Europe Rocks!

• SC Magazine: Biometrics story
• DigitalIDNews: Biometrics story
• SC Magazine: 5 star product review
• SC Magazine: Product launch
• Infosecurity magazine: Product launch
• IT Pro: Shell data breach
• The Register: Shell data breach
• IT Backbones Computing: Product launch
• IT Backbones Security: Product launch
• IT Backbones Networking: Product launch
• Searchsecurity: Wick Hill comment
• IT Analysis: Quad
• Security Vibes: Impressive
• IT Backbones Software: Q1 momentum
• IT Backbones Networking: Q1 Momentum
• Searchsecurity: Log management tips
• IT Pro: DSM review
• Datacentre Edge: Cloud
• SC Magazine: Wyndham Hotel
• Fresh Business Thinking: Cybersecurity
• Geek Shui Living: Biometrics
• Security Park: Cybercrime

In some ways, tradeshows like this have not changed. I have been apart of the JavaOne show since the beginning back in 1997. The RSA crowd is a bit different…namely more suits and better hygiene.  You can always tell how the economy was doing by what kind of giveaways are on the show floor. Here are my best and worst for 2010.

Hand Sanitizer? Really?

I did notice that a bunch of people had hand sanitizer. Really? Does this really send the right message? To Whom? Howard Hughes?

(sorry for the picture quality….its from my blackberry).

For Cutesiness, this injection-molded safe was pretty interesting, if a bit dated in a 19th century kind of way:

The Cell Phone stand was cool, but it did not fit my Blackberry:

The Winner: Giveaway Of The Year: RSA 2010

But the winner (for me at least) is the N-in-one tape measure/level/pencil/notepad thingy from a company called Howard:

The type of booth also has a lot to say about the economy, and what the company wants to portray. Some companies have WAY TO MUCH money and were giving it out by the barrel full. Some were trying to get attention my showing you picture of PhotoShopped mutants.

Meet The Beetles

But my favorite, and most cringe inducing was the secure laptop crawling with *live* African beetles. I am not making this up:

They got my attention, but I am not sure this was the best way to do it.

If this is the type of show that is being put on these days, then it appears the economy is on its way to a recovery.

Anti-spyware

Spyware will pollute your system silently. It will watch your every move, looking for passwords, bank account information, credit card numbers and any other information of value.

How does it do that? How does it hide so well?

It will often operate by replacing legitimate executable files. It will highjack critical system files and drop its payload into them.

Your system now seems to run as usual – the list of running processes doesn’t yield any anomalies, and performance doesn’t seem affected. But the spyware is running.

So how do logs help here?

They help from the get-go. As soon as the spyware initially infects your system, it will access critical system directories and either drop in new executables, or modify system-privileged executables. These are events that can be configured to generate logs.

And once more, your Log Management and Intelligence solution can be configured to alert you of this behavior and let you know in real-time that a program is accessing and replacing critical system executables.

It will not completely replace your system integrity solution, but it will nicely complement it.

SIEM - Security Information Event Management

The philosophy of the SIEM is to correlate disparate events taking place in your IT infrastructure to identify and flag security incidents.

For example, if a user logs in locally at 8am (as demonstrated by logs from the DHCP server assigning an IP address and then Active Directory allowing successful authentication to the Domain), and then this user logs in from the other side of the Internet via VPN (as demonstrated by logs from the VPN concentrator), then something is obviously wrong and it is likely an identity theft with illegal login taking place.

Sounds quite simple, right?

Well, it can be pretty simple provided that you know which scenarios you want to flag as problematic.

Above all, it can be pretty simple provided you have the logs that give you the visibility required to flag these behaviors and scenarios.

This is where Log Management and Intelligence comes in.

The first step in correlating logs is to collect and centralize all of your logs, as seamlessly as possible. Next, use policy-based forwarding to forward all relevant logs to your correlation engine.

This is why Log Management and SIEM are complementary.

Easily and seamlessly build a haystack, and find the needle in real-time.

SIEMs work very hard to find the needles, using extremely complex algorithms. So the more you help your SIEM by isolating certain types of logs for it to work on, the more you can optimize the process. A sound Log Management and Intelligence solution will help you feed the right logs to your SIEM so that it can do its job most efficiently, by correlating logs and events that are relevant for security purposes and targeted to the scenarios that are most important for you.

SIEM and log correlation then become a “feature” of Log Management and Intelligence!

