Top 10 Network Security Mistakes - #6: Insufficient Logging and Monitoring
Continuing along our journey through the Top 10 Network Security Mistakes, today we’ll take a look at logging and monitoring.
Hopefully we can all agree that information is power. And many times, in the course of protecting or using powerful information, we can generate other powerful information. This is frequently referred to as metadata.
If you have ever watched a show where the good guys try to find the bad guys after a crime, you know how this works. Whether it’s CSI: Miami, Monk or Matlock, they always do the same thing, right? They collect clues to reconstruct events of the past.
While the TV shows would be pretty boring if they always had a video of the crime, our jobs would be much easier if we had abundant data available on demand.
That’s where logs and monitoring come in.
Plentiful metadata can help define the difference between coming up with a quick explanation for an issue and having to offer an awkward shrug from the hot seat.
I do not like shrugs in InfoSec. I do not like the looks they get. Not from spam, nor resident in RAM, I do not like InfoSec shrugs, Sam I Am.
So, let us review a few ways to use logs and monitoring to avoid shrugs.
Logs: A Revolver in the Study
Where do we get the best logs? Start with what you control. If you are in NetSec, then you may have access to a number of solutions such as:
Almost everything you manage can (should) generate logs for everything it does. Since Information is Power and disk is cheap, now is not the time to get stingy.
If you are one of these people who turn off logging options to save disk or improve your signal-to-noise ratio, I urge you to change your approach. Let other solutions sift out your signal; you just make like a lumberjack (produce logs – get it? Wacka wacka!).
Turn on logs for all access rules, administrative access, authentication events, requests, allows, denies, everything. Grep, find and include will be your friends later when you need to quiet noisy log entries.
Now that you have lots and lots of luxurious logs on the loose, let’s talk about wrangling them up.
Central log consolidation is a great way to collect all the data in one place. This does several things for you:
- Preserves integrity. Compromised devices may try to conceal naughty behavior. They can’t do this if the logs are sent off-host as soon as they are generated.
- Saves local resources. You might have a lot of storage on your devices, but then again you might not. Log collectors can have as much capacity as your imagination and budget will allow, so let them do the heavy lifting.
- Allows for correlation. This is big. So big, in fact, it gets its own section.
Correlation = More Elation
Now that all your logs are in one place, you can see if any of them relate to each other.
Did you see 325,121 denied login attempts to a user account, then a successful login, followed by a password reset? Hmm…where there is smoke, there may be a flare gun.
Log correlation allows for extremely powerful data mining across all logs to look for potentially troublesome series of events across different systems. There are a number of SEM/SEIM solutions available, so it is more a matter of figuring out what the best fit is for your needs.
Where logs generally tell a story of what has already happened, monitoring can tell a story about what is currently happening.
There are many forms of monitoring. Some are more involved that others, but they all yield additional information about your environment. This can range from simple ICMP pings to SNMP polls, to netflow, s-flow collection. These tools can help tell a story about system utilization or general traffic patterns which can help uncover deeply rooted issues.
Network Based Anomaly Detection (NBAD) can help establish traffic baselines in your network and let you know when traffic deviates from its regular patterns.
Beyond that is Network Traffic Recording, which is like a packet DVR for your network – this allows you to look at the exact packets from any conversation at any point in time within your recorded window. This is amazingly powerful in forensic situations.
Some of these solutions are a bit advanced, but they can also add immeasurable value to your efforts to secure your network and reverse engineer events and incidents. The point is: you can only use the data you have available, so gather everything you can. This is no time to pack light.
- #10 - Incorrectly Deployed DMZ Networks
- #9 - Bad Password Hygiene
- #8 - Insecure Admin Access
- #7 - Permissive Access Controls
- #5 - Lack of Segmentation
- #4 - Interior Malign
- #3 - Belief in Perimeter Security
- #2 - Dude, Where's My Ware?
- #1 - Not Looking Beyond Layer 7