LogBlog

« January 2007 | Main | March 2007 »

Who's minding your security events?

Warning signs buried in audit logs and system security events are often ignored, or simply go unnoticed by IT pros, until it is too late, writes Bill Elmore at TechRepublic. Pointing out that these "alerts" could prevent or thwart attempted data breaches if they were actively monitored and acted upon, he recounts the high-profile breaches at UCLA and Ohio University as examples of how things can go wrong, and how quickly.

Compliance mandates like HIPAA or SOX can help ensure that someone actually reviews that data. Data security is at the top of the IT agenda this year; in fact, the US Government Accountability Office (GAO) put data security on its 2007 "High Risk" List for government systems.

Elmore says:

Another reason for security mishaps is the fact that IT is still just a necessary vehicle for the rest of corporate America. IT serves as the conduit for business profitability but is still viewed as a hit on the bottom line – an expensive hit at that. Additionally, as IT budgets become leaner, more work is expected of an already taxed staff. Walk around your IT department and ask each pro how much time they spend chasing down data security events and reviewing audit logs. Unless they happen to be security analysts, you'll probably get an emphatic response that they have too many other duties and projects to tend to than to spend their time poring over security event logs.

How does your organization view IT's role and how well does your company monitor who is accessing your data?

Posted February 28, 2007 in Compliance , Log Management & Intelligence , Security | Permalink | TrackBack (0)

What are the five top mistakes of data encryption

Anton Chuvakin of LogLogic has a new article, "Five Mistakes of Data Encryption," that just went live at ComputerWorld. It covers mistakes that often occur when organizations try to use encryption to protect data at rest and data in transit and thereby improve their security posture.

The first mistake is not using encryption when it is easy and accepted. I'm talking about those pesky plain text protocols such as telnet and FTP. One can argue that people should have abandoned the above protocols for a host of other reasons, but, as the latest Solaris telnet 0day fiasco indicates, enough people are still using them.

Read the rest of Anton's top-five list here.

Posted February 26, 2007 in Log Management & Intelligence , Risk Management , Security | Permalink | TrackBack (0)

SANS Log Management Summit 2007 Moves to San Jose

The SANS Institute has announced the 2007 Log Management Summit. Besides moving to San Jose this year, the event has expanded to include even more vendors and customers, offering an in-the-trenches look at how log management is changing the face of IT.

Ignoring data security mandates could cost your company a bundle this year. With high-profile breaches making headlines and consumers nervous about their data and privacy, enforcing security is taking center stage. From the halls of the US Congress to the European Commission (EC), new laws are being proposed under which firms across the globe would have to inform regulators and customers of all security violations. Log management and intelligence can help meet these regulations.

Log management, as we have come to see from our customers, addresses everything from stringent regulatory requirements to keeping IT operations running optimally. The Global 2000 are investing in log management and intelligence, according to a report from the SANS Institute that we commissioned. "The Log Industry: An Untapped Market" is the first study to identify the business and technology issues faced by IT executives and to examine how log data is being used to address their critical needs.

Want to learn more? From SANS Research Director Alan Paller's announcement of the Summit:

The Log Management Summit is a user-to-user, non-commercial conference on what works in log management. It is the only place where you can learn about the strengths and weaknesses of competing technologies, where users will share the lessons they learned about what to log and what to keep and what to report.

Nearly every major regulation affecting cyber security now demands or implies the need for continuous logging and effective log management -- HIPAA, SOX, ISO 27001, COBIT. Even the Processing Card Industry (PCI) standard appears to demand it. And regulations governing information security technology are evolving as fast as the technology itself. Beginning in 2007, for example, a significant motivator for compliance with HIPAA is that "whistleblowers" for violators of the new guidelines may be awarded 15% of any associated fines.

Organizations that have implemented log management systems have found that they provide far more value than simply meeting compliance requirements. Their greatest value lies in the improvements they create in your defensive posture, but great benefits also accrue to the operations managers who have, for the first time, visibility into the details of what has happened on every system in their network.

The event will be held April 23-25 in San Jose, CA. This is SANS' second Log Management Summit. If you are planning to implement log management or have a compliance need, it is a must-attend!

Posted February 21, 2007 in Compliance , Log Management & Intelligence , Risk Management , Security | Permalink | TrackBack (0)

Research: Don't let sleeping logs lie

Who is looking at your logs? Better yet, what systems and policies do you have in place to monitor log files?

Datacenters are increasingly turning to log management to ease compliance burdens, and gain instant insight into the network. Nemertes Research says that "almost 80% of large and small enterprises have a data center-specific security policy defined, and of those with policies, more than 80% regularly test compliance with them."

The bad news?

Although everybody engages in some level of system logging (whether solely for security reasons, or in support of regulatory-compliance efforts as well), fewer than 30% of companies log all systems, and fewer still collect the logs at a central location for review and analysis. In fact, most logs are left in place and never reviewed except in the heat of a crisis, or worse, in the aftermath.

At NetworkWorld, Nemertes offers some suggestions on log management and the security considerations for customers, with recommendations on what to look for from vendors when building a strategy.

Not knowing what is going on in your enterprise is not a good defense, and point products only create more silos of information across the enterprise. The log-platform approach, with SOA and other architectural considerations, is how we at LogLogic approach log management and intelligence, and one that our customers are trumpeting!

Posted February 20, 2007 in Compliance , Log Management & Intelligence , LogMatters , Security | Permalink | TrackBack (0)

Anton Logging Tip of the Day #8: What Just Changed?

Let's close our eyes for a second and dive deep into the bizarre and menacing world of the Windows event log. As I mentioned before, large-scale Windows server log collection got a jump start in recent years thanks to the wide availability of agentless Windows log collection tools such as Project LASSO.

Windows event logs, the "Big Three" of System, Security and Application as well as the other logs, share a lot of contradictory properties: far too much detail in some areas and missing critical information in others, consistent and thoughtful design here and sheer stupidity there, nicely structured data sometimes and confusing mumbo-jumbo in other cases. And the universe of the event log is never static; the whole thing flows and morphs with each Windows release and at times with each update. New event IDs are created, changed and loaded with new roles and new information.

In this tip, we will look at some fun Windows log entries, explain what they mean for your organization and cover what you should do if you encounter them. Given that the realm of the Windows event log is so huge, we will start by looking at events that indicate changes of different kinds, mostly to configuration and user accounts. So, what just changed?

I. "Computer Account Deleted" or "User Account Deleted": obviously, a computer (service) or user account was deleted. Who did it? When? Why? Answer all of the questions above and then you can go back to sleep, or to your incident response plan :-)

II. "Computer Account Created" or "User Account Created": same thing; depending on the who, when and why, this event means nothing or something pretty ugly.

III. "Computer Account Changed" or "User Account Changed": similarly, changes to accounts are reflected in the events containing this text. Account changes include privilege level changes, which are often of particular interest.

At this stage, it might be appropriate to ask: why aren't we going by Windows event ID to identify the above events of interest, and instead using the text blurbs above? Well, up to Vista, Windows event IDs often aren't :-) Meaning that they don't identify the event sufficiently. Sometimes they are overloaded, and the same ID is used for very different things (e.g. the "Success Audit" events); sometimes the opposite happens, and the same kind of event shows up under several different IDs (a lot of the logon/logoff events, for example).

IV. "Policy Change": can mean almost anything on a Windows system, so we can't really tell you much; you need to read the event to see what actually changed (if anything!).

V. "The system time was changed" might not matter much, but if you intend to use your logs as forensic evidence (i.e. in court) you will want to track every time change, since each one shifts the timestamps of everything logged afterwards on the server whose clock was changed.

VI. "The following schema object was modified": oooh, don't you love Active Directory! This indicates that an AD schema object changed; fortunately, the object name is in the same event.

Enough for today! Windows logging makes almost everyone's head hurt (unless you are Eric or Randy, I guess...)

So, to conclude, make sure that you collect Windows event logs and analyze them on an ongoing basis, preferably using your log management system.
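As an added example (not part of Anton's tip, and not LogLogic or LASSO code), here is a small Python script that does what the tip recommends: it keys on the message text rather than the event ID, answers the who/when/what questions for each change event, works out how far the clock moved from a time-change event so earlier timestamps can be corrected, and goes one step beyond the tip by flagging accounts that were created and deleted within a short window, a classic sign of a throwaway account. The record layout (`timestamp|host|event_id|message`), the sample records and their event IDs are constructed for this demonstration and are not LASSO or Windows export output.

```python
"""Classify Windows event log records that signal a change, keyed on the
message text rather than the event ID.  Added example; the record layout and
the sample lines below are constructed for this demonstration."""
import re
from collections import Counter
from datetime import datetime

# Constructed records, one per line: "timestamp|host|event_id|message".
# The layout is an assumption of this example, not a LASSO or Windows export format.
SAMPLE_EVENTS = """\
2007-02-16 02:13:05|SRV01|624|User Account Created: New Account Name: svc_backup2 Caller User Name: jdoe
2007-02-16 02:14:11|SRV01|642|User Account Changed: Target Account Name: svc_backup2 Caller User Name: jdoe
2007-02-16 02:20:44|SRV01|612|Audit Policy Change: New Policy: Logon/Logoff -/- Caller User Name: jdoe
2007-02-16 02:21:02|SRV01|520|The system time was changed. Previous Time: 2007-02-16 02:21:02 New Time: 2007-02-10 23:00:00 Caller User Name: jdoe
2007-02-16 02:25:30|SRV01|630|User Account Deleted: Target Account Name: svc_backup2 Caller User Name: jdoe
2007-02-16 02:30:00|DC01|566|The following schema object was modified: Object Name: CN=user,CN=Schema,CN=Configuration,DC=corp,DC=local Caller User Name: jdoe
2007-02-16 02:31:00|SRV01|528|Successful Logon: User Name: jdoe Logon Type: 2
"""

# The text fragments from the tip, tried in order.  The event ID is carried along
# for reporting but never used to decide the category (IDs are overloaded pre-Vista).
CHANGE_PATTERNS = [
    (re.compile(r"\b(?:User|Computer) Account Deleted\b"), "account_deleted"),
    (re.compile(r"\b(?:User|Computer) Account Created\b"), "account_created"),
    (re.compile(r"\b(?:User|Computer) Account Changed\b"), "account_changed"),
    (re.compile(r"\bPolicy Change\b"), "policy_change"),
    (re.compile(r"\bThe system time was changed\b"), "time_changed"),
    (re.compile(r"\bThe following schema object was modified\b"), "schema_modified"),
]

TS_FMT = "%Y-%m-%d %H:%M:%S"
CALLER_RE = re.compile(r"Caller User Name:\s*(\S+)")
TARGET_RE = re.compile(r"(?:New|Target) Account Name:\s*(\S+)|Object Name:\s*(\S+)")
TIME_RE = re.compile(r"Previous Time:\s*(\S+ \S+)\s+New Time:\s*(\S+ \S+)")


def classify(message):
    """Return the change category for a message, or None if it is not a change event."""
    for pattern, category in CHANGE_PATTERNS:
        if pattern.search(message):
            return category
    return None


def clock_offset_seconds(message):
    """For a time-change event, the number of seconds the clock moved (negative means
    set backwards).  Lines logged after this event are shifted by this amount."""
    m = TIME_RE.search(message)
    if not m:
        return None
    previous = datetime.strptime(m.group(1), TS_FMT)
    new = datetime.strptime(m.group(2), TS_FMT)
    return int((new - previous).total_seconds())


def parse_event(line):
    ts, host, event_id, message = line.split("|", 3)
    return {"ts": datetime.strptime(ts, TS_FMT), "host": host,
            "event_id": int(event_id), "message": message}


def review_events(text):
    """Answer the tip's who/when/what for every change event in the input."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        category = classify(ev["message"])
        if category is None:
            continue
        caller = CALLER_RE.search(ev["message"])
        target = TARGET_RE.search(ev["message"])
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "event_id": ev["event_id"],
            "category": category,
            "caller": caller.group(1) if caller else None,
            "target": (target.group(1) or target.group(2)) if target else None,
            "clock_offset_seconds": clock_offset_seconds(ev["message"]),
        })
    return findings


def changes_by_caller(findings):
    """How many change events each account made: a first 'who did it?' view."""
    return Counter(f["caller"] for f in findings)


def short_lived_accounts(findings, max_age_seconds=3600):
    """Accounts created and then deleted on the same host within max_age_seconds."""
    created, hits = {}, []
    for f in sorted(findings, key=lambda f: f["ts"]):
        key = (f["host"], f["target"])
        if f["category"] == "account_created":
            created[key] = f["ts"]
        elif f["category"] == "account_deleted" and key in created:
            born = created.pop(key)
            if (f["ts"] - born).total_seconds() <= max_age_seconds:
                hits.append((f["target"], born, f["ts"]))
    return hits


if __name__ == "__main__":
    found = review_events(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['ts']} {f['host']} {f['category']:16} caller={f['caller']} target={f['target']}")
    print("changes by caller:", dict(changes_by_caller(found)))
    print("short-lived accounts:", short_lived_accounts(found))
```

Feeding real exports to this means replacing `parse_event` and the field regexes with ones that match your collector's layout; the classification by message text, the clock-offset bookkeeping and the create/delete pairing carry over unchanged.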

As I mentioned before, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.

Posted February 16, 2007 | Permalink | TrackBack (0)

Global enterprises, governments turning to SOA

Research from Zapthink takes a look at the 'State of Worldwide Service-Oriented Architecture Adoption.' Analyst Ronald Schmelzer comments on the increasing global reach of SOA:

" . . . the net result is that no multi-national company can afford to avoid or overlook the issues associated with global distributed computing. Issues related to international regulatory compliance, internationalization and localization, support for multi-ethnic cultures, languages, and business practices must be the method de facto to be supported in any SOA initiative rather than an after-thought once the application is delivered in a particular language or cultural bias."

Schmelzer says that SOA adoption is not just happening in North America and Europe, noting: 

"...substantial uptick in SOA adoption in Australia, India, Korea, China, Singapore, parts of Latin and South America, and the Middle East. Many of these global initiatives have a particular industry bent, such as a strong telecommunications presence in Korea, banking and insurance in Australia, government in Singapore, manufacturing and services in China and India, and retail in the Latin and South American regions."

Just last week a report in Defense News noted that the DoD is moving its web portals to a service-oriented architecture. It makes sense for the DoD to make sure that the right relationships between data sets can be connected, automating compliance and making data accessible in the most effective and cost-efficient manner.

We at LogLogic are finding that the public sector is looking at SOA more and more as well. Log management and intelligence delivered as an SOA turns proprietary closed systems throughout the organization into "Open Log Services" that can be re-used and repurposed, helping with all kinds of compliance from FISMA to PCI.

More findings on SOA at Zapthink.

Posted February 10, 2007 in Compliance , Innovation , Log Management & Intelligence | Permalink | TrackBack (0)

Keep Your Eye On PCI Compliance

Take away the fines, the security breaches and the looming deadline, and at the end of the day, if a business wants to be competitive it will figure out how to get compliant. Why? Not being able to accept customer credit cards from Visa, MasterCard and American Express makes it hard to sell anything in a global economy.

Protecting cardholder data, and being able to prove that you are mitigating the risk of that data being breached, is central to satisfying PCI DSS. But what you should be asking is how you can cost-effectively reach compliance and stay that way. The real answer? LMI (log management and intelligence).

Find more resources and tools at PCIAwarness.com, including an upcoming PCI Compliance webcast on February 21st at 11am PT, in which Forrester senior analyst Khalid Kark will explain what the looming deadlines are and what you can do to achieve PCI compliance.

Posted February 08, 2007 in Compliance | Permalink | TrackBack (0)

CRN does a SIEM roundup

CRN published a good article this morning about the momentum in the SIEM space, and mentions us in its list of products.

What is propelling the market? According to the article,

Fueled originally by stealthy threats such as worms and more recently by compliance, the SIEM market is projected to grow from about $380 million last year to $873 million in 2010, according to research firm IDC.

RSA Security, the security division of EMC, estimates that the SIEM market is expanding at a rate of between 25 percent and 35 percent annually.

As we noted in our SANS Log Management Summit post, the Global 2000 are investing in log management and intelligence, according to "The Log Industry: An Untapped Market," the SANS Institute report we commissioned on how IT executives are using log data to address their critical needs.

The SIEM article at CRN is here.

Posted February 05, 2007 | Permalink | TrackBack (0)

Kick off RSA with us on Monday

Are you going to the RSA Conference in San Francisco? Kick off the event with us.

Raise a glass with LogLogic on Mon Feb 5th at 6pm at TWO restaurant to celebrate a year of innovation and growth! 

Mingle with users and industry luminaries and raise a glass with all of us loggies!

We want to thank you for your support and celebrate: we doubled our customer base and are debuting breakthrough features in the world's leading log management and intelligence platform.

We are entering 2007 with a bang and are in the mood to celebrate. Cocktails and appetizers. A Nintendo Wii will be given away! Your RSA badge gets you in. Be sure to RSVP at RSVP@loglogic.com.

Posted February 04, 2007 in LogLogic News | Permalink | TrackBack (0)

The Super Bowl, Log Data and TiVo

Super Bowl 2007 is underway. TiVo is giving TV networks and ad agencies a chance to receive second-by-second data about which programs the company's 4.5 million subscribers watch and, more importantly, which commercials they skip. Silicon Valley-based TiVo has been doing this for the past five years.

The company relies on log data from its subscribers' recorders to determine their viewing habits. TiVo calls that "unique Commercial Audience Measurement data" and has started a research arm that analyzes the second-by-second viewing patterns of a "nightly sample of 20,000 TiVo users, whose recorders report back to TiVo on what was watched and when."

Having your log files mined for data is not required to use TiVo's service. The company's privacy policy informs users that they may "request that TiVo block the collection of Diagnostic Information logs."

It will be interesting to see which commercial wins the most viewers tomorrow....

Posted February 04, 2007 in Innovation | Permalink | TrackBack (0)

GAO says that not complying with FISMA can mean 'high risk'

The US Government Accountability Office (GAO) has unveiled its 2007 "High Risk" List, and government systems security tops the list. The complete report points out that government agencies have largely failed to comply with the Federal Information Security Management Act (FISMA) requirements to create and implement information security programs. The report says that "the Department of Homeland Security (DHS) and the National Cyber Security Division have not met key cybersecurity responsibilities" to secure systems in government agencies and across information systems that share data with the government.

The goal of the report is to recommend:

Lasting solutions to high-risk problems offer the potential to save billions of dollars, dramatically improve service to the public, strengthen confidence and trust in the performance and accountability of the U.S. government, and ensure the ability of government to deliver on its promises.

Protecting information assets is a requirement for US Government agencies, and for businesses that interact with government information, too. When next-generation log management and intelligence is coupled with the FISMA security standard, enterprises can move from reactively responding to security breaches to adopting continuous compliance as a strategy. They can also align with controls and regulations that not only protect information assets but also adhere automatically to the required standards developed by NIST, including FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems), NIST 800-59 (Guideline for Identifying an Information System as a National Security System) and NIST 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories).

In late September NIST published the final version of the "Guide to Computer Security Log Management." LogLogic's security veteran Anton Chuvakin participated in the review process. One area Anton hoped the guide would open up a bit was the wall between security uses of logs and the other IT uses of logs for troubleshooting and management.

Log management is becoming increasingly important to IT and is now helping government agencies, as one of our customers discussed at length with SANS in a What Works case study in December.

You can learn more about FISMA in this Government Computer News webcast interview we sponsored last month with Dr. Ron Ross of NIST. Ross went through the FISMA guidelines, cleared up misconceptions about FISMA compliance, and recommended sound strategies for getting compliant with FISMA in short order.

A PDF download of the GAO's complete 2007 "High Risk" List  is available here.

Posted February 03, 2007 | Permalink | TrackBack (0)

Project LASSO Gets An Update

The LogLogic-sponsored, community-supported open source project LASSO has released a new update. This release provides a host of multithreading bug fixes in addition to an improved installation process. The LogLogic Windows Event Collector v3.0.2 provides an "agent-style" installation and gives users greater control over the system. The source code is available for download at SourceForge.

LASSO runs on a central server and harvests information from log files on Windows servers. Log event collection is often used by enterprises to automate processes to ensure IT compliance with regulations, predict and remediate network health and provide immutable logs.

LogLogic initiated LASSO, open source software for Windows designed to collect Windows event logs, including custom application logs, and provide central collection and transport of Windows log data via TCP syslog to any syslog-ng compatible log receiver. Project LASSO is a viable open source alternative, or complement, to Microsoft's Windows event collection infrastructure.

The current release of the LogLogic Windows Event Collector v3.0.2 has the following additional enhancements:

The code is more stable and has had several bugs fixed related to multi-threading.  This resolves crashing problems seen at some user sites since the fourth-quarter Microsoft Windows Updates.

The Installer now will not allow more than one instance of LASSO on a computer, and it correctly handles uninstall of any previously existing version of Project LASSO before installing the new version.  Configuration and history information (Lasso.ini, Hostlist.ini, HighWatermarks.log, Repository and Spool files) are preserved during the process.

Note that if you wish to simply uninstall Project Lasso without installing a new version, you may wish to manually delete the Repository and Spool directories afterwards, as they can be quite large.

The Installer now supports an “agent-style” install, where all Lasso.ini configuration parameters are specified in the installation dialogues, and the standard InstallShield® scripted install feature can be used to automate batch installation on multiple machines.

However, it is still necessary to manually configure the “LASSO Windows Event Collector” service parameters after installation.  Please refer to the Lasso User Guide for the recommended settings.

There is a new Lasso.ini configuration parameter that controls whether the initial DLL scan is done at start-up. Turning it off can speed up start times for existing LASSO installations that have already filled the DLL Repository:

SkipInitDLLScan,0   Default value; does perform DLL scan at startup.

SkipInitDLLScan,1    Prevents DLL scan at startup.

LASSO is available under the GNU General Public License and has been downloaded over 5,000 times.

Posted February 01, 2007 in Innovation , Log Management & Intelligence | Permalink | TrackBack (0)
