Compromise to discovery


The Verizon Business Risk Team publishes a useful Data Breach Investigations Report drawn from over 500 forensic engagements over a four-year period.

The report describes a “Time Span of Breach” event broken into four stages of an attack. These are:

– Pre-Attack Research
– Point of Entry to Compromise
– Compromise to Discovery
– Discovery to Containment

The top two are under the control of the attacker; the rest are under the control of the defender. Log management is particularly useful in discovery. So what does the 2008 version of the DBIR show about the time between Compromise and Discovery? Months. Sigh. Worse yet, in 70% of the cases, Discovery meant the victim being notified by someone else.

Conclusion? Most victims do not have sufficient visibility into their own networks and equipment.

It’s not hard but it is tedious. The tedium can be relieved, for the most part, by a one-time setup and configuration of a log management system. Perhaps not the most exciting project you can think of but hard to beat for effectiveness and return on investment.

Ananth

100 Log Management uses #30 Detecting Web Injection Attacks


Today’s Log Management use case continues our look at web vulnerabilities from the OWASP website. We will look at vulnerability A2, injection, and at how injection techniques, particularly SQL injection, can be detected by analyzing web server log files.

By Ananth

100 Log Management uses #29 Detecting XSS attacks


Today we begin our series on web vulnerabilities. The number 1 vulnerability on the OWASP list is cross-site scripting, or XSS. XSS seems to have replaced SQL injection as the new favorite of web attackers. We look at using web server logs to detect signs of XSS attacks.

-Ananth
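
As an added example serving both #29 (XSS) and #30 (injection), and not code from the original posts or from EventTracker: a small Python scanner that parses constructed combined-format web server log lines, decodes each request URL once and flags requests matching simple SQL injection and XSS signatures. The log format, the signatures and the sample lines are assumptions; tune the signatures to your own applications.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in Apache/IIS-style combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:01:13 -0500] "GET /products.asp?id=17 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2009:10:02:44 -0500] "GET /products.asp?id=17%27%20OR%201%3D1-- HTTP/1.1" 500 312
10.0.0.9 - - [12/Mar/2009:10:03:02 -0500] "GET /search.asp?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048
10.0.0.7 - - [12/Mar/2009:10:04:10 -0500] "GET /login.asp?user=admin%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 298
10.0.0.5 - - [12/Mar/2009:10:05:01 -0500] "GET /about.asp HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')

# Illustrative signatures applied to the decoded URL; expect false positives until tuned.
SIGNATURES = [
    ("sqli", re.compile(r"'\s*(or|and)\b|union\s+(all\s+)?select|--\s*$|;\s*(drop|exec|xp_)", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|on(load|error|mouseover)\s*=|<\s*iframe", re.I)),
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None                      # not an access-log line we understand
    rec = m.groupdict()
    # One decode pass so percent-encoded payloads are inspected in the clear.
    # Double-encoded input survives this, so also watch for bursts of 5xx responses.
    rec["decoded_url"] = unquote_plus(rec["url"])
    return rec

def classify(decoded_url):
    return [label for label, rx in SIGNATURES if rx.search(decoded_url)]

def scan_log(text):
    hits = []                            # one record per flagged request, in log order
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = classify(rec["decoded_url"])
        if labels:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": int(rec["status"]),
                         "url": rec["decoded_url"], "labels": labels})
    return hits

def hits_by_ip(hits):
    # Flagged requests per source address, so the noisiest client stands out in a report.
    return Counter(h["ip"] for h in hits)
```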

EventTracker gets 5 star review; 100 Log Management uses and more


Have your cake and eat it too: improve IT security and comply with multiple regulations while reducing operational costs and saving money

Headlines don’t lie. The number and severity of security breaches suffered by companies has consistently increased over the past couple of years, and statistics show that 9 out of 10 businesses will suffer an attack on their corporate network in 2009.

100 Log Management uses #28 Web application vulnerabilities


During my recent restful vacation down in Cancun I was able to reflect a bit on a pretty atypical use of logs. This actually turned into a series of 5 entries that look at using logs to trace web application vulnerabilities, using the OWASP Top 10 Vulnerabilities as a base. Logs may not catch all of the OWASP top 10, but there are 5 that you can use logs to look for — and by periodic review ensure that your web applications are not being hacked. This is the intro. Hope you enjoy them.

-Ananth

100 Log Management Uses #27 Printer logs


Back from my vacation and back to logs and log use cases! Here is a fairly obvious one — using logs to manage printers. In this video, we look at the various events generated on Windows and what you can do with them.

-Ananth

Logs and forensics, a lesson in compliance and more


How logs support data forensics investigations

Novak and his team have been involved in hundreds of investigations employing data forensics. He says log data is a vital resource in discovering the existence, extent and source of any security breach. “Computer logs are central and pivotal components to any forensic investigation,” according to Novak. “They are a ‘fingerprint’ that provides a record of computer and system activities that may demonstrate a data leak or security breach.” The incriminating activities might include failed login attempts

Some thoughts on SAAS


A few months ago I wrote some thoughts on cloud security and compliance. The other day I came across this interesting article in Network World about SaaS security and it got me thinking on the subject again. The Burton analyst quoted, Eric Maiwald, made some interesting and salient points about the challenges of SaaS security, but he stopped short of explicitly addressing compliance issues. If you have a SaaS service and you are subject to any one of the myriad compliance regulations, how will you demonstrate compliance if the SaaS app is processing critical data subject to the standard? And is the vendor passing a SAS-70 audit going to satisfy your auditors and free you of any compliance requirement?

Mr. Maiwald makes a valid point that you have to take care in thinking through the security requirements and put them in the contract with the SaaS vendor. The same holds true for any compliance requirement, but he raises an even more critical point where he states that SaaS vendors want to offer a one-size-fits-all offering (rightly so, or else I would put forward that we would see a lot of belly-up SaaS vendors). My question then becomes: how can an SME that is generally subject to compliance mandates, but lacks the purchasing power to negotiate a cost-effective agreement with a SaaS vendor, take advantage of the benefits such services provide? Are we looking at one of these chicken-and-egg situations where the SaaS vendors don’t see the demand because the very customers they would serve are unable to use their service without this enabling technology?

At the very least I would think that SaaS vendors would benefit from putting in the same audit capability that other enterprise application vendors are, and making that available (maybe for a small additional fee) to their customers. Perhaps it could be as simple as user and admin activity auditing, but it seems to me a no-brainer – if a prospect is going to let critical data and services go outside their control they are going to want the same visibility as they had when it resided internally, or else it becomes a non-starter until the price is driven so far down that reward trumps risk. Considering we will likely see more regulation, not less, in the future, that price may well be pretty close to zero.

– Steve Lafferty

Log Monitoring – real time or bust?


As a vendor of a log management solution, we come across prospects with a variety of requirements — consistent with a variety of needs and views of approaching problems.

Recently, one prospect was very insistent on “real-time” processing. This is perfectly reasonable but as with anything, when taken to an extreme, can be meaningless. In this instance, the “typical” use case (indeed the defining one) for the log management implementation was “a virus is making its way across the enterprise; I don’t have time to search or refine or indeed any user (slow) action; I need instant notification and ability to sort data on a variety of indexes instantly”.

As vendors we are conditioned to think “the customer is always right”, but I wonder if the requirement is reasonable or even possible. Given the specifics of a scenario, I am sure many vendors can meet the requirement — but in general? Not knowing which OS, which attack pattern, or how logs are generated and transmitted?

I was reminded of this again by a blog post by Bejtlich in which he explains that “If you only rely on your security products to produce alerts of any type, or blocks of any type, you will consistently be “protected” from only the most basic threats.”

While real-time processing of logs is a perfectly reasonable requirement, retrospective security analysis is the only way to get a clue as to attack patterns and therefore a defense.

Ananth

100 Log Management uses #26 MS debug logs-Part II


Today is a continuation of our earlier look at Microsoft debug logs. Today we are going to look at logs from the Time and Task Scheduler services.

-By Ananth

100 Log Management uses #25 MS debug logs


MS debug logs. Pretty arcane stuff, but sysadmins occasionally need to get deep into OS services such as Group Policy to debug problems in the OS. Logging for most of these services has to be turned on in the registry, as there is generally a performance penalty. We are going to look at a few examples over the next couple of days. Today we look at logs that are important on some older operating systems, while next time we look at services such as Time and Task Scheduler that are really most useful in the later Microsoft versions.

-By Ananth

100 Log Management uses #24 404 errors


Today’s log tip is a case of a non-obvious, but valuable, use of log collection. Web server logs provide lots of good information for web developers; today we look at some of the interesting information contained in 404 errors.

-By Ananth

The blind spot of mobile computing detecting a hack attempt and more


Overcoming the blind spot of mobile computing

For many organizations, mobile computing has become a strategic approach to improve productivity for sales professionals, knowledge workers and field personnel. As a result, the Internet has become an extension of the corporate network. Mobile and remote workers use the Internet as the means to access applications and resources that previously were only available to “in-house” users – those who are directly connected to the corporate network.

100 Log Management uses #23 Server shutdown


Today we look at monitoring server shutdowns. Typically I would recommend that you set up an alert from your log management solution that immediately alerts you if any critical production server is shut down or restarted, but even for non-critical servers it is wise to check on occasion what is going on. I do it on a weekly basis — servers shutting down can happen normally (Windows Update, maintenance, etc.), but can also indicate crashes and instability in the machine or someone simply screwing around; and by eyeballing a short report (it should be short) you will be able to quickly see any odd patterns.

100 Log Management uses #22 After hours login


Today we use logs to do a relatively easy check for unusual activity – in this case after hours log-ons. If your organization is mostly day shift, for example, your typical users will not be logging in after hours and if they are this is something worth checking out. This kind of simple analysis is a quick and easy way to look for unusual patterns of activity that could indicate a security problem.

-By Ananth
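
As an added example (not code from the original post or from EventTracker), the after-hours check above in Python: it reads a constructed CSV export of successful Windows logon events and flags every logon outside an assumed day-shift window or on a weekend, skipping assumed service accounts. It goes slightly beyond the post by also handling a business window that wraps midnight, for sites that run a night shift. The CSV layout, event ID 4624, the window and the exempt account list are assumptions.

```python
import csv
from datetime import datetime, time
from io import StringIO

# Constructed export of successful logon events (Windows event 4624) from a domain
# controller, local time, not real data. Logon type 2 = interactive, 5 = service, 10 = RDP.
SAMPLE_CSV = """\
timestamp,event_id,user,workstation,logon_type
2009-03-09 08:55:12,4624,jsmith,WS-0412,2
2009-03-09 12:30:01,4624,svc_backup,BACKUP01,5
2009-03-09 19:45:33,4624,jsmith,WS-0412,2
2009-03-10 02:12:07,4624,bjones,WS-0317,10
2009-03-10 09:00:00,4624,bjones,WS-0317,2
2009-03-14 10:05:00,4624,mlee,WS-0220,2
"""

BUSINESS_START = time(7, 0)     # assumed day-shift window, local time
BUSINESS_END = time(19, 0)
WORKDAYS = {0, 1, 2, 3, 4}      # Monday..Friday
EXEMPT_USERS = {"svc_backup"}   # assumed: service accounts expected to log on around the clock

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def is_after_hours(ts, start=BUSINESS_START, end=BUSINESS_END, workdays=WORKDAYS):
    """True when the logon is on a non-workday or outside the [start, end) window."""
    if ts.weekday() not in workdays:
        return True
    t = ts.time()
    if start <= end:
        inside = start <= t < end
    else:                        # window wraps midnight, e.g. a night shift 22:00-06:00
        inside = t >= start or t < end
    return not inside

def find_after_hours_logons(csv_text, **window):
    """Return (timestamp, user, workstation, logon_type) for every flagged logon."""
    flagged = []
    for row in csv.DictReader(StringIO(csv_text)):
        if row["user"] in EXEMPT_USERS:
            continue
        if is_after_hours(parse_ts(row["timestamp"]), **window):
            flagged.append((row["timestamp"], row["user"], row["workstation"], int(row["logon_type"])))
    return flagged

def by_user(flagged):
    """Group flagged logons per account so repeat after-hours users stand out in the report."""
    report = {}
    for ts, user, ws, ltype in flagged:
        report.setdefault(user, []).append((ts, ws, ltype))
    return report
```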

100 Log Management uses #21 File deletes


Today’s use case is a good one. Windows makes it very hard and resource expensive to track file deletes, but there are certain directories (like in our case, our price and sales quote folders), where files should not be deleted from. Making use of Object Access Auditing and a good log analysis solution you can pull a lot of valuable information from the logs that indicate unwarranted file deletions.

– By Ananth
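
As an added example (not code from the original post or from EventTracker), one way to do the file-delete check above in Python, using the Object Access Auditing events that Windows Vista and Server 2008 and later emit: event 4656 (handle requested) names the object and its handle ID, while event 4660 (object deleted) carries only the handle ID, so the two are joined on the handle to name what was deleted. The protected folders, the reduced record layout and the sample events are assumptions, and a production version would also match on Process ID since handle IDs are per process.

```python
# Constructed Windows Security audit records, reduced to the fields this check needs (not real data).
SAMPLE_EVENTS = [
    {"ts": "2009-03-11 09:12:01", "id": 4656, "user": "jsmith", "handle": "0x3a4",
     "object": "\\\\FS01\\Quotes\\Q-1042.xls", "access": "DELETE"},
    {"ts": "2009-03-11 09:12:01", "id": 4660, "user": "jsmith", "handle": "0x3a4"},
    {"ts": "2009-03-11 09:15:30", "id": 4656, "user": "bjones", "handle": "0x3b0",
     "object": "\\\\FS01\\Public\\notes.txt", "access": "DELETE"},
    {"ts": "2009-03-11 09:15:30", "id": 4660, "user": "bjones", "handle": "0x3b0"},
    {"ts": "2009-03-11 09:20:00", "id": 4656, "user": "mlee", "handle": "0x3c2",
     "object": "\\\\FS01\\Quotes\\Q-1043.xls", "access": "ReadData"},
    {"ts": "2009-03-11 09:20:02", "id": 4660, "user": "mlee", "handle": "0x3f0"},  # no matching 4656
]

# Folders where nothing should ever be deleted (assumed paths; compared case-insensitively).
PROTECTED = ("\\\\FS01\\Quotes\\", "\\\\FS01\\PriceLists\\")

def is_protected(path, protected=PROTECTED):
    p = path.upper()
    return any(p.startswith(root.upper()) for root in protected)

def find_protected_deletes(events, protected=PROTECTED):
    """Join each 4660 deletion to the 4656 open that named the object; return (hits, orphans)."""
    open_handles = {}      # handle ID -> most recent 4656; handle IDs are reused, so keep only the latest
    hits, orphans = [], []
    for ev in events:
        if ev["id"] == 4656:
            open_handles[ev["handle"]] = ev
        elif ev["id"] == 4660:
            opened = open_handles.pop(ev["handle"], None)
            if opened is None:
                orphans.append(ev)     # deletion we cannot name: report it rather than drop it
            elif is_protected(opened["object"], protected):
                hits.append({"ts": ev["ts"], "user": ev["user"], "object": opened["object"]})
    return hits, orphans

def report(events):
    """Human-readable lines for the weekly review: named protected deletes first, then unnamed ones."""
    hits, orphans = find_protected_deletes(events)
    lines = ["%s %s deleted %s" % (h["ts"], h["user"], h["object"]) for h in hits]
    lines += ["%s %s deleted an object with no recorded open (handle %s)"
              % (o["ts"], o["user"], o["handle"]) for o in orphans]
    return lines
```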

Famous Logs


The Merriam Webster dictionary defines a log as “a record of performance, events, or day-to-day activities”. Though we think of logs in the IT context, over the years many famous logs have been written. Here are some of my favorites:

Dr. Watson, who logged the cases of Sherlock Holmes

The Journals of Lewis and Clark, one of the greatest voyages of discovery in human history.

The Motorcycle Diaries: Notes on a Latin American Journey

The fictional Prof. Pierre Aronnax, who chronicled the fantastic travels of Capt. Nemo in Jules Verne’s 20,000 Leagues Under the Sea

Diary of a Young Girl by Anne Frank, a vivid, insightful journal and one of the most moving and eloquent documents of the Holocaust.

Personal logs from captains of the Enterprise (Kirk, Picard, Janeway).

Samuel Pepys, the renowned 17th century diarist who lived in London, England.

The record by Charles Darwin of his voyage on the HMS Beagle

Bridget Jones’s Diary by Helen Fielding

Ananth

100 Log Management uses #20 Solaris BSM system boots


Today is another Solaris BSM example. The Basic Security Module of Solaris audits all system boots, and it is good practice to have checks in place to ensure that these critical systems are only being restarted at the correct times. Any unexpected activity is something that should be investigated.

– By Ananth

100 Log Management uses #19 Account Management


Today’s look at logs illustrates a typical use case of using logs to review for unexpected behavior. Within Active Directory you have users and groups that are created, deleted and modified. It is always a good idea to go in and review the activities of your domain admins just to be sure that it matches what you feel should be occurring. If it differs it is something to investigate further.

– By Ananth

100 Log Management uses #18 Account unlock by admin


Today we look at something a little different – reviewing admin activity for unlocking accounts. Sometimes a lockout occurs simply because a user has fat fingers, but often accounts are locked on purpose, and unlocking one of these should be reviewed to see why.

100 Log Management uses #17 Monitoring Solaris processes


The Solaris operating system has some interesting daemons that warrant paying attention to. Today’s log use case examines monitoring processes like sendmail, auditd and sadm, to name a few.

Security threats rise in recession Comply secure and save with Log Management


How LM / SIEM plays a critical role in the integrated system of internal controls

Many public companies are still grappling with the demands of complying with the Sarbanes-Oxley Act of 2002 (SOX). SOX Section 404 dictates that audit functions are ultimately responsible for ensuring that financial data is accurate. One key aspect of proof is the absolute verification that sufficient control has been exercised over the corporate network where financial transactions are processed and records are held.

100 Log Management uses #16 Patch updates


I recorded this Wednesday — the day after patch Tuesday, so fittingly, we are going to look at using logs to monitor Windows Updates. Not being up to date on the latest patches leaves security holes but with so many machines and so many patches it is often difficult to keep up with them all. Using logs helps.

100 Log Management uses #15 Pink slip null


Today is a depressing log discussion but certainly a sign of the times. When companies are going through reductions in force, IT is called upon to ensure that the company’s IP is protected. This means that personnel no longer with the company should no longer have access to corporate assets. Today we look at using logs to monitor for any improper access.

-Ananth

100 Log Management uses #14 SQL login failure


Until now, we have been looking mostly at system, network and security logs. Today, we shift gears and look at database logs, more specifically user access logs in SQL Server.

-By Ananth

100 Log Management uses #13 Firewall traffic analysis


Today, we stay on the subject of Firewalls and Cisco PIX devices in particular. We’ll look at using logs to analyze trends in your firewall activity to quickly spot anomalies.

-By Ananth

100 Log Management uses #12 Firewall management


Today’s and tomorrow’s posts look at your firewall. There should be few changes to your firewall and even fewer people making those changes. Changing firewall permissions is likely the easiest way to open up the most glaring security hole in your enterprise. It pays to closely monitor who makes changes and what the changes are, and today we’ll show you how to do that.

-By Ananth

100 Log Management uses #11 Bad disk blocks


I often get the feeling that one of these days I am going to fall victim to disk failure. Sure, most times it is backed up, but what a pain. And it always seems as though the backup was done right before you made those modifications yesterday. Monitoring bad disk blocks on devices is an easy way to get an indication that you have a potential problem. Today’s use case looks at this activity.

– By Ananth

100 Log Management uses #10 Failed access attempts


Today we are going to look at a good security use case for logs – reviewing failed attempts to access shares. Sometimes an attempt to access directories or shares is simply clumsy typing, but often it is an attempt by internal users or hackers to snoop in places they have no need to be.

100 Log Management uses #9 Email trends


Email has become one of the most important communication methods for businesses — for better or worse! Today we look at using logs from an ISP mail service to get a quick idea of overall trends and availability. Hope you enjoy it.

-By Ananth