Welcome!

Cloud Security Authors: Pat Romanski, Ambuj Kumar, Shelly Palmer, XebiaLabs Blog, Liz McMillan

Related Topics: Cloud Security, Linux Containers, Government Cloud

Cloud Security: Article

Unleashing The Power of Logs

The Last Barrier Between You and Disaster

This article discusses some of the main defensive security solutions used today and explains the reasons why employing a Log Management and Intelligence solution is critical to complement these protection methods.

Let's first look at the most common defensive security solutions that have been popular these past few years. This is not an exhaustive list of all existing technologies, but rather a high-level view of some of the prevalent ones.

1.       Anti-virus

2.       Firewalls/VPN

3.       IDS/IPS

4.       Anti-Trojan/worms

5.       Anti-Spyware

6.       SIEMs

These correspond to an approach called "Defense in Depth" that aims to put successive rings of protection between the bad guys and the information to protect, making successful attacks harder and harder.

There are other types of security solutions, such as proactive security (Vulnerability Management and Patch Management) or remediation solutions (think of the PDCA, Plan Do Check Act, of ISO's lifecycle along the lines of CIA, Confidentiality Integrity Availability).

But by and large, think about information security and chances are you'll think first of defensive security. You'll think about an attack taking place and a security solution fending off this attack in real-time or ringing an alarm so that you can intervene in real-time. This has been the focus of the industry for a long time. Indeed, find a universal, "perfect" defensive security solution and you will have found the Grail of all solutions; no need for proactive security, and no need for other types of security solutions.

Of course let's not forget that security is an ongoing process, not a single event, and security policies should be driven by solid business requirements.  Indeed, it is important to understand that security solutions need to be correctly deployed and managed, in a framework of proper processes and procedures so that they are always up to date, correctly configured and do not suffer from any holes.

This is a very difficult task as your IT infrastructure is an ever-evolving landscape.  Your business processes change, and so do your firewall configurations.  Your people and teams change, and so does your VPN credentials list. Your threats change, and so do your SIEM scenarios. Your exposure changes and so do your IPS requirements.

For the common defensive security solutions that we listed, let's review some of the pitfalls to avoid, and how Log Management and Intelligence can help you keep these systems in tip-top shape.

Don't adopt an "install and forget" approach to your defensive security solutions. Don't assume that once your solution is installed and configured, it will continue working flawlessly forever.

Verify that your solution is performing the way you need it.

A sound Log Management and Intelligence solution will provide you with universal visibility over everything that happens in your IT infrastructure. Leverage that visibility. Unleash the power of logs.

1.       Anti-virus

Both with gateway-level AV (for such purpose as email scanning), as well as end-system level AV (for such purpose as file scanning), an AV solution is only as effective as the latest signature/update file that is running on it. Use an old file and the newest viruses will pass right through your AV solution.

Chances are that your AV solution has a built-in scheduling function that facilitates download of the latest signature file, or maybe you are running a central AV management system that pushes the latest files to your different systems.

So you typically set it up and forget about it, assuming that it always works as it's supposed to.

But what if something goes wrong? Connectivity is lost, your configuration file or registry setting gets corrupted, your scheduling engine stops, there is no available space to install the latest signature file or any other malfunction that might hamper the correct behavior of your system? How will you know that your otherwise well-oiled machine has fallen into shambles?

Logs will tell you that.

Every time your AV engine tries to get the latest and greatest signature file, it will write a log about this event.  And when it tries to install it, it will write a log about that event with the status of the update - success or failure. That log will typically have a payload containing information about the latest file in case of success, or error codes and error explanations in case of failures.

Collect, centralize and analyze these logs and you'll have a perfect picture of your AV profile for each of your systems.  Be particularly wary of failure status on downloading or installing or using these signature files. And run a complete report on all successes and compare it with your asset database. Do you find any holes?

Likewise, your AV engine is set to scan for executables before running them. Select a system that you want to probe, and run 2 reports - one from your AV solution to find out what executable files have been scanned, and another one from your OS for all of the executables that were run. Do you find any discrepancies? If so, your AV solution is not behaving the way you need it to.

Log Management and Intelligence is a simple way to validate and make sure that your AV solution is performing as per your security policy.

2.       Firewalls/VPN

Let's talk about a scenario that happens in many corporations, including ones where strong Change Management procedures are in place.

