Welcome!

Government Cloud Authors: Pat Romanski, Kevin Benedict, Nate Vickery, Elizabeth White, Liz McMillan

Related Topics: Cloud Security, Linux Containers, Government Cloud

Cloud Security: Article

Unleashing The Power of Logs

The Last Barrier Between You and Disaster

This article discusses some of the main defensive security solutions used today and explains the reasons why employing a Log Management and Intelligence solution is critical to complement these protection methods.

Let's first look at the most common defensive security solutions that have been popular these past few years. This is not an exhaustive list of all existing technologies, but rather a high-level view of some of the prevalent ones.

1.       Anti-virus

2.       Firewalls/VPN

3.       IDS/IPS

4.       Anti-Trojan/worms

5.       Anti-Spyware

6.       SIEMs

These correspond to an approach called "Defense in Depth" that aims to put successive rings of protection between the bad guys and the information to protect, making successful attacks harder and harder.

There are other types of security solutions, such as proactive security (Vulnerability Management and Patch Management) or remediation solutions (think of the PDCA, Plan Do Check Act, of ISO's lifecycle along the lines of CIA, Confidentiality Integrity Availability).

But by and large, think about information security and chances are you'll think first of defensive security. You'll think about an attack taking place and a security solution fending off this attack in real-time or ringing an alarm so that you can intervene in real-time. This has been the focus of the industry for a long time. Indeed, find a universal, "perfect" defensive security solution and you will have found the Grail of all solutions; no need for proactive security, and no need for other types of security solutions.

Of course let's not forget that security is an ongoing process, not a single event, and security policies should be driven by solid business requirements.  Indeed, it is important to understand that security solutions need to be correctly deployed and managed, in a framework of proper processes and procedures so that they are always up to date, correctly configured and do not suffer from any holes.

This is a very difficult task as your IT infrastructure is an ever-evolving landscape.  Your business processes change, and so do your firewall configurations.  Your people and teams change, and so does your VPN credentials list. Your threats change, and so do your SIEM scenarios. Your exposure changes and so do your IPS requirements.

For the common defensive security solutions that we listed, let's review some of the pitfalls to avoid, and how Log Management and Intelligence can help you keep these systems in tip-top shape.

Don't adopt an "install and forget" approach to your defensive security solutions. Don't assume that once your solution is installed and configured, it will continue working flawlessly forever.

Verify that your solution is performing the way you need it.

A sound Log Management and Intelligence solution will provide you with universal visibility over everything that happens in your IT infrastructure. Leverage that visibility. Unleash the power of logs.

1.       Anti-virus

Both with gateway-level AV (for such purpose as email scanning), as well as end-system level AV (for such purpose as file scanning), an AV solution is only as effective as the latest signature/update file that is running on it. Use an old file and the newest viruses will pass right through your AV solution.

Chances are that your AV solution has a built-in scheduling function that facilitates download of the latest signature file, or maybe you are running a central AV management system that pushes the latest files to your different systems.

So you typically set it up and forget about it, assuming that it always works as it's supposed to.

But what if something goes wrong? Connectivity is lost, your configuration file or registry setting gets corrupted, your scheduling engine stops, there is no available space to install the latest signature file or any other malfunction that might hamper the correct behavior of your system? How will you know that your otherwise well-oiled machine has fallen into shambles?

Logs will tell you that.

Every time your AV engine tries to get the latest and greatest signature file, it will write a log about this event.  And when it tries to install it, it will write a log about that event with the status of the update - success or failure. That log will typically have a payload containing information about the latest file in case of success, or error codes and error explanations in case of failures.

Collect, centralize and analyze these logs and you'll have a perfect picture of your AV profile for each of your systems.  Be particularly wary of failure status on downloading or installing or using these signature files. And run a complete report on all successes and compare it with your asset database. Do you find any holes?

Likewise, your AV engine is set to scan for executables before running them. Select a system that you want to probe, and run 2 reports - one from your AV solution to find out what executable files have been scanned, and another one from your OS for all of the executables that were run. Do you find any discrepancies? If so, your AV solution is not behaving the way you need it to.

Log Management and Intelligence is a simple way to validate and make sure that your AV solution is performing as per your security policy.

2.       Firewalls/VPN

Let's talk about a scenario that happens in many corporations, including ones where strong Change Management procedures are in place.

A new application gets deployed internally, for which the firewall rule set needs to be changed. And for testing purposes, additional ports need to be open. Testing takes place but now fine-tuning requires additional time. And the operations group gets busy and these ports are left open, deeply buried in the firewall rule set (it is not uncommon for rule sets to have hundreds of policies). And by the way, there was a typo in the port number for one of the rules and now ftp flows freely inside, in clear violation of the security policy prohibiting inbound ftp traffic in your trusted zone.

How do you verify that your firewall is correctly implementing your security policy?

Logs will tell you that.

Periodically run a report of all traffic that is crossing your firewall and you'll have a clear picture of the security policy and rule set that is in place. Not the one you think is being enforced or the one you want to have enforced, but the one that is actually running and being enforced.

