Event Logs are Key to a Secure Network

Transcription

1 Event Logs are Key to a Secure Network by Sari Stern Greene, CISM, CISSP, NSA-IAM, Sage Data Security Most companies have smart people running well-designed networks that use sound security policies and procedures. Yet, they still experience threatening situations every day, some initiated by malicious intent, and others due to simple human error. Hackers are inventing new and increasingly sophisticated ways to break into corporate information systems, and companies must respond with more effective ways to protect their vital corporate information systems, networks, and data. Among the most reliable, accurate, and proactive tools in the security arsenal are the event and audit logs created by network devices. Yet, few organizations understand what devices to monitor, what information to capture, or how to properly evaluate the data. In addition, few have the resources required to stay on top of the task. Following is information on the benefits of mining network and information device event logs, and how to maximize external resources to minimize the security threat. Today s Security Threats Heeding Uncle Sam s Rules Monitoring event logs is more than just good policy for securing an IT infrastructure it also is an integral part of complying with a number of government regulations. These regulations span multiple industries, from financial to healthcare to general business. Following are some insight into their requirements, and ways that event log management can help your firm comply. continued... It's no secret that securing information is one of the largest challenges faced by businesses today. While much of the attention, and most security strategies, are focused on malicious attacks such as phishing and hacking, a surprising number of security breaches are the result of allowed activity. In general, security concerns fall into five major categories: Malicious attacks from unknown/unauthorized sources. Unauthorized access to or against your systems from either internal or external locations. These are not nuisance attacks. They are bonafide criminal activity. Malicious attacks from known/authorized sources. A significant number of attacks are generated by insiders authorized users, business partners, and third party service providers. Unfortunately, not all of these individuals are trustworthy. Proxy attack scenarios. It is very common for an attacker to use computers distributed throughout the world as weapons. This process is transparent to the system owner. No one wants to have their computer systems used this way. Having your computer systems used as part of a larger threat certainly flies in the face of good corporate citizenry and can cause major reputational damage. Unintended breaches created from human error. Not all threatening activity is malicious sometimes, people just make mistakes or are fooled into taking action. Privacy and regulatory compliance violations. Many organizations have a legal and a fiduciary obligation to safeguard protected information. Violations, however unintentional, can have serious ramifications. These types of events are not uncommon. They happen every day, sometimes every minute, and no company is immune. But regular attention to and mining of the device audit and event logs can yield important information to combat these and other security threats. In addition, monitoring event and audit logs is an integral part of complying with a variety of federal regulations including Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). In addition, as of October 2007, thirty-seven states have instituted security breach notification laws that require businesses to monitor and protect specific sets of consumer data. (See sidebar, Heeding Uncle Sam s Rules for more information about industry regulations.)

2 The Gramm Leach Bliley Act The Gramm Leach Bliley Act of 1999 (GLBA) outlined a number of security protocols that financial institutions must follow in order to protect their customer s information. The GLBA standards for safeguarding information cite that banks must protect against any anticipated threats or hazards to the security of information, and protect against any unauthorized access to or use of that information. They also must monitor systems to detect actual and attempted attacks on or intrusions into customer information systems. GLBA dictates that banks and financial institutions monitor activity captured by network device event logs and that they are reviewed on a regular and timely basis. continued... The Benefits of Event Logs Every device within a company s IT infrastructure network switches and routers; file, print, application, database and web servers; systems; and firewalls is capable of logging activity. So why don t more organizations use event logs to catch attacks? Part of the difficulty lies in the volume of event logs to review: each device generates approximately 600 events per minute. A network with 15 devices generates 13 million events per day to review. No matter how big the company, few can afford to hire enough people to evaluate that volume of information. Organizations need to prioritize which logs are essential by identifying the devices and applications that store, process, and transmit critical data. Ideally, security professionals will collect data from every significant device and application on the network. At a minimum, it is recommended that organizations collect data from firewall, web server, and network authentication servers. (See sidebar, What devices should you monitor? for information on what data to collect and devices to monitor.) Determining which devices are critical, and which information is significant, is not a one-size-fits-all proposition. Each organization needs to conduct an impact assessment of its network prior to establishing a log-capture and -review policy. Publicly accessible systems are more targeted than internal systems, simply because the number of people who can attack them is greater. ecommerce application/database servers are critical, both because they contain sensitive information that organizations must protect and because they tend to drive an organization s revenue stream. But organizations also need to prioritize the monitoring of internal servers and devices and each organization will need to determine the level of criticality of their devices on a case-by-case basis. The next step is to determine the type of information the organization is looking to extract from a specific log. Again, this information must be customized for each organization, as some will need to identify unauthorized access, user activity, and administrative activity while others need to measure volume of activity or document compliance of processes including user/group administration or change management. While event logs help companies identify breaches and attacks, they also help companies define normal activity. This process is crucial: by truly understanding how a network or information systems architecture performs normally on a daily basis, companies then have a baseline for comparison to identify abnormal behavior. This vital information provides the framework upon which a log-monitoring and -management plan can be customized. One common mistake in developing a security strategy is to focus only on errors and known breaches. What might appear to be valid traffic coming into a web server could actually be the result of someone mirroring a corporate website so they can perform phishing attacks. It s difficult to spot this activity using standard web reports, since the technique criminals use may appear as if someone is