A new application gets deployed internally, for which the firewall rule set needs to be changed. And for testing purposes, additional ports need to be open. Testing takes place but now fine-tuning requires additional time. And the operations group gets busy and these ports are left open, deeply buried in the firewall rule set (it is not uncommon for rule sets to have hundreds of policies). And by the way, there was a typo in the port number for one of the rules and now ftp flows freely inside, in clear violation of the security policy prohibiting inbound ftp traffic in your trusted zone.

How do you verify that your firewall is correctly implementing your security policy?

Logs will tell you that.

Periodically run a report of all traffic that is crossing your firewall and you'll have a clear picture of the security policy and rule set that is in place. Not the one you think is being enforced or the one you want to have enforced, but the one that is actually running and being enforced.

Run this report against your security policy and you'll have an excellent way to flag for illegal traffic and misconfigured firewalls.

Logs also give you an added measure of understanding rule sets and policies implemented, including all of the changes that have taken place. When you audit your firewall rule set, you get a snapshot of its configuration. And you really don't know all of the changes that have taken place between snapshots. Your firewall admin may have opened ports and closed them later on, but you will probably not know it.

Unless you are running a solid Log Management and Intelligence solution. In this case, you will see each of the configuration changes that have taken place.  Every time an admin changes the security policy and firewall ruleset, a log will capture and describe that event. Collect, centralize and analyze these logs and you will get a historical view of all changes to open and close ports, all changes to allow or disallow applications and all actual protocols using these ports. And you will see all of that in real-time, completing the view provided by your security audit.

3.       IDS/IPS

IDS/IPS are a phenomenal tool in your defensive security toolbox...provided that they are properly configured and closely managed.

All IDS/IPS need to be regularly updated - much like an AV. And again, you need to verify that your systems are properly keeping things up to date. Use your Log Management and Intelligence solution for that.

Let's also look at one of the most common criticisms of an IDS.

An IDS' job is to alert on certain events, and this sometimes leads to very chatty systems; what some people call "false positives".  False positives are not an IDS' fault - the IDS is just alerting on events that we asked it to alert us on.

For example, one malformed packet can be attributed to a malfunctioning system or poorly-coded custom application. Such isolated incidents can happen and should not be a cause for concern. If your IDS raises an alert for every malformed packet recognized, you will soon be drowning in alarms, your IDS ringing off the hook, and you will complain about false positives. However, having too many of these malformed packets in a certain period of time could be an indication that a DoS Denial of Service attack is underway. So you need a way to define a threshold above which you decide indicates an attack.

But how would you know that you have reached the threshold above which you want to be alerted, but not wasting your IDS' cycles in threshold analysis so that it can keep doing its job best?

Logs will tell you that.

Sound Log Management and Intelligence will allow you to collect, centralize and analyze your IDS logs, in real time. Get more than x of these events per second, or per minute or hour and the alarm can be raised. For example, you can easily set thresholds so that when a malformed packet is recognized, no-one cries wolf, but if more than 10 such packets are received in a minute, this indicates cause for concern and an alarm is raised. And/or an SNMP trap is sent to your ticketing system. And/or an email is sent in real time to your security supervisor.

Logs can also help you in other ways.

An IPS, like a firewall, needs a certain policy to be implemented in order to decide what traffic to allow and what traffic to stop. And again, you have the same risk of having policies that are not appropriate for your environment.

So how do you verify that your IDS and IPS are up-to-date and functioning the way that they're supposed to?

Logs will tell you that.

Compare logs from your IPS and logs from your downstream internal network devices and compare them. Is your IPS allowing traffic that you don't want to allow? Are your switches receiving and treating packets that your IPS should not allow - traffic that poses a risk to bringing down your end systems?

 

4.       Anti-Trojan/worm

Anti-Trojan and Anti-worm solutions are similar to AV solutions in that they need to be kept up to date with their latest signature files. So it is critical to validate that your anti-Trojan/worm solution is using the latest file, and that the scheduling, downloading and installing of these files is working fine.

Again, logs will tell you that, provided that you have a good Log Management and Intelligence solution in place.

In addition, the latest signature files provide no help to combat Trojans and worms that exploit newly discovered attack vectors in what's called "zero-day" attacks.

One aspect that is typically common in zero-day attacks is that the malware will try spreading to neighboring systems by replication and infection, which starts by establishing connections to other systems, sometimes "random" hosts on "random" ports, often adding some form of IP spoofing mechanisms in order to obfuscate its behavior. Obfuscation can also be achieved by hiding attacks in legitimate traffic, by tunneling exploits in port 80 for example. Or DNS ports. So these Trojans and worms are sometimes capable of evading known defensive security solutions.  In fact this is becoming more and more the case, as it is a matter of survival for the worms.

