Security is a Holistic Proposition

Gorka Sadowski

Subscribe to Gorka Sadowski: eMailAlertsEmail Alerts
Get Gorka Sadowski: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: PC Security Journal, Security Journal, Cloud Security Journal , Secure Cloud Computing, Microsoft Developer


Unleashing The Power of Logs

The Last Barrier Between You and Disaster

This article discusses some of the main defensive security solutions used today and explains the reasons why employing a Log Management and Intelligence solution is critical to complement these protection methods.

Let's first look at the most common defensive security solutions that have been popular these past few years. This is not an exhaustive list of all existing technologies, but rather a high-level view of some of the prevalent ones.

1.       Anti-virus

2.       Firewalls/VPN

3.       IDS/IPS

4.       Anti-Trojan/worms

5.       Anti-Spyware

6.       SIEMs

These correspond to an approach called "Defense in Depth" that aims to put successive rings of protection between the bad guys and the information to protect, making successful attacks harder and harder.

There are other types of security solutions, such as proactive security (Vulnerability Management and Patch Management) or remediation solutions (think of the PDCA, Plan Do Check Act, of ISO's lifecycle along the lines of CIA, Confidentiality Integrity Availability).

But by and large, think about information security and chances are you'll think first of defensive security. You'll think about an attack taking place and a security solution fending off this attack in real-time or ringing an alarm so that you can intervene in real-time. This has been the focus of the industry for a long time. Indeed, find a universal, "perfect" defensive security solution and you will have found the Grail of all solutions; no need for proactive security, and no need for other types of security solutions.

Of course let's not forget that security is an ongoing process, not a single event, and security policies should be driven by solid business requirements.  Indeed, it is important to understand that security solutions need to be correctly deployed and managed, in a framework of proper processes and procedures so that they are always up to date, correctly configured and do not suffer from any holes.

This is a very difficult task as your IT infrastructure is an ever-evolving landscape.  Your business processes change, and so do your firewall configurations.  Your people and teams change, and so does your VPN credentials list. Your threats change, and so do your SIEM scenarios. Your exposure changes and so do your IPS requirements.

For the common defensive security solutions that we listed, let's review some of the pitfalls to avoid, and how Log Management and Intelligence can help you keep these systems in tip-top shape.

Don't adopt an "install and forget" approach to your defensive security solutions. Don't assume that once your solution is installed and configured, it will continue working flawlessly forever.

Verify that your solution is performing the way you need it.

A sound Log Management and Intelligence solution will provide you with universal visibility over everything that happens in your IT infrastructure. Leverage that visibility. Unleash the power of logs.

1.       Anti-virus

Both with gateway-level AV (for such purpose as email scanning), as well as end-system level AV (for such purpose as file scanning), an AV solution is only as effective as the latest signature/update file that is running on it. Use an old file and the newest viruses will pass right through your AV solution.

Chances are that your AV solution has a built-in scheduling function that facilitates download of the latest signature file, or maybe you are running a central AV management system that pushes the latest files to your different systems.

So you typically set it up and forget about it, assuming that it always works as it's supposed to.

But what if something goes wrong? Connectivity is lost, your configuration file or registry setting gets corrupted, your scheduling engine stops, there is no available space to install the latest signature file or any other malfunction that might hamper the correct behavior of your system? How will you know that your otherwise well-oiled machine has fallen into shambles?

Logs will tell you that.

Every time your AV engine tries to get the latest and greatest signature file, it will write a log about this event.  And when it tries to install it, it will write a log about that event with the status of the update - success or failure. That log will typically have a payload containing information about the latest file in case of success, or error codes and error explanations in case of failures.

Collect, centralize and analyze these logs and you'll have a perfect picture of your AV profile for each of your systems.  Be particularly wary of failure status on downloading or installing or using these signature files. And run a complete report on all successes and compare it with your asset database. Do you find any holes?

Likewise, your AV engine is set to scan for executables before running them. Select a system that you want to probe, and run 2 reports - one from your AV solution to find out what executable files have been scanned, and another one from your OS for all of the executables that were run. Do you find any discrepancies? If so, your AV solution is not behaving the way you need it to.

