VMware vCloud Director Support
To quote BusinessWire, we’ve just announced another world first. At VM World today we announced our support for VMware vCloud Director in LogLogic 5. Want to see it in action? Press play below…
Posted by Andy Morris on August 31, 2010 in Cloud Computing , Innovation , LogLogic News , SaaS , Security | Permalink | Comments (0)
Open Standards: Not everyone gets it
By Bill Roth, CMO
In a recent article, our competitor LogRhythm commented on our technology plans which indicated either they don’t understand what we’re doing, or that they think what we’re trying to do will threaten the status quo - and their business.
LogRhythm’s VP of Marketing said the following:
“The idea of a standardized protocol for transporting and storing log data sounds good in theory, but it’s unrealistic given the hundreds of different types of log sources and vendors. A standard like this does more to benefit the vendor than it does the end customer, from both a technological and marketing standpoint," he added. "Standardization would make it easier for the log management or SIEM vendor, but the positive impact on the end customer is hard to see given the widespread collection and transportation capabilities that exist today."
We think the exact opposite.
The Security Information and Event Management SIEM industry needs more standardization not less. As markets mature, they all tend towards open standards. Open standards ensure that customers are free from being locked in to any one vendor, or any one proprietary technology. Additionally, standards provide a way for the consumers to provide input to the technology that they actually use. Standards also make sure there is a level playing field so no one vendor can dominate an industry. The open competition that standards encourage is good. They ensure that the consumers get the technology that they want at a reasonable price.
Consider the work done on CORBA standardization in the early ‘90s, and the standardization that continues to happen with the Java Platform. The Java Platform is an object lesson. Companies like IBM and Oracle were initially opposed to the standardization of Java on the server, in the form of J2EE, because they had large investments in their proprietary application server product lines. But as customers started clamoring for the kind of openness that standardization brings, both IBM and Oracle became licensees of the technology, as did nearly 50 other companies who signed on as licensees of the technology.
As Mark Twain said, “History doesn’t repeat itself, but it does rhyme.” Our path for the ULDP will not be an exact match to the J2EE experience. But we will take an open, community-based approach to developing our standard.
If only the rest of the industry would do the same.
LogRhythm and other competitors obviously benefit from having proprietary technology that essentially locks in their customers to a specific vendor. Take for example ArcSight’s putative “standard” Common Event Format, or CEF. While this looks like an open standard, in reality it is clearly copyrighted and there is no mention of a neutral standards body.
Clearly LogRhythm does not understand what we’re doing here, or does not want to understand. Standards necessarily create a level playing field among the vendors, and force those companies to compete on the features that matter to consumers: ease of use, scalability, and price.
The history of the last 30-years in the computer industry clearly illustrates the benefits of open standards. We believe that the creation of the ULDP will be a positive step forward for the SIEM industry and is something we’re excited to champion. And to share.
Posted by Andy Morris on August 23, 2010 in Innovation , LogEd | Permalink | Comments (0)
LogLogic 5.0: And it keeps on getting better.
By Dimitri McKay
LogLogic 5 has been years in the making and I’ve been privileged to play with, kick at and test numerous iterations of it since its inception.
The task of building 5 began with a complete back-end overhaul, as we built out the industry’s most scalable IT data platform. This may sound easy, but being able to get massive amounts of data, and clearly see (or translate from machine bleeps to human linguistics) that data, and then use this haystack of facts, is a lot more difficult than you might think. Bringing in upwards of 150,000 MPS, indexing, parsing, enriching, and then using this new insight to search, report and alert in real-time is a massive undertaking. Especially when you scale this across an infinite number of appliances. Map Reduce technology is clever, but speaking to, working with and rendering reports, alerts and searches across a vast array of hardware still takes effort. Remember, we have customers that regularly generate more than 50 billion IT events each day, and they rely on us to interpret that in real time and make it meaningful to them.
That said, I’m going to ignore the back-end and present my top 3 list of front-end features new in 5. I think you will agree they demonstrate a huge leap forward in logging and IT data management technology.
- 1) The Sex
- First up, the GUI - time for more sex appeal. The LogLogic GUI was of particular interest to me, as frankly it hadn’t changed since version 1.0. Sure we’d done some minor updates (added to the sidebar, reorganized some stuff), and to those with experience, it all made sense - there was method to our madness and reviewers regularly gave us 5 stars for “really cutting to the heart of things.” But for those stepping in for the first time, well, we needed to show you a little more TLC. We’ve known this for some time, but for the front-end that we had in mind, we first required that back-end work I talked about. Sure we could have just put lipstick on our stuff, but that’s a tactic we’ll leave to others.
- The LogLogic 5 GUI has been completely redesigned with you in mind: consolidation, use cases, intuition - we threw the kitchen sink at it. To achieve our goal we brought in a group of UI designers who’ve built many of the interfaces you and I use every day in common products. These guys are experts. They spent months interviewing customers, identifying top use cases, understanding not only what our product did, but how people use it. And with that, they designed a UI that was not only a user interface, but a workflow engine. And they did so without adding dozens of annoying pop up windows (something else we’ll leave to others). What we now have is indisputably the best forensics workflow solution available. Anywhere.
- 2) The Insight
- Second on my list of awesomeness is the new Log Labels feature. Like the interface story above requiring a better back-end, the story of Log Labels is in two parts.
- Several years ago we invented the index search for log data. And it was hugely successful. So much so that at least one other vendor in the log management space went and built an entire business out of it. Ours was fast. It was mean. And just like everybody else’s it was dumb. It didn’t understand the data it was indexing. It just indexed as much as possible for ultra fast search. And as a slick search tool, it certainly got the job done. So now for part two, where for the second time, we re-invent IT data searching.
- For awhile now, customers have been asking for a way to create custom parsers, but we stepped back and asked “is it parsers that you really want, or are you trying to add business intelligence to your existing logs?” And as it turns out, that was THE question. Enter Log Labels. Here is a feature that gives our customers the capability they’ve been asking for, without requiring a BSc in Development (something else we’ll leave to the competition). What we’ve created is a way for businesses to interpret their own IT data in a way that makes sense from their unique view point. We know other vendors describe possible solutions to this problem as “very complicated” or even worse, “solvable with professional services” (code for “very expensive with no guaranteed outcome”). So we went the other way. As my father always said, “K.I.S.S” - keep it simple, stupid. And we did just that. We KISSed our Log Labels feature. It’s the next step in evolution from indexing. It adds intelligence to unstructured data. It’s GUI-based. It’s simple to use. It does not require 6 months of professional services. And it’s built into 5 for free. Everyone say Yay!
- 3) The Time Saver
- Lastly, I’m psyched about Policy Based Grouping. I know it seems like just a little thing, but when you actually start to peel it back, it makes perfect sense for our target market (think really really big players). Let me give you a few examples.
- PCI Compliance: customers who have to adhere to PCI often segregate their networks and apply the PCI controls only to that specific subnet, which makes perfect sense. But what if you’re logging your entire network, but only want to see specific reports, alerts or searches from a specific subnet? Well, LogLogic can create a dynamic group that will add devices to that specific group as they come online. This automation cuts down administration for our customers tenfold.
- Another example? You want to see all firewalls worldwide, but those firewalls are from a handful of different vendors. However, the naming convention all matches a specific standard. You can now create a dynamic group to add all devices with that naming convention worldwide. One shot deal. Job done.
So to all of our customers, you’ll get LogLogic 5 with your current support agreement. No extra charge. No additional cost. No reason to wipe your machine for a clean install. Easy-peasy.
For those who want to see how to consolidate your IT data, get visibility into, and act on events from all of your network devices, operating systems, custom applications, and more...sign up to receive detailed information. We’ll show you how it gets done. The right way.
Posted by Andy Morris on August 18, 2010 in Dimitri , Innovation , LogEd | Permalink | Comments (0)
Bilski, the Supreme Court, and Lost
By Barbara Rogan, LogLogic General Counsel
Well, we finally have an answer from the Supreme Court in the Bilski case, but frankly I feel like I’ve just finished watching an episode of Lost. Why? The Supreme Court decision answered one question but raised many more questions – at least for technology companies.
The Bilski decision upholds business process patents. Foes of business process patents had been advocating that the Supreme Court use this opportunity to declare all business process patents invalid. The Court declined to do so.
However, the Court did not rule on technology patents, software patents, or Internet patents. In fact, the Bilski decision leaves some key questions open for these types of patents.
Why? Please bear with me for a sec for some (very quick- I promise!) legal analysis…
The Supreme Court ruled that Mr. Bilski did not have a patentable invention because his invention was too abstract and they rejected Mr. Bilski’s exultations to expand the process patent universe.*
The Majority Opinion of the Supreme Court upheld using Federal Circuit’s test as a very valuable tool for determining whether any process is patentable. The test is the so-called “Machine or Transformation Test.”
The Machine or Transformation test boils down to this: Does the process concern the operation of a particular machine or apparatus or does it effect a transformation of matter into a different state or thing? If the answer to either of these questions is “yes” then you have patentable subject matter.
If the answer is no to both, then you probably have an abstract idea that is not patentable.
At the first read, this seems to make it clear that a machine is sufficient to make a process patentable. This would seem to make it clear that technology process inventions are all patentable as technology, almost by definition, requires the use of a machine.
But just using a machine is not enough. The key detail of this ruling is that the Court said that the machine cannot just add “insignificant postsolution[sic] activity”.
In their brief before the Supreme Court, the US Government (the winning party) argued that using a general purpose machine (i.e. a calculator or a telephone) would not be sufficient for to turn an otherwise non-patentable process into a patentable process.