So…by now you should understand the importance of process and procedures surrounding the use of defensive security solutions, and more importantly, agree that the classic “install and forget” approach to security is doomed to certain disaster.

A sound Log Management and Intelligence system should not only be in your bag of tricks, but integral to your process and procedures as a way to verify and ensure the validity of your security solutions. Log Management and Intelligence is more than just an added safety measure – it could be the last, and most effective barrier between you and disaster.

If you enjoyed this blog mini-series and always want to be the first kid on your block to get the latest log-related scoop, be sure to visit our FeedBurner page and sign up for our news feeds. And a big shout-out and thanks to all of you Logophiles who dropped by and visited our booth at this year’s RSA conference in San Francisco!

IDS/IPS

IDS/IPS are a phenomenal tool in your defensive security toolbox…provided that they are properly configured and closely managed.

All IDS/IPS need to be regularly updated – much like an AV. And again, you need to verify that your systems are properly keeping things up to date. Use your Log Management and Intelligence solution for that.

Let’s also look at one of the most common criticisms of an IDS.

An IDS’ job is to alert on certain events, and this sometimes leads to very chatty systems; what some people call “false positives”. False positives are not an IDS’ fault – the IDS is just alerting on events that we asked it to alert us on.

For example, one malformed packet can be attributed to a malfunctioning system or poorly-coded custom application. Such isolated incidents can happen and should not be a cause for concern. If your IDS raises an alert for every malformed packet recognized, you will soon be drowning in alarms, your IDS ringing off the hook, and you will complain about false positives. However, having too many of these malformed packets in a certain period of time could be an indication that a DoS Denial of Service attack is underway. So you need a way to define a threshold above which you decide indicates an attack.

But how would you know that you have reached the threshold above which you want to be alerted, but not wasting your IDS’ cycles in threshold analysis so that it can keep doing its job best?

Logs will tell you that.

Sound Log Management and Intelligence will allow you to collect, centralize and analyze your IDS logs, in real time. Get more than x of these events per second, or per minute or hour and the alarm can be raised. For example, you can easily set thresholds so that when a malformed packet is recognized, no-one cries wolf, but if more than 10 such packets are received in a minute, this indicates cause for concern and an alarm is raised. And/or an SNMP trap is sent to your ticketing system. And/or an email is sent in real time to your security supervisor.

Logs can also help you in other ways.

An IPS, like a firewall, needs a certain policy to be implemented in order to decide what traffic to allow and what traffic to stop. And again, you have the same risk of having policies that are not appropriate for your environment.

So how do you verify that your IDS and IPS are up-to-date and functioning the way that they’re supposed to?

Logs will tell you that.

Compare logs from your IPS and logs from your downstream internal network devices and compare them. Is your IPS allowing traffic that you don’t want to allow? Are your switches receiving and treating packets that your IPS should not allow – traffic that poses a risk to bringing down your end systems?

Anti-Trojan/worm

Anti-Trojan and Anti-worm solutions are similar to AV solutions in that they need to be kept up to date with their latest signature files. So it is critical to validate that your anti-Trojan/worm solution is using the latest file, and that the scheduling, downloading and installing of these files is working fine.

Again, logs will tell you that, provided that you have a good Log Management and Intelligence solution in place.

In addition, the latest signature files provide no help to combat Trojans and worms that exploit newly discovered attack vectors in what’s called “zero-day” attacks.

One aspect that is typically common in zero-day attacks is that the malware will try spreading to neighboring systems by replication and infection, which starts by establishing connections to other systems, sometimes “random” hosts on “random” ports, often adding some form of IP spoofing mechanisms in order to obfuscate its behavior. Obfuscation can also be achieved by hiding attacks in legitimate traffic, by tunneling exploits in port 80 for example. Or DNS ports. So these Trojans and worms are sometimes capable of evading known defensive security solutions. In fact this is becoming more and more the case, as it is a matter of survival for the worms.

The only “weird” or unusual behavior that is observable is a spike in the number of network connections happening in your network, and connections refused by end-systems, or connections accepted followed by modification of system level files.

A sound Log Management and Intelligence solution will alert you when you have a spike of more than x% of logs compared to your baseline “normal” behavior for a configurable period of time. For example, you can set your solution up so that if you have more than double the number of logs generated by this system, or this group of systems, the security administrator is alerted , an alarm is raised and an SNMP trap is sent to your supervisor system.

Again, Log Management will never replace your dedicated anti-Trojan/worm solution, but it will nicely complement it.