Log Management and Intelligence is a simple way to validate and make sure that your AV solution is performing as per your security policy.

2.       Firewalls/VPN

Let's talk about a scenario that happens in many corporations, including ones where strong Change Management procedures are in place.

A new application gets deployed internally, for which the firewall rule set needs to be changed. And for testing purposes, additional ports need to be open. Testing takes place but now fine-tuning requires additional time. And the operations group gets busy and these ports are left open, deeply buried in the firewall rule set (it is not uncommon for rule sets to have hundreds of policies). And by the way, there was a typo in the port number for one of the rules and now ftp flows freely inside, in clear violation of the security policy prohibiting inbound ftp traffic in your trusted zone.

How do you verify that your firewall is correctly implementing your security policy?

Logs will tell you that.

Periodically run a report of all traffic that is crossing your firewall and you'll have a clear picture of the security policy and rule set that is in place. Not the one you think is being enforced or the one you want to have enforced, but the one that is actually running and being enforced.

Run this report against your security policy and you'll have an excellent way to flag for illegal traffic and misconfigured firewalls.

Logs also give you an added measure of understanding rule sets and policies implemented, including all of the changes that have taken place. When you audit your firewall rule set, you get a snapshot of its configuration. And you really don't know all of the changes that have taken place between snapshots. Your firewall admin may have opened ports and closed them later on, but you will probably not know it.

Unless you are running a solid Log Management and Intelligence solution. In this case, you will see each of the configuration changes that have taken place.  Every time an admin changes the security policy and firewall ruleset, a log will capture and describe that event. Collect, centralize and analyze these logs and you will get a historical view of all changes to open and close ports, all changes to allow or disallow applications and all actual protocols using these ports. And you will see all of that in real-time, completing the view provided by your security audit.

3.       IDS/IPS

IDS/IPS are a phenomenal tool in your defensive security toolbox...provided that they are properly configured and closely managed.

All IDS/IPS need to be regularly updated - much like an AV. And again, you need to verify that your systems are properly keeping things up to date. Use your Log Management and Intelligence solution for that.

Let's also look at one of the most common criticisms of an IDS.

An IDS' job is to alert on certain events, and this sometimes leads to very chatty systems; what some people call "false positives".  False positives are not an IDS' fault - the IDS is just alerting on events that we asked it to alert us on.

For example, one malformed packet can be attributed to a malfunctioning system or poorly-coded custom application. Such isolated incidents can happen and should not be a cause for concern. If your IDS raises an alert for every malformed packet recognized, you will soon be drowning in alarms, your IDS ringing off the hook, and you will complain about false positives. However, having too many of these malformed packets in a certain period of time could be an indication that a DoS Denial of Service attack is underway. So you need a way to define a threshold above which you decide indicates an attack.

But how would you know that you have reached the threshold above which you want to be alerted, but not wasting your IDS' cycles in threshold analysis so that it can keep doing its job best?

Logs will tell you that.

Sound Log Management and Intelligence will allow you to collect, centralize and analyze your IDS logs, in real time. Get more than x of these events per second, or per minute or hour and the alarm can be raised. For example, you can easily set thresholds so that when a malformed packet is recognized, no-one cries wolf, but if more than 10 such packets are received in a minute, this indicates cause for concern and an alarm is raised. And/or an SNMP trap is sent to your ticketing system. And/or an email is sent in real time to your security supervisor.

Logs can also help you in other ways.

An IPS, like a firewall, needs a certain policy to be implemented in order to decide what traffic to allow and what traffic to stop. And again, you have the same risk of having policies that are not appropriate for your environment.

So how do you verify that your IDS and IPS are up-to-date and functioning the way that they're supposed to?

Logs will tell you that.

Compare logs from your IPS and logs from your downstream internal network devices and compare them. Is your IPS allowing traffic that you don't want to allow? Are your switches receiving and treating packets that your IPS should not allow - traffic that poses a risk to bringing down your end systems?


4.       Anti-Trojan/worm

Anti-Trojan and Anti-worm solutions are similar to AV solutions in that they need to be kept up to date with their latest signature files. So it is critical to validate that your anti-Trojan/worm solution is using the latest file, and that the scheduling, downloading and installing of these files is working fine.

