Welcome!

Government Cloud Authors: Elizabeth White, Flint Brenton, Liz McMillan, Gopala Krishna Behara, Raju Myadam

Related Topics: Cloud Security, Linux Containers, Government Cloud

Cloud Security: Article

Unleashing The Power of Logs

The Last Barrier Between You and Disaster

This article discusses some of the main defensive security solutions used today and explains the reasons why employing a Log Management and Intelligence solution is critical to complement these protection methods.

Let's first look at the most common defensive security solutions that have been popular these past few years. This is not an exhaustive list of all existing technologies, but rather a high-level view of some of the prevalent ones.

1.       Anti-virus

2.       Firewalls/VPN

3.       IDS/IPS

4.       Anti-Trojan/worms

5.       Anti-Spyware

6.       SIEMs

These correspond to an approach called "Defense in Depth" that aims to put successive rings of protection between the bad guys and the information to protect, making successful attacks harder and harder.

There are other types of security solutions, such as proactive security (Vulnerability Management and Patch Management) or remediation solutions (think of the PDCA, Plan Do Check Act, of ISO's lifecycle along the lines of CIA, Confidentiality Integrity Availability).

But by and large, think about information security and chances are you'll think first of defensive security. You'll think about an attack taking place and a security solution fending off this attack in real-time or ringing an alarm so that you can intervene in real-time. This has been the focus of the industry for a long time. Indeed, find a universal, "perfect" defensive security solution and you will have found the Grail of all solutions; no need for proactive security, and no need for other types of security solutions.

Of course let's not forget that security is an ongoing process, not a single event, and security policies should be driven by solid business requirements.  Indeed, it is important to understand that security solutions need to be correctly deployed and managed, in a framework of proper processes and procedures so that they are always up to date, correctly configured and do not suffer from any holes.

This is a very difficult task as your IT infrastructure is an ever-evolving landscape.  Your business processes change, and so do your firewall configurations.  Your people and teams change, and so does your VPN credentials list. Your threats change, and so do your SIEM scenarios. Your exposure changes and so do your IPS requirements.

For the common defensive security solutions that we listed, let's review some of the pitfalls to avoid, and how Log Management and Intelligence can help you keep these systems in tip-top shape.

Don't adopt an "install and forget" approach to your defensive security solutions. Don't assume that once your solution is installed and configured, it will continue working flawlessly forever.

Verify that your solution is performing the way you need it.

A sound Log Management and Intelligence solution will provide you with universal visibility over everything that happens in your IT infrastructure. Leverage that visibility. Unleash the power of logs.

1.       Anti-virus

Both with gateway-level AV (for such purpose as email scanning), as well as end-system level AV (for such purpose as file scanning), an AV solution is only as effective as the latest signature/update file that is running on it. Use an old file and the newest viruses will pass right through your AV solution.

Chances are that your AV solution has a built-in scheduling function that facilitates download of the latest signature file, or maybe you are running a central AV management system that pushes the latest files to your different systems.

So you typically set it up and forget about it, assuming that it always works as it's supposed to.

But what if something goes wrong? Connectivity is lost, your configuration file or registry setting gets corrupted, your scheduling engine stops, there is no available space to install the latest signature file or any other malfunction that might hamper the correct behavior of your system? How will you know that your otherwise well-oiled machine has fallen into shambles?

Logs will tell you that.

Every time your AV engine tries to get the latest and greatest signature file, it will write a log about this event.  And when it tries to install it, it will write a log about that event with the status of the update - success or failure. That log will typically have a payload containing information about the latest file in case of success, or error codes and error explanations in case of failures.

Collect, centralize and analyze these logs and you'll have a perfect picture of your AV profile for each of your systems.  Be particularly wary of failure status on downloading or installing or using these signature files. And run a complete report on all successes and compare it with your asset database. Do you find any holes?

Likewise, your AV engine is set to scan for executables before running them. Select a system that you want to probe, and run 2 reports - one from your AV solution to find out what executable files have been scanned, and another one from your OS for all of the executables that were run. Do you find any discrepancies? If so, your AV solution is not behaving the way you need it to.

Log Management and Intelligence is a simple way to validate and make sure that your AV solution is performing as per your security policy.

2.       Firewalls/VPN

Let's talk about a scenario that happens in many corporations, including ones where strong Change Management procedures are in place.

A new application gets deployed internally, for which the firewall rule set needs to be changed. And for testing purposes, additional ports need to be open. Testing takes place but now fine-tuning requires additional time. And the operations group gets busy and these ports are left open, deeply buried in the firewall rule set (it is not uncommon for rule sets to have hundreds of policies). And by the way, there was a typo in the port number for one of the rules and now ftp flows freely inside, in clear violation of the security policy prohibiting inbound ftp traffic in your trusted zone.