The only "weird" or unusual behavior that is observable is a spike in the number of network connections happening in your network, and connections refused by end-systems, or connections accepted followed by modification of system level files.

A sound Log Management and Intelligence solution will alert you when you have a spike of more than x% of logs compared to your baseline "normal" behavior for a configurable period of time.  For example, you can set your solution up so that if you have more than double the number of logs generated by this system, or this group of systems, the security administrator is alerted , an alarm is raised and an SNMP trap is sent to your supervisor system.

Again, Log Management will never replace your dedicated anti-Trojan/worm solution, but it will nicely complement it.

5.       Anti-spyware

Spyware will pollute your system silently.  It will watch your every move, looking for passwords, bank account information, credit card numbers and any other information of value.

How does it do that? How does it hide so well?

It will often operate by replacing legitimate executable files.  It will highjack critical system files and drop its payload into them.

Your system now seems to run as usual - the list of running processes doesn't yield any anomalies, and performance doesn't seem affected. But the spyware is running.

So how do logs help here?

They help from the get-go. As soon as the spyware initially infects your system, it will access critical system directories and either drop in new executables, or modify system-privileged executables. These are events that can be configured to generate logs.

And once more, your Log Management and Intelligence solution can be configured to alert you of this behavior and let you know in real-time that a program is accessing and replacing critical system executables.

It will not completely replace your system integrity solution, but it will nicely complement it.

6.       SIEM - Security Information Event Management

The philosophy of the SIEM is to correlate disparate events taking place in your IT infrastructure to identify and flag security incidents.

For example, if a user logs in locally at 8am (as demonstrated by logs from the DHCP server assigning an IP address and then Active Directory allowing successful authentication to the Domain), and then this user logs in from the other side of the Internet via VPN (as demonstrated by logs from the VPN concentrator), then something is obviously wrong and it is likely an identity theft with illegal login taking place.

Sounds quite simple, right?

Well, it can be pretty simple provided that you know which scenarios you want to flag as problematic.

Above all, it can be pretty simple provided you have the logs that give you the visibility required to flag these behaviors and scenarios.

This is where Log Management and Intelligence comes in.

The first step in correlating logs is to collect and centralize all of your logs, as seamlessly as possible. Next, use policy-based forwarding to forward all relevant logs to your correlation engine.

This is why Log Management and SIEM are complementary.

Easily and seamlessly build a haystack, and find the needle in real-time.

SIEMs work very hard to find the needles, using extremely complex algorithms. So the more you help your SIEM by isolating certain types of logs for it to work on, the more you can optimize the process. A sound Log Management and Intelligence solution will help you feed the right logs to your SIEM so that it can do its job most efficiently, by correlating logs and events that are relevant for security purposes and targeted to the scenarios that are most important for you.

SIEM and log correlation then become a "feature" of Log Management and Intelligence!

Conclusion:

We talked about the importance of process and procedures surrounding the use of defensive security solutions. Indeed, we demonstrated that an "install and forget" approach to security is doomed to disaster.

A sound Log Management and Intelligence system should not only be part of your bag of tricks, but integral to your process and procedures as a way to verify and ensure the validity of your security solutions. Log Management and Intelligence is more than just an added safety measure - it could be the last, and most effective barrier between you and disaster.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.

