The answer is in your system logs.
Organizations usually have some form of security architecture that is comprised of various measures to control and monitor who accesses IT systems under their security umbrella. For instance, the number of system administrators are typically controlled pretty closely and regularly reviewed, credentials are typically monitored with their activities logged and those logs are also monitored.
In a perfect world this is how things should work. We know who is managing critical security systems and we monitor what they do.
All of this process is great, until we see an article about a networking and security company finding unauthorized code in their firewall.
There have been many reports, like this one, involving security software and products having 'back doors' that give hackers the ability to log into devices and applications without using standard access control processes. Back doors subvert an organization’s attempt to restrict access to systems by effectively removing the fence and allowing entry by simply walking past the locked gate. Back doors are a shortcut to the system. So, how do you fight this?
The solution lies in system log files, but it isn’t easy.
Collect system logs and store off-system
First off, there is the volume of information. Collecting system logs, which potentially includes every user and system event, can be a rather large task when collecting them for every critical system in your enterprise network. It simply becomes too burdensome to gather and retain after a certain critical point of data retention is realized.
Logs also have to be aggregated off system and pre-filtered. Otherwise, leaving the log information on the system and analyzing it there becomes impractical from a performance perspective. There is also the potential risk of an attacker erasing the log data that is retained on the target system, making it imperative to stream and store log data somewhere else.
Systems that gather log information for further processing have to be relatively large and dynamic in storage, and usually consist of two pieces of technology: a data collector and storage device.
Review log data
Then there is the problem of reviewing the information. Mountains of information have to be processed in near real time. It is simply impractical to think you can set someone in front of a monitor and put him or her in charge of log reviews. Either one of two things will happen: you will bankrupt the company from the resulting espresso bill or you will drive he or she insane within 20 minutes. Even if you did provide enough caffeine, it would be impossible to watch every event and filter what has to be investigated. Think of the movie The Matrix, and all the green screen characters falling about 2,000 percent faster.
Processes are necessary, but as we have seen they can be subverted if we don’t orchestrate all security resources properly. People, technology and processes have to work cohesively to fight the bad guys. In this instance, technology is the heavy lifter for coping with the problem. Log aggregators and analyzers, such as Splunk or Cisco’s Firewall Analyzer, have the ability to collect log information and provide critical information as to what is happening with your security infrastructure. Others include McAfee Enterprise Log Manager, NetIQ, InTrust, Arcsight ESM and Alien Vault. A plethora of other products are available that can collect critical log information, process it and provide you with deep insight across a wide range of technologies within your enterprise IT environment.
We can assist you through every step of the solution, from defining the need, product comparison and selection to the complete implementation and integration of the solution into your operational environment. Our big data and security experts can use our Advanced Technology Center to provide your organization with hands-on technology analysis for determining the best solution. Our global Integration Centers can build rack-and-stack systems, completely configured and ready for immediate use.
These capabilities help you create a cybersecurity reference architecture that is scalable for today and tomorrow’s needs, efficient in acquisition and support costs, and effective at providing a deep view into your security posture.
Let us help you achieve a depth of view into the security status of your information assets. Leave a comment below or reach out to me directly to get started.