses #25 MS debug logs

MS debug logs. Pretty arcane stuff, but sysadmins occasionally need to get deep into OS services such as Group Policy to debug problems in the OS. Logging for most of these types of services has to be turned on in the registry, as there is generally a performance penalty. We are going to look at a few examples over the next couple of days. Today we look at logs that are important on some older operating systems, while next time we look at services such as Time and Task Scheduler that are really most useful in the later Microsoft versions.

-By Ananth

100 Log Management uses #24 404 errors

Today’s log tip is a case of a non-obvious, but valuable, use of log collection. Web server logs provide lots of good information for web developers; today we look at some of the interesting information contained in 404 errors.

-By Ananth

The blind spot of mobile computing detecting a hack attempt and more

Overcoming the blind spot of mobile computing

For many organizations, mobile computing has become a strategic approach to improve productivity for sales professionals, knowledge workers and field personnel.  As a result, the Internet has become an extension of the corporate network.  Mobile and remote workers use the Internet as the means to access applications and resources that previously were only available to “in-house” users – those who are directly connected to the corporate network.

Managing laptops and other portable devices such as smart phones and PDAs can be a real challenge for any organization.  Because these devices aren’t continuously connected to the corporate network in a secure manner, they pose a large security risk.   Once a mobile device is disconnected from the network, there is limited visibility to IT operations on the device.  For example, it’s difficult to tell if the device has its firewall engaged, the anti-virus signatures are up to date, or the operating system has all the necessary security patches.  What’s more, a disconnected device can’t “phone home” to provide the central systems management application with its log and intrusion detection system data.

Further exacerbating this challenge is the vast array of mobile devices with their unique mobile operating systems.  Depending on the manufacturer and brand, PDAs and smart phones use everything from Windows Mobile to Symbian OS.  Other popular mobile operating systems in play today include BlackBerry OS, Mac OS X, Palm OS, and various flavors of mobile Linux.  Moreover, the devices have diverse and often proprietary event logs.  It’s almost pure chaos for the IT department that is anxious to receive operational information from the devices to know if there are security events that can pose a risk to the individual devices, or worse, to the corporate network when the devices do connect again.  Unfortunately, there are no common methods of collecting, consolidating and reviewing these mobile device logs today.

Stephen Northcutt, president of the SANS Technology Institute, says this lack of mobile device log data creates a blind spot in the overall detective controls provided by log analysis.  This blind spot is a critical issue during forensic analysis when attempting to determine the source of an actual data breach or even in determining if attempts have been made to hack or corrupt a mobile device.

Without log data, organizations will have reduced situational awareness and difficulty in supporting device and application status reporting, the troubleshooting of problems with applications and equipment, incident response, and forensic investigation.

Knowing that you will not have this situational awareness of what is happening to mobile devices when they are not connected to the network, what can be done to improve the security of mobile devices and the data they hold?

First of all, recognize that log data management and analysis is just one part of a “controlled” mobility strategy and the overall IT system of internal controls, albeit an important one.  While a continuous feed of log data of mobile devices is highly desired and would be great to have, all is not lost without it.  When these devices do connect to the network, you can retrieve whatever log data is “available” and capable of being read in order to collect information on the software, hardware and security applications located on mobile devices.  This information can be used to support your compliance requirements, if nothing else.  You can show, for example, that a group of laptops all had a personal firewall and anti-virus software, and that the anti-virus DAT files were updated at a certain time.

Second, assess the risks associated with the data and devices that you are attempting to protect.  It should be part of an organization’s overall data protection process to identify data which is critical or sensitive and to develop and implement the appropriate policies and procedures concerning the use and care of that data.  Where mobile computing is concerned, the biggest risks are when the information is in motion (i.e., moving to/from the outside world via the Internet) or at the endpoints of the network (i.e., on mobile PCs, on USB devices, on external drives, or on other highly mobile devices such as smart phones and PDAs).

Third, implement strong preventative controls that assure secure communications, force encryption of sensitive data, and provide automated processes to manage the mobile platform.   There are numerous mobile device management products and services you can use to apply timely security patches and software updates; prevent an infected device from attaching to the network; back up or encrypt sensitive information; ensure that corporate policies are enforced, and so on.

By taking these and other steps required based on unique business risk, your organization can feel more comfortable about your mobile computing security posture, as well as your ability to demonstrate that the mobile devices connected to the enterprise network are in compliance with corporate security policies at the time that they are both on and off the network.

Brian Musthaler, CISA – is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Get it free: Full-featured search engine for all log data
…A tip for any systems administrator who has had to dig through old log files, searching for clues about an event that happened on the network. Maybe it was a server configuration change, or an intrusion attempt, or a hardware device sending signals that it’s about to fail.

Workers stealing company data
Six out of every ten employees stole company data when they left their job last year, said a study of US workers. 24% could still access data after leaving the company

Did you know? EventTracker’s advanced user activity and USB monitoring provides in-depth protection from internal theft or inadvertent data loss without clamping down on normal usage.

Heartland breach bad as Tylenol poisonings?
Heartland Payment Systems stock (HPY) was hit hard in the wake of what is being described as the biggest single breach of consumer and financial data security ever. The company issued statements Friday (1/23) in an effort at damage control in which the CEO compares the potential industry-wide impact of the breach to none other than that of the Tylenol poisonings of some twenty-five years ago that nearly brought down the drug maker.

Did you know? EventTracker detects in real-time suspicious activity that often precedes a security breach, and enables instant remediation before costly data theft occurs.

Considering a SIEM solution? Read this first
Cutting through SIEM vendor hype: SIEM solutions are optimized for different use cases and one size never fits all. The good news is that with the number of potential solutions to choose from, if you do your homework, you will find a product that meets your requirements.

Prism Microsystems named finalist in the 2009 CODiE awards
EventTracker recognised as top performer in the data security category; finalist selection made from over 850 nominations submitted by 600 companies.

100 Log Management uses #23 Server shutdown

Today we look at monitoring server shutdowns. Typically I would recommend that you set up an alert from your log management solution that immediately notifies you if any critical production server is shut down or restarted, but even for non-critical servers it is wise to check on occasion what is going on. I do it on a weekly basis. Servers shutting down can happen normally (Windows Update, maintenance, etc.), but can also indicate crashes and instability in the machine or someone simply screwing around; by eyeballing a short report (it should be short) you will be able to quickly see any odd patterns.

100 Log Management uses #22 After hours login

Today we use logs to do a relatively easy check for unusual activity – in this case after hours log-ons. If your organization is mostly day shift, for example, your typical users will not be logging in after hours and if they are this is something worth checking out. This kind of simple analysis is a quick and easy way to look for unusual patterns of activity that could indicate a security problem.

-By Ananth

100 Log Management uses #21 File deletes

Today’s use case is a good one. Windows makes it very hard and resource expensive to track file deletes, but there are certain directories (like in our case, our price and sales quote folders), where files should not be deleted from. Making use of Object Access Auditing and a good log analysis solution you can pull a lot of valuable information from the logs that indicate unwarranted file deletions.

– By Ananth
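The three review checks from the shutdown, after-hours logon and file-delete entries above, run over constructed Windows event records, as an added example and not EventTracker's reports. Records are plain dictionaries whose keys follow the Windows event XML field names (EventID, TimeCreated, Computer, TargetUserName, LogonType, ObjectName, AccessMask). The event IDs are the standard ones: 1074 for an initiated shutdown/restart, 6008 for an unexpected shutdown, 4624 for a successful logon, 4663 for object access with the DELETE bit (0x10000) in the access mask. Business hours, the maintenance window, the list of critical hosts and the watched shares are assumptions to adjust per site.

```python
"""Added example (not EventTracker reports): three periodic review checks over
constructed Windows event records. Thresholds below are assumptions."""
from datetime import datetime, time

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed day shift
MAINT_WINDOW = (time(2, 0), time(4, 0))       # assumed patch window
CRITICAL = {"SQL01", "DC01"}                  # assumed critical production hosts
WATCHED = ("\\\\fs01\\quotes\\", "\\\\fs01\\pricing\\")  # assumed protected shares
DELETE = 0x10000                              # DELETE bit in a 4663 AccessMask

EVENTS = [  # constructed records; 2009-06-14 is a Sunday
    {"EventID": 1074, "TimeCreated": "2009-06-13T03:10:00", "Computer": "SQL01", "SubjectUserName": "SYSTEM", "Reason": "Windows Update"},
    {"EventID": 1074, "TimeCreated": "2009-06-16T14:22:11", "Computer": "SQL01", "SubjectUserName": "jdoe", "Reason": "Other (Unplanned)"},
    {"EventID": 6008, "TimeCreated": "2009-06-17T08:01:30", "Computer": "WEB03", "Reason": ""},
    {"EventID": 4624, "TimeCreated": "2009-06-15T09:05:12", "Computer": "WS-044", "TargetUserName": "asmith", "LogonType": 2},
    {"EventID": 4624, "TimeCreated": "2009-06-15T23:41:02", "Computer": "DC01", "TargetUserName": "asmith", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2009-06-14T11:00:00", "Computer": "DC01", "TargetUserName": "bkupsvc", "LogonType": 5},
    {"EventID": 4663, "TimeCreated": "2009-06-15T16:30:00", "Computer": "FS01", "SubjectUserName": "jdoe", "ObjectName": "\\\\fs01\\quotes\\Q-2009-0142.pdf", "AccessMask": 0x10080},
    {"EventID": 4663, "TimeCreated": "2009-06-15T16:31:00", "Computer": "FS01", "SubjectUserName": "jdoe", "ObjectName": "\\\\fs01\\quotes\\Q-2009-0143.pdf", "AccessMask": 0x1},
    {"EventID": 4663, "TimeCreated": "2009-06-15T16:32:00", "Computer": "FS01", "SubjectUserName": "jdoe", "ObjectName": "C:\\Temp\\scratch.txt", "AccessMask": 0x10000},
]

def _t(ev) -> datetime:
    return datetime.fromisoformat(ev["TimeCreated"])

def _in(window, t: time) -> bool:
    return window[0] <= t <= window[1]

def suspicious_shutdowns(events):
    """6008 is always worth a look; 1074 on a critical host outside the patch window too."""
    out = []
    for ev in events:
        if ev["EventID"] == 6008:
            out.append((ev["Computer"], "unexpected shutdown (6008)"))
        elif ev["EventID"] == 1074 and ev["Computer"] in CRITICAL and not _in(MAINT_WINDOW, _t(ev).time()):
            out.append((ev["Computer"], f"restart by {ev['SubjectUserName']} outside maintenance window"))
    return out

def after_hours_logons(events):
    """Interactive (2) and RDP (10) logons only; service and batch logons run at all hours."""
    out = []
    for ev in events:
        if ev["EventID"] != 4624 or ev["LogonType"] not in (2, 10):
            continue
        t = _t(ev)
        if t.weekday() >= 5 or not _in(BUSINESS_HOURS, t.time()):
            out.append((ev["TargetUserName"], ev["Computer"], ev["TimeCreated"]))
    return out

def watched_deletes(events):
    """4663 with the DELETE bit set on an object under a watched share."""
    return [(ev["SubjectUserName"], ev["ObjectName"]) for ev in events
            if ev["EventID"] == 4663 and ev["AccessMask"] & DELETE
            and ev["ObjectName"].lower().startswith(tuple(w.lower() for w in WATCHED))]

if __name__ == "__main__":
    print(suspicious_shutdowns(EVENTS))
    print(after_hours_logons(EVENTS))
    print(watched_deletes(EVENTS))
```

Two details matter in practice. Filtering 4624 on logon type is what keeps the after-hours report short: service (5) and batch (4) logons fire around the clock and would bury the one interactive logon at 23:41. And 4663 reports an access attempt with the DELETE right requested; pair it with 4660 (object deleted) when you need to confirm the delete actually happened rather than merely being requested.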

Famous Logs

The Merriam Webster dictionary defines a log as “a record of performance, events, or day-to-day activities”. Though we think of logs in the IT context, over the years many famous logs have been written. Here are some of my favorites:

Dr Watson who logged the cases of Sherlock Holmes

The Journals of Lewis and Clark, one of the greatest voyages of discovery in human history.

The Motorcycle Diaries: Notes on a Latin American Journey

Fictional Prof. Pierre Aronnax chronicled the fantastic travels of Capt. Nemo in Jules Verne’s 20,000 Leagues Under the Sea

Diary of a Young Girl by Anne Frank, a vivid, insightful journal and one of the most moving and eloquent documents of the Holocaust.

Personal logs from captains of the Enterprise (Kirk, Picard, Janeway).

Samuel Pepys, the renowned 17th century diarist who lived in London, England.

The record by Charles Darwin, of his trip on the HMS Beagle

Bridget Jones’s Diary by Helen Fielding


100 Log Management uses #20 Solaris BSM system boots

Today is another Solaris BSM example. The Basic Security Module of Solaris audits all system boots, and it is good practice to have checks in place to ensure that these critical systems are only being restarted at the correct times. Any unexpected activity is something that should be investigated.

– By Ananth

100 Log Management uses #19 Account Management

Today’s look at logs illustrates a typical use case of using logs to review for unexpected behavior. Within Active Directory you have users and groups that are created, deleted and modified. It is always a good idea to go in and review the activities of your domain admins just to be sure that it matches what you feel should be occurring. If it differs it is something to investigate further.

– By Ananth