How do you verify that your firewall is correctly implementing your security policy?

Logs will tell you that.

Periodically run a report of all traffic that is crossing your firewall and you'll have a clear picture of the security policy and rule set that is in place. Not the one you think is being enforced or the one you want to have enforced, but the one that is actually running and being enforced.

Run this report against your security policy and you'll have an excellent way to flag for illegal traffic and misconfigured firewalls.

Logs also give you an added measure of understanding rule sets and policies implemented, including all of the changes that have taken place. When you audit your firewall rule set, you get a snapshot of its configuration. And you really don't know all of the changes that have taken place between snapshots. Your firewall admin may have opened ports and closed them later on, but you will probably not know it.

Unless you are running a solid Log Management and Intelligence solution. In this case, you will see each of the configuration changes that have taken place.  Every time an admin changes the security policy and firewall ruleset, a log will capture and describe that event. Collect, centralize and analyze these logs and you will get a historical view of all changes to open and close ports, all changes to allow or disallow applications and all actual protocols using these ports. And you will see all of that in real-time, completing the view provided by your security audit.

3.       IDS/IPS

IDS/IPS are a phenomenal tool in your defensive security toolbox...provided that they are properly configured and closely managed.

All IDS/IPS need to be regularly updated - much like an AV. And again, you need to verify that your systems are properly keeping things up to date. Use your Log Management and Intelligence solution for that.

Let's also look at one of the most common criticisms of an IDS.

An IDS' job is to alert on certain events, and this sometimes leads to very chatty systems; what some people call "false positives".  False positives are not an IDS' fault - the IDS is just alerting on events that we asked it to alert us on.

For example, one malformed packet can be attributed to a malfunctioning system or poorly-coded custom application. Such isolated incidents can happen and should not be a cause for concern. If your IDS raises an alert for every malformed packet recognized, you will soon be drowning in alarms, your IDS ringing off the hook, and you will complain about false positives. However, having too many of these malformed packets in a certain period of time could be an indication that a DoS Denial of Service attack is underway. So you need a way to define a threshold above which you decide indicates an attack.

But how would you know that you have reached the threshold above which you want to be alerted, but not wasting your IDS' cycles in threshold analysis so that it can keep doing its job best?

Logs will tell you that.

Sound Log Management and Intelligence will allow you to collect, centralize and analyze your IDS logs, in real time. Get more than x of these events per second, or per minute or hour and the alarm can be raised. For example, you can easily set thresholds so that when a malformed packet is recognized, no-one cries wolf, but if more than 10 such packets are received in a minute, this indicates cause for concern and an alarm is raised. And/or an SNMP trap is sent to your ticketing system. And/or an email is sent in real time to your security supervisor.

Logs can also help you in other ways.

An IPS, like a firewall, needs a certain policy to be implemented in order to decide what traffic to allow and what traffic to stop. And again, you have the same risk of having policies that are not appropriate for your environment.

So how do you verify that your IDS and IPS are up-to-date and functioning the way that they're supposed to?

Logs will tell you that.

Compare logs from your IPS and logs from your downstream internal network devices and compare them. Is your IPS allowing traffic that you don't want to allow? Are your switches receiving and treating packets that your IPS should not allow - traffic that poses a risk to bringing down your end systems?

 

4.       Anti-Trojan/worm

Anti-Trojan and Anti-worm solutions are similar to AV solutions in that they need to be kept up to date with their latest signature files. So it is critical to validate that your anti-Trojan/worm solution is using the latest file, and that the scheduling, downloading and installing of these files is working fine.

Again, logs will tell you that, provided that you have a good Log Management and Intelligence solution in place.

In addition, the latest signature files provide no help to combat Trojans and worms that exploit newly discovered attack vectors in what's called "zero-day" attacks.

One aspect that is typically common in zero-day attacks is that the malware will try spreading to neighboring systems by replication and infection, which starts by establishing connections to other systems, sometimes "random" hosts on "random" ports, often adding some form of IP spoofing mechanisms in order to obfuscate its behavior. Obfuscation can also be achieved by hiding attacks in legitimate traffic, by tunneling exploits in port 80 for example. Or DNS ports. So these Trojans and worms are sometimes capable of evading known defensive security solutions.  In fact this is becoming more and more the case, as it is a matter of survival for the worms.

The only "weird" or unusual behavior that is observable is a spike in the number of network connections happening in your network, and connections refused by end-systems, or connections accepted followed by modification of system level files.

A sound Log Management and Intelligence solution will alert you when you have a spike of more than x% of logs compared to your baseline "normal" behavior for a configurable period of time.  For example, you can set your solution up so that if you have more than double the number of logs generated by this system, or this group of systems, the security administrator is alerted , an alarm is raised and an SNMP trap is sent to your supervisor system.