Would the Internet, a desktop computer, or even an iPad be considered a general purpose machine? If so, then processes where these technologies are integral would not be patentable. Indeed, many of my colleagues in the technology world are worried about this implication.
In Yahoo!’s Amicus Curiae brief, Yahoo! Worries that with the Machine or Transformation, processes which are carried out over the Internet (a general purpose series of machines) may fail this test, thus leaving out from patent protection all Internet based processes.
The concern expressed by Yahoo! is not just theoretical.
While the Bilski case was pending, the District Court in Northern California in Cybersource Corporation v. Retail Decisions, used the Machine or Transformation Test to rule in a patent infringement suit that a process patent was likely invalid because it utilized the Internet as its machine.
What about the Transformation option? The meaning of transformation as it applies to digital information has yet to be decided.
In oral arguments, Justice Sotomayor suggests that electronic signals may be a “substance” which would differentiate it from a pure process completed outside of a computer. Based on this reasoning, a viable argument could be made that the electronic processes transform the information from one type or state into another type or state. This would free digital technology patents from the need to be tied to a machine for the purposes of obtaining a patent. However this line of thinking did not make it to either the majority opinion or the concurring opinion.
What inventions might be still be patentable if they fail the Machine or Transformation Test? Supreme Court ruled that the Machine or Transformation Test is NOT the exclusive test.
The Supreme Court says there is a possibility of such inventions existing, but in the concurring opinion written by Justice Breyer, with Justice Scalia joining, the Justices indicate that the majority opinion should not be read as “suggest[ing] that many patentable processes lie beyond” the reach of the Machine or Transformation test.
So, while Bilski saved the day for process patents generally, Bilski left many open issues to be decided for technology process patents. We’ll be watching to see how the lower courts use Bilski in evaluating technology patents.
*Phew. As you may remember from my earlier blog post on this issue, I don’t want to spend my days at LogLogic making sure that all our critical business processes were patented.
Posted by Bill Roth on June 30, 2010 in Innovation , Legal Nerd | Permalink | Comments (0)
Free Appliance – Rush now before they’re all gone!
Actually you have to ignore the title of this blog. Sorry but there’s no such thing as a free lunch. We’re not now, nor do we have plans to ever give away our appliances – either as software, virtual or hardware.
What we are doing is allowing anyone who’s interested to download a tech preview of our latest 4.9 LX log management product. There are several reasons for doing this:
1) We just received feedback from our most recent customer survey and you asked for it
2) We are planning on releasing a full production-ready version of 5.0 in the future and wanted early feedback on how we perform in a VM sandbox
3) Customers asked for a version of our code that they could have in a test/trial/experimental network without having to pay $$ for a physical appliance
4) Partners asked for an appliance that they could play with, again without parting with the spondulicks (that’s Brit speak for hard cash)
5) Cloud vendors asked for it so they can build new business models
You should know that the free download is the full version of 4.9 but it’s limited to being a non-production version. The aim is to release an enterprise version just as soon as you’ve helped us define the parameters. To quote our recent press release “The LogLogic Log Management Virtual Appliances will be the market’s first full-service virtual log management solutions, offering enterprise-grade log data collection, search and storage capabilities for companies seeking to improve business operations, enhance security and meet strict compliance mandates.”
We’ve always claimed that we’re the clear leader in solving complex, distributed log management problems; this release is one of many steps we’re taking to further prove that claim.
You can join in on the fun and kick our appliance for free by visiting http://www.loglogic.com/Virtual-Appliance.
Posted by Andy Morris on June 02, 2010 in Cloud Computing , Innovation , Log Management & Intelligence , LogLogic News , SaaS | Permalink | Comments (0)
Activating Easter Eggs for Bigger, Faster, Better Appliances
Back in December, as you know because you’re an avid watcher of the log management space, we released our 4.9 software. At the time we claimed “40 new features,” “double the performance” and other headline grabbing claims – all of which of course were true!
What we didn’t tell you was that several of those features were Easter Eggs waiting in silence for something magnificent to happen.
It just did.
Today we announced an extension to our Log Management family of appliances. We’ve added 5 new machines that, in conjunction with the “eggs”, go like lightning. The top of the range appliance, the ST4020 has been clocked in the labs as consuming over 250,000 logs PER SECOND! That’s not just an improvement on the old, it’s a whole new class of beast.
We’ve tripled the amount of connectivity, quadrupled the amount of storage, quadrupled the raw processing power, tripled the memory, and managed to lower the TCO from dollars to cents in many of the metrics.
Click here to meet the new members of the family.
Posted by Andy Morris on February 15, 2010 in Innovation | Permalink | Comments (0)
The One Supreme Court Case You Should Pay Attention To This Session
In the High-Tech industry, the machinations of the US Supreme Court are, at best, fodder for dinner party trivia questions. There is one case on the Supreme Court docket this year that has the potential to change the way intellectual property protected in the United States, and have a major effect on the software companies who rely on the patent process. It could also have a devastating effect on innovation.
The case, known as ”Bilski v. Kappos” (AKA “In Re Bilski”), has to do with what subject matter can be protected by a patent. In this case, the inventors, Bernard L. Bilski and Rand Warsaw, filed a patent application for a process of hedging risk in energy contracts. The requirement is that invention must be “concrete” and” produce a useful result”.
The US Patent and Trademark Office (USPTO) rejected the inventors’ application, on the grounds that it was too ill-defined. In legal terms, the claimed invention was an un-patentable abstract idea. The inventors appealed to the patent appeals board, and this was rejected as well.
The inventors then appealed to Federal Court, which decided the case “en banc.” When an appeals court decides a case “en banc” this means that the entire appeals court, not just a subset of the sitting judges (which is the norm), writes the decision in the case. En banc decisions are typically reserved for the most important cases – cases where precedent setting law is likely to result.
The case affects a class of patents know as "business methods" patents. While business method patents have been around for a very long time (the Piggly-Wiggly supermarkets were founded based on a patented business process), the case State Street Bank v. Signature Financial Group in 1998, widened the scope for patenting of business processes.
Continue reading "The One Supreme Court Case You Should Pay Attention To This Session" »
Posted by Bill Roth on December 01, 2009 in Innovation , Legal Nerd , LogLogic News | Permalink | Comments (0)
What Bilski Means To High-Tech Companies
By Barbara Rogan, LogLogic General Counsel
While we all wait with bated breath for the decision of the Supreme Court in Bilski v. Kappos, I had a chance to ponder the impact this decision could have on LogLogic and other private technology start-ups.
If the Supremes decide that the Bilski “invention” is in fact patentable subject matter, as in-house counsel for an innovative technology company, I am going to be forced to spend a lot more of my time filing new patents.
Why? LogLogic is an innovative, start-up company and we can’t afford to let another company patent our business processes. Rather than just looking at getting patents for our core technology, I would then need to think about getting patents for all our businesses processes – how we handle RMA’s, how we handle technical support calls, etc.
While I won’t mind spending more time on patents, as a shareholder in LogLogic, I wonder if that is the best use of LogLogic’s engineers, product management, etc. time. I would rather that they spend their precious hours in the day innovating and creating the next generation of log management products and services or providing support and services to our loyal customers.
Yes, patents are important and our engineers at LogLogic should spend some time on patent applications. But if the Supreme Court widens the scope of patentable material to the extent that the Mr. Bilski and Mr. Warsaw ask, then we will need to think about protecting with a patent all of our business processes, lest someone else patent the process ahead of us.
What’s interesting is that most of the developed world does not offer patent protection for businesses processes. My question would be whether it would be better for US competitiveness to have such extensive patent protection?
I think not. Such extensive patent protection would inevitably lead to more legal wrangling. More discussions with patent trolls, er patent licensing firms and more payments of licensing fees. I would rather we spend our time innovating and competing globally, rather than rushing to the patent office every time we come up with a new business process.
Posted by Barbara Rogan on December 01, 2009 in Innovation , Legal Nerd | Permalink | Comments (0)
Gartner Says We’re Cool!
by Lex van den Berghe
LogLogic Customer Evangelist
For years, we've been drinking our own Kool-Aid, saying that log management is cool. It's more than just a check box on your list of regulatory compliance initiatives – at LogLogic we turn water into wine by collecting all sorts of information from every machine in your business and we make sense of it. Once you know what's in your logs, you can get a better idea of your security and operational posture. Just as business intelligence (BI) systems help enterprises make sense of endless streams of data, we take the Tower of Babel and translate it into one language.
If you don't believe me, check out Gartner's new report, "Cool Vendors in Storage Technology and Systems, 2009," published last Monday by a variety of Gartner analysts and researchers. The report says, "“Bandwidth reduction and greater safeguards against internal and external threats via log management will result in cost savings to the customer in time saved and threats avoided.”
We are the only log management and security company included. Why? Without log management, 30% of an enterprise's data would be lost. It would literally slip through the cracks. While other companies have focused on starting with the security perimeter to protect information assets, we have always focused on the "lowly log" as the root of the challenge, and that means collecting every single piece of information possible. How else would you get a comprehensive picture of what's happening to your data?
So, how do we store and help you search all of that information, which is often more than a terabyte of new data each day?
First, we've started with a Linux appliance that can be deployed on premise, as a managed service or even as a virtual appliance. From there, customers have a wide range of options and flexibility to use our compliance suites or build their own applications on top of our platform to gain back value from their logs. But, we didn't stop there. By building a solid logging foundation, you can monitor and manage security events, database activities and regulatory compliance for any industry. You can search for events just like you would search for information using Google, and you can do it in a fraction of the time it would take you to manually process this information or to deploy multiple solutions from multiple vendors.
The truth is, logging is cool. It's time to jump on the bandwagon if you haven't already – check out our latest article on the convergence of security information and event management (SIEM) and log management in Network World.
