LogBlog

« August 2007 | Main | October 2007 »

Log Trustworthiness Hierarchy

This post is inspired by the old TaoSecurity post Enterprise Trust Pyramid, where he explains that he trusts some security, system and network evidence data more than others. For example, dedicated NSM sensor records are trusted more than vanilla server logs. With this post, I am looking to establish a log trustworthiness hierarchy so that people start thinking about trust in log data as a kind of spectrum, from "probably trash" to "guaranteed to be an accurate record of activities."

So, do you trust your logs to accurately depict what happened on the system or network? Which logs do you trust the most? How do we increase this trust?

My first draft of such trust hierarchy follows below (from low trust to high trust):

  1. Compromised system logs (mostly trash, but might contain bits that attacker missed/ignored)
  2. Desktop / laptop OS and application logs (possibly changed by users, legitimate systems owners, etc)
  3. All logs from other systems where 'root'/Administrator access is not controlled (e.g. test servers, etc)
  4. Unix application logs (file-based)
  5. Local Windows application logs
  6. Local Unix OS syslogs
  7. Unix kernel audit logs, process accounting records
  8. Local Windows server OS (a little harder to change)
  9. Database logs (more trusted since DBA cannot touch them, while 'root' can)
  10. Other security appliance logs (located on security appliances)
  11. Various systems logs centralized to a syslog server
  12. Network device and firewall logs (centralized to syslog server)
  13. Logs centralized to a log management system via a real-time feed (obviously, transport encryption adds even more trust)

Admittedly, the differences between some of them are minor or even non-existent ...

To conclude, some logs DO in fact provide reliable evidence in case of an incident; you just need to know which ones to trust and which ones to only consider to be "hints" (or possibly even a misdirection). But of course, you need to first have logs and then look at them.
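The hierarchy puts a host's own log at the bottom and the real-time centralized copy near the top precisely because the two can be compared after an incident. The script below is an added example, not part of the original post: it cross-checks a constructed local syslog against the constructed copy a central collector received, and flags lines the host no longer has (deleted or rewritten) versus lines only the host has (never forwarded).

```python
"""Cross-check a host's local syslog against the copy a central collector
received from it in real time. Added example for the trust hierarchy above;
not from the original post. All sample log lines are constructed."""
from __future__ import annotations
import hashlib
from collections import Counter

# Constructed sample: what the central syslog server received from "web01"
# over a real-time feed while the host was still trustworthy.
CENTRAL_COPY = """\
Sep 27 10:01:02 web01 sshd[2210]: Accepted publickey for ops from 10.0.0.5 port 51022
Sep 27 10:03:15 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40111
Sep 27 10:03:17 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40111
Sep 27 10:03:40 web01 sshd[2240]: Accepted password for root from 198.51.100.7 port 40120
Sep 27 10:04:02 web01 sudo: root : TTY=pts/1 ; COMMAND=/bin/cat /etc/shadow
"""

# Constructed sample: the same file as read from the host afterwards. The
# root login and sudo lines are gone and one line has been rewritten.
LOCAL_COPY = """\
Sep 27 10:01:02 web01 sshd[2210]: Accepted publickey for ops from 10.0.0.5 port 51022
Sep 27 10:03:15 web01 sshd[2231]: Failed password for root from 198.51.100.7 port 40111
Sep 27 10:03:17 web01 sshd[2231]: Failed password for guest from 198.51.100.7 port 40111
"""


def _lines(text: str) -> list[str]:
    return [l.rstrip("\n") for l in text.splitlines() if l.strip()]


def _digest(line: str) -> str:
    return hashlib.sha256(line.encode()).hexdigest()[:16]


def compare_logs(local: str, central: str) -> dict:
    """Return the lines only the collector holds (deleted or rewritten on the
    host) and the lines only the host holds (written after forwarding stopped,
    or injected). Lines are matched by content hash with multiplicity, so
    repeated events such as failed logins are not collapsed."""
    local_lines, central_lines = _lines(local), _lines(central)
    local_c = Counter(_digest(l) for l in local_lines)
    central_c = Counter(_digest(l) for l in central_lines)
    by_hash = {_digest(l): l for l in local_lines + central_lines}
    missing_locally = [by_hash[h] for h in (central_c - local_c).elements()]
    only_local = [by_hash[h] for h in (local_c - central_c).elements()]
    return {
        "central_count": len(central_lines),
        "local_count": len(local_lines),
        "missing_locally": missing_locally,
        "only_local": only_local,
        "tampering_suspected": bool(missing_locally),
    }


def trust_verdict(report: dict) -> str:
    """Map the comparison onto the hierarchy: a local log that disagrees with
    the collector's copy drops into 'compromised system log' territory."""
    if report["tampering_suspected"]:
        return "local log untrusted: use the centralized copy as evidence"
    if report["only_local"]:
        return "local log has an unforwarded tail: check collector feed health"
    return "local and central copies agree"


if __name__ == "__main__":
    rep = compare_logs(LOCAL_COPY, CENTRAL_COPY)
    for line in rep["missing_locally"]:
        print("MISSING ON HOST:", line)
    print(trust_verdict(rep))
```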

Posted September 27, 2007 in Log Management & Intelligence , LogEd , LogMatters , Security | Permalink | TrackBack (0)


Just What is Enterprise Class? Part II

Here is the next enlightening post from Dimitri McKay, our network and systems engineer from the East Coast, where he continues to discuss the meaning of the phrase "enterprise-class," which is certainly MUCH more than a marketing buzzword! Part I is here, go read it first.

"4. Scalability: To support a large number of devices in growing enterprises, SIEM and log management products differ a great deal in how they scale. Some of the SIEM products require you to add as many as three new appliances (which all carry a hefty price tag) just for a slight increase in throughput. Others require you to forklift out your existing hardware to bring in new, bigger (and more expensive) equipment. In my own humble opinion these options are completely ridiculous.

The LogLogic scalability approach is uniquely simple. Add log traffic to your LogLogic appliances until you reach capacity on that box. Then add another box. Rinse and repeat. Each box does its own collection, does its own parsing, reporting and searching, and does its own storage. No special other boxes required. All-encompassing solution.

Of course, with “Scalability” comes other requirements of how to add capacity not only vertically, but what of horizontal scalability? Such features would include the ability to report across all LogLogic appliances, manage users and their access rights across a global environment, and use some form of remote authentication such as TACACS+ or RADIUS. This distribution should be an asset, and not a limitation of the overall system scalability. All of these are addressed in the current LogLogic 4.x.

5. High Availability: Due to the number of corporations and government agencies depending on LogLogic for regulatory compliance, system security and forensics, as well as heartbeat monitoring and troubleshooting, it’s safe to say that LogLogic is “Mission Critical”.

Because LogLogic is a “Mission Critical” system, it must support the internal and external capacity for zero downtime via high availability. This is accomplished via bonded NICs, hot-swap drives in various RAID arrays and mirrored sets, hot-swap redundant power supplies and, most importantly... the ability to link the boxes together in an active pair. Should there be a failure in a LogLogic pair, both appliances are exact clones of each other, and the passive appliance jumps right into gear as the primary. In milliseconds. It’s genius.

In a perfect world, there would be zero downtime on “Mission Critical” systems. Here at LogLogic, we try to minimize that to as little as possible through the use of various forms of HA, and it shows. Have you seen our new hardware?

6. Reliability: Although high availability plays a part here, I prefer to think of reliability as the quality of the code-base, the product design itself, and the forward motion of feature sets and additional device support in a timely fashion.

LogLogic is built on a stripped-down, lean, mean, hardened Linux platform. From there we didn’t go the route of a proprietary datastore, which can start as a good idea and then turn into a huge hulking mess with nothing but frustrations stemming from using, maintaining and increasing the capabilities of it; rather, we went with a solid database solution for storing meta-data. Industry standard. Well known. Easy to use. Robust.

Then we built in some brilliant parsers and a very straightforward GUI. Sprinkle that with some great features and a little bit of magic and you have a LogLogic appliance. Our upgrade plans and implementation are fast and furious. We release new device support monthly. Monthly additions. Monthly updates.

At the end of the day, however, extenuating circumstances happen. Should there be a hardware or software problem, LogLogic support is there to help. With 24/7 support and advanced replacement available to our platinum level enterprise class customers, all the bases are covered.

Build the appliance on a solid kernel, with a well known and well tuned database. Add HA, some of the finest engineering talent in the world, and a great support team, and LogLogic does enterprise right.

Stay tuned for the 3rd installment of “Enterprise Class”. LogLogic is going where no LMI vendor has gone before."


Posted September 27, 2007 in Innovation , Log Management & Intelligence , LogEd , LogMatters | Permalink | TrackBack (0)


One Last Time: "Choosing Your Log Management Approach" presentation

So, this coming Friday I will be giving my award-winning :-) presentation "Choosing Your Log Management Approach: Buy vs Build vs Outsource" one last time at SANS NS 2007 in Las Vegas, NV (details here and below). I was told that literally hundreds of people have signed up (we are procuring additional lunches as I am typing this). The presentation will then be retired and will later find new life as a LogLogic webcast. It will be replaced by an even more exciting log management presentation with a still-secret name ...

See you in Vegas! BE THERE!

LogLogic Lunch and Learn Presentation
- "Choosing Your Log Management Approach"
- Speaker: Dr. Anton Chuvakin, GCIA, GCIH, GCFA
- Friday, September 28th, 2007 * 12:30pm - 1:15pm



Posted September 26, 2007 in | Permalink | TrackBack (0)


We Want Your Vote!

LogLogic has been nominated for the "2008 InfoSecurity Reader's Choice Global Product Excellence Awards" and we want your vote! Go to http://www.infosecurityproductsguide.com/votingbooth/ before October 8th and vote for your favorite log management and intelligence company and solution (Hint: that would be LogLogic and LogLogic 4, respectively). LogLogic customers, channel partners, distributors, and VARs are all eligible to participate in the voting process.

Posted September 25, 2007 in | Permalink | TrackBack (0)


P3: Exploding Products, Partners and People

Having been CEO at LogLogic for 90 days now (not quite the 100 days U.S. presidents get) I can unequivocally say that our business is exploding (not imploding, as some of our competitors were hoping for). While I cannot share with you the specifics of our success, you just have to listen to a drum-beat of announcements to see that momentum is building universally across products, partners and people.

On September 12 we announced the appointment of Richard Marquez as our VP of Channels as well as a new partner program. On September 14, we were selected as a 50 Rising Star by Deloitte and Touche. On September 18 we announced that FishNet Security, a well-known national information security solutions provider, committed to our new Premier Plus partner program (and targets). On September 24 we announced that we are the first company to release new compliance suites following the latest COBIT 4.1 and PCI guidance. Expect this drum-beat to continue for a while!

We also have significantly accelerated our hiring across all levels and departments of the organization. Please send us your resume even if no position is listed at our website since we are moving faster than our web team … careers@loglogic.com.

Posted September 25, 2007 in | Permalink | TrackBack (0)


More Web Proxy Log Tips

After publishing my proxy log tip (here), I figured I'd post a few more mini-tips on web proxy logging as well as a link to my full presentation (webcast with voice, slides only) on web proxy log management.

First, why look at proxy logs? Apart from my overall answer that applies to all logs, proxy-specific reasons are the following:

  1. Review users’ activities on the web (not just surfing!)
  2. Monitor applications' HTTP activity
  3. Detect Web-enabled malware traffic
  4. Study proxy performance metrics

Most people just focus on #1 above and kind of forget #2-#4. Also, the focus of #1 is often narrow (what do they surf at work?) and not broad (what do they do on the web?), which is much more useful. While there is no direct mention of proxy logs in recent regulations, monitoring what users do with YOUR data is clearly part of the compliance mandates (and, obviously, a good idea in general!). Indirect references to proxy logging can be seen in the following:

So, please treat proxy logs with the respect they deserve! Here is my full presentation (webcast with voice, slides only) on analyzing and managing web proxy logs.
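To make the four reasons concrete, here is an added example (not from the original post) that pulls each of them out of proxy log lines: per-user activity beyond plain surfing, non-browser application traffic, a heuristic malware indicator, and proxy performance figures. The lines are constructed in Squid's native access.log layout with a quoted User-Agent appended as the last field; that appended field is an assumption, since the native format does not carry one.

```python
"""Extract the four kinds of answers the post lists (user activity,
application HTTP traffic, web-borne malware indicators, proxy performance)
from proxy log lines. Added example, not from the original post. The log
below is constructed: Squid native access.log fields plus a quoted
User-Agent as a trailing field (assumed; Squid can emit one via logformat)."""
from __future__ import annotations
import ipaddress
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LOG = """\
1190650801.101 230 10.0.0.12 TCP_MISS/200 5120 GET http://www.example.com/ jsmith DIRECT/93.184.216.34 text/html "Mozilla/5.0 (Windows NT 5.1)"
1190650802.410 12 10.0.0.12 TCP_HIT/200 820 GET http://www.example.com/logo.png jsmith NONE/- image/png "Mozilla/5.0 (Windows NT 5.1)"
1190650803.007 1840 10.0.0.12 TCP_MISS/200 310 POST http://share.example.org/upload jsmith DIRECT/203.0.113.9 text/plain "Mozilla/5.0 (Windows NT 5.1)"
1190650810.550 95 10.0.0.44 TCP_MISS/200 1400 GET http://updates.example.com/patch.xml - DIRECT/203.0.113.20 text/xml "UpdateAgent/2.1"
1190650812.002 60 10.0.0.31 TCP_MISS/200 41 GET http://198.51.100.23:8080/c.php?id=7 - DIRECT/198.51.100.23 text/html "-"
1190650813.900 3200 10.0.0.31 TCP_MISS/200 1048576 GET http://198.51.100.23:8080/s.bin - DIRECT/198.51.100.23 application/octet-stream "-"
"""

# time elapsed client code/status bytes method url user peer/host type "ua"
LINE_RE = re.compile(
    r'^(?P<ts>\d+\.\d+)\s+(?P<ms>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)/(?P<status>\d+)\s+'
    r'(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<peer>\S+)\s+'
    r'(?P<ctype>\S+)\s+"(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> dict | None:
    """Return one record as a dict, or None for a line that does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("ms", "status", "bytes"):
        d[k] = int(d[k])
    d["ts"] = float(d["ts"])
    return d


def _host_is_ip(url: str) -> bool:
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def analyze(log_text: str) -> dict:
    recs = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    users = defaultdict(lambda: {"requests": 0, "bytes": 0, "non_get": 0})
    apps = defaultdict(int)  # non-browser User-Agents -> request count (#2)
    suspects = []            # heuristic malware indicators (#3)
    for r in recs:
        u = users[r["user"]]  # #1: activity per authenticated user
        u["requests"] += 1
        u["bytes"] += r["bytes"]
        if r["method"] != "GET":      # POST/PUT: more than just surfing
            u["non_get"] += 1
        if not r["ua"].startswith("Mozilla/"):
            apps[r["ua"]] += 1
        # Heuristic only: an IP-literal host with no User-Agent is a common
        # beacon/dropper shape; confirm with other evidence before acting.
        if _host_is_ip(r["url"]) and r["ua"] in ("-", ""):
            suspects.append((r["client"], r["url"], r["ctype"]))
    hits = sum(1 for r in recs if r["code"].startswith("TCP_HIT"))
    perf = {  # #4: cache effectiveness and latency
        "hit_ratio": hits / len(recs) if recs else 0.0,
        "median_ms": statistics.median(r["ms"] for r in recs) if recs else 0,
        "max_ms": max((r["ms"] for r in recs), default=0),
    }
    return {"users": dict(users), "apps": dict(apps),
            "suspects": suspects, "perf": perf}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```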


Posted September 24, 2007 in Log Management & Intelligence , LogEd , LogMatters , Security | Permalink | TrackBack (0)


Just What is Enterprise Class? Part I

Here is another enlightening post from Dimitri McKay, our network and systems engineer from the East Coast, where he discusses the meaning of the phrase "enterprise-class" (which is sometimes known to be abused in marketing literature...)

"The Enterprise is generally a huge task, and this post itself is quite large. Due to the mass of both this post and the average Enterprise roll-out, I will break this down into 5 parts. Here is part 1 in the 5 part series.

I hear the term “Enterprise Class” as a buzz word to define hardware and software. Sometimes it’s used to describe a feature set, and to some it’s a scalability reference. Here’s what “Enterprise Class” means to me, and how it pertains to LogLogic solutions as a whole.

  1. Multi-user: LogLogic handles the Multi-user process in a two-pronged attack. First, we offer the basic granular local account system which gives users the rights needed to do the job on only the devices they require. Now, on the enterprise side, we have added the ability to connect to TACACS+, RADIUS and soon LDAP/AD servers in order to alleviate the task of managing users on the LogLogic Appliances. Multi-user is a must for anything that is to be considered “Enterprise Class”. I’m hoping to see some additional authentication methods in the future; however, as for now the TACACS+ and RADIUS option certainly covers the majority of our enterprise customers.

  2. Accessibility: In 1998, Congress amended the Rehabilitation Act to require Federal agencies to make their electronic and information technology accessible to people with disabilities. Inaccessible technology interferes with an individual's ability to obtain and use information quickly and easily. Section 508 was enacted to eliminate barriers in information technology, to make available new opportunities for people with disabilities, and to encourage development of technologies that will help achieve these goals. Most of the specifications for software pertain to usability for people with vision impairments. For example, one provision requires alternative keyboard navigation, which is essential for people with vision impairments who cannot rely on pointing devices, such as a mouse. Other provisions address animated displays, color and contrast settings, flash rate, and electronic forms, among others (see more at Section508.gov). Now, at LogLogic, we try to make our GUI as straightforward and easy as possible. We make our GUI adhere to the standards and framework put forth by the web browser itself, which thereby adheres to the accessibility options within both that browser and also the Operating System.

  3. Localization: As with any business solution, our world isn’t set in one language or specific dialect. As a whole, LogLogic offers language options not only in English but also in languages relevant to foreign countries that are bound by the same requirements that LogLogic can address such as JCobit and J-Sox, which are the Japanese versions of COBIT and Sarbanes-Oxley (SOX) compliance. As we move forward LogLogic continues to add alternative language support such as Korean and Chinese.

Stay tuned for the next episode of “Enterprise Class” where I will run off on a tangent about HA, reliability and scalability."


Posted September 24, 2007 in Log Management & Intelligence , LogEd , LogMatters | Permalink | TrackBack (0)


New LogLogic SOX and PCI Compliance Packages Announced ...

Today, we announced two updated packages for simplifying enterprise regulatory compliance: "The LogLogic Compliance Suite: Payment Card Industry (PCI) Edition" and "The LogLogic Compliance Suite: COBIT 4.1 and Sarbanes-Oxley (SOX) Edition". Read More.

In short, the PCI Suite instantly turns log data into automated reports and alerts for monitoring PCI Data Security Standard compliance. The COBIT / SOX suite automates the process of using log data to evidence and enforce internal SOX controls through COBIT 4.1. LogLogic, by the way, is the first vendor to release automated log management reports that follow the guidelines of the newly released COBIT 4.1 framework - so we're proud to get this out in production.

Here's why organizations should care about this announcement: these Compliance Suites turn vast amounts of raw log data, which could take months and millions of dollars to review manually, into automated reports and alerts, making short work of SOX and PCI compliance. It's pretty straightforward: these solutions reduce the time and money companies spend on routine log management tasks (including log collection and storage, report writing, and audit sampling) and are designed for both IT security and regulatory compliance with SOX and PCI.

Are you compliant?

Posted September 24, 2007 in | Permalink | TrackBack (0)


More Project LASSO Updates

Dimitri McKay, our network and systems engineer from the East Coast, contributes this fun story: "When I first started at LogLogic, the only option for retrieving Windows logs was via an open source product called Snare. Snare was a simple concept. It would basically tail a Windows event viewer and whenever a new event was written, Snare would convert that to syslog, and send it over the wire (UDP or TCP) to its destination. Basic concept, basic execution.

Now, all of this was well and good; however, I couldn’t help but feel like an agent was not the greatest of solutions. As a former Windows Engineer, I was sort of put off with the idea of agents as a whole. It seemed like everyone was offering agents, and those agents were never happy on my systems in some form or another. So began Project Lasso.

Over some Thai food, Matt Foley, Andrew Morris and I had a conversation about an agent-less Windows solution, and later that day I found myself writing a PRD for the “Windows Remote Event Collector”, which was code named Project Lasso.

The name stuck, and with our 4.0 release I’m really happy with the ongoing development of the product. The concept is simple... Lasso is installed either as an agent to monitor itself, or on a “Project Lasso Server” where it uses WMI connections to connect to the other hosts it will be pulling logs from. There it pulls the string DLLs to a local repository, and then pulls the Windows events themselves. Both the string DLLs and the events are then sent to the receiving syslog or LogLogic appliance where they are parsed and indexed. [Anton: they can also be sent to any other syslog receiver, such as a syslog-ng server]

In 4.0 we added a few features I’m very excited about.

The ability to use custom shares. In version 3.x we needed a Domain Admin account to pull the full Windows events. The Domain Admin account was the only account which had access to:

In Project Lasso 3 if you set some Active Directory policies, you could eliminate the need for a Domain Admin for the registry and event viewer, but not the C$ admin share. The only other account that had access to that was the Backup Administrator. Now, in Project Lasso 4 we don’t have that issue any longer because we can configure just a standard Lasso User account to have access to the registry, the event viewer, and a local drive via a custom share.

The ability to change the Hostlist.ini on the fly: In Project Lasso version 3.x when you added hosts to be monitored, you had to restart the Lasso service. Well, this process became somewhat onerous in that every time an Administrator needed to add new servers/clients to be monitored by Project Lasso he had to re-start the service which would take quite a bit of time to check those string .dll’s for changes or additions and then start pushing logs to the destination server. This could sometimes take more than a few minutes depending on the number of hosts. So much for real-time alerting or reporting. None of this is a problem anymore as the Project Lasso service will now grab the new hosts on the next pass.

Shared DLL Repository: Prior to Project Lasso version 4, when a DLL repository was created on the Lasso Server, it downloaded all .dll’s for all monitored hosts. This means there was a ton of the same .dll’s in the repository, as each machine would most likely have the same .dll’s. These folders were about 120 MB in Lasso 3, times the number of hosts you were monitoring. That can be a big storage problem in a short amount of time. In Lasso 4, the DLLs are shared among hosts, so it has a much smaller disk space requirement.

In closing, if you’re interested in routing Windows Events to a syslog or Loglogic appliance, you can do so via Project Lasso either in agent mode or in agent-less / remote collector mode.

Feel free to check out the always free Lasso 4 on Logforge"

Indeed, Project Lasso is in wide use among LogLogic customers as well as in the broader world. Deal with Windows logs? Grab Project Lasso!

Posted September 17, 2007 in Log Management & Intelligence , LogEd , LogMatters , Project Lasso | Permalink | TrackBack (0)


LogLogic named a 2007 Silicon Valley Technology Fast 50 Rising Star

LogLogic was notified this week that it has been named a 2007 Silicon Valley Technology Fast 50 Rising Star by Deloitte and Touche. Details are still under wraps, but we do know official rankings will be announced after the Fast 50 Gala on October 30 (a black tie affair), so stay tuned. We're certainly proud and excited to have been named to the list. For more info about the criteria for receiving this award, visit Deloitte and Touche.

Posted September 14, 2007 in | Permalink | TrackBack (0)


New LogLogic Partner Program Unveiled

Today, LogLogic announced a NEW tiered channel program that provides partners unparalleled resources, support and margin incentives for the express purpose of shortening partner sales cycles and increasing close rates.

As a result of compliance mandates (SOX, HIPAA, COBIT, PCI, FISMA, etc.), which often require companies to carefully track, manage, and report on their log data - enterprises are scrambling to institute log management and intelligence solutions to become compliant or face financial ramifications and / or a public relations nightmare. LogLogic's solutions play well here, providing proactive enforcement and remediation through Log Management and Intelligence as well as a real-time view of adherence to multiple regulations and standards.

To lead the channel charge, LogLogic has brought on Richard Marquez as vice president of Partner Sales. Richard is a 20-year channel veteran superstar who most recently led Partner Sales at Computer Associates after spending 10 years at Symantec building one of the industry's most successful channel businesses. Welcome Richard! Click here to learn more about LogLogic's Partner Program. You can also register your interest in becoming a partner.

Posted September 13, 2007 in Log Management & Intelligence | Permalink | TrackBack (0)


The Simple Truth about the Log Management market?

Change seems to generate a fair amount of introspective thinking and I wanted to share a couple of thoughts and observations with you:

  1. Log Management has really come into its own over the past two years. The SANS Institute did an incredible job of educating literally hundreds, if not thousands, of IT professionals on the art and science of next generation log management. Stephen and crew deserve an enormous amount of kudos for taking an every-day IT task and highlighting its importance - and fundamentals - for good security.
  2. Compliance is the driver, but…. PCI in particular shone a very bright light on log management, moving it into the realm of "IT requirement". Log Management is now a standard of due care, but, and this is a BIG "BUT", IT operators don't have the time to perform log analysis through homegrown solutions and are looking to replace complexity and work with simplicity and efficiency.
  3. Too much time is spent on semantics. I know that the person that wins the war of words first has an unfair advantage in the war in the market. But come on, whether you call it security event management or log management all depends on the lens you are looking through and the task at hand. What's happened to change so many people's view is that more and more customers are calling analysts and resellers looking for a log management solution because that's what regulations tell them to do. Call it what you will, it's important and customers need basic requirements answered.
  4. LogLogic is better positioned than any vendor out there to meet these requirements. These aren't the same requirements requested by the security operations center in 1999. Today customers want all data collected, stored unaltered, shared and secured easily. They don't want reports or new log sources to mean yet another professional services engagement. And they don't want a hidden "first hit pricing".

Nomenclature may come and go - some things at LogLogic never change: our aim to maintain an unrelenting focus on meeting customer requirements and innovating like crazy.

Posted September 12, 2007 in | Permalink | TrackBack (0)


LogLogic's Second Act

LogLogic has successfully navigated its first act: we turned a compelling idea into a business success. LogLogic is now preparing for a new season: our second act! A new act means lots of changes at LogLogic, and the team is abuzz with excitement and productivity. We've got a deep bench and a committed leadership team that is growing fast. On the sales front, Robert Yusin is doing a phenomenal job at more than doubling sales year over year! This is something we've been doing for multiple years. Richard Hornstein is providing calm leadership as Chief Financial Officer (we're becoming a big company, without becoming dowdy). Many new faces are vaulting onto the stage. We have appointed Richard Marquez to Vice President, Partner Sales, and George Tuma is now VP of Engineering. Sadly, two dedicated loggies, Andy Lark and Tony Chang, are moving on. I thank both of them for their contributions and friendship, and I thank Andy especially for vaulting me into the blogosphere as his parting gift ;-)

All in all, the show is quite exciting and, while the script is still being written, I am confident that the second act will be phenomenal and the subject of rave reviews. As Shakespeare said: "All the world's a stage, and all the men and women merely players." But in our case, our world is focused on LMI, and our team are not merely players, but dreamers and executors. To audition, check us out, as recruiting remains a first priority.

Posted September 12, 2007 in | Permalink | TrackBack (0)