Again, Log Management will never replace your dedicated anti-Trojan/worm solution, but it will nicely complement it.

5.       Anti-spyware

Spyware will pollute your system silently.  It will watch your every move, looking for passwords, bank account information, credit card numbers and any other information of value.

How does it do that? How does it hide so well?

It will often operate by replacing legitimate executable files.  It will highjack critical system files and drop its payload into them.

Your system now seems to run as usual - the list of running processes doesn't yield any anomalies, and performance doesn't seem affected. But the spyware is running.

So how do logs help here?

They help from the get-go. As soon as the spyware initially infects your system, it will access critical system directories and either drop in new executables, or modify system-privileged executables. These are events that can be configured to generate logs.

And once more, your Log Management and Intelligence solution can be configured to alert you of this behavior and let you know in real-time that a program is accessing and replacing critical system executables.

It will not completely replace your system integrity solution, but it will nicely complement it.

6.       SIEM - Security Information Event Management

The philosophy of the SIEM is to correlate disparate events taking place in your IT infrastructure to identify and flag security incidents.

For example, if a user logs in locally at 8am (as demonstrated by logs from the DHCP server assigning an IP address and then Active Directory allowing successful authentication to the Domain), and then this user logs in from the other side of the Internet via VPN (as demonstrated by logs from the VPN concentrator), then something is obviously wrong and it is likely an identity theft with illegal login taking place.

Sounds quite simple, right?

Well, it can be pretty simple provided that you know which scenarios you want to flag as problematic.

Above all, it can be pretty simple provided you have the logs that give you the visibility required to flag these behaviors and scenarios.

This is where Log Management and Intelligence comes in.

The first step in correlating logs is to collect and centralize all of your logs, as seamlessly as possible. Next, use policy-based forwarding to forward all relevant logs to your correlation engine.

This is why Log Management and SIEM are complementary.

Easily and seamlessly build a haystack, and find the needle in real-time.

SIEMs work very hard to find the needles, using extremely complex algorithms. So the more you help your SIEM by isolating certain types of logs for it to work on, the more you can optimize the process. A sound Log Management and Intelligence solution will help you feed the right logs to your SIEM so that it can do its job most efficiently, by correlating logs and events that are relevant for security purposes and targeted to the scenarios that are most important for you.

SIEM and log correlation then become a "feature" of Log Management and Intelligence!

Conclusion:

We talked about the importance of process and procedures surrounding the use of defensive security solutions. Indeed, we demonstrated that an "install and forget" approach to security is doomed to disaster.

A sound Log Management and Intelligence system should not only be part of your bag of tricks, but integral to your process and procedures as a way to verify and ensure the validity of your security solutions. Log Management and Intelligence is more than just an added safety measure - it could be the last, and most effective barrier between you and disaster.

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.