Posted by Lex Van den Berghe on April 01, 2009 in Innovation , Log Management & Intelligence , LogLogic News | Permalink | Comments (0)
From Native to Instrumented
According to Wikipedia:
To log is a verb derivative of the noun logbook; the verb form means to record in a logbook, and may have been coined in the 1820s. The term logbook itself stems from the practice of floating a stationary "log" (actually a wooden block attached to a reel via rope) to provide a fixed point of reference for the purpose of measuring a ship's speed (see Knot (speed)). Computer scientists adopted the verb to log circa 1963 to describe the systematic recording of specific types of data processing events.
Logs have been around since the dawn of computers. It's been used by computer scientists, IT administrators, security analysts and network operators to perform analysis, troubleshooting and forensics for over 45 years. In most cases, however, users refer to logs as pieces of information that devices and applications generate on their own. For example, routers and switches generate logs that detail their status and what they are doing. Firewalls generate logs showing the various connections passing through, or not. Operating systems and utilities generate logs to communicate accesses to different parts of the system. Web proxies generate logs to describe user surfing activities. These logs are what one would consider to be "native logs."
One type of logs that users don't generally talk about, or event consider, are logs that are generated by agents or systems monitoring network or applications. This type of logs is called "instrumented logs." The most well-known type of instrumented logs is probably IDS logs. IDS monitors the network and reports any attacks that are happening. These reported events are usually considered as logs. However, there are other types of "instrumented logs" that users don't normally consider as logs. For example, most of the application performance management (APM) tools use agents or other means to retrieve information or statistics from various applications. These information are then sent to a central server for processing. In most cases, these information are not considered to be logs, but they do fit the definition of "systematic recording of specific types of data processing events."
Another example of instrumented logs are what Adrian Lane discussed in his blog post "Database Activity Monitoring & Event Collection Options." In this post, he mentioned several methods that monitor monitor database activities via sensors that either monitor the OS stack or the database memory. All of these methods generate "instrumented logs" that are sent to a central server for archival and analysis.
At the end of the day, whether it's "native" or "instrumented" logs, they are still pieces of valuable information that must be collected, archived, and analyzed. Also, the way these logs are analyzed are the same regardless whether it's "native" or "instrumented." As Jon Oltsik said,
In today's dangerous security landscape, no data is considered "noise" anymore. Rather, security analysts now want access to terabytes of historical data for analysis. Furthermore, this underlying data has become more complex..
.
.It means collecting, normalizing, and storing a ton of data. It means sophisticated algorithms and processor-intensive query engines.
As sophisticated enterprises move up the stack (Network to OS to Applications) in their log management projects, we will likely see more and more of the log data come from sensors instrumenting the applications. This type of "instrumented" logs provide another rich set of information, sometimes richer in information compare to their "native" counterparts. Existing log management and security event management solutions can then take advantage of this set of information for compliance management, threat management and fraud detection.
Posted by on January 23, 2009 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Logging Poll #9 Analysis: Log Protection and Security
This is the analysis of my last poll; the responses are here and also below.
First, the most obvious conclusion: people still don't care much about log security; I am saying that since this was BY FAR the least popular of my polls. Only 24 people responded, so everything below is pretty unscientific. A good way to explain it: look at the recent media? Do these people care about their key business data and their customer data security? Nope. So, how do we make them care about securing their log data?
Second, it is entirely unsurprising that 83% of respondents want "Authenticated access to log server." In fact, I'd opine that 100% of people want authenticated access to any of their servers :-) But, this was my "red herring" to set the baseline for the rest of the questions...
However, this is where the buck stops: other security measures are notably less popular.
Third, "Logging all access to logs" is my favorite and I am happy to see it reported as popular. But do people really do it? Do you log access to log server OR log access to actual logs? Think about it... I suspect a lot of people who do the latter still answered "yes" to this question. So, does your system allow you to log all access to log data? If not, get LogLogic! :-)
Fourth, "Reliable / acknowledged network transfer of log data" and "Encryption of log data in transit " are two true "no-brainer" security features; they took the next spot at 45% and 50% of those who answered. They are simple, they are easy, they make sense - and, obviously, they don't make logs entirely secure so you need to do more. Why only 50%? Where is THE OTHER 50%?!
Fifth, "all things crypto" are below 40%. "Cryptographic hashing of stored logs", "Cryptographic signing of stored log data" and "Encryption of stored log data" all hover at around 30%. I attribute them to general disregard of log security AND reliance on "system security" (separate server, etc) over "data security" measures for log protection.
Finally, I am embarrassed to admit that I missed the obvious security measure: "Separate server for logging, not accessible from the Internet." Happily, one of my readers added this using "Other security measures" choice. Indeed, this is a good point - and a good idea to do it. Another option mentioned there was "Destroy old logs." Indeed, it helps log security by preventing unauthorized access to logs.
Possibly related posts:
Posted by on September 05, 2008 in Innovation , Log Management & Intelligence , Risk Management , Security | Permalink | Comments (0)
Anton Logging Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis
Following the new "tradition" of posting tips of the week, I decided to follow along and join the initiative.
So, after a long delay, Anton Logging Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis
CISecurity guide for VMWare (here) and DISA STIG for virtual machines (here) both mandate collection and analysis of VM platform logs; none goes into enough details on what to look for in logs. Let's try to shed some light on security-focused log analysis of VMWare ESX v. 3.x logs.
First, at least until ESXi becomes the default choice, one needs to keep in mind that ESX has "Linux-inside" and thus diving into /var/log will not reveal any "alien technology" (well, not much of it :-)). However, one of the most useful logs is /var/log/hostd.N which is not a descendant of Linux standard logs. Extensive VM event records are written into this file.
Let's focus on various types of logins to the ESX platform and identify logs that indicate a successful and failed attempts to log in. Here are a few useful examples to analyze:
Successful logins:
- May 30 09:20:42 esx2 su(pam_unix)[9405]: session opened for user root by jhonny(uid=1626)
This is a classic Linux root login message; you can watch for these by searching VMWare ESX logs for "session AND opened AND user AND root." Notice the user name of the user who switched to root.
- May 30 09:20:34 esx2 sshd(pam_unix)[9364]: session opened for user jhonny by (uid=0)
This is also a classic Linux message for a normal (non-root) user login.
- [2008-05-25 06:57:48.774 'ha-eventmgr' 111639472 info] Event 40645 : User jhonny@1.1.1.1 logged in
This is a VMWare -specific application login to ESX. You can track such events by username, by event ID or by keywords "event AND logged AND user" (if you are using search)
Failed logins:
- May 30 09:20:31 esx2 sshd[9356]: Failed password for jhonny from 1.1.1.1 port 54773 ssh2
Another classic Linux message from the ESX system; a failure to login due to incorrect password.
- May 27 12:06:59 esx2 sshd[4756]: Failed password for illegal user jonny from 1.1.1.1 port 30594 ssh2
A message indicating a failure to login due to incorrect username (note a typo).
- May 25 07:03:48 esx1 sudo: jhonny : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/bash
This ESX Linux platform message should also be familiar to Linux/Unix admins: it indicates multiple sudo password failures; look for such messages in the logs.
BTW, do you need to be reminded to track NOT only failed, but also successful login events?! This applies to virtual as well as physical environments.
Overall, you must prepare for the future by learning to analyze VMWare logs, just like you handled "legacy OS", such as Linux/Unix and Windows.
As I said before, I am tagging all the tips on my del.icio.us feed; here is the link: All Security Tips of the Day.
Posted by on August 27, 2008 in Innovation , Log Management & Intelligence , Security | Permalink | Comments (0)
Even More Critical Logging Questions - Answered
I recently did this webcast on logging for accountability (slides and recording here) and people asked a lot of good questions. Here are some of the answers for them as well as our blog readers.
Q1: How do you handle variety of log sources? There are so many, almost beyond my capability.
A1: Sorry to ponder the meaning of "is" here, but what is meant by "handle"? It is really not that hard to collect logs from a large number of diverse sources, given the right tools (as long as the logs can be delivered via syslog or grabbed as files). Now, there will certainly be challenges when the volume of logs gets large, but if by "handle" you mean "collect + store", it is really not that hard, again, given the right tools. Now, if "handle" means "make sense of what all those logs are trying to tell you," it is a different story altogether. It is indeed pretty hard to extract the meaning of all those logs automatically.
Q2: You talked about the importance of logging; however for an intermediate or novice admin what are the starting steps .. what are the minimal logs they should start at once?
A2: Answered in "Log Management - Day 1" If you want a simple list of logging things to "enable today," I cannot really answer it since I know neither your needs, nor your environment. Remember, "requirements first - tools second!"
Q3: What regulations, rules or guidance exist regarding sharing or visibility of logs to users?
A3: PCI DSS says in Requirement 10.5: "Secure audit trails so they cannot be altered.
10.5.1 Limit viewing of audit trails to those with a job-related need
10.5.2 Protect audit trail files from unauthorized modifications"
NIST guidance for FISMA also says something similar (for example, look in NIST 800-92 doc). Overall, log protection and security are mentioned in many other regulations as well, all the way to ISO and COBIT.
Q4: How I can learn what exactly I need to log?
A4: Let me answer "how can I learn" part and not the "what exactly I need to log part," as it is actually answerable (also see discussion on "MUST-DO Logging for PCI?") . To learn what you need to log, first ask "Why?" (and then see this) - basically establish what you want to accomplish with logs, then catalogue your systems, then figure how to tweak the logging knobs - and then actually go and tweak them.
Q5: What is "more control" and what is "less control" that you mention in the webcast? Can you give an example?