3 The Sarbanes-Oxley Act The Sarbanes-Oxley Act (SOX) of 2002 requires all U.S. public company boards, management, and public accounting firms to establish a variety of internal controls, including securing their information technology infrastructures. One of the approved frameworks is that of COBIT: Control Objectives of Information and Related Technology, a set of best practices created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT requires companies to perform frequent IT security audits, both from personnel within and without its internal organization, to evaluate and mitigate risk to information. Event logs capture vital information on attempted and successful breaches, and are an integral resource for complying with SOX requirements. continued... The Benefits of Event Logs continued simply viewing website pages. Yet, website and firewall logs can identify site mirroring from normal user traffic: most website visitors will spend a certain amount of time on the website and only access a subset of the site s pages. Web server logs can identify when a visitor methodically hits every page on a site in rapid succession. This type of activity, particularly if it comes from an IP address located outside of the company s traditional customer base, is an example of how authorized activity is not always the same as safe activity. A Manageable Amount of Data After an organization has collected event logs for all identified network devices, the next step is to assemble the data so that they can be analyzed. It s impossible to review every single log entry manually, so security administrators must aggregate, correlate, and normalize entries to create a report that identifies all of the important network activity into a manageable amount of information for review. Each step in this data-capture process narrows down the information that requires human oversight. It s tempting to focus on malicious events only to reduce the number of events to review, but many security incidents are the result of allowed activity. Following are the steps that organizations should follow for log preparation and log analysis. This process is rigorously followed by Sage Data Security analysts: Log Preparation Log Parsing: This is the process of extracting data from a log so that the parsed values can be used as input for another logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-separated values per line and extracting the 10 values from each line. Event Filtering: In this step, log entries are suppressed from analysis because their characteristics indicate that they are unlikely to contain information of interest. For example, duplicate entries and standard informational entries might be filtered because they do not provide useful information to log analysts. Event Aggregation: This process consolidates similar entries into a single entry containing the count of the number of occurrences of the event. For example, a thousand entries that each record part of a scan could be aggregated into a single entry that indicates how many hosts were scanned. Log Conversion: This stage requires parsing the log in one format and storing its entries in a second format. For example, conversion could take data from a log stored in a database and save it in an XML format in a text file. Log Normalization: This step converts each log data field to a particular data representation, and categorizes it consistently. One of the most common uses of normalization is storing dates and times in a single format. For example, one log generator might store an event using a 12-hour format (2:34:56 PM EDT) categorized as a Timestamp, while another log generator might store it in a 24-hour format (14:34) categorized as an Event Time, with the time zone (-0400) in a different field with a separate category. Normalizing the logs ensures that they are consistent and eases the review and analysis process.

4 The Health Insurance Portability and Accountability Act Log Analysis It s not enough to review a log entry as a standalone event; its meaning often depends upon the context surrounding it. Correlation ties individual log entries together based on related information. Sequencing examines activity based on patterns. Trend Analysis identifies activity over time that in isolation might appear normal. The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to protect health insurance coverage for workers and their families when they change or lose their jobs. In addition, HIPAA requires firms to regulate the security and privacy of health data by providing administrative, physical, and technical safeguards. Each firm must establish processes for securing access to workstations and IT devices that contain patient data, documenting breaches, and reporting them to authorities. In addition, each firm is responsible for ensuring the same security levels for their external vendors that access their systems. Data contained in network and technology device event logs are key to uncovering attempted and actual security breaches. Sari Stern Greene, CISM, CISSP, NSA-IAM is the Founder of Sage Data Security, based in South Portland, Maine, which secures businesses and financial institutions nationwide with its ndiscovery SM Security Information Management service. For more information, visit or her at sari@sagedatasecurity.com. The Human Touch Successful log review requires both people and time in addition to the right tools. While tools and scripts can be used in the process of preparing, correlating, sequencing, and trending data, the final step in event and audit log management requires insight and analysis. Even the best report that synthesizes the most valuable information into a concise format is worthless unless someone takes the time to review it on a regular, consistent basis. This can be a resource-intensive activity. Successful log review requires people who understand what they are reviewing, time to perform the review, and deployment of the proper tools and methodology to achieve the organization s objectives. Organizations should decide what it is they want to accomplish via log review, how often and who is going to review the logs, what kind of reports are going to be generated, and how often they are going to be generated. For many companies, working with a consultant who specializes in information security is the best option. A specialized security information management firm has the skills to perform a site evaluation to identify critical devices to monitor, and understands which information is important to collect. A security consultant also can develop the custom scripts required to track and capture the right data. They stay on top of industry trends, and undergo constant training and security certification to ensure that their skills are current. They invest in the tools and technologies that are often too expensive for all but the largest firms. And, because they work with multiple firms, they are able to spot attacks and breaches that are attempted on others and develop proactive, defensive strategies. They can generate concise, insightful reports that help companies stay on top of event log review by eliminating redundant or unnecessary information, and providing the most important, actionable information. For some businesses, including those in the financial services industry, segregation of duties is a requirement. Organizations struggle to keep their information technology systems and vital data safe and secure. While event log management is time-consuming, intricate, and challenging, the rewards are great for those that mine the data they contain. The combination of an internal security team working with a consultancy that specializes in security information management helps many organizations develop the most cost-effective plan to ensure the consistent evaluation and review of event logs, and ensure the security of corporate systems and data.