@ThingsExpo Stories
As data explodes in quantity, importance and from new sources, the need for managing and protecting data residing across physical, virtual, and cloud environments grow with it. Managing data includes protecting it, indexing and classifying it for true, long-term management, compliance and E-Discovery. Commvault can ensure this with a single pane of glass solution – whether in a private cloud, a Service Provider delivered public cloud or a hybrid cloud environment – across the heterogeneous enter...
DXWorldEXPO LLC announced today that ICC-USA, a computer systems integrator and server manufacturing company focused on developing products and product appliances, will exhibit at the 22nd International CloudEXPO | DXWorldEXPO. DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City. ICC is a computer systems integrator and server manufacturing company focused on developing products and product appliances to meet a wide range of ...
More and more brands have jumped on the IoT bandwagon. We have an excess of wearables – activity trackers, smartwatches, smart glasses and sneakers, and more that track seemingly endless datapoints. However, most consumers have no idea what “IoT” means. Creating more wearables that track data shouldn't be the aim of brands; delivering meaningful, tangible relevance to their users should be. We're in a period in which the IoT pendulum is still swinging. Initially, it swung toward "smart for smart...
Headquartered in Plainsboro, NJ, Synametrics Technologies has provided IT professionals and computer systems developers since 1997. Based on the success of their initial product offerings (WinSQL and DeltaCopy), the company continues to create and hone innovative products that help its customers get more from their computer applications, databases and infrastructure. To date, over one million users around the world have chosen Synametrics solutions to help power their accelerated business or per...
Dion Hinchcliffe is an internationally recognized digital expert, bestselling book author, frequent keynote speaker, analyst, futurist, and transformation expert based in Washington, DC. He is currently Chief Strategy Officer at the industry-leading digital strategy and online community solutions firm, 7Summits.
In an era of historic innovation fueled by unprecedented access to data and technology, the low cost and risk of entering new markets has leveled the playing field for business. Today, any ambitious innovator can easily introduce a new application or product that can reinvent business models and transform the client experience. In their Day 2 Keynote at 19th Cloud Expo, Mercer Rowe, IBM Vice President of Strategic Alliances, and Raejeanne Skillern, Intel Vice President of Data Center Group and ...
Founded in 2000, Chetu Inc. is a global provider of customized software development solutions and IT staff augmentation services for software technology providers. By providing clients with unparalleled niche technology expertise and industry experience, Chetu has become the premiere long-term, back-end software development partner for start-ups, SMBs, and Fortune 500 companies. Chetu is headquartered in Plantation, Florida, with thirteen offices throughout the U.S. and abroad.
Bill Schmarzo, author of "Big Data: Understanding How Data Powers Big Business" and "Big Data MBA: Driving Business Strategies with Data Science," is responsible for setting the strategy and defining the Big Data service offerings and capabilities for EMC Global Services Big Data Practice. As the CTO for the Big Data Practice, he is responsible for working with organizations to help them identify where and how to start their big data journeys. He's written several white papers, is an avid blogge...
"We are a well-established player in the application life cycle management market and we also have a very strong version control product," stated Flint Brenton, CEO of CollabNet,, in this SYS-CON.tv interview at 18th Cloud Expo at the Javits Center in New York City, NY.
It is of utmost importance for the future success of WebRTC to ensure that interoperability is operational between web browsers and any WebRTC-compliant client. To be guaranteed as operational and effective, interoperability must be tested extensively by establishing WebRTC data and media connections between different web browsers running on different devices and operating systems. In his session at WebRTC Summit at @ThingsExpo, Dr. Alex Gouaillard, CEO and Founder of CoSMo Software, presented ...
Most people haven’t heard the word, “gamification,” even though they probably, and perhaps unwittingly, participate in it every day. Gamification is “the process of adding games or game-like elements to something (as a task) so as to encourage participation.” Further, gamification is about bringing game mechanics – rules, constructs, processes, and methods – into the real world in an effort to engage people. In his session at @ThingsExpo, Robert Endo, owner and engagement manager of Intrepid D...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Michael Maximilien, better known as max or Dr. Max, is a computer scientist with IBM. At IBM Research Triangle Park, he was a principal engineer for the worldwide industry point-of-sale standard: JavaPOS. At IBM Research, some highlights include pioneering research on semantic Web services, mashups, and cloud computing, and platform-as-a-service. He joined the IBM Cloud Labs in 2014 and works closely with Pivotal Inc., to help make the Cloud Found the best PaaS.
Everything run by electricity will eventually be connected to the Internet. Get ahead of the Internet of Things revolution. In his session at @ThingsExpo, Akvelon expert and IoT industry leader Sergey Grebnov provided an educational dive into the world of managing your home, workplace and all the devices they contain with the power of machine-based AI and intelligent Bot services for a completely streamlined experience.
Cloud-enabled transformation has evolved from cost saving measure to business innovation strategy -- one that combines the cloud with cognitive capabilities to drive market disruption. Learn how you can achieve the insight and agility you need to gain a competitive advantage. Industry-acclaimed CTO and cloud expert, Shankar Kalyana presents. Only the most exceptional IBMers are appointed with the rare distinction of IBM Fellow, the highest technical honor in the company. Shankar has also receive...
Business professionals no longer wonder if they'll migrate to the cloud; it's now a matter of when. The cloud environment has proved to be a major force in transitioning to an agile business model that enables quick decisions and fast implementation that solidify customer relationships. And when the cloud is combined with the power of cognitive computing, it drives innovation and transformation that achieves astounding competitive advantage.
Personalization has long been the holy grail of marketing. Simply stated, communicate the most relevant offer to the right person and you will increase sales. To achieve this, you must understand the individual. Consequently, digital marketers developed many ways to gather and leverage customer information to deliver targeted experiences. In his session at @ThingsExpo, Lou Casal, Founder and Principal Consultant at Practicala, discussed how the Internet of Things (IoT) has accelerated our abilit...
In his session at Cloud Expo, Alan Winters, U.S. Head of Business Development at MobiDev, presented a success story of an entrepreneur who has both suffered through and benefited from offshore development across multiple businesses: The smart choice, or how to select the right offshore development partner Warning signs, or how to minimize chances of making the wrong choice Collaboration, or how to establish the most effective work processes Budget control, or how to maximize project result...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
Data is the fuel that drives the machine learning algorithmic engines and ultimately provides the business value. In his session at Cloud Expo, Ed Featherston, a director and senior enterprise architect at Collaborative Consulting, discussed the key considerations around quality, volume, timeliness, and pedigree that must be dealt with in order to properly fuel that engine.