A5: OK, I did say that "sometimes when you implement more controls, you actually have less control." What do I mean? If you buy a firewall (a network security control) and then - over time, of course - configure it with 7800 rules (!) that are supposed to give you control over who can and cannot access your network, you will not gain control over your environment. You will actually be less in control of who is touching your network, compared to, say, having only 20 rules.
Q6: What about mandated NIST controls for government systems? Auditing is a specific control for Moderate and High risk systems. What list of events do you recommend for auditing?
A6: This is too long to answer here, but NIST 800-92 Guide is a really good source of such info ("Guide to Computer Security Log Management [PDF]") Also, see my presentation on NIST 800-92 Guide in the Real World.
Q7: The issue that many organizations get stuck on is the monitoring process, and defining what exceptions to monitor for? Is there guidance for this? How much of it is system specific and how much is applicable generally to all systems?
A7: I outlined some general ideas back in 2004 via this presentation; it is mostly general, but also has pointers to specific system. Keep in mind that it is focused on security, not operational monitoring (which is often no less important - in fact, often MORE important).
Enjoy! Sorry for being brief with some of the answers.
Other questions that I answered in the past:
Posted by on August 07, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Tomorrow's Logging Problems - Part II
I would like to continue the discussion I started in my previous post called "Today's Logging Problems - Then Future Problems - Part I." Specifically, upon outlining some problems with logging, I will now forecast what will happen with them in 18-24 months.
- Which problems will be solved and forgotten?
- Which ones will simply go away?
- Which ones will persist and in fact increase?
- Finally, which new ones might emerge?
First, I'll predict that "Not knowing what to log" problem will be mostly solved in 18-24 months; at least as far as major regulations go, people will have a pretty good idea a) what the auditors want them to log (and review!) b) what they need to log for solving their problems. Now, esoteric log sources and custom application might still present a challenge from that point of view, but for basic "staples" (firewall, network gear, major OS) the mystery will be over (again, see "Tell me EXACTLY what to log for PCI?" for some reference)
Next, the problem of "Log volume" will definitely get worse, much worse. One might think that 100,000 each second is a lot of log - but there WILL BE more at many companies! Big application log explosion is coming, fueled by the need to address logging in areas where such motivation was lacking before (basically, custom and vertical applications) as well as harness the power of "uncommon" logs for such tasks as fraud analysis or SOA monitoring. Keep in mind that even though in some areas logging is not a preferred way of monitoring and auditing activities (see this discussion on database logs here), application logging will still explode on us ...
The problem of "Log diversity" (the fact that most logs all look different in format and meaning) will get worse before it will get better - and better it WILL get since standards are being developed. We will see people struggling with all sorts of bizarre log data in the coming years. Virtualization (on logs and VM), web services and SOA, various ERP applications and even cloud services will increase the diversity of logging in the coming years.
Similar to the above, a problem of "Bad logs" (ones that are subjective, miss key information, require groping for a crystal ball to understand, turn log analysis into a painful experience or are useless in some other way) will also follow the pattern of the above log diversity problems - it will get worse before it gets better (via the CEE standard effort that now covers the OpenXDAS effort as well!) I noticed that people started asked me questions about "how to do application logging right?" and "what to tell application developers about logging?" which almost never happened in the past. More on this in the future!
"Getting the logs" has gotten much easier in recent years; agentless collectors like Project Lasso (which, BTW, just got updated) and grabbing files remotely via secure protocols made application log collection easier (TCP syslog and buffering also helped). Next, Windows 2008 will make it MUCH easier for the whole Windows kingdom due to their use of web services. However, in the future it might resurface as we try to collect logs from unusual places, again, clouds come to mind as well as virtual environments (e.g. how do you get logs off a dormant VM?). What's the next frontier in this area? Log discovery - automatic finding and identifying log files on systems in order to analyze and retain them.
All this, however, pales in comparison with my favorite "uber-challenge", "Making sense of logs in an automated fashion" - this baby is definitely not going away in 2-3 years. Much more research is needed to make that "log->conclusion" jump automatically without head-scratching, invoking ancient deities and making wild guesses. Once there, we can attempt to reliably handle "proactive logging" (i.e. analyzing various failure or compromise precursors in logs and then predicting the future based on them), another Holy Grail of logging domain.
Anything new will emerge? Yes, I think awareness of the "Logging Gap" problem will grow. "Logging gap" happens when you combine "a need to log" with utter "inability to do so." For example, this will happen when people will know that they HAVE TO log, say, for compliance, but will have no way of doing it due to application or platform limitations. This will become one of the challenges and special "logging add-ons" will appear to close the logging gap and create additional logs where activity audit is desperately needed, but native logging is not helping to achieve it.
Also, I think people will finally wake up to "Log security" challenges - i.e. producing for use as evidence, compliance attestations, etc. Log security is not getting the attention it deserves, but I think this challenge will finally emerge in full force in the next 2-3 years. BTW, my next poll addresses that (vote)
Anything else I missed? Share away!
Related posts:
Posted by on August 06, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Today's Logging Problems - Then Future Problems - Part I
Remember my write-up about an ideal log management tool? Somebody asked me: "That's great that you have such a clear vision of a future log management technology - but tell me first what future business problems will such 'ideal tool of the future' solve?" First, I pointed at the fact that there are plenty of log-related problems today which we are not even close to solving. We need to solve the problems of today first, before we can get to solving the future problems.
So, what I consider to be the biggest log-related problems of today?
- Not knowing what to log - whether for compliance, tracking attackers or troubleshooting system problems. Remember all the comedy about "Tell me EXACTLY what to log for PCI?" If not, reread it!
- Log volume - there are too many log messages (seriously, 100,000 each second is a lot of log - but there is more at large companies!), and, which is worse, a lot of them are of unknown value to the users (might be useful, might not - but you never know in advance); thus, log clutter networks, systems and brains of security/system analysts.
- Log diversity - logs all look different (at least while standards are being developed) and no single person have the skill set to understand more than a few types. PIX admin groking SAP logs? No way!
- In light of the above, just pure bad logs are also a major challenge - logs that miss a key piece of info (like the infamous "login failed" without the username of the user failing to login) or are useless in some other way are sadly common.
- How about getting the logs from all the places where they are located (think application logs here) - it is a problem if you want to expand your operational awareness to applications.
- Finally (not really, the list can go on and on), making sense of logs in an automated fashion is still a #1 challenge (IMHO) - we are getting better creating tools for humans to go through logs (via reports and search), but log->conclusion process still requires a human, and a darn smart one.
Now, when you read the above think "end user", not "log management vendor" challenges. Along the same line, this picture from 4th SANS Log Management Survey shows how people perceive the logging challenges:
as well as my logging challenges poll (analysis here):
Now, let's think of logging problems of the near future, say in 2 years. But you'd have to wait for the next post for this :-)
Posted by on July 31, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Log Management Project - Day One
Inspired by this and this here (and this too). It started from this example, coming from another domain:
“You’re hired on at a new company placed in charge of securing their online business. You know next to nothing about the technical details of the infrastructure other than they have no existing web/software security program and a significant portion of the organizations revenues are generated through their websites.
What is the very first thing do on day 1?”
At about the same time, I saw a message posted to one of the mailing lists where the poster wondered: "I’ve been asked to look into finding a replacement to our current log management/auditing system. This is a field I haven’t even come close to touching before, and really don’t know the ideal things to look for (or ignore), etc. I’ve been searching through SANS site as well as googling, and I’m not coming up with a lot of great starter information. " And then he asks "Where should I start?"
This is indeed a really good question! Let's rephrase the above for the case of logging:
"You’re hired on at a new company placed in charge of TAKING CONTROL OVER THE LOGS. You know next to nothing about the technical details of the infrastructure other than they have no existing LOG MANAGEMENT process and tools... What is the very first thing do on day 1?”
So the "Day 1" of a log management project. What's up?!
The very first thought that should cross you mind before you even do whatever first thing you wanted to do is "WHY?"
"Log management" is a solution, not a problem. What is your problem that you now have a mandate to solve? In other words "Why log management for you?" Logs server way too many different purposes so that proceeding without asking "Why?" is dangerous.
What is it that motivated your boss (or his boss, or whoever) to decide to "address this", to "take control over logs?" Was it a new compliance mandate, PCI perhaps? Was it a recent incident where investigation hit the wall due to utter lack of logs? Was it a new corporation-wide IT efficiency improvement project? Was it a lawsuit where an e-discovery request was not satisfied and thus fine was levied? Was it a hot IT project that is impossible to complete without having a tool to analyze logs?
This "need" is very important since logging is a huge realm and not focusing on the need is akin to starting a journey into a hostile wilderness without a map - in other words, it might be fun for a while, but it will probably end badly.
Next, what do you actually do first? Figure out what logs are needed for this effort and what systems produce them (and who is responsible for them!) Analyzing SAP logs for J-SOX is a VERY different effort from analyzing Cisco ASA logs for network troubleshooting.
Only at this point you can start thinking about "tools:" parsers, logs, databases, reports, alerts, indexing and other technical things as well as capacity planning, scalability, etc. This is the stage where you learn the lingo and learn to cut through marketing messaging to get to the actual tool capabilities.
So, remember: given mandate to "tame the logging monster", think "WHY?" first!
Posted by on July 29, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Logging Poll #8 Analysis: Essential Log Context
In my poll #8, I asked a question: what information is most important when analyzing a particular log record. Live results are here and final count is also below:
What can we conclude?
First, good documentation never hurts - indeed, the most popular information to look for when facing a new log record is documentation on what it means. While some software vendors are great in this regard, many other don't bother documenting their logs or document them only when customers complain.
