Doug Picotte | September 06, 2012
Oftentimes, as Regional Technical Managers, we engage with clients in device scoping exercises to determine which security logs we should be monitoring. A while back I blogged about this topic, but I wanted to expand a bit more on security logging value, as well as the priority of various log sources.
In most situations the general approach to scoping is to focus on "high value" log sources that provide the most security-relevant information and the greatest visibility into the client environment. The other component of scoping is understanding the client's assets and compliance drivers. At the end of the day, the goal is to obtain the highest level of visibility into the client environment. The business objectives piece of this is huge because we want to meet the client's critical business and security/compliance objectives in as cost-effective a manner as possible.
Kitchen Sink Logging
Oftentimes we come across clients that have an on-premises SIEM platform in place. They may be having issues managing the data, or perhaps may not have the resources to monitor and tune the platform properly. In many cases, we find the client is simply logging everything to the SIEM, on the premise that they will not miss anything. (I joke that they are logging everything, including the "kitchen sink".) I suppose the thought is that if a security incident were to occur, they could sift through the logs after the fact to determine what has taken place. Of course, this is not good. The idea is to log security-relevant sources and proactively monitor that data for security incidents before they have the opportunity to impact the client environment.
Download our white paper to learn more about the differences and advantages/disadvantages between Managed Security Services and SIEM.
Security Logging by Value
The following information describes security logging based on security relevant value. I welcome any additional comments you may have on this topic.
Network Intrusion Detection Systems (NIDS) and Network Intrusion Prevention Systems (NIPS)
NIDS/NIPS provide the widest variety of valuable alerts for network security monitoring. NIDS or NIPS should be inspecting all ingress/egress traffic. It's becoming more and more common to also inspect traffic in and out of key segments within the network. The information from these devices is also used for correlation with other devices and security intelligence feeds.
Firewalls
Firewalls are the next most valuable item to monitor. Firewall traffic analysis (as well as IDS traffic analysis) can be used to detect zero-day attacks. Infected systems seek to announce their availability or to send data to 'command and control' (CC) servers on the internet. By comparing the destination IP addresses of outbound communications, both allowed and denied, against lists of known CC servers, we can identify the compromised systems, even if there is no detection signature available for the specific exploit that was used. Firewall traffic is also baselined, so spikes in volume or new connections can be identified, triggering a deeper analysis of any anomalous traffic. If used, network proxies would also be at this level of importance.
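The two firewall checks described above, CC destination matching (allowed and denied alike) and comparison against a traffic baseline, as an added example that is not part of the original post. The log lines, the CC list and the baseline are all constructed for illustration; a real deployment would take the CC list from threat intelligence feeds and the baseline from an earlier observation period.

```python
from collections import Counter

# Constructed sample firewall log (not from the original post).
# Fields: timestamp action src dst dport
FIREWALL_LOG = """\
2012-09-06T10:00:01 ALLOW 10.1.2.15 198.51.100.7 443
2012-09-06T10:00:02 DENY 10.1.2.15 203.0.113.9 6667
2012-09-06T10:00:05 ALLOW 10.1.2.40 93.184.216.34 80
2012-09-06T10:00:09 ALLOW 10.1.2.15 203.0.113.9 443
2012-09-06T10:00:12 ALLOW 10.1.2.77 93.184.216.34 80
"""
# Constructed "known command and control" list; in practice this comes from
# threat intelligence feeds, not from a hand-written set.
KNOWN_CC = {"203.0.113.9"}
# Constructed baseline from an earlier period: outbound connections per source
# and the (src, dst) pairs already seen.
BASELINE_COUNTS = {"10.1.2.15": 1, "10.1.2.40": 5}
BASELINE_PAIRS = {("10.1.2.15", "198.51.100.7"), ("10.1.2.40", "93.184.216.34")}

def parse(log):
    rows = []
    for line in log.splitlines():
        ts, action, src, dst, dport = line.split()
        rows.append({"ts": ts, "action": action, "src": src, "dst": dst, "dport": int(dport)})
    return rows

def cc_hits(rows, cc_list):
    """Internal hosts that reached (or tried to reach) a known CC address.
    Denied connections count too: a blocked beacon still reveals an infected host."""
    hits = {}
    for r in rows:
        if r["dst"] in cc_list:
            hits.setdefault(r["src"], set()).add((r["dst"], r["action"]))
    return hits

def volume_anomalies(rows, baseline_counts, factor=2.0):
    """Sources whose connection count exceeds factor x baseline, or that have no baseline."""
    counts = Counter(r["src"] for r in rows)
    flagged = {}
    for src, n in counts.items():
        base = baseline_counts.get(src)
        if base is None:
            flagged[src] = "new source"
        elif n > factor * base:
            flagged[src] = f"{n} connections vs baseline {base}"
    return flagged

def new_connections(rows, baseline_pairs):
    """(src, dst) pairs never seen in the baseline period."""
    return {(r["src"], r["dst"]) for r in rows} - baseline_pairs
```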
Vulnerability Scanning Data
While it is not actually a device to be monitored, internal vulnerability scanning is the next most important item in the monitoring hierarchy. Obviously, there is security value in identifying and patching vulnerabilities in your systems. Additionally, if Solutionary has your vulnerability data, we can correlate it against detected events, lowering or raising their severities depending on the level of correspondence. Systems are matched against attacks based on operating system, applications or services running, version numbers and patch levels. While all relevant attacks are posted to your portal and reports, proactive notifications are only needed when the target system is vulnerable to the specific attack being used. (To put it bluntly, we all know that you probably care less about a threat to which you are not actually vulnerable).
Authentication Devices
Authentication devices such as Active Directory or VPN concentrators are next on the list. In addition to the obvious value of protecting the systems that manage your user accounts and permissions, monitoring of authentication devices allows Solutionary to perform user ID matching. If Solutionary is receiving your successful and failed authentication events, we can correlate security events with the user ID of the person logged onto the affected system at the time of the event, and include the user ID(s) in the alert. Receiving the user ID as part of your event notifications saves time performing lookups and provides additional context for rapid assessment of event importance. For environments that have rapid turnover of IP address assignments, this correlation becomes even more valuable. If you have users who connect only briefly to access systems or synchronize files, it can be difficult to identify which user was responsible for a given alert. User ID matching makes it much easier to identify which of your 'road warriors' is inadvertently attacking your network every time he logs on.
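An added example (not Solutionary's code) of the two enrichment steps described in the vulnerability scanning and authentication sections above: adjusting an event's severity by matching the target's OS, service and version against what the signature affects, and resolving the user ID behind a source address from login/logout events, honouring session boundaries so that an address reused by a second user is attributed correctly. The auth events, asset inventory, signature metadata and severity offsets are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data, not from the original post.
# Authentication events: the VPN address 10.8.0.5 is reused by two users.
AUTH_EVENTS = [
    ("2012-09-06T08:00:00", "login", "alice", "10.8.0.5"),
    ("2012-09-06T08:07:00", "logout", "alice", "10.8.0.5"),
    ("2012-09-06T08:09:00", "login", "bob", "10.8.0.5"),
]
# Asset inventory as a vulnerability scanner might report it (constructed).
ASSETS = {
    "10.1.2.20": {"os": "Windows Server 2008", "services": {"iis": "7.5"}},
    "10.1.2.21": {"os": "Linux", "services": {"apache": "2.2.22"}},
}
# Attack signature metadata: which OS/service/versions it affects (constructed).
SIGNATURE = {"os": "Windows Server 2008", "service": "iis", "versions": {"7.0", "7.5"}}

def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def sessions(events):
    """Fold login/logout events into (start, end, user, ip); end is None if still open."""
    open_, closed = {}, []
    for ts, kind, user, ip in sorted(events):
        if kind == "login":
            open_[(user, ip)] = _t(ts)
        elif (user, ip) in open_:
            closed.append((open_.pop((user, ip)), _t(ts), user, ip))
    return closed + [(start, None, u, ip) for (u, ip), start in open_.items()]

def user_at(sess, ip, when):
    """Return the user holding `ip` at `when`, or None if nobody was logged on."""
    t = _t(when)
    for start, end, user, sip in sess:
        if sip == ip and start <= t and (end is None or t < end):
            return user
    return None

def is_vulnerable(asset, sig):
    """Match target OS, service and version against what the signature affects."""
    if asset is None:
        return None  # unknown asset: no scan data to correlate against
    return asset["os"] == sig["os"] and asset["services"].get(sig["service"]) in sig["versions"]

def enrich(event, assets, sig, auth_events, base_severity=3):
    """Attach user ID and adjust severity: +2 if the target is vulnerable, -1 if it is not."""
    vuln = is_vulnerable(assets.get(event["dst"]), sig)
    severity = base_severity if vuln is None else base_severity + (2 if vuln else -1)
    user = user_at(sessions(auth_events), event["src"], event["ts"])
    return {**event, "severity": severity, "user": user, "target_vulnerable": vuln}
```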
Specialty Security Devices
Specialty security devices, such as Web Application Firewalls (WAFs) and Network Access Controllers (NACs), if used, are the next systems to include. WAFs provide much more targeted detection of attacks specific to web servers and applications than standard firewalls and IDS/IPSs can achieve. NACs identify the connection of new systems to the network, allowing immediate detection of unauthorized devices.
Applications and Databases
Key applications, such as databases and web servers, are next in importance. In addition to the security value of protecting the availability of the systems and the integrity of their data, many compliance regimes require monitoring of these systems. For example, under PCI DSS, servers that hold protected cardholder data must be monitored, and so must any server on the same network segment as a system that contains protected cardholder data. Monitoring of servers and applications allows more effective correlation with other security devices to detect attacks, and gives the analysts a greater ability to determine the importance of detected events.
PCs and Laptops
PCs and laptops are next in monitoring value. These systems can be monitored using a centralized console product, such as Symantec™ Endpoint Protection. Endpoint monitoring is becoming more important as attackers move toward multi-stage methodologies, which often start by compromising user workstations rather than directly targeting core systems. This also becomes more important when you think about the decreasing importance of security perimeters, and the increasing importance of mobile devices and telecommuters.
Generic Networking Devices
Last on this list are the generic networking devices: routers, switches, load balancers, etc. The value these devices provide is mainly for correlation with alerts generated by other security systems. You can also get value from these devices when analyzing baseline and traffic volume. The best value here is in environments that have tight change control policies, where the monitoring can be used to help enforce policy. Monitoring these devices may also be required by your regulatory or audit regimes.
Download our white paper, "Contextual Security Provides Actionable Intelligence" to see how security data can also be enriched with contextual data to provide better understanding and actionable intelligence.
Until Next Time
Thanks very much for reading, my friends. I would also like to thank Kevin Dempsey for his contributions to this blog. Until next time, and as always, ride safe, crank up the tunes, and stay secure!