5 What Devices Should You Monitor? Every device on a company network collects event logs, and it s not practical to store and evaluate every event from every device. Each company must develop a customized plan to capture the critical information that could impact its business. Following is a description of the types of devices that Sage Data Security has identified as the most important to track, and the type of information that they can deliver. Firewalls: Firewalls can log all the traffic going in and out of the network. Typically, when security administrators review their logs for inbound and outbound traffic, they ll check to see that the firewall is denying traffic, with the idea that accepted traffic has already been approved and the firewall is doing its job. With firewall logs, security administrators have to make sure that not only is unauthorized traffic denied, but that they understand exactly what it comprises so they can be proactive in addressing potential threats. In addition to reviewing denied activity, security administrators should review unusual amounts of allowed activity. For example, a high number of file transfers can be a warning of malware or of a user violating company policy. If a company typically makes daily FTP transfers comprising one megabyte of data, then security administrators should investigate if a file transfer is suddenly 600 megabytes. Or, if the company allows Port 80 traffic for outbound browsing, they should take note if the traffic from a particular device increases substantially. The key: look for unexpected traffic as well as expected traffic within unexpected levels. Web servers: Web server logs are another rich source of data to identify and thwart malicious activity. Typically, a security administrator looks to web server logs for entries that result in errors: users requesting pages that don t exist 404 Page Not Found Errors or users trying to access directory files for which they don t have authorization, such as 403 Forbidden Errors. Other errors to monitor include 500 Internal Server Errors, and 501 Header Value errors, both of which can indicate malicious activity as well as malfunctioning applications or bad HTML code. Checking the logs for Null Referrers can identify hackers who are scanning the website with automated tools that don t follow proper protocols. Security teams also need to monitor any access to pages that are used to update website content to ensure that only authorized users are attempting to get at this data. Critical alerts in web server logs are when traffic to IIS servers is attempting to access database information via SQL injection or when attempts are made to access folders on the server that aren t linked to the HTML within the pages of the web server (ex. Directory Traversals). Web server logs can also identify attempted execution of operating system commands. All of these events are indicative of malicious activity that should be reviewed in more detail. Network Authentication Server: An example of a network authentication server is an Active Directory Domain Controller. Authentication server logs document account activity. Administrative and user activity should be reviewed including: account lockouts, invalid account logons, invalid passwords, password changes, user management changes including new accounts and changed accounts, computer management events including when audit logs are cleared or computer account names are changed, group management events such as the creation or deletion of groups and the addition of users to high security groups, user activity outside of logon time restrictions, and server reboots.

6 About Sage Data Security and ndiscovery SM Mining and monitoring the information generated by the logs of your network and technology devices offers a wealth of information to help protect your organization. Each log offers clues about hacking attempts or attacks as well as on innocent activities that have unexpected and possibly harmful consequences. Yet each device generates countless numbers of events, so many that it s impossible to review them all manually. That s why we created ndiscovery SM, the information security management service that analyzes your event activity, identifies breaches, and defends your corporate data. With ndiscovery SM, we help your organization make sense of an overwhelming volume of data. We perform a site analysis to identify critical network and technology devices, and develop a baseline report that identifies normal activity. We create custom programs that capture and track the right information, and our proprietary methodology efficiently analyzes and correlates your log entries. We provide you with a concise, insightful report of all pertinent network activity and identify significant events, potential breaches, and potential threats. ndiscovery SM An Essential Solution for Your Business Contact Sage Data Security today and learn how we can help you defend your information assets! Call SAGE Full site evaluation determines critical devices and information to capture Data capture, aggregation, correlation, and analysis Concise, pertinent reporting delivers vital information on a regular basis Full review of anomalies as well as potentially harmful allowed activity Remediation advice and information to keep your organization secure or visit