Again, logs will tell you that, provided that you have a good Log Management and Intelligence solution in place.

In addition, the latest signature files provide no help to combat Trojans and worms that exploit newly discovered attack vectors in what's called "zero-day" attacks.

One aspect that is typically common in zero-day attacks is that the malware will try spreading to neighboring systems by replication and infection, which starts by establishing connections to other systems, sometimes "random" hosts on "random" ports, often adding some form of IP spoofing mechanisms in order to obfuscate its behavior. Obfuscation can also be achieved by hiding attacks in legitimate traffic, by tunneling exploits in port 80 for example. Or DNS ports. So these Trojans and worms are sometimes capable of evading known defensive security solutions.  In fact this is becoming more and more the case, as it is a matter of survival for the worms.

The only "weird" or unusual behavior that is observable is a spike in the number of network connections happening in your network, and connections refused by end-systems, or connections accepted followed by modification of system level files.

A sound Log Management and Intelligence solution will alert you when you have a spike of more than x% of logs compared to your baseline "normal" behavior for a configurable period of time.  For example, you can set your solution up so that if you have more than double the number of logs generated by this system, or this group of systems, the security administrator is alerted , an alarm is raised and an SNMP trap is sent to your supervisor system.

Again, Log Management will never replace your dedicated anti-Trojan/worm solution, but it will nicely complement it.

5.       Anti-spyware

Spyware will pollute your system silently.  It will watch your every move, looking for passwords, bank account information, credit card numbers and any other information of value.

How does it do that? How does it hide so well?

It will often operate by replacing legitimate executable files.  It will highjack critical system files and drop its payload into them.

Your system now seems to run as usual - the list of running processes doesn't yield any anomalies, and performance doesn't seem affected. But the spyware is running.

So how do logs help here?

They help from the get-go. As soon as the spyware initially infects your system, it will access critical system directories and either drop in new executables, or modify system-privileged executables. These are events that can be configured to generate logs.

And once more, your Log Management and Intelligence solution can be configured to alert you of this behavior and let you know in real-time that a program is accessing and replacing critical system executables.

It will not completely replace your system integrity solution, but it will nicely complement it.

6.       SIEM - Security Information Event Management

The philosophy of the SIEM is to correlate disparate events taking place in your IT infrastructure to identify and flag security incidents.

For example, if a user logs in locally at 8am (as demonstrated by logs from the DHCP server assigning an IP address and then Active Directory allowing successful authentication to the Domain), and then this user logs in from the other side of the Internet via VPN (as demonstrated by logs from the VPN concentrator), then something is obviously wrong and it is likely an identity theft with illegal login taking place.

Sounds quite simple, right?

Well, it can be pretty simple provided that you know which scenarios you want to flag as problematic.

Above all, it can be pretty simple provided you have the logs that give you the visibility required to flag these behaviors and scenarios.

This is where Log Management and Intelligence comes in.

The first step in correlating logs is to collect and centralize all of your logs, as seamlessly as possible. Next, use policy-based forwarding to forward all relevant logs to your correlation engine.

This is why Log Management and SIEM are complementary.

Easily and seamlessly build a haystack, and find the needle in real-time.

SIEMs work very hard to find the needles, using extremely complex algorithms. So the more you help your SIEM by isolating certain types of logs for it to work on, the more you can optimize the process. A sound Log Management and Intelligence solution will help you feed the right logs to your SIEM so that it can do its job most efficiently, by correlating logs and events that are relevant for security purposes and targeted to the scenarios that are most important for you.

SIEM and log correlation then become a "feature" of Log Management and Intelligence!


We talked about the importance of process and procedures surrounding the use of defensive security solutions. Indeed, we demonstrated that an "install and forget" approach to security is doomed to disaster.

A sound Log Management and Intelligence system should not only be part of your bag of tricks, but integral to your process and procedures as a way to verify and ensure the validity of your security solutions. Log Management and Intelligence is more than just an added safety measure - it could be the last, and most effective barrier between you and disaster.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.