Tune in again tomorrow, when I’ll cover the last two defensive security solutions – Anti-Spyware and SIEM – and conclude my multi-part blog on Log Management as a secret weapon. And sign up to join our LogLogic facebook page – it’s a great way to stay up-to-date on all things LogLogic!

Firewalls/VPN

Let’s talk about a scenario that happens in many corporations, including ones where strong Change Management procedures are in place.

A new application gets deployed internally, for which the firewall rule set needs to be changed. And for testing purposes, additional ports need to be open. Testing takes place but now fine-tuning requires additional time. And the operations group gets busy and these ports are left open, deeply buried in the firewall rule set (it is not uncommon for rule sets to have hundreds of policies). And by the way, there was a typo in the port number for one of the rules and now ftp flows freely inside, in clear violation of the security policy prohibiting inbound ftp traffic in your trusted zone.

How do you verify that your firewall is correctly implementing your security policy?

Logs will tell you that.

Periodically run a report of all traffic that is crossing your firewall and you’ll have a clear picture of the security policy and rule set that is in place. Not the one you think is being enforced or the one you want to have enforced, but the one that is actually running and being enforced.

Run this report against your security policy and you’ll have an excellent way to flag for illegal traffic and misconfigured firewalls.

Logs also give you an added measure of understanding rule sets and policies implemented, including all of the changes that have taken place. When you audit your firewall rule set, you get a snapshot of its configuration. And you really don’t know all of the changes that have taken place between snapshots. Your firewall admin may have opened ports and closed them later on, but you will probably not know it.

Unless you are running a solid Log Management and Intelligence solution. In this case, you will see each of the configuration changes that have taken place. Every time an admin changes the security policy and firewall ruleset, a log will capture and describe that event. Collect, centralize and analyze these logs and you will get a historical view of all changes to open and close ports, all changes to allow or disallow applications and all actual protocols using these ports. And you will see all of that in real-time, completing the view provided by your security audit.

Stay tuned…tomorrow I’ll tackle IDS/IPS tools and Anti-Trojan/Anti-worm solutions.

Don’t forget to follow us on Twitter and if you’re attending the big RSA Conference in San Francisco this week, come by our LogLogic booth and say hi…we’d love to talk logs with you!

We’ve all come to rely on a standard set of defensive solutions to address information and network protection, but these standards have given us a false sense of security. We think it’s high time that everyone understood why employing a Log Management and Intelligence solution is not only “nice to have” but actually critical to complement these standard protection methods. In the next few days I’ll be posting a blog mini-series exploring the standard measures we’ve gotten comfortable with and I’ll explain why logs could be your most effective secret weapon.

Let’s first look at the most common defensive security solutions that have been popular these past few years. This is not an exhaustive list of all existing technologies, but rather a high-level view of some of the prevalent ones.

1. Anti-virus
2. Firewalls/VPN
3. IDS/IPS
4. Anti-Trojan/worms
5. Anti-Spyware
6. SIEMs

These correspond to an approach called “Defense in Depth” that aims to put successive rings of protection between the bad guys and the information to protect, making successful attacks harder and harder.

There are other types of security solutions, such as proactive security (Vulnerability Management and Patch Management) or remediation solutions (think of the PDCA, Plan Do Check Act, of ISO’s lifecycle along the lines of CIA, Confidentiality Integrity Availability).

But by and large, think about information security and chances are you’ll think first of defensive security. You’ll think about an attack taking place and a security solution fending off this attack in real-time or ringing an alarm so that you can intervene in real-time. This has been the focus of the industry for a long time. Indeed, find a universal, “perfect” defensive security solution and you will have found the Grail of all solutions; no need for proactive security, and no need for other types of security solutions.

Of course let’s not forget that security is an ongoing process, not a single event, and security policies should be driven by solid business requirements. Indeed, it is important to understand that security solutions need to be correctly deployed and managed, in a framework of proper processes and procedures so that they are always up to date, correctly configured and do not suffer from any holes.

This is a very difficult task as your IT infrastructure is an ever-evolving landscape. Your business processes change, and so do your firewall configurations. Your people and teams change, and so does your VPN credentials list. Your threats change, and so do your SIEM scenarios. Your exposure changes and so do your IPS requirements.

For the common defensive security solutions that we listed, let’s review some of the pitfalls to avoid, and how Log Management and Intelligence can help you keep these systems in tip-top shape.

Don’t adopt an “install and forget” approach to your defensive security solutions. Don’t assume that once your solution is installed and configured, it will continue working flawlessly forever.