@ThingsExpo Stories
SYS-CON Events announced today that Dasher Technologies will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Dasher Technologies, Inc. ® is a premier IT solution provider that delivers expert technical resources along with trusted account executives to architect and deliver complete IT solutions and services to help our clients execute their goals, plans and objectives. Since 1999, we'v...
Enterprises have taken advantage of IoT to achieve important revenue and cost advantages. What is less apparent is how incumbent enterprises operating at scale have, following success with IoT, built analytic, operations management and software development capabilities – ranging from autonomous vehicles to manageable robotics installations. They have embraced these capabilities as if they were Silicon Valley startups. As a result, many firms employ new business models that place enormous impor...
SYS-CON Events announced today that Massive Networks, that helps your business operate seamlessly with fast, reliable, and secure internet and network solutions, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. As a premier telecommunications provider, Massive Networks is headquartered out of Louisville, Colorado. With years of experience under their belt, their team of...
SYS-CON Events announced today that Taica will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Taica manufacturers Alpha-GEL brand silicone components and materials, which maintain outstanding performance over a wide temperature range -40C to +200C. For more information, visit http://www.taica.co.jp/english/.
SYS-CON Events announced today that TidalScale, a leading provider of systems and services, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale has been involved in shaping the computing landscape. They've designed, developed and deployed some of the most important and successful systems and services in the history of the computing industry - internet, Ethernet, operating s...
SYS-CON Events announced today that MIRAI Inc. will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. MIRAI Inc. are IT consultants from the public sector whose mission is to solve social issues by technology and innovation and to create a meaningful future for people.
SYS-CON Events announced today that IBM has been named “Diamond Sponsor” of SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California.
SYS-CON Events announced today that TidalScale will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. TidalScale is the leading provider of Software-Defined Servers that bring flexibility to modern data centers by right-sizing servers on the fly to fit any data set or workload. TidalScale’s award-winning inverse hypervisor technology combines multiple commodity servers (including their ass...
Join IBM November 1 at 21st Cloud Expo at the Santa Clara Convention Center in Santa Clara, CA, and learn how IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Cognitive analysis impacts today’s systems with unparalleled ability that were previously available only to manned, back-end operations. Thanks to cloud processing, IBM Watson can bring cognitive services and AI to intelligent, unmanned systems. Imagine a robot vacuum that becomes your personal assistant tha...
Widespread fragmentation is stalling the growth of the IIoT and making it difficult for partners to work together. The number of software platforms, apps, hardware and connectivity standards is creating paralysis among businesses that are afraid of being locked into a solution. EdgeX Foundry is unifying the community around a common IoT edge framework and an ecosystem of interoperable components.
As popularity of the smart home is growing and continues to go mainstream, technological factors play a greater role. The IoT protocol houses the interoperability battery consumption, security, and configuration of a smart home device, and it can be difficult for companies to choose the right kind for their product. For both DIY and professionally installed smart homes, developers need to consider each of these elements for their product to be successful in the market and current smart homes.
Infoblox delivers Actionable Network Intelligence to enterprise, government, and service provider customers around the world. They are the industry leader in DNS, DHCP, and IP address management, the category known as DDI. We empower thousands of organizations to control and secure their networks from the core-enabling them to increase efficiency and visibility, improve customer service, and meet compliance requirements.
With major technology companies and startups seriously embracing Cloud strategies, now is the perfect time to attend 21st Cloud Expo October 31 - November 2, 2017, at the Santa Clara Convention Center, CA, and June 12-14, 2018, at the Javits Center in New York City, NY, and learn what is going on, contribute to the discussions, and ensure that your enterprise is on the right path to Digital Transformation.
Most technology leaders, contemporary and from the hardware era, are reshaping their businesses to do software. They hope to capture value from emerging technologies such as IoT, SDN, and AI. Ultimately, irrespective of the vertical, it is about deriving value from independent software applications participating in an ecosystem as one comprehensive solution. In his session at @ThingsExpo, Kausik Sridhar, founder and CTO of Pulzze Systems, will discuss how given the magnitude of today's applicati...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
SYS-CON Events announced today that mruby Forum will exhibit at the Japan External Trade Organization (JETRO) Pavilion at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. mruby is the lightweight implementation of the Ruby language. We introduce mruby and the mruby IoT framework that enhances development productivity. For more information, visit http://forum.mruby.org/.
Digital transformation is changing the face of business. The IDC predicts that enterprises will commit to a massive new scale of digital transformation, to stake out leadership positions in the "digital transformation economy." Accordingly, attendees at the upcoming Cloud Expo | @ThingsExpo at the Santa Clara Convention Center in Santa Clara, CA, Oct 31-Nov 2, will find fresh new content in a new track called Enterprise Cloud & Digital Transformation.
SYS-CON Events announced today that NetApp has been named “Bronze Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. NetApp is the data authority for hybrid cloud. NetApp provides a full range of hybrid cloud data services that simplify management of applications and data across cloud and on-premises environments to accelerate digital transformation. Together with their partners, NetApp emp...
In a recent survey, Sumo Logic surveyed 1,500 customers who employ cloud services such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). According to the survey, a quarter of the respondents have already deployed Docker containers and nearly as many (23 percent) are employing the AWS Lambda serverless computing framework. It’s clear: serverless is here to stay. The adoption does come with some needed changes, within both application development and operations. Tha...
SYS-CON Events announced today that Avere Systems, a leading provider of enterprise storage for the hybrid cloud, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Avere delivers a more modern architectural approach to storage that doesn't require the overprovisioning of storage capacity to achieve performance, overspending on expensive storage media for inactive data or the overbui...