Seeing this story, where logs weren't available when sorely needed for an investigation, inspired me to finish my own version of that... First, let me quote the conclusions from the above post.
Indeed, there is no better way to say it. But - guess what - despite us saying this (and even pointing out glaring mistakes), a lot of people still choose to ignore logs. What can we use to help them, even despite themselves? Maybe a bit of FUD can help? Yes, many proclaim that people need to be naturally drawn towards doing "the right thing" and that scaring people into action is not that efficient (especially if you do it one too many times...). However, this is the world we live in, and in it, FUD works. FUD sells insurance as well as safety features in cars and other products, moves compliance solutions, makes people read and update their boring DR and BC plans, and causes a lot of other good overall :-)
And, indeed, one can get desensitized after hearing that "the sky is falling" too often, but here is the thing: I think one should be willing to take the risk of such "desensitization", especially given that the sky is indeed "not quite static"...
So, let's look at one such scenario in this post (which is, as they say, "inspired by a true story"). Imagine you have a Windows Active Directory (AD) domain controller (DC) that holds all of the accounts for a good part of your organization. One notable morning you get calls from dozens of frantic users (yes, including your boss's boss :-( and maybe even his boss...) who are unable to log in to their Windows systems. Their computers reject their apparently valid logon credentials. You check the account settings on your AD box and your face turns pale: there aren't any user domain accounts. The term would be "mysteriously vanished" :-) Where do you go next? Windows event logs on the DC, of course. Good thinking! However, domain controllers are famous for being very "chatty", often producing hundreds of Security event log records per second on busy networks, and the Security log by default is circular: once it hits its maximum size, the oldest records are silently overwritten. Thus, when you look at the logs you notice that entries older than 8 hours (!) got rotated into oblivion. And there is nothing that points at the account disappearance within the remaining puddle of log data. Argggh!
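As an added example that is not part of the original post, here is the check I would run on such a DC before (or, sadly, after) an incident like this: how much Security log history the box actually retains, and whether the account deletion events (Security event ID 4726 on Windows Server 2008 and later; ID 630 on Server 2003) still fall inside that window. It assumes Windows PowerShell 3 or later with administrative rights on the DC; the computer name parameter and the one-week retention threshold are my own choices, not anything from the post.

```powershell
# Added example (not from the original post): measure how much Security log
# history a domain controller really keeps, and look for the account deletion
# events that the scenario above could no longer find.
# Assumptions (mine): elevated Windows PowerShell 3+ session; Server 2008 or
# later, where "user account deleted" is Security event ID 4726 (Server 2003
# logged this as ID 630 with a different field layout).
param(
    [string]$ComputerName = $env:COMPUTERNAME,  # hypothetical target DC
    [int]$MinRetentionHours = 168               # one week: what an investigation usually needs
)

# 1. How large is the Security log, is it circular, and how far back does it reach?
$log    = Get-WinEvent -ListLog Security -ComputerName $ComputerName
$oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ComputerName $ComputerName
$retentionHours = [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalHours, 1)

[pscustomobject]@{
    Computer       = $ComputerName
    MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
    LogMode        = $log.LogMode      # Circular = oldest records silently overwritten
    Records        = $log.RecordCount
    OldestRecord   = $oldest.TimeCreated
    RetentionHours = $retentionHours
} | Format-List

if ($retentionHours -lt $MinRetentionHours) {
    Write-Warning "Security log on $ComputerName only reaches back $retentionHours hours; anything older is gone unless it was forwarded off the box."
}

# 2. Who deleted which accounts? Pull 4726 events and read the named fields from
#    the event XML, which is more robust than parsing the rendered message text.
$deletions = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName = 'Security'; Id = 4726
} -ErrorAction SilentlyContinue | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        DeletedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Deleted   = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonId   = $d.SubjectLogonId  # correlate with the 4624 logon event that opened this session
    }
}

if ($deletions) {
    $deletions | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No account deletion events (ID 4726) within the retained window on $ComputerName."
}

# 3. Buying more time for next incident: grow the log (commented out so this
#    script stays read-only). The real fix is forwarding events off the DC to a
#    log management system, which this script does not do.
# Limit-EventLog -ComputerName $ComputerName -LogName Security -MaximumSize 1GB
```

On a busy DC the RetentionHours figure is routinely in the single digits, which is exactly the gap the story above falls into. Enlarging the local log helps a little; collecting the events centrally, where an attacker or a sysadmin "cleanup" on the DC cannot reach them, is what makes the deletion traceable after the fact.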
Now, what do you do next? Do you feel at least a little fear for your job, maybe also slightly uncertain about what exactly happened to your server, or even doubtful that you could prevent it if it were to happen again? Maybe your IT team has an SLA to worry about? One that your boss's bonus depends on? What if it happens again tomorrow (after you painstakingly restored all the accounts based on old records, incremental backups and information from the users)? And why couldn't it? You have no idea why it happened this time... Are your servers compromised, or was it just a junior sysadmin's error? Or a new Windows bug? You truly have no way of knowing, which, as we all know, doesn't help you feel brave, certain and doubtless...
Now, if only you had bought that log management solution and started collecting and analyzing logs before, and not after, the incident. Imagine how different life would be!
Posted January 21, 2007