QUICKSTART GUIDE: ALERT LOGIC ACTIVEWATCH FOR LOG MANAGER

TABLE OF CONTENTS
Introduction ... 2
Getting Started ... 4
Configuring Log Sources ... 4
Common Log Sources ... 5
INTRODUCTION

A FRESH APPROACH TO IDENTIFYING SECURITY AND THREAT ISSUES

Each day your IT infrastructure generates an enormous number of log messages. When analyzed on a regular basis, these messages can provide valuable information, not only about the health of your environment, but also about potential security, compliance, and threat issues that can put your sensitive data at risk. The key to unlocking this information begins with defining and implementing a log management process that:

- Enables you to capture relevant log messages from across your IT infrastructure.
- Is built to handle enormous amounts of data with no impact on the performance or output of the solution.
- Provides a means for those messages to be normalized and analyzed in a short time frame.
- Feeds a correlation engine that can identify security and threat issues from log messages, including those that on the surface seem unrelated.
- Collects and analyzes log messages continuously.

For many organizations, adopting a comprehensive approach to log management is a daunting task that they do not have the budget or time to tackle. With Alert Logic Log Manager and Alert Logic ActiveWatch for Log Manager, we provide a better approach to log management and security issue identification, one that provides deep insight and continuous protection at a cost that organizations of any size can afford. Our cloud-based, fully managed log management service gives organizations the ability to:

- Identify hard-to-detect security issues across all environments.
- Reduce the time and cost associated with incident response.

With purpose-built security content, Alert Logic ActiveAnalytics can process unlimited amounts of log data to uncover events of interest that can indicate a threat or security issue. Once an issue is identified, Alert Logic ActiveWatch, a team of security experts, will contact you with the information you need to respond to the incident.
Our unique approach to handling large volumes of data means that we can guarantee that you will be notified within 15 minutes of an issue being identified in your environment. All day. Every day.

SCALABILITY DRIVES INNOVATION

In order to meet the demands of over 3,000 customers, we had to take a close look at how log messages and issue identification could be optimized. To that end, we made substantial investments in the underlying cloud infrastructure that supports the Alert Logic Security-as-a-Service platform. With over 1,000 processing cores, we currently process terabytes of data daily, and we have built the platform to handle ever-increasing volumes of data.

With our infrastructure future-proofed, we next invested significant cycles in devising a better way to identify issues from this enormous, growing data set. Unlike other solution providers who deliver standalone products, we provide a fully managed service for our customers. This means that we, not the customer, take on the burden of managing data and identifying issues. The end result of this effort is an extensible, flexible, and adaptable security taxonomy that enables the Alert Logic solution to efficiently support any number of operating systems, databases, network devices, security controls, and the like. By investing time and effort into defining this common language, the Alert Logic solution continuously protects your environment as it evolves to support your business needs.

MOVING BEYOND RULES TO IDENTIFY INCIDENTS

To understand how the Alert Logic solution identifies security issues, you must first understand how incidents are typically generated by other solutions. Most products take the following approach to identifying incidents:

1. Organization XYZ wants to collect and analyze logs from their network firewall.
2. Organization XYZ looks for a log parser that works with their log management solution. This may be available from the manufacturer. If unavailable, Organization XYZ must write the log parser themselves.
3. Assuming Organization XYZ gets the log parser in place, the organization must then look at a library of correlation rules to see if the manufacturer has a pre-built correlation rule for their specific firewall. If a pre-built correlation rule exists, Organization XYZ will enable it. If one does not exist, Organization XYZ must obtain one from the manufacturer or build one themselves. These rules must specify which log messages will generate which incidents.
4. Once the rules are written, Organization XYZ must test the rule. If the results are as expected, the rule will be activated.

Organization XYZ must follow this same process for each and every log source they intend to analyze with their log management solution. It is easy to see that, in a short amount of time, this organization could end up with hundreds, if not thousands, of individual correlation rules that they must manage.
To compound the complexity, when this organization decides to replace their network firewall with one from another manufacturer, for example, they will need to deactivate their existing correlation rules and write new rules and/or update existing rules for their new firewall. This process is not only inefficient, but it has the potential to cause major issues with their entire log management solution, negatively impacting the solution's ability to identify issues.

Alert Logic developed a radically different, more efficient approach to solve this problem. Instead of starting with the assumption that there must be individual correlation rules for every specific log source, we developed what we call the security taxonomy. The security taxonomy is a common language that allows the solution to interpret logs from any source type in the same manner. For instance, in the case of a network firewall, the Alert Logic solution is completely agnostic as to the manufacturer of the firewall. The solution can analyze logs from any firewall manufacturer by simply creating a log parser that maps to the common language of the security taxonomy. At that point, any firewall, from any manufacturer, can be analyzed for security issues. For example, with the security taxonomy in place, the following simple two-line rule equates to literally hundreds of the individual rules needed to cover SQL injection attacks in other solutions:

Category/Outcome = Failure
Category/Technique = SQLi

This process is inherently more flexible than the old rule-based approach to incident identification, and dramatically increases our ability to identify incidents impacting your organization. It is this strategy that makes Alert Logic's approach to incident identification more efficient and effective than any other solution on the market today.

GETTING STARTED

Assuming your Alert Logic Log Manager account is active and licensed and your Log Manager appliance (if you are using one) is installed and functioning properly, to use Alert Logic ActiveWatch for Alert Logic Log Manager you need to complete the setup instructions outlined in the Alert Logic Log Manager documentation. To access this documentation, visit: http://docs.alertlogic.com.

On an ongoing basis you will need to:

- Incorporate Log Manager configurations into your change management process.
- Ensure you update notification and escalation rules for personnel changes.
- Add new log sources when your applications change. Generally this means adding/updating your flat file collection sources.
- When servers are upgraded and/or new servers are deployed, make sure to install the Log Manager agent.

CONFIGURING LOG SOURCES

The Alert Logic approach to incident identification will increase your organization's ability to respond to incidents faster than ever before. However, to gain this benefit you must ensure that the right information is being fed into the solution. This begins with you defining the systems, applications, databases, security controls, and ALL IT assets as log sources. When configuring your log sources, keep these tips in mind.

Incident creation is based on your log sources. The mantra of "garbage in, garbage out" applies here. The incidents generated will only be as relevant and informative as the log data dictates. To that end, Alert Logic recommends creating log sources not only for firewalls and security controls, but also configuring your servers and applications to transmit logs to Alert Logic.
Having this broad set of log sources will help identify indicators of compromise (IOCs) that may only surface when analyzing multiple log sources.

After log collection, the fundamental building block is a log parser. Make sure that all of your devices are generating parsed logs. To check this, search for log messages that have no type and review them within the Alert Logic web interface. Contact the SOC and create a support case to review any unparsed messages.

Configure your operating system log sources first. These configurations are typically very straightforward and will help you test the flow of data to the Alert Logic Log Manager as well as validate your personal preferences. For Microsoft Windows servers, all event logs are collected by default after the local Alert Logic agent installation. For Linux servers, change the local syslog settings to forward the logs to the Alert Logic agent.
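As an added illustration of the taxonomy approach described above and of the check for unparsed messages, here is a constructed example that is not Alert Logic's code: two hypothetical vendor log formats (the `fwA`/`FWB` names, their labels and regexes are assumptions) are mapped into the common Outcome/Technique fields, the guide's two-line rule is evaluated against both, and any line that no parser recognizes is reported for review.

```python
# Constructed example of the taxonomy approach (not Alert Logic code): two
# hypothetical vendor formats map to one vocabulary, one rule covers both.
import re

# Hypothetical vendor labels -> taxonomy values used by the guide's rule.
VENDOR_A = {"outcome": {"deny": "Failure", "allow": "Success"},
            "technique": {"sql-inject": "SQLi", "xss": "XSS"}}
VENDOR_B = {"outcome": {"BLOCKED": "Failure", "PASSED": "Success"},
            "technique": {"SQL_INJECTION": "SQLi", "CROSS_SITE_SCRIPTING": "XSS"}}

# Constructed line formats, one regex per vendor; parsers only map fields.
PARSERS = [
    (re.compile(r"^fwA: action=(?P<act>\w+) sig=(?P<sig>[\w-]+)"), VENDOR_A),
    (re.compile(r"^FWB\|(?P<act>\w+)\|(?P<sig>\w+)\|"), VENDOR_B),
]

# The guide's rule: Category/Outcome = Failure and Category/Technique = SQLi.
SQLI_RULE = {"Outcome": "Failure", "Technique": "SQLi"}


def parse(line):
    """Map a raw line to taxonomy fields, or None if no parser matches."""
    for regex, vendor in PARSERS:
        m = regex.match(line)
        if m:
            return {"Outcome": vendor["outcome"].get(m["act"]),
                    "Technique": vendor["technique"].get(m["sig"])}
    return None


def evaluate(lines, rule=SQLI_RULE):
    """Return (lines matching the rule, lines no parser recognised)."""
    hits, unparsed = [], []
    for line in lines:
        event = parse(line)
        if event is None:
            unparsed.append(line)          # review these: garbage in, garbage out
        elif all(event.get(k) == v for k, v in rule.items()):
            hits.append(line)
    return hits, unparsed


# Constructed sample log lines from both hypothetical vendors.
SAMPLE = [
    "fwA: action=deny sig=sql-inject src=192.0.2.10",
    "fwA: action=allow sig=xss src=192.0.2.11",
    "FWB|BLOCKED|SQL_INJECTION|198.51.100.7",
    "FWB|PASSED|CROSS_SITE_SCRIPTING|198.51.100.8",
    "<134>some-appliance: status ok",      # no parser for this format
]
```

Running `evaluate(SAMPLE)` returns the two SQLi denials from both vendors as hits and the unrecognized appliance line as unparsed, which is the set you would raise a support case for.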
The following section lists the common log sources that typically contain security data. This list is by no means a comprehensive list of all possible log sources in your environment. For more information about these and other log sources, contact your Alert Logic Solutions Consultant.

COMMON LOG SOURCES

- Microsoft Active Directory
- Microsoft Windows Servers
- Microsoft Internet Information Services
- Microsoft SQL Server
- Oracle Database
- MySQL
- Cisco network devices (ASA, IOS routers & switches, etc.)
- Juniper firewalls and network devices
- Fortinet network devices
- NetScreen network devices
- SonicWall
- FireEye security products
- Imperva security products
- Linux/Unix operating systems
- Apache web servers
- McAfee
- Symantec
- Sophos
- Palo Alto
- Check Point Firewalls

2015 Alert Logic, Inc. All rights reserved. Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or service marks of Alert Logic, Inc. All other trademarks listed in this document are the property of their respective owners. 0615US