Verify that your solution is performing the way you need it.

A sound Log Management and Intelligence solution will provide you with universal visibility over everything that happens in your IT infrastructure. Leverage that visibility. Unleash the power of logs.

1. Anti-virus

Both with gateway-level AV (for such purpose as email scanning), as well as end-system level AV (for such purpose as file scanning), an AV solution is only as effective as the latest signature/update file that is running on it. Use an old file and the newest viruses will pass right through your AV solution.

Chances are that your AV solution has a built-in scheduling function that facilitates download of the latest signature file, or maybe you are running a central AV management system that pushes the latest files to your different systems.

So you typically set it up and forget about it, assuming that it always works as it’s supposed to.

But what if something goes wrong? Connectivity is lost, your configuration file or registry setting gets corrupted, your scheduling engine stops, there is no available space to install the latest signature file or any other malfunction that might hamper the correct behavior of your system? How will you know that your otherwise well-oiled machine has fallen into shambles?

Logs will tell you that.

Every time your AV engine tries to get the latest and greatest signature file, it will write a log about this event. And when it tries to install it, it will write a log about that event with the status of the update – success or failure. That log will typically have a payload containing information about the latest file in case of success, or error codes and error explanations in case of failures.

Collect, centralize and analyze these logs and you’ll have a perfect picture of your AV profile for each of your systems. Be particularly wary of failure status on downloading or installing or using these signature files. And run a complete report on all successes and compare it with your asset database. Do you find any holes?

Likewise, your AV engine is set to scan for executables before running them. Select a system that you want to probe, and run 2 reports – one from your AV solution to find out what executable files have been scanned, and another one from your OS for all of the executables that were run. Do you find any discrepancies? If so, your AV solution is not behaving the way you need it to.

Log Management and Intelligence is a simple way to validate and make sure that your AV solution is performing as per your security policy.

Next up…I’ll discuss Firewalls/VPN and tell you where logs fit in.

And don’t forget to sign up for our LogLogic Newsletter…and you’ll always be in-the-know!

“TheInfoPro’s Technology Heat Index™ is widely regarded as effective measure of user “demand” for a technology, and from a vendor’s perspective, a good indicator of the relative size of the market opportunity. TheInfoPro’s Information Security Technology Heat Index cites event log management as the No. 1 priority in information security IT spending, with data loss prevention (DLP) and NAC [ed - network access control] ranking next, respectively.”

And then of course, there’s the specter of compliance. We’ve lost count of the number of laws, rules, & guidelines around the world that contain the basic IT imperatives of encrypt data and store the logs. Just about every customer DLP initiative we’ve encountered has a log management element to it: either the obvious, or the more nuanced data access control provided by the likes of our Database Manager.
Which is also good news, because the list of exciting technology solutions from TheInfoPro includes…

“DLP tops the IT projects list as well as the exciting technology solutions list. Security professionals have identified that both Symantec and McAfee are likely to be the preferred DLP vendors. LogLogic and Microsoft are top choices as vendors for event log management.”

LMI is an acronym for a term coined by LogLogic. “Log Management and Intelligence”. Seems like a simple enough statement, but don’t be fooled by it’s lightweight appearance – there’s a lot packed into that little acronym. Think of the proposition that the co-founders of LogLogic were offering. They came from the world of SEM (or SIEM or SIM or SEIM - different acronym, same meaning), where their lives revolved around the correlation of specific security-focused log messages. But where many folks at the time focused their visions on the more obvious security-related messages, LogLogic saw that there was exponentially more value in collecting ALL log messages. This wasn’t just security focused, although LMI is absolutely critical for proper forensics…but no. This was much bigger because of what was required. And what it offered. Intelligence.

This wasn't your grandfather’s syslog server. Oh no. This wasn't about grep'ing raw logs. Oh no. This was a full web-based UI with mySQL parsing for reports, the ability to search, alert, and forward data onward to other tools. This was syslog on steroids. This was a tool for more than troubleshooting. This was a tool for more than searching. This was a tool for storing the ‘truth’ of your IT infrastructure in its entirety. This was what we called Log Management AND Intelligence.

The first generation of hardware was basic. With the off-the-shelf parts available at that time, the appliances cranked out some huge message rates. the collection scope was mostly around perimeter devices, the first being firewalls such as the Cisco PIX. Anyone who knows logs will tell you, the Cisco PIX is probably the most chatty device on the planet. The word “verbose” does not even begin to express how much data these bad boys create. But that was the beginning. The first version of the ST appliance (used for long term storage and long term forensics) did a massive 50,000 messages per second. The largest LX appliance (used for alerting, reporting and short term searching) handled 3,000 messages per second. Back then, these message rates were unheard of.