Run this report against your security policy and you'll have an excellent way to flag for illegal traffic and misconfigured firewalls.

Logs also give you an added measure of understanding rule sets and policies implemented, including all of the changes that have taken place. When you audit your firewall rule set, you get a snapshot of its configuration. And you really don't know all of the changes that have taken place between snapshots. Your firewall admin may have opened ports and closed them later on, but you will probably not know it.

Unless you are running a solid Log Management and Intelligence solution. In this case, you will see each of the configuration changes that have taken place.  Every time an admin changes the security policy and firewall ruleset, a log will capture and describe that event. Collect, centralize and analyze these logs and you will get a historical view of all changes to open and close ports, all changes to allow or disallow applications and all actual protocols using these ports. And you will see all of that in real-time, completing the view provided by your security audit.

3.       IDS/IPS

IDS/IPS are a phenomenal tool in your defensive security toolbox...provided that they are properly configured and closely managed.

All IDS/IPS need to be regularly updated - much like an AV. And again, you need to verify that your systems are properly keeping things up to date. Use your Log Management and Intelligence solution for that.

Let's also look at one of the most common criticisms of an IDS.

An IDS' job is to alert on certain events, and this sometimes leads to very chatty systems; what some people call "false positives".  False positives are not an IDS' fault - the IDS is just alerting on events that we asked it to alert us on.

For example, one malformed packet can be attributed to a malfunctioning system or poorly-coded custom application. Such isolated incidents can happen and should not be a cause for concern. If your IDS raises an alert for every malformed packet recognized, you will soon be drowning in alarms, your IDS ringing off the hook, and you will complain about false positives. However, having too many of these malformed packets in a certain period of time could be an indication that a DoS Denial of Service attack is underway. So you need a way to define a threshold above which you decide indicates an attack.

But how would you know that you have reached the threshold above which you want to be alerted, but not wasting your IDS' cycles in threshold analysis so that it can keep doing its job best?

Logs will tell you that.

Sound Log Management and Intelligence will allow you to collect, centralize and analyze your IDS logs, in real time. Get more than x of these events per second, or per minute or hour and the alarm can be raised. For example, you can easily set thresholds so that when a malformed packet is recognized, no-one cries wolf, but if more than 10 such packets are received in a minute, this indicates cause for concern and an alarm is raised. And/or an SNMP trap is sent to your ticketing system. And/or an email is sent in real time to your security supervisor.

Logs can also help you in other ways.

An IPS, like a firewall, needs a certain policy to be implemented in order to decide what traffic to allow and what traffic to stop. And again, you have the same risk of having policies that are not appropriate for your environment.

So how do you verify that your IDS and IPS are up-to-date and functioning the way that they're supposed to?

Logs will tell you that.

Compare logs from your IPS and logs from your downstream internal network devices and compare them. Is your IPS allowing traffic that you don't want to allow? Are your switches receiving and treating packets that your IPS should not allow - traffic that poses a risk to bringing down your end systems?

 

4.       Anti-Trojan/worm

Anti-Trojan and Anti-worm solutions are similar to AV solutions in that they need to be kept up to date with their latest signature files. So it is critical to validate that your anti-Trojan/worm solution is using the latest file, and that the scheduling, downloading and installing of these files is working fine.

Again, logs will tell you that, provided that you have a good Log Management and Intelligence solution in place.

In addition, the latest signature files provide no help to combat Trojans and worms that exploit newly discovered attack vectors in what's called "zero-day" attacks.

One aspect that is typically common in zero-day attacks is that the malware will try spreading to neighboring systems by replication and infection, which starts by establishing connections to other systems, sometimes "random" hosts on "random" ports, often adding some form of IP spoofing mechanisms in order to obfuscate its behavior. Obfuscation can also be achieved by hiding attacks in legitimate traffic, by tunneling exploits in port 80 for example. Or DNS ports. So these Trojans and worms are sometimes capable of evading known defensive security solutions.  In fact this is becoming more and more the case, as it is a matter of survival for the worms.

The only "weird" or unusual behavior that is observable is a spike in the number of network connections happening in your network, and connections refused by end-systems, or connections accepted followed by modification of system level files.

A sound Log Management and Intelligence solution will alert you when you have a spike of more than x% of logs compared to your baseline "normal" behavior for a configurable period of time.  For example, you can set your solution up so that if you have more than double the number of logs generated by this system, or this group of systems, the security administrator is alerted , an alarm is raised and an SNMP trap is sent to your supervisor system.

Again, Log Management will never replace your dedicated anti-Trojan/worm solution, but it will nicely complement it.

5.       Anti-spyware

Spyware will pollute your system silently.  It will watch your every move, looking for passwords, bank account information, credit card numbers and any other information of value.

How does it do that? How does it hide so well?

It will often operate by replacing legitimate executable files.  It will highjack critical system files and drop its payload into them.

