by Sari SternGreene,CISM,CISSP, NSA-IAM, Sage Data Security · 2017. 10. 7. · on malicious...


Heeding Uncle Sam’s Rules

Monitoring event logs is more than just good policy for securing an IT infrastructure – it also is an integral part of complying with a number of government regulations. These regulations span multiple industries, from financial to healthcare to general business. Following is some insight into their requirements, and ways that event log management can help your firm comply.

Event Logs are Key to a Secure Network

by Sari Stern Greene, CISM, CISSP, NSA-IAM, Sage Data Security

Most companies have smart people running well-designed networks that use sound security policies and procedures. Yet, they still experience threatening situations every day, some initiated by malicious intent, and others due to simple human error. Hackers are inventing new and increasingly sophisticated ways to break into corporate information systems, and companies must respond with more effective ways to protect their vital corporate information systems, networks, and data. Among the most reliable, accurate, and proactive tools in the security arsenal are the event and audit logs created by network devices. Yet, few organizations understand what devices to monitor, what information to capture, or how to properly evaluate the data. In addition, few have the resources required to stay on top of the task. Following is information on the benefits of mining network and information device event logs, and how to maximize external resources to minimize the security threat.

Today’s Security Threats

It's no secret that securing information is one of the largest challenges faced by businesses today. While much of the attention, and most security strategies, are focused on malicious attacks such as phishing and hacking, a surprising number of security breaches are the result of “allowed” activity. In general, security concerns fall into five major categories:

• Malicious attacks from unknown/unauthorized sources. Unauthorized access to or against your systems from either internal or external locations. These are not nuisance attacks. They are bona fide criminal activity.

• Malicious attacks from known/authorized sources. A significant number of attacks are generated by “insiders”—authorized users, business partners, and third party service providers. Unfortunately, not all of these individuals are trustworthy.

• Proxy attack scenarios. It is very common for an attacker to use computers distributed throughout the world as “weapons”. This process is transparent to the system owner. No one wants to have their computer systems used this way. Having your computer systems used as part of a larger threat certainly flies in the face of good corporate citizenry and can cause major reputational damage.

• Unintended breaches created from human error. Not all threatening activity is malicious – sometimes, people just make mistakes or are fooled into taking action.

• Privacy and regulatory compliance violations. Many organizations have a legal and a fiduciary obligation to safeguard protected information. Violations, however unintentional, can have serious ramifications.

These types of events are not uncommon. They happen every day, sometimes every minute, and no company is immune. But regular attention to and mining of the device audit and event logs can yield important information to combat these and other security threats.

In addition, monitoring event and audit logs is an integral part of complying with a variety of federal regulations including the Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). Also, as of October 2007, thirty-seven states have instituted security breach notification laws that require businesses to monitor and protect specific sets of consumer data. (See sidebar, “Heeding Uncle Sam’s Rules” for more information about industry regulations.)


The Benefits of Event Logs

Every device within a company’s IT infrastructure — network switches and routers; file, print, application, database and web servers; email systems; and firewalls — is capable of logging activity. So why don’t more organizations use event logs to catch attacks? Part of the difficulty lies in the volume of event logs to review: each device generates approximately 600 events per minute. A network with 15 devices generates 13 million events per day to review. No matter how big the company, few can afford to hire enough people to evaluate that volume of information. Organizations need to prioritize which logs are essential by identifying the devices and applications that store, process, and transmit critical data.

Ideally, security professionals will collect data from every significant device and application on the network. At a minimum, it is recommended that organizations collect data from firewall, web server, and network authentication servers. (See sidebar, “What devices should you monitor?” for information on what data to collect and devices to monitor.)

Determining which devices are critical, and which information is significant, is not a one-size-fits-all proposition. Each organization needs to conduct an impact assessment of its network prior to establishing a log-capture and review policy. Publicly accessible systems are more targeted than internal systems, simply because the number of people who can attack them is greater. eCommerce application/database servers are critical, both because they contain sensitive information that organizations must protect and because they tend to drive an organization’s revenue stream. But organizations also need to prioritize the monitoring of internal servers and devices – and each organization will need to determine the level of criticality of their devices on a case-by-case basis.

The next step is to determine the type of information the organization is looking to extract from a specific log. Again, this information must be customized for each organization, as some will need to identify unauthorized access, user activity, and administrative activity while others need to measure volume of activity or document compliance of processes including user/group administration or change management.

While event logs help companies identify breaches and attacks, they also help companies define normal activity. This process is crucial: by truly understanding how a network or information systems architecture performs “normally” on a daily basis, companies then have a baseline for comparison to identify abnormal behavior. This vital information provides the framework upon which a log-monitoring and management plan can be customized.

One common mistake in developing a security strategy is to focus only on errors and known breaches. What might appear to be “valid” traffic coming into a web server could actually be the result of someone mirroring a corporate website so they can perform phishing attacks. It’s difficult to spot this activity using standard web reports, since the technique criminals use may appear as if someone is simply viewing website pages. Yet, website and firewall logs can distinguish site mirroring from normal user traffic: most website visitors will spend a certain amount of time on the website and only access a subset of the site’s pages. Web server logs can identify when a “visitor” methodically hits every page on a site in rapid succession. This type of activity, particularly if it comes from an IP address located outside of the company’s traditional customer base, is an example of how “authorized” activity is not always the same as “safe” activity.

The Gramm–Leach–Bliley Act

The Gramm–Leach–Bliley Act of 1999 (GLBA) outlined a number of security protocols that financial institutions must follow in order to protect their customers’ information. The GLBA standards for safeguarding information cite that banks must protect against any anticipated threats or hazards to the security of information, and protect against any unauthorized access to or use of that information. They also must monitor systems to detect actual and attempted attacks on or intrusions into customer information systems. GLBA dictates that banks and financial institutions monitor activity captured by network device event logs – and that they are reviewed on a regular and timely basis.

The Sarbanes-Oxley Act

The Sarbanes-Oxley Act (SOX) of 2002 requires all U.S. public company boards, management, and public accounting firms to establish a variety of internal controls, including securing their information technology infrastructures. One of the approved frameworks is that of COBIT: Control Objectives for Information and Related Technology, a set of best practices created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI). COBIT requires companies to perform frequent IT security audits, both from personnel within and without its internal organization, to evaluate and mitigate risk to information. Event logs capture vital information on attempted and successful breaches, and are an integral resource for complying with SOX requirements.

A Manageable Amount of Data

After an organization has collected event logs for all identified network devices, the next step is to assemble the data so that they can be analyzed. It’s impossible to review every single log entry manually, so security administrators must aggregate, correlate, and normalize entries to create a report that distills all of the important network activity into a manageable amount of information for review. Each step in this data-capture process narrows down the information that requires human oversight. It’s tempting to focus on malicious events only to reduce the number of events to review, but many security incidents are the result of allowed activity. Following are the steps that organizations should follow for log preparation and log analysis. This process is rigorously followed by Sage Data Security analysts:

Log Preparation

• Log Parsing: This is the process of extracting data from a log so that the parsed values can be used as input for another logging process. A simple example of parsing is reading a text-based log file that contains 10 comma-separated values per line and extracting the 10 values from each line.

• Event Filtering: In this step, log entries are suppressed from analysis because their characteristics indicate that they are unlikely to contain information of interest. For example, duplicate entries and standard informational entries might be filtered because they do not provide useful information to log analysts.

• Event Aggregation: This process consolidates similar entries into a single entry containing the count of the number of occurrences of the event. For example, a thousand entries that each record part of a scan could be aggregated into a single entry that indicates how many hosts were scanned.

• Log Conversion: This stage requires parsing the log in one format and storing its entries in a second format. For example, conversion could take data from a log stored in a database and save it in an XML format in a text file.

• Log Normalization: This step converts each log data field to a particular data representation, and categorizes it consistently. One of the most common uses of normalization is storing dates and times in a single format. For example, one log generator might store an event using a 12-hour format (2:34:56 PM EDT) categorized as a Timestamp, while another log generator might store it in a 24-hour format (14:34) categorized as an Event Time, with the time zone (-0400) in a different field with a separate category. Normalizing the logs ensures that they are consistent and eases the review and analysis process.
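To make the five preparation steps concrete, here is an added example (not from the white paper or from Sage Data Security) that runs a miniature version of them over two constructed firewall logs: one generator writes a 12-hour clock with a zone name, the other a 24-hour clock with the offset in its own field, exactly the mismatch described under normalization. The field layouts, the sample lines, the zone table and the "one source denied on one port at several destinations" scan heuristic are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample logs from two assumed generators with different schemas.
LOG_A = """2007-10-03,2:34:56 PM EDT,fw1,deny,203.0.113.9,10.0.0.10,22
2007-10-03,2:34:56 PM EDT,fw1,deny,203.0.113.9,10.0.0.10,22
2007-10-03,2:34:57 PM EDT,fw1,deny,203.0.113.9,10.0.0.11,22
2007-10-03,2:34:58 PM EDT,fw1,info,-,-,-
"""
LOG_B = """2007-10-03,14:34:59,-0400,fw2,deny,203.0.113.9,10.0.0.12,22
2007-10-03,14:35:00,-0400,fw2,deny,203.0.113.9,10.0.0.13,22
2007-10-03,14:40:00,-0400,fw2,accept,10.0.0.5,198.51.100.2,443
"""
FIELDS_A = ("date", "time", "device", "action", "src", "dst", "dport")
FIELDS_B = ("date", "time", "offset", "device", "action", "src", "dst", "dport")
ZONE_OFFSETS = {"EDT": -4, "EST": -5}   # assumption: zone names generator A may emit

def parse(text, fields):
    """Log parsing: split comma-separated lines into named fields."""
    return [dict(zip(fields, row)) for row in csv.reader(io.StringIO(text))]

def normalize(rec):
    """Log normalization: one field set and one UTC ISO-8601 timestamp for both generators."""
    if "offset" in rec:                    # generator B: 24-hour clock + "-0400" field
        ts = datetime.strptime(f"{rec['date']} {rec['time']} {rec['offset']}",
                               "%Y-%m-%d %H:%M:%S %z")
    else:                                  # generator A: "2:34:56 PM EDT" in one field
        clock, zone = rec["time"].rsplit(" ", 1)
        ts = datetime.strptime(f"{rec['date']} {clock}", "%Y-%m-%d %I:%M:%S %p")
        ts = ts.replace(tzinfo=timezone(timedelta(hours=ZONE_OFFSETS[zone])))
    return {"timestamp": ts.astimezone(timezone.utc).isoformat(),
            "device": rec["device"], "action": rec["action"],
            "src": rec["src"], "dst": rec["dst"], "dport": rec["dport"]}

def filter_events(records):
    """Event filtering: drop exact duplicates and informational entries."""
    seen, kept = set(), []
    for rec in records:
        key = tuple(sorted(rec.items()))
        if rec["action"] == "info" or key in seen:
            continue
        seen.add(key)
        kept.append(rec)
    return kept

def aggregate(records):
    """Event aggregation: fold the per-host entries of a scan (one source denied on
    the same port at several destinations) into a single entry with a host count."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["src"], rec["dport"], rec["action"])].append(rec)
    out = []
    for (src, dport, action), recs in groups.items():
        hosts = {r["dst"] for r in recs}
        if action == "deny" and len(hosts) > 1:
            out.append({"timestamp": min(r["timestamp"] for r in recs),
                        "device": ",".join(sorted({r["device"] for r in recs})),
                        "action": "scan", "src": src,
                        "dst": f"{len(hosts)} hosts", "dport": dport})
        else:
            out.extend(recs)
    return out

def to_xml(records):
    """Log conversion: store the prepared entries in a second format (XML)."""
    root = ET.Element("events")
    for rec in records:
        ET.SubElement(root, "event", rec)  # every field becomes an attribute
    return ET.tostring(root, encoding="unicode")

def prepare(log_a, log_b):
    """Whole pipeline: parse -> normalize (first, so both logs compare) -> filter -> aggregate."""
    records = [normalize(r) for r in parse(log_a, FIELDS_A)]
    records += [normalize(r) for r in parse(log_b, FIELDS_B)]
    return aggregate(filter_events(records))
```

Seven raw lines become two prepared entries: one "scan" record covering four hosts seen by both firewalls, and the allowed outbound connection.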

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996 to protect health insurance coverage for workers and their families when they change or lose their jobs. In addition, HIPAA requires firms to regulate the security and privacy of health data by providing administrative, physical, and technical safeguards. Each firm must establish processes for securing access to workstations and IT devices that contain patient data, documenting breaches, and reporting them to authorities. In addition, each firm is responsible for ensuring the same security levels for their external vendors that access their systems. Data contained in network and technology device event logs are key to uncovering attempted and actual security breaches.

Sari Stern Greene, CISM, CISSP, NSA-IAM is the Founder of Sage Data Security, based in South Portland, Maine, which secures businesses and financial institutions nationwide with its nDiscovery℠ Security Information Management service. For more information, visit www.sagedatasecurity.com or email her at [email protected].

Log Analysis

It’s not enough to review a log entry as a standalone event; its meaning often depends upon the context surrounding it.

• Correlation ties individual log entries together based on related information.

• Sequencing examines activity based on patterns.

• Trend Analysis identifies activity over time that in isolation might appear normal.
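As an added example (not code from the paper or from Sage Data Security), the three analysis techniques run over constructed, already-normalized authentication-server entries of the kind the “What Devices Should You Monitor?” sidebar lists: failed logons, successful logons and group membership changes. The event names, accounts, hosts and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, already-normalized authentication-server entries (assumption: field
# names and values are invented; this is not real domain-controller output).
def ev(ts, event, account, host):
    return {"timestamp": datetime.fromisoformat(ts), "event": event,
            "account": account, "host": host}

EVENTS = [
    ev("2007-10-03T01:10:00", "logon_failed", "jsmith", "ws7"),
    ev("2007-10-03T01:10:05", "logon_failed", "jsmith", "ws7"),
    ev("2007-10-03T01:10:09", "logon_failed", "jsmith", "ws7"),
    ev("2007-10-03T01:10:14", "logon_failed", "jsmith", "ws7"),
    ev("2007-10-03T01:10:20", "logon_success", "jsmith", "ws7"),
    ev("2007-10-03T01:12:00", "group_member_added", "jsmith", "dc1"),
    ev("2007-10-03T09:00:00", "logon_success", "alee", "ws2"),
    ev("2007-10-03T09:30:00", "logon_failed", "alee", "ws2"),   # one typo, then success
    ev("2007-10-03T09:30:30", "logon_success", "alee", "ws2"),
]

def correlate(events, key="account"):
    """Correlation: tie entries together by shared information (here the account),
    in time order, so a logon can be read next to what the same account did after."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        by_key[e[key]].append(e)
    return by_key

def find_sequences(events, failures=3, window=timedelta(minutes=5)):
    """Sequencing: `failures` or more failed logons, then a success, then a group
    membership change, all inside `window`.  Each entry alone could be an honest
    mistake or routine administration; the pattern is what merits review."""
    hits = []
    for account, seq in correlate(events).items():
        for i, e in enumerate(seq):
            if e["event"] != "logon_success":
                continue
            fails = [x for x in seq[:i] if x["event"] == "logon_failed"
                     and x["timestamp"] >= e["timestamp"] - window]
            later = [x for x in seq[i + 1:] if x["event"] == "group_member_added"
                     and x["timestamp"] <= e["timestamp"] + window]
            if len(fails) >= failures and later:
                hits.append((account, len(fails), later[0]["timestamp"].isoformat()))
    return hits

def trend(events, event="logon_failed", days=7, ratio=2.0):
    """Trend analysis: count `event` per day and flag a day whose count exceeds
    `ratio` times the mean of the preceding days.  A single day's failures look
    ordinary on their own; the jump against the run of days does not."""
    counts = Counter(e["timestamp"].date() for e in events if e["event"] == event)
    series = sorted(counts.items())[-days:]
    flagged = []
    for i in range(1, len(series)):
        baseline = sum(c for _, c in series[:i]) / i
        if series[i][1] > ratio * baseline:
            flagged.append((series[i][0].isoformat(), series[i][1], round(baseline, 2)))
    return flagged

def constructed_week():
    """Constructed background: a few failed logons per day for a week, ending on
    the same day as EVENTS so the two sets combine into one series."""
    out = []
    for d, n in enumerate([5, 5, 6, 5, 5, 5, 14]):
        day = datetime(2007, 9, 27) + timedelta(days=d)
        out += [ev((day + timedelta(minutes=10 * k)).isoformat(), "logon_failed",
                   f"user{k}", "ws9") for k in range(n)]
    return out
```

Run over the samples, the sequence check reports only jsmith (four failures, a success, then a group change within five minutes), while alee's single mistyped password is ignored; the trend check flags the last day, whose nineteen failures stand out only against the preceding week.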

The Human Touch

Successful log review requires both people and time in addition to the right tools. While tools and scripts can be used in the process of preparing, correlating, sequencing, and trending data, the final step in event and audit log management requires insight and analysis. Even the best report that synthesizes the most valuable information into a concise format is worthless unless someone takes the time to review it on a regular, consistent basis. This can be a resource-intensive activity.

Successful log review requires people who understand what they are reviewing, time to perform the review, and deployment of the proper tools and methodology to achieve the organization’s objectives. Organizations should decide what it is they want to accomplish via log review, how often and who is going to review the logs, what kind of reports are going to be generated, and how often they are going to be generated.

For many companies, working with a consultant who specializes in information security is the best option. A specialized security information management firm has the skills to perform a site evaluation to identify critical devices to monitor, and understands which information is important to collect. A security consultant also can develop the custom scripts required to track and capture the right data. They stay on top of industry trends, and undergo constant training and security certification to ensure that their skills are current. They invest in the tools and technologies that are often too expensive for all but the largest firms. And, because they work with multiple firms, they are able to spot attacks and breaches that are attempted on others and develop proactive, defensive strategies. They can generate concise, insightful reports that help companies stay on top of event log review by eliminating redundant or unnecessary information, and providing the most important, actionable information. For some businesses, including those in the financial services industry, segregation of duties is a requirement.

Organizations struggle to keep their information technology systems and vital data safe and secure. While event log management is time-consuming, intricate, and challenging, the rewards are great for those that mine the data they contain. The combination of an internal security team working with a consultancy that specializes in security information management helps many organizations develop the most cost-effective plan to ensure the consistent evaluation and review of event logs, and ensure the security of corporate systems and data.


What Devices Should You Monitor?

Every device on a company network collects event logs, and it’s not practical to store and evaluate every event from every device. Each company must develop a customized plan to capture the critical information that could impact its business. Following is a description of the types of devices that Sage Data Security has identified as the most important to track, and the type of information that they can deliver.

• Firewalls: Firewalls can log all the traffic going in and out of the network. Typically, when security administrators review their logs for inbound and outbound traffic, they’ll check to see that the firewall is denying traffic, with the idea that accepted traffic has already been approved and the firewall is doing its job. With firewall logs, security administrators have to make sure that not only is unauthorized traffic denied, but that they understand exactly what it comprises so they can be proactive in addressing potential threats.

In addition to reviewing denied activity, security administrators should review unusual amounts of allowed activity. For example, a high number of file transfers can be a warning of malware or of a user violating company policy. If a company typically makes daily FTP transfers comprising one megabyte of data, then security administrators should investigate if a file transfer is suddenly 600 megabytes. Or, if the company allows Port 80 traffic for outbound browsing, they should take note if the traffic from a particular device increases substantially. The key: look for unexpected traffic as well as expected traffic at unexpected levels.

• Web servers: Web server logs are another rich source of data to identify and thwart malicious activity. Typically, a security administrator looks to web server logs for entries that result in errors: users requesting pages that don’t exist – 404 Page Not Found Errors – or users trying to access directory files for which they don’t have authorization, such as 403 Forbidden Errors. Other errors to monitor include 500 Internal Server Errors, and 501 Header Value errors, both of which can indicate malicious activity as well as malfunctioning applications or bad HTML code. Checking the logs for Null Referrers can identify hackers who are scanning the website with automated tools that don’t follow proper protocols. Security teams also need to monitor any access to pages that are used to update website content to ensure that only authorized users are attempting to get at this data.

Critical alerts in web server logs are when traffic to IIS servers is attempting to access database information via SQL injection – or when attempts are made to access folders on the server that aren’t linked to the HTML within the pages of the web server (ex. Directory Traversals). Web server logs can also identify attempted execution of operating system commands. All of these events are indicative of malicious activity that should be reviewed in more detail.

• Network Authentication Server: An example of a network authentication server is an Active Directory Domain Controller. Authentication server logs document account activity. Administrative and user activity should be reviewed including: account lockouts, invalid account logons, invalid passwords, password changes, user management changes including new accounts and changed accounts, computer management events including when audit logs are cleared or computer account names are changed, group management events such as the creation or deletion of groups and the addition of users to high security groups, user activity outside of logon time restrictions, and server reboots.
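The site-mirroring check described under “The Benefits of Event Logs” and the web-server review points above (error statuses, null referrers, traversal-shaped paths), as an added example over a constructed combined-format access log. This is not the paper's or Sage Data Security's code; the hosts, paths, user agents, the site map and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed combined-format access log (assumption: hosts, paths and agents are
# invented).  203.0.113.5 walks every page in two seconds with no referrer;
# 198.51.100.8 reads three pages over several minutes; 192.0.2.77 probes.
ACCESS_LOG = """\
203.0.113.5 - - [03/Oct/2007:14:30:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "sitegrab/1.0"
203.0.113.5 - - [03/Oct/2007:14:30:01 -0400] "GET /about HTTP/1.1" 200 2100 "-" "sitegrab/1.0"
203.0.113.5 - - [03/Oct/2007:14:30:01 -0400] "GET /products HTTP/1.1" 200 3300 "-" "sitegrab/1.0"
203.0.113.5 - - [03/Oct/2007:14:30:02 -0400] "GET /contact HTTP/1.1" 200 1800 "-" "sitegrab/1.0"
203.0.113.5 - - [03/Oct/2007:14:30:02 -0400] "GET /login HTTP/1.1" 200 1500 "-" "sitegrab/1.0"
198.51.100.8 - - [03/Oct/2007:14:31:00 -0400] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [03/Oct/2007:14:33:12 -0400] "GET /products HTTP/1.1" 200 3300 "http://www.example.com/" "Mozilla/5.0"
198.51.100.8 - - [03/Oct/2007:14:36:40 -0400] "GET /contact HTTP/1.1" 200 1800 "http://www.example.com/products" "Mozilla/5.0"
192.0.2.77 - - [03/Oct/2007:14:40:00 -0400] "GET /images/../../admin/edit HTTP/1.1" 403 220 "-" "curl/7.16"
192.0.2.77 - - [03/Oct/2007:14:40:03 -0400] "GET /old-page HTTP/1.1" 404 210 "-" "curl/7.16"
"""
# The site's public pages (assumption: taken from the site map, not from the log).
SITE_PAGES = {"/", "/about", "/products", "/contact", "/login"}

LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')

def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped here (a
    production parser should count them, since malformed lines are a finding too)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records

def detect_mirroring(records, site_pages, window_s=60, coverage=0.8):
    """Flag a client that fetched at least `coverage` of the site's pages within
    `window_s` seconds: a visitor reads a subset of pages over minutes, while a
    mirroring tool hits every page in rapid succession."""
    by_host = defaultdict(list)
    for r in records:
        if r["status"] == 200:
            by_host[r["host"]].append(r)
    flagged = {}
    for host, recs in by_host.items():
        recs.sort(key=lambda r: r["time"])
        for i, first in enumerate(recs):
            pages = {r["path"] for r in recs[i:]
                     if (r["time"] - first["time"]).total_seconds() <= window_s}
            if len(pages & site_pages) >= coverage * len(site_pages):
                flagged[host] = len(pages & site_pages)
                break
    return flagged

def review_errors(records):
    """Summarise what an administrator reviews first: 403/404/5xx statuses, hosts
    hitting deep pages with a null referrer, and traversal-shaped paths."""
    errors, null_ref, traversal = defaultdict(int), defaultdict(int), []
    for r in records:
        if r["status"] in (403, 404) or r["status"] >= 500:
            errors[r["status"]] += 1
        if r["referer"] == "-" and r["path"] != "/":
            null_ref[r["host"]] += 1
        if ".." in r["path"]:
            traversal.append((r["host"], r["path"], r["status"]))
    return {"errors": dict(errors), "null_referrer_hosts": dict(null_ref),
            "traversal": traversal}
```

On the sample, only 203.0.113.5 is flagged as mirroring (five of five pages inside one minute); the ordinary visitor is not, and the error summary isolates the one probing host.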


Mining and monitoring the information generated by the logs of your network and technology devices offers a wealth of information to help protect your organization. Each log offers clues about hacking attempts or attacks as well as on innocent activities that have unexpected – and possibly harmful – consequences. Yet each device generates countless numbers of events, so many that it’s impossible to review them all manually.

That’s why we created nDiscovery℠, the information security management service that analyzes your event activity, identifies breaches, and defends your corporate data.

With nDiscovery℠, we help your organization make sense of an overwhelming volume of data. We perform a site analysis to identify critical network and technology devices, and develop a baseline report that identifies normal activity. We create custom programs that capture and track the right information, and our proprietary methodology efficiently analyzes and correlates your log entries. We provide you with a concise, insightful report of all pertinent network activity and identify significant events, potential breaches, and potential threats.

About Sage Data Security and nDiscovery℠

nDiscovery℠ – An Essential Solution for Your Business

• Full site evaluation determines critical devices and information to capture

• Data capture, aggregation, correlation, and analysis

• Concise, pertinent reporting delivers vital information on a regular basis

• Full review of anomalies as well as potentially harmful “allowed” activity

• Remediation advice and information to keep your organization secure

Contact Sage Data Security today and learn how we can help you defend your information assets! Call 207.879.SAGE or visit www.sagedatasecurity.com.