The Key Difference between “Account Logon” and “Logon/Logoff” Events in the Windows Security Log

An area of audit logging that is often confusing is the difference between two categories in the Windows security log: Account Logon events and Logon/Logoff events. These two categories are related but distinct, and the similarity in the naming convention contributes to the confusion. That being said, what is the difference between authentication and logon? […]

Read more

The View from the Trenches

Noticed the raft of headlines about break-ins at companies? If you did, that is the proverbial tip of the iceberg. Why? Think about the hammering that Sony took on the Playstation hack or how RSA will never live down the loss of golden keys and the subsequent attack at Lockheed. Victims overwhelmingly prefer to keep quiet. If there is […]

Read more

Virtualization Security: What are the Real World Risks?

There’s been a lot of recent hype about security risks with the rise of virtualization, but much of it is vague and short on specifics. There is also an assumption that all the security available on a physical server simply disappears when it migrates to being a virtual machine. This is not true. A virtual […]

Read more

Automating Review and Response to Security Events

The next significant horizon in audit log management will be the automation of the review and response tasks associated with security events. Currently, log management SIEM solutions are expected to scour logs, identify high-impact changes or other suspicious activity, and simply send out an alert. It requires the intercession of a person to assess the […]

Read more

Security Logging as a Detective and Deterrent Control Against Rogue Admins

Intrusion detection and compliance are the focus of log management, SIEM and security logging. But security logs, when managed correctly are also the only control over rogue admins. Once root or admin authority has been given to, or acquired by, a user, there is little they cannot do: with admin authority, they can circumvent access or authorization […]

Read more

Come on Feel the Noise

It’s the line from a song in the 70’s, but quite apt when it comes to describing the Windows security log. There’s no getting around the fact that there are a lot of useless and inexplicable events in the Security log, and the sooner you get comfortable with that the sooner you’ll save your sanity […]

Read more

The Art of Detecting Malicious Activity with Logs

Randy Franklin Smith compares methods for detecting malicious activity from logs including monitoring for high impact changes, setting up tripwires and anomalous changes in activity levels. Security standards and auditors make much of reviewing logs for malicious activity. I am frequently asked what event signatures are indicative of intrusions: “What are the top Event IDs […]

Read more

Logs for Insider Abuse Investigations

Introduction In most previous newsletters, we have discussed the use of logging for various regulatory mandates (such as PCI DSS, HIPAA and FISMA) as well as the use of logs for incident response and malicious software tracking. This log data can also be incredibly useful for detecting and investigating insider abuse and internal attacks. While […]

Read more

Logs vs Bots and Malware Today

Despite the fact that security industry has been fighting malicious software – viruses, worms, spyware, bots and other malware since the late 1980s, malware still represents one of the key threat factors for organizations today. While silly viruses of the 1990s and noisy worms (Blaster, Slammer, etc.) of the early 2000’s have been replaced by […]

Read more

Log review for incident response; EventTracker Excels in UNIX Challenge

Log Review for Incident Response: Part 2 From all the uses for log data across security, compliance and operations (see, for example, LogTalk: 100 Uses for Log Management #67: Secure Auditing – Solaris), using logs for incident response presents a truly universal scenario: you can be forced to use logs for incident response at any moment […]

Read more

Detecting Zeus, Logging for incident response, and more

Logging for Incident Response: Part 1 – Preparing the Infrastructure From all the uses for log data across the spectrum of security, compliance, and operations, using logs for incident response presents a truly universal scenario –you can be forced to use logs for incident response at any moment, whether you’re prepared or not. An incident […]

Read more

EventTracker 7 is here; Detailed FISMA guidance and more

Logging for FISMA part 2 : Detailed FISMA logging guidance in NIST 800-92 and SANS CSC20 The Federal Information Security Management Act of 2002 (FISMA) “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the […]

Read more

FISMA How To; Preview EventTracker 7 and more

FISMA How To The Federal Information Security Management Act of 2002 (FISMA) “requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.” […]

Read more

Logging for HIPAA Part 2; Secure auditing in Linux

HIPAA Logging HOWTO, Part 2 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security and privacy standards for health information – both electronic and physical. The main mission of the law is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, […]

Read more

HIPAA Logging Howto; New attack bypasses AV protection

HIPAA Logging HOWTO, Part 1 The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant security and privacy standards for health information – both electronic and physical. The main mission of the law is “to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, […]

Read more