Your system now seems to run as usual - the list of running processes doesn't yield any anomalies, and performance doesn't seem affected. But the spyware is running.

So how do logs help here?

They help from the get-go. As soon as the spyware initially infects your system, it will access critical system directories and either drop in new executables, or modify system-privileged executables. These are events that can be configured to generate logs.

And once more, your Log Management and Intelligence solution can be configured to alert you of this behavior and let you know in real-time that a program is accessing and replacing critical system executables.

It will not completely replace your system integrity solution, but it will nicely complement it.

6.       SIEM - Security Information Event Management

The philosophy of the SIEM is to correlate disparate events taking place in your IT infrastructure to identify and flag security incidents.

For example, if a user logs in locally at 8am (as demonstrated by logs from the DHCP server assigning an IP address and then Active Directory allowing successful authentication to the Domain), and then this user logs in from the other side of the Internet via VPN (as demonstrated by logs from the VPN concentrator), then something is obviously wrong and it is likely an identity theft with illegal login taking place.

Sounds quite simple, right?

Well, it can be pretty simple provided that you know which scenarios you want to flag as problematic.

Above all, it can be pretty simple provided you have the logs that give you the visibility required to flag these behaviors and scenarios.

This is where Log Management and Intelligence comes in.

The first step in correlating logs is to collect and centralize all of your logs, as seamlessly as possible. Next, use policy-based forwarding to forward all relevant logs to your correlation engine.

This is why Log Management and SIEM are complementary.

Easily and seamlessly build a haystack, and find the needle in real-time.

SIEMs work very hard to find the needles, using extremely complex algorithms. So the more you help your SIEM by isolating certain types of logs for it to work on, the more you can optimize the process. A sound Log Management and Intelligence solution will help you feed the right logs to your SIEM so that it can do its job most efficiently, by correlating logs and events that are relevant for security purposes and targeted to the scenarios that are most important for you.

SIEM and log correlation then become a "feature" of Log Management and Intelligence!

Conclusion:

We talked about the importance of process and procedures surrounding the use of defensive security solutions. Indeed, we demonstrated that an "install and forget" approach to security is doomed to disaster.

A sound Log Management and Intelligence system should not only be part of your bag of tricks, but integral to your process and procedures as a way to verify and ensure the validity of your security solutions. Log Management and Intelligence is more than just an added safety measure - it could be the last, and most effective barrier between you and disaster.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.

@ThingsExpo Stories
The 22nd International Cloud Expo | 1st DXWorld Expo has announced that its Call for Papers is open. Cloud Expo | DXWorld Expo, to be held June 5-7, 2018, at the Javits Center in New York, NY, brings together Cloud Computing, Digital Transformation, Big Data, Internet of Things, DevOps, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, discussed some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he covered some of the best practices for structured team migration an...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, discussed how they built...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
DevOps at Cloud Expo – being held June 5-7, 2018, at the Javits Center in New York, NY – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real results. Among the proven benefits,...
@DevOpsSummit at Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, is co-located with 22nd Cloud Expo | 1st DXWorld Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
SYS-CON Events announced today that T-Mobile exhibited at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. As America's Un-carrier, T-Mobile US, Inc., is redefining the way consumers and businesses buy wireless services through leading product and service innovation. The Company's advanced nationwide 4G LTE network delivers outstanding wireless experiences to 67.4 million customers who are unwilling to compromise on qua...
SYS-CON Events announced today that Cedexis will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Cedexis is the leader in data-driven enterprise global traffic management. Whether optimizing traffic through datacenters, clouds, CDNs, or any combination, Cedexis solutions drive quality and cost-effectiveness. For more information, please visit https://www.cedexis.com.
SYS-CON Events announced today that Google Cloud has been named “Keynote Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Companies come to Google Cloud to transform their businesses. Google Cloud’s comprehensive portfolio – from infrastructure to apps to devices – helps enterprises innovate faster, scale smarter, stay secure, and do more with data than ever before.
SYS-CON Events announced today that Vivint to exhibit at SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California. As a leading smart home technology provider, Vivint offers home security, energy management, home automation, local cloud storage, and high-speed Internet solutions to more than one million customers throughout the United States and Canada. The end result is a smart home solution that sav...
SYS-CON Events announced today that Opsani will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Opsani is the leading provider of deployment automation systems for running and scaling traditional enterprise applications on container infrastructure.
SYS-CON Events announced today that Nirmata will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Nirmata provides a comprehensive platform, for deploying, operating, and optimizing containerized applications across clouds, powered by Kubernetes. Nirmata empowers enterprise DevOps teams by fully automating the complex operations and management of application containers and its underlying ...
SYS-CON Events announced today that Opsani to exhibit at SYS-CON's 21st Cloud Expo, which will take place on October 31 through November 2nd 2017 at the Santa Clara Convention Center in Santa Clara, California. Opsani is creating the next generation of automated continuous deployment tools designed specifically for containers. How is continuous deployment different from continuous integration and continuous delivery? CI/CD tools provide build and test. Continuous Deployment is the means by which...