We saw the value proposition not only for forensics, but quickly realized that this could be extremely useful for Operations. Extremely useful for troubleshooting. Extremely helpful in offering a high-level view. Looking at raw logs was great for the soldiers on the front lines, but we wanted something more for the management types...those hoping to see things more along the lines of red lights, green lights, and yellow lights. Are we in bad shape, good shape, or somewhere in between?

The focus on log management wasn’t popular just yet. Compliance wasn’t on the table...but it was in the post – it was en route. It would soon be a big deal, and with it would come long term audit requirements, such as PCI’s 1 year and SOX’s 5-7 year storage requirements. At the time, people were telling us that the whole concept was insane. I remember talking to customers, and to them it was terrifying! “That means I have to store each and every log message from ALL of my devices for 5-7 years?!?” Yes sir!

Back then, LogLogic was the only game in town. But the SEM vendors saw the value proposition. They saw the size of the “log management” pie, versus their own. Some actually realized that log management was really the entire pie, and the SEM tools were nothing more than whipped cream on top. They were the optional side of ice cream. They realized that nearly everything that customers wanted from their logs could come without correlation…could come without the high cost and troublesome deployment of SEM. And we welcomed the fresh blood - competition is good for our customers, and its great for our morale.

Old dogs can learn new tricks – just look at the new Windows phone. But there’s usually accompanying baggage that needs to be dealt with. For the SEM vendors, their baggage was that they’d spent years building tools that were designed to throw away data, saving only the very best nuggets for correlation and timely alerting. We on the other hand, had spent years hoarding data like a compulsive obsessive. And it has paid off.

We continue to focus on the backend. We do the flash stuff too of course, but when organizations like Comcast ask us to process a gazillion messages a second, we’re proud that our heritage is in solid, robust, scalable storage.

This week we released our latest class of hardware. On the appliances, we more than doubled the message rate capabilities. We quadrupled the number of devices each appliance can handle. We made reporting and searching that much faster...all while shrinking the environmental footprint of our appliances. Less power required. Less size equals less rack space required. Fewer boxes equals less heat created. But we grew in the areas that matter. More messages. More storage. More devices supported.

Every day we Loggies hear about yet another company entering the log management space. We hear about companies changing their names just to sound more “logging friendly”. They put a product on the street, making huge promises but then fail in the huge enterprise space. The car may look nice, but she’s got no zoom.

If you want to see clear differentiation…if you want to see why we’re still focused on hoarding data, then put the competitors side by side. Do your proof of concepts together. Run your alerts and your reports and your forensic searches together. You’ll see why Loglogic doesn’t just collect log messages, we obsessively collect ALL log messages so we can smartly add the business intelligence you need.

LMI: Log Management and Intelligence. We do it bigger. We do it faster. And we do it better. By design.

Oldest trick in the book. Put up a sign that says “Free Beer” and it’s guaranteed you’ll catch the attention of the masses. Well, we’re giving something away that’s even better than free beer…how about free money? One thousand dollars to be precise.

Every LogLogic customer has a great story to tell and we want to hear yours…and your story could win you a cool grand!

Send us your detailed story about how LogLogic helped you overcome a difficult challenge in your IT environment, identify a serious breach, achieve critical regulatory compliance, or save your organization time and money. You all rely on LogLogic every day to keep your companies secure and compliant, and we want to hear about your real-world experiences in the trenches and on the front-lines of your IT environments.

Whether you’re benefiting from our log management, security event management, compliance management, or database security management solutions, we want to pay you a thousand bucks for your story. Check out some of our existing customer success stories to help get your creative juices flowing.

Send us your LogLogic stories no later than March 15th. A panel of LogLogic judges will read your submissions and select the two best stories, who will each win one thousand dollars!

You can find details about our “Tell Us Your Story” contest by visiting http://www.loglogic.com/tellusyourstory/

Do yourself a favor and send me your story. A thousand bucks will buy you a lot of beer, and everyone knows that nothing tastes better than free beer.

Oh, and while I’ve still got your attention, I’m stoked to announce that LogLogic made the finalists list in the Network Computing Awards for 2010, so do us a favor and visit the on-line awards page to cast your vote for LogLogic in the Testing & Monitoring Product of the Year category.