Second, I was not sure that the second popular choice would be "Other logs from about the same time (this and other systems)." This strongly points at huge value of cross-device log analysis (see this recent log entry on that), where all the logs are consolidated and analyzed together (it goes without saying that time is synchronized OR at least corrected across those logs). Indeed, if you are confused about a log and documentation is not available, reviewing "what else was/is going on?" is smart. Trusting log time stamps across many systems is also key for that.
Third, having IP addresses in logs is great, but human-readable names are better: IPs in logs needs to be mapped to DNS or Netbios names. Indeed, given that often such names reveal where the system is, who might own it, what its function is, etc this information is not just a mapping, but true log information enrichment.
Fourth, so, what's next? The above 3 top responses are indeed universally useful, but the next choice digs deeper: flows, packets, connections and other network information does complement logs and is often studied in combination with logs (e.g. see a strange log entry then go see who connected to the system at that time or where the system itself connected to).
Fifth, next comes a group of pretty much everything else: other logs from the same system, logs about the same system as well as loosely defined 'similar' log entries. These come handy, but are not top choices. In fact, from this I conclude that people think that A LOT of additional context information is needed to make sense of a confusing log entry.
Sixth, what was surprising? I thought that identity lookups (e.g. IP to real name or other user identity information) would score higher. I also suspect that people were confused by "logs ABOUT the same systems" (what I meant is, for example, use firewall logs that mention the system which log we are now analyzing) and this should score higher.
Seventh, anything fun in the "Other" category? Yes, there were a few insightful ones: first, results of a Google search (such as for the info from the log entry in question)! Very true indeed. Also named were logs from the same daemon/program (how can I miss it?), logs from previous incidents and information on the logging system owner. All very useful indeed. Thanks for good ideas!
Next poll coming up soon!
Past logging polls and their analysis:
Posted by on June 09, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Cross-Device-Type Log Management vs Device-Specific Log Management
Now, I have to first admit that, in general, dealing with logs on a device-specific basis is a utterly inefficient. What I mean here is when you gather Windows logs in one place, Linux logs in another place, database logs in yet another place; all in different formats, all in different systems not connected to each others, all managed by different people who don't talk to each other (and sometimes hate each other). Basically, this situation is "logs at their worst": all different, all disjointed and, as a result, all next to useless.
However, there are rare situations where you can choose device-specific log management approach without wasting time and money. For example, you might be motivated by the fact that tools that can handle one specific type of log data (e.g. Windows-only, web server-only or Cisco PIX-only) are usually many times less expensive than cross-device log management tools. The table below clarifies it:
| Use Case vs Approach | No log consolidation - logs remain on systems they are produced | Device-specific log consolidation and analysis | Cross-device log consolidation and analysis from all log sources |
| Alerting based on log strings (keywords) that indicate security or operational problems | Impossible or tremendously hard to manage across many systems | Acceptable - alerts on each log type are handled by different teams | Superior - all logs are available for analysis when the alert is triggered |
| Reviewing logs for troubleshooting server problems | Acceptable - server logs are sufficient for | Better - one can also look at logs from other similar servers | Better - but same as device-specific log analysis since only one type of logs needs to be reviewed |
| Log review for compliance with PCI DSS | Not acceptable - log management is mandated by Req 10 | Impossible or very inefficient - as many types of log data needs to be collected and reviewed | Optimal - all PCI relevant logs can be collected and reviewed in one system |
| Looking for records of a specific user activity | Impossible or tremendously hard since hundreds of systems might need to be searched | Inefficient - several different systems needs to be accessed to review all records of user's activities (and then data needs to be manually correlated) | Optimal - one query gives all traces of the user activity |
| Log review for incident response or forensics investigation | Impossible or tremendously hard since hundreds of systems might need to be searched for evidence | Inefficient - several different systems needs to be searches for evidence and then data manually correlated | Optimal - all log evidence can be found, reviewed and analyzed on one system, neither hundreds, nor several |
Also, while looking at logging tools, one needs to make a distinction between tools that can collect all sorts of logs but only allow you to analyze one log type at a time (e.g. sawmill) vs tools that can collect all sorts of logs AND allow you to analyze all of them together (e.g. LogLogic). The former tools still fall under "device-specific log management" despite their ability to gather hundreds of different log types.
The bottom line: in most cases, cross-device, uniform log management provides huge value, especially if your motivation for log management is compliance or incident response.
Posted by on June 02, 2008 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
More Log Management Questions Answered
I did this VERY fun webcast with WhiteHatWorld this week and a lot of good questions about log management came up. I am answering them here for my readers.
Q1: Is a preferred log management program to consolidate the log data and then allow us to review them?
A1: The answer is "Yes!" for a vast majority of use cases consolidating logs work better than the silo'ed approach. Also, this will be answered in a longer dedicated post within a few days.
Q2: Is it feasible to use a log management tool to try to determine whether application events / failures are being caused by infrastructure issues?
A2:Wow, fantastic question! The answer to this is "Yes, if you have the right logs collected." In most cases, to get to the bottom of such issues requires having BOTH application (e.g. PeopleSoft or Oracle) and infrastructure logs (e.g. Windows or Solaris).
Q3: What the typical retention schedule for logs which might be required logs for compliance issues?
A3: I wish I can give a simple answer for this, but there is none. Well, PCI DSS makes it simple: 1 year for logs from in-scope systems. Other regulations are not as clear and the numbers, or - more often! - guesses at such number range from 90 days to 7 years and more. 90 days to 1 year is a common retention policy for security (on the longer side of this range) and operationally (on the shorted side of this time range) useful logs. Check this out for a few ideas for long you might need the logs.
Q4: Once you have logged the events, what do you do with them?
A4: This question truly opens up a whole Universe of questions, issues, challenges, etc. But here is my attempt at a short answer: a) you collect the logs and now you can search through them in case you need (incident, system failure, etc) to b) you summarize them and notice the trends - overall know what is going in your environment c) you analyze them in real time to trigger alerts on "critical" log messages - failures, attacks, etc. See this slide deck for some useful pointers.
Q5: Why do I create a log policy?
A5: Log policy is a clear and simple document that show what you log on each system (and why): it helps you to configure logging across all the systems as well as helps to know what information you have in your environment (should an auditor ask, for example). A log policy also defines log retention, log review practices, etc. NIST 800-92 Guide to Security Log Management [PDF] is a good source of info on this subject.
Enjoy!
Posted by on May 23, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Anton Logging Tip of the Day #15: Fear and Loathing in Event 560 (and 562 and 567)
Following the new "tradition" of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.
So, Anton Logging Tip of the Day #15: Fear and Loathing in Event 560 (and 562 and 567)
This tip digs into a seemingly simple, but really VERY esoteric subject: monitoring file access and modification via a Windows event log. Now, some people - who never studied this subject - tend to have a very simplistic view of this: just enable Object Access auditing, then right-click on a file or directory, click Security->Advanced->Auditing and then pick what types of events will be logged and by what accessing entities (i.e. users or computers). OK, so this will produce some logs, that is for sure. But are they useful?
First, why are we doing this? We typically need to know the following when we audit file access in Windows (or any other OS for that matter) for security (monitoring and investigation) or compliance:
- Time/date
- Computer where it happened
- User who touched the file
- Application he used to access the file
- File name + location (directory, share, etc)
- Type of access (read, write, create, delete, etc)
- Status (i.e. success or failure)
Can we get this from the above logs? No.
What? No!?! Really?
Yes, really. We can get some of the above, some of the time, not all of the above, all of the time. Here is an example, we are looking at event ID 560 (picture) and then at an extract from its description field.
Event:
Description (selected field):
Object Server: Security
Object Type: File
Object Name: C:\0\TestBed\simple_text_file.txt
Image File Name: C:\WINDOWS\system32\notepad.exe
Primary User Name: Anton
Primary Domain: XXXXXX
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
WriteData (or AddFile)
AppendData (or AddSubdirectory or CreatePipeInstance)
ReadEA
WriteEA
ReadAttributes
WriteAttributes
WTH is that? Well, we know that the user 'Anton' has successfully read? wrote? changed attributes? did something? with a file named "C:\0\TestBed\simple_text_file.txt" using a program named "C:\WINDOWS\system32\notepad.exe." That's the best we can get, in this case! We may try to look at event IDs 562 and 567, but this missing information (i.e. the exact action performed) will not be added.
BTW, there will be a few more dozen (sometime hundreds!) of the 560s, 562s and 567s produced - all from just opening the text file in a notepad. The above event is notable for having BOTH "notepad" and "simple_text_file.txt" in the same event; others will have either of the two.
Anything else gets in the way? Yes, lots! MS Office will write to all files, even just opened for reading (with no user modifications to the content whatsoever), which will screw up your log monitoring efforts. If the file is on a share, more information will be missing (e.g. username might be).
So, how to use Windows event logs for file access tracking?
- Enable logging (as described above)
- Pick events 560 (most useful) and 562, 567 (useful too)
- Look for fun filenames that might be touched by the users (have a list of files and users handy)
- Figure out what programs were used to access them (this is called "Image File Name" in "WinLogSpeak")
- Ponder the 'Accesses' section of each event until your brain turns blue :-) or until you decide whether such access is authorized or not...
Overall, this is still very useful for file access monitoring, but the process is somewhat painful.
BTW, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.
Posted by on May 08, 2008 in Compliance , Innovation , Log Management & Intelligence , Security | Permalink | Comments (0)
Logging Poll #8 Context for Log Analysis
So, my next poll is up - and it is fun (but more technical): what information is most useful when trying to make sense of a log entry?
Vote here! Analysis will be posted here in a few weeks.
Past polls:
Posted by on May 05, 2008 in Innovation , Log Management & Intelligence , LogEd | Permalink | Comments (0)
Critical Log Management Questions - Answered!
Here are some interesting log management questions I got asked some time ago; reposting here for our blog readers.
Q1: For those companies that have successfully implemented enterprise-wide logging, what were the big nasty surprises that they encountered?
A1: Here are a few:
- political boundaries within the organization: "these are our logs, and you are not getting them"
- privacy laws: some logs cannot be collected in some countries; some cannot cross the border, some cannot be seen by some people, etc. This is true mostly in EU, less in US.
- legal blocks: work with legal before deploying any org-wide log management; legal might try to prevent certain data from ever being created (for fear of being legally discovered later)
- log volume: underestimating log volume is common and pretty nasty
- related to the last one: vendors being "optimistic" about their tool scalability
- time synchronization (of course!), specifically, lack thereof.
Q2: For those companies that have successfully implemented enterprise-wide logging, what was their implementation approach?
A2: Typically, 2-3 vendor PoC or pilot first. Then with the chosen vendor: phased approach based on location + type of log source (e.g. firewalls, then routers, then OS, then proxies, etc) + network topology (e.g. DMZ, then internal) + log source criticality (e.g. critical servers first; the rest next). This might be handy to look at.
Q3: What kind of storage requirements have been experienced by those organizations who have successfully implemented enterprise-wide logging?
A3: Massive? :-)
Here is a simple example: PCI DSS is a bit more aggressive than NERC since it mandates 1 year of log retention vs NERC 90 days, so: 1 year worth of logs is = 365 days x 24 hours x 3600 seconds x 1 (one!!!) busy firewall with 100 log messages each second x 200 bytes per message average (e.g. valid for PIX and ASA devices) = 588 gigabytes / year of raw log data uncompressed (assuming 10x compression you'd get about 60GB of compressed log data per year)
Store it in RDBMS? Multiple it by 2-3. Have an index? Add about 30%.
The bottom line is: terabyte is the unit to measure logs.
Q4: At the organizations that have successfully implemented enterprise-wide logging, how logging impacted network and system performance?
A4: Too broad a question, so here are a few pointers:
- logging affects performance much more on some types of systems compared to other types: most painful examples are databases where some people (can't find a link...sorry) report performance loss of up to 40% if logging all SELECT statements and other data retrieval commands (you need to log selectively on these); in other cases (e.g. web servers) there is no performance loss and logging is "always on"
- log collection: agents impact system performance (long post on this subject): a little when they run (everybody knows this) and A LOT when they crash (few people think about it - agent software memory leaks are not uncommon); unlike agents, remote agentless log collection barely affects system performance (unless you have one of the few esoteric cases)
- log transfer and network performance: look for compressed (logs compress really well), TCP-based transfers; syslogging over UDP uncompressed has a chance of doing a pipe saturation DoS on your network. Yes, people say "use a dedicated LAN," but this is definitely wishful thinking for many. Also, raw UDP syslog in large quantities over WAN = insanity :-)
Q5: What were some successful strategies for obtaining buy-in from system owners and operators in regards to turning logging on?
A5: OK, also too broad a question, but here are some pointers:
- provide them a useful service based on their logs (e.g. performance measurement, availability monitoring, compromise detection :-), or other security metrics, etc)
- help them with their compliance mandates (e.g. create reports that they can show to the auditors that "bug" them)
- give them tools to better solve their problems (e.g. allow access to a log management tool so that can investigate issues better, search the logs, check on their users, etc)
Q6: How the organizations that have successfully implemented enterprise-wide logging dealt with unusual devices (=log sources) that have no log management vendor support?
A6: They were in massive pain - if they choose a log management vendor wrong. You need to look for vendors that have "universal log source support" with NO requirement for a custom rules or custom collector/connector/agent development. LogLogic have generic text log collectors that can grab and analyze unknown logs. Typically this is done via some form of text indexing that works across all logs, including those from unknown, vertical, esoteric or custom-developed log sources
Hope it was useful!
Posted by on April 24, 2008 in Compliance , Innovation , Log Management & Intelligence , LogEd | Permalink | Comments (0)
From Log Apathy to Log Enlightenment
So, I was talking to this small log management vendor the other day and he confided to me that his product faces fierce competition in his target market (which is, important to note, small to medium companies with 10-100 systems): and this competition is apathy.
More specifically, his prospects either just blow him off by saying "pah, who needs logging!" or they profess their undying love of all things logging - and then still don't buy his product (which is priced, shall we say, "to go")
Admittedly - and somewhat tongue-in-cheek, these are the same companies that form the core of today's botnets (due to various reasons including their scarce resources) and enable RBN to deliver high-quality malicious services to criminal enterprises worldwide. Still, if you happen to have thoughts along the line of "who needs logs?" or "ah, logging? it will come later!", you really deserve a nice fat check from RBN and other malicious "hacking" syndicates since it is extremely likely that your overall attitude towards security is just as misguided...
But how to progress from such ... what was before the Stone Age? ... Sharpened Stick Age? to modernity? Most companies go through the following stages in regards to their logging:
- Deep log ignorance: "Logs? What are those?"
- Shallow log ignorance: "Later...later...later... #37 on the TODO list."
- Log collection: "We gather and store dead log data...cold."
- Log searching: "We will dig into the pile when we have to ... hopefully never!"
- Log analysis and reporting: "We know our logs - and what they mean"
(also see my post "Natural Flow of Log Management" for some specifics)
Of course, compliance (PCI DSS and others) helped move people from 1. and 2. to 3., but, sadly, people often get stuck at 3. (just collection) or 4. (collection + maybe search) and never progress to Logging Enlightenment of 5.
Yes, PCI DSS and other regulations mandate not just log collection, not just dead cold log storage, but also log review (daily, in case of PCI DSS Requirement 10), but "review" happens to be the item that gets overlooked all too often.
Why is that?
I think the reason is that log analysis is still too hard and still not automated enough for an average organization. Yes, I did see some corporations that built their own log analysis systems that - surprise! - exceeded the best available from the vendors [at the time]. However, a typical company IT department would not have Ph.D. poring through hardcore text mining research papers in order to improve their home-grown log analysis AI. They expect the vendors to eat the logs, chew on them for a bit - and then spit out the answers.
Are we there yet? No, but we will be!!!
Posted by on April 22, 2008 in Compliance , Innovation , Log Management & Intelligence , Security | Permalink | Comments (0)
RSA 2008 Summary
So, RSA 2008 has come and gone. Now that everybody has recovered from the information overflow, it is time for summaries and reflections. Before we begin, go read my RSA Impressions (Part 1,2,3,4). Next, read what others said about RSA 2008 (via my del.icio.us feed). Then reflect on past RSA shows (2006, 2007).
Ready now?
First, what was the theme? Unlike in the past, I personally couldn't pick any. The candidates were GRC (and compliance + risk management) , DLP (and other data-leak/-theft technologies), IAM (and identity enablement), but none quite measured up to being a show "theme."
What I saw too much off? Even though their numbers have shrunk, I still saw too many NAC vendors there (Lockdown, here we come!). One of my friends joked that there were more "GRC vendors" than NAC vendors, but both were in low enough numbers to make it a trend. As far as loud noises back from RSA 2007, "identity-driven this or that for security" was still very visible. What is also bizarre is that people still start log management companies. I saw a couple of new ones - amazing, isn't it? Yes, it is a hot space, but come on! Accept that LogLogic is the leader and be done with it :-)
Overblown messages? "Information-centricity." It was cool and hot :-) and new when Hoff said it. But when it trickled down to keynotes of some "trailing edge" vendor executive, it became boring and stale. And, while we talk about "information centricity" people must still worry about "A" (availability) first (see this discussion).
What I didn't see enough of? VOIP security. Somehow this previously hot trend is quieted down. Also, I saw a lot of web application security vendors, but I think that is still not enough as this is an area with a raging fire, not just "some hotness." Also, I expected to see more vendors messaging around (and, actually helping with!) fraud. Dan Geer's Verdasys kinda mentioned that, but pretty much in passing. Is fraud handled outside of security (and thus out of RSA)? I am not sure.
What I didn't see at all? I didn't see much "market consolidation" - no huge deals, no vendors of note "taken out", etc. Still a huge number of security companies around ... some with products that seem deeply out of touch with today's threat landscape. One of the speakers said that nowadays "no single security pure-play expected to change the world", but it sure seems like many will try! Along the same line, Mike R said that such shows are 18-24 months ahead of what "normal" people deploy. This might explain the VOIP and other missing items.
As I said before, "consumerization" of IT - i.e. IT infrastructure, servers, laptops, storage, services, computing resources, applications, etc provisioned outside of IT departments was an elephant in the room. It is not simply "unmanaged IT" or "consumer-grade IT for business", it is the whole "not-IT-department IT" phenomenon. Yes, via mashups it even includes "non-IT application development" (read this fun 451Group report on that). Security implications of this are nothing short of ginormous.
In light of this, I liked how one presenter said this: "we lost the desktop" - meaning "1/3 is managed by users [not IT], 1/3 is unmanaged and 1/3 is compromised/ "managed" by hackers." Sad but true... Dave Aitel used to joke how in the future banks will have to "re-compromise" your PC so that some temporary security can be established for you to transact business with them. Are such horrifying times upon us already? Maybe desktop virtualization will help with this ...
Overall, RSA 2008 show was an enjoyable, enlightening and thought-provoking experience, as usual. I've heard it was the same even for people who didn't attend a single presentation - indeed, RSA is about people, not slides...
See you next year at RSA 2009!
Posted by on April 16, 2008 in Compliance , Innovation , Log Management & Intelligence , Risk Management , Security | Permalink | Comments (0)
On Trusting Log Timestamps
It is about time: specifically, timing logs. As I said in my Log Trust and Protecting Logs from Admins posts, the issue of trust is critical in the logging world. After all, logs = accountability; and the latter in unthinkable without trust. If we are to at least pretend that logs objectively record events and user actions, we need to unambiguously establish WHAT happened and WHEN. This post deals with the 'WHEN' issue.
So, can we trust that the time stamp in the log file or the one added by the log management system correctly describes when the recorded event actually happened?
We will start from locating the timestamps in logs. Most of the log formats, such as file-based logs (web servers and proxies, various application, some security gear, etc) and syslog, Windows event logs, database audit tables, etc contain a timestamp. Here are a few examples:
- Mar 20 10:03:47
- 19/Mar/2006:04:27:33 -0800
- Sun Mar 19 04:45:19 2006
In fact, once I saw somebody use a timestamp to define logs as "timed records of IT activity." So, time is critical for logs being, well, logs :-) At this point it is worthwhile to note that file-based logs will contain a timestamp IN the file, while syslog records arriving over the UDP or TCP port 514 connection are usually timestamped upon arrival BY the syslog daemon (using its own "knowledge" of time) - and then it shows up in the syslog files in /var/log.
Let's assess whether this "in-log timestamp" provides an adequate way of timing the actual events that are being logged. Answering this question is important for investigations and troubleshooting, but becomes nearly a matter of life and death in case of log forensics. Here are some fun cases and issues to consider:
First, what are the chances of a completely false timestamp in logs (BTW, today is Jan 1, 1970!) When might that happen? Typically when a logging system own clock is reset or not set correctly. This timestamp clearly should NOT be trusted. How do you then time this event? This is a separate story that will be discussed some other time...
Second, it’s always 5PM somewhere: in other words, what time zone are your logs in? EST? PDT? GMT? UTC? Or any of more than 24 other possibilities. If you have no idea, you should not trust the timestamp.
Third, are you in drift? Is your system clock? Those pesky drift seconds turn into minutes that then work to undermine the accuracy of timing the records (and thus your certainly and trust in evidence quality)
Fourth, syslog forwarder mysteries are plenty: some of the syslog messages will be delayed in transit and then be timestamped by the final recipient daemon, thus completely losing when the event was originally logged. Admittedly, this delayed syslog messages are rare, but as more people employ buffering syslog daemons (e.g. syslog-ng), it might happen more often.
Fifth, more esoteric, but still real (and really annoying!): some system logs will contain two timestamps. If you don't possess in-depth knowledge of this specific log, confusion has a chance to undermine the trust as well (so, which timestamp should I use?)
Sixth, most people will not think that they will fall to something that stupid: 24 vs 12 hour time. However, when facing an unknown (and poorly designed!) log format, beware that 5:17 might well be 17:17...
Finally, if you know that something got logged at 5:17AM, then when did it happen? Beware of "Log lag!" This issue is actually too tricky to give it justice here... The simplest example is when the process leaves a log record when it exits, not when it starts, which might happen days earlier (thus creating a log lag).
As we dive into more issues with timing logs, we also need to think about sequence timing and absolute timing. Sequence of logged events is a critical fact! Miss the sequence and the whole “house of cards” goes … But! Absolute time is also important! Can we be assured of both being correct all the time? (hint: no)
So, when you look at logs next time and you see a timestamp there - start thinking about all of this :-)
Posted by on April 04, 2008 in Innovation , Log Management & Intelligence , Risk Management , Security | Permalink | Comments (0)
Anton Logging Tip of the Day #14: More access_log Fun: What Are You Not GETting?
Following the tradition of posting a tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.
So, Anton Logging Tip of the Week #14: More access_log Fun: What Are You Not GETting?
In this tip, we will look at some bizarre artifacts that show up in web server access logs today. Here we have a production log from an Apache web server that is full of interesting (and sometimes ominous!) little mysteries that we will investigate in order to determine their impact on security and operational health of the site.
Logs do contain more mysteries than we have time, so we will focus on a few of them: specifically, unusual web request methods. Let's see who is trying to POST or use some other method (OPTIONS, HEAD, PUT or something - see a list here) on our site, instead of just GET'ting the content (GET command is used by web browsers to retrieve the pages, while POST is used to upload content, press buttons, etc - at least in "web 1.0" land - see earlier tip #12 where POST request was found in proxy logs)
Here is one little artifact that attracted my attention due to a POST request vs a web forum as well as a battery of slashes (which actually increases in subsequent request - of which there were many)
10.10.102.250 - - [12/Feb/2008:16:10:50 -0500] "POST /phpBB3////ucp.php?mode=register&sid=e5efaa77a777066c61f71808e9e57b19 HTTP/1.0" 200 14397 http://www.example.com/phpBB3///ucp.php?mode=confirm&id=7640df05c7e24b7acf7a68800fe6dc59&type=1&sid=e5efaa77a777066c61f71808e9e57b19 "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2) Gecko/20021126"
... more...
10.10.102.250 - - [12/Feb/2008:16:12:29 -0500] "POST /phpBB3///////////////ucp.php?mode=login&sid=e5efaa77a777066c61f71808e9e57b19 HTTP/1.0" 200 9355 "http://www.example.com/phpBB3//////////////ucp.php?mode=login&sid=e5efaa77a777066c61f71808e9e57b19" "Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2) Gecko/20021126"
This one really is a mystery; what do we know about it? The server responded to the request OK (code 200), so the POST actually happened. The first request was a request to register with a web discussion board and the second was a request to login. Multiple slashes are actually ignored by the web server, so why put them in the request (no answer)? Also, I think that the User-Agent is spoofed ... do you know why? Finally, if I see something like that in my logs, I will definitely investigate it, primarily due to the fact that Apache responded with 200 OK code.
The next one is so classic it it dumb (and so dumb, it's a classic :-))
10.10.123.226 - - [12/Feb/2008:03:46:54 -0800] "POST /_vti_bin/shtml.exe/_vti_rpc HTTP/1.1" 404 - "-" "MSFrontPage/6.0"
10.10.123.226 - - [12/Feb/2008:03:46:55 -0800] "OPTIONS / HTTP/1.1" 200 20210 "-" "Microsoft Data Access Internet Publishing Provider Protocol Discovery"
It is probably one of the ancient IIS attacks (check out this fun BlackHat preso on that, circa 2003) - why would someone probe for it now is beyond me. In any case, Apache on Linux and "*.exe" don't mix :-)
The final log record is also fun:
10.10.101.222 - - [12/Feb/2008:15:33:22 -0800] "PUT /zk.txt HTTP/1.0" 405 223 "-" "Microsoft Data Access Internet Publishing Provider DAV 1.1"
The above uses a PUT request which is pretty much deprecated now; the purpose of the above is clearly malicious. In fact, modern Apache shouldn't even allow it, thus it responds with code 405 "Method Not Allowed." Nothing to worry about (even though some poor critter got owned with that! BTW, if you follow that link, check out HTTP response code 201 - if you see it in your logs, run! :-))
Overall, if you see too many POSTs or too many "GET then POST" sequences from the same IP in rapid succession, investigate it since no legitimate access should produce such a pattern...
As further reading, I heartily recommend this paper: "Detecting Attacks on Web Applications from Log Files"
Also, I am tagging all the tips on my del.icio.us feed. Here is the link: All Security Tips of the Day.
Posted by on March 12, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Poll #7: What tools do you use for Windows Event Log collection?
My next fun logging poll is here - please vote! It is about tools for centralized collection of Windows Event Log from servers and other systems. One of the somewhat surprising discoveries from my previous poll was that few people look at Windows logs; this poll drills down into it.
And, don't forget that ProjectLASSO Windows event collector allows people to grab Windows event logs remotely without those hated agents...
Past logging polls and their analysis:
Posted by on March 07, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Logging Poll #6 "Which Logs Do You LOOK At?" Analysis
This poll on looking at logs poll was relatively popular; lets see what we can learn (live results are also here).
First, what are the top 3 log types that people look at? They are:
- Unix/Linux server syslog
- Web server logs
- Firewall logs
How does that compare with the top 3 log types that people collect (see picture showing results from my previous poll below)?
These are:
- Unix/Linux server syslog
- Firewall logs
- Web server logs
Huh? They are the same - doesn't it just make sense? What are the possibilities here?
a. People only collect the logs they plan to look at, OR
b. People only look at logs they collect (duh!).
Strangely, I find a) unlikely; I think most people collect more than they can review and that the incident/issue response and compliance needs drive collection more than review or analysis.
Another observation is that all of the "big 3" log types are useful for security, operations and compliance and not just for security (like NIDS/NIPS logs). Is that why they are so popular?
Second, I was fearful that "I only look at whatever logs needed for the incident/issue investigation" will win. It didn't!!! This to me indicates that proactive log review is not as unpopular as I feared. Good! It is working.
Third, obviously, nobody (well, 4%...) looks at all logs they collect.
Fourth, much more people look at Unix/Linux logs than Windows server logs (factor of 3x); this is not entirely unexpected and my next poll will drill down into this.
Finally, I am SHOCKED that people don't look at NIDS/NIPS logs (only 11% do). Why have you deployed those "beasts" if you don't look at what they produce? Then again, maybe you haven't...
Next poll coming up!
Posted by on March 07, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Audit/Monitor Controls or Audit/Monitor BEFORE Control?
Back in 2004, Forrester paper called "The Natural Order Of Security Yields The Greatest Benefits" proclaimed that "the adoption of security has a natural order: 1) authentication; 2) authorization; 3) administration and 4) audit." Note that audit which, in this case, broadly includes audit, monitoring and detection, comes last. It seems to be fairly in line with common sense: you audit the controls after you put them in place; you monitor after you have authentication and authorization taken care of and you detect the violations after you organized your administration.
The paper clarifies: "With people and contexts defined, protective controls in place, and policies outlined, the fourth set of questions [i.e. regarding the audit] includes: “What happened?”, “What is happening?” or, especially, “Is it working?”
However, is this really so? Or, is this always so? First, when reality collided with plans, many of the organizations that followed that wisdom got mired in one phase (e.g. in trying to get authentication under control) and ended up having no audit whatsoever: in other words, they are flying blind while implementing controls! Second, in some cases controls (authentication, authorization, administration) will actually be impossible to implement, while audit will be possible. Imagine retrofitting a legacy application for granular authorization? Third, in some cases implementing prevention/control will be much more complicated, compared to implementing audit: thus, people will face a choice between a half-baked control to a full-blown audit capability? An example will be managing which file each user can access vs monitoring/auditing which file each user have accessed. The latter is doable, while the former is next to impossible. Another way to phrase it is "reactive but possible" vs "proactive but impossible" (hint: pick the former :-))
I think the idea of putting audit first in some cases is the way we'd need to progress. "Wow, what a blasphemy!", some might say ... After all, if you have not defined controls, what are you going to audit? But remember that audit is meant broadly in this context and thus the opposite question is very relevant: what are you going to control if you have no idea what is going on? People sometimes define a security policy based on how things should be (and then WSJ happens - refresh your memory of the "WSJ saga" here), but then spent years trying to bring policy and reality together (and end up with an environment which is "half-controlled") Won't it be better to audit first, then control? Or, at the very least, to run BOTH project at the same time so that improvements in control are audited and audit discoveries lead to control improvements!
Obviously, "do IDS before IPS" falls under the same principle: monitor first, [try to] control second. Here is another example: implement log management before identity management. Looking at logs will tell you what privileges the users actually use for doing their daily jobs. Then you can mix it up with what the idea access policy will be.
So, think about it! Questioning the common wisdom does often bring interesting insights.
Posted by on March 06, 2008 in Innovation , Log Management & Intelligence , Security | Permalink | Comments (0)
Audit/Monitor Controls or Audit/Monitor BEFORE Control?
Back in 2004, Forrester paper called "The Natural Order Of Security Yields The Greatest Benefits" proclaimed that "the adoption of security has a natural order: 1) authentication; 2) authorization; 3) administration and 4) audit." Note that audit which, in this case, broadly includes audit, monitoring and detection, comes last. It seems to be fairly in line with common sense: you audit the controls after you put them in place; you monitor after you have authentication and authorization taken care of and you detect the violations after you organized your administration.
The paper clarifies: "With people and contexts defined, protective controls in place, and policies outlined, the fourth set of questions [i.e. regarding the audit] includes: “What happened?”, “What is happening?” or, especially, “Is it working?”
However, is this really so? Or, is this always so? First, when reality collided with plans, many of the organizations that followed that wisdom got mired in one phase (e.g. in trying to get authentication under control) and ended up having no audit whatsoever: in other words, they are flying blind while implementing controls! Second, in some cases controls (authentication, authorization, administration) will actually be impossible to implement, while audit will be possible. Imagine retrofitting a legacy application for granular authorization? Third, in some cases implementing prevention/control will be much more complicated, compared to implementing audit: thus, people will face a choice between a half-baked control to a full-blown audit capability? An example will be managing which file each user can access vs monitoring/auditing which file each user have accessed. The latter is doable, while the former is next to impossible. Another way to phrase it is "reactive but possible" vs "proactive but impossible" (hint: pick the former :-))
I think the idea of putting audit first in some cases is the way we'd need to progress. "Wow, what a blasphemy!", some might say ... After all, if you have not defined controls, what are you going to audit? But remember that audit is meant broadly in this context and thus the opposite question is very relevant: what are you going to control if you have no idea what is going on? People sometimes define a security policy based on how things should be (and then WSJ happens - refresh your memory of the "WSJ saga" here), but then spent years trying to bring policy and reality together (and end up with an environment which is "half-controlled") Won't it be better to audit first, then control? Or, at the very least, to run BOTH project at the same time so that improvements in control are audited and audit discoveries lead to control improvements!
Obviously, "do IDS before IPS" falls under the same principle: monitor first, [try to] control second. Here is another example: implement log management before identity management. Looking at logs will tell you what privileges the users actually use for doing their daily jobs. Then you can mix it up with what the idea access policy will be.
So, think about it! Questioning the common wisdom does often bring interesting insights.
Posted by on March 06, 2008 in Innovation , Log Management & Intelligence , Security | Permalink | Comments (0)
Top 11 Reasons to Analyze Your Logs
As promised, here is another "Top 11 Reasons" which is about log analysis. Don't just read your logs (definitely don't just collect them); analyze them. Why? Here are the reasons:
- Seen an obscure log message lately? Me too - in fact, everybody have. How do you know what it means (and logs usually do mean something) without analysis? At the very least, you might need to bring additional context to know what some logs mean (example: IP address -> hostname -> server owner)
- Logs often measure in gigabytes and soon will in terabytes; log volume grows all the time - it definitely passed the limit of what a human can read a long time ago, it then made simple filtering 'what logs to read' impossible as well: automated log analysis is the only choice.
- Do you peruse your logs in real time? This is simply absurd! However, automated real-time analysis is entirely possible (and some logs do crave for your attention ASAP - e.g. major system failures, confirmed intrusions, etc)
- Can you read multiple logs at the same time? Yes, kind of, if you print them out on multiple pages to correlate (yes, I've seen this done :-)). Is this efficient? God, no! Correlation across logs of different types is one of the most useful approaches to log analysis.
- A lot of insight hides in "sparse" logs, logs where a single record barely matters, but a large aggregate does (e.g. from one "connection allowed" firewall log to a scan pattern). Thus, the only way to extract that insight from a pool of data is through algorithms that "condense" that collection of logs into usable knowledge (some say, visualization is the way to go)
- Ever did a manual log baselining? This is where you read the logs for a while and learn which ones are normal for your environment. Wonna do it again? Thought so :-) Log baseline learning is a useful and simple log analysis technique, but humans can only do it for so much before burning out.
- OK, let's pick the important logs to review. Which ones are those? The right answer is "we don't know, until we see them." Thus, to even figure out which logs to read, you need automated analysis.
- Log analysis for compliance? Why, yes! Compliance is NOT only about log storage (e.g. see PCI DSS). How to highlight compliance-relevant messages? How to see which messages will lead to a violation? How do you satisfy those "daily log review" requirements (again, see PCI DSS)? Through automated analysis, of course!
- Logs allow you to profile your users, your data and your resources/assets. Really? Yes, really: such profiling can then tell you if those users behave in an unusual manner (in fact, the oldest log analysis systems worked like that). Such techniques may help reach the holy grail of log analysis: have the system automatically tell you what matters for you!
- Ever tried to hire a log analysis expert? Those are few and far between. What if your junior analysts can suddenly analyze logs just as well? One log analysis system creator told me that his log data mining system enabled exactly that. Thus, saving a lot of money to his organization.
- Finally, can you predict future with your logs? I hope so! Research on predictive analytics is ongoing, but you can only do it with automated analysis tools, not with just your head alone (no matter how big :-)) ...
Past top 11 reasons:
- Top 11 Reasons to Collect and Preserve Computer Logs
- Top 11 Reasons to Look at Your Logs
- Top 11 Reasons to Secure and Protect Your Logs
Posted by on February 22, 2008 in Innovation , LogMatters | Permalink | Comments (0)
Logging Poll #5 "Top Logging Challenges" Analysis
OK, this poll was insightful! The raw results are here and below:
What can we learn from this?
First, what are the top challenges? It is with great regret :-) that I report that the #1 challenge is exactly the one I thought it would be: We collect logs but don't have time/resources to look at them. Yes, automated "analysis challenge" has only become more of a challenge as people deploy more tools that enable log collection on a massive scale (e.g. 75,000 logs/second). I dare to predict that we will finally have to tackle this one in the next year or two. In fact, this challenge rears it ugly head via another popular response, Lack of log analysis tools, which made Top 5 responses as well.
Second, even though I didn't make any predictions about the #2 entry, but I was surprised: No way to effectively search all logs is a very close #2 (obviously, 1 vote is not statistically significant here). Indeed, log searching is an elusive little problem, especially when we want to do it fast and on a large pool of logs. Even though I think we need to search less and discover more, the need to search logs will be with us forever (and, no, I don't think you need a special product just to do that ...)
Third, I am happy to report that this poll indicates that we finally broke the back of "the beast" of not having logs. Responses that point at not having logs (e.g. Logging is not enabled, We don't know what logging we must enable, etc) are not terribly popular (then again, maybe it is due to self-selection of the blog readers ...)
Fourth, infrastructure! Specifically, No infrastructure to manage the log volume we have is very popular as well (#4). This proves the point that I used to not take very seriously in the past (by mistake): when megabytes become gigabytes and those grow into terabytes, many things that used to trivial (e.g. moving logs from A to B, saving logs to disk, etc) become grand engineering challenges... Indeed, to manage high volume of logs you need a scalable log management solution (example)
Sixth, as I lamented, few care about log security (this counts as laments, I guess). Secure storage of logs is only bothering a few people. One word: yet! As of today, stored log hashing + (sometimes!) log transport encryption + (rarely!) encrypted archives are the state of the art.
Next poll is coming up!
Posted by on February 08, 2008 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
SANS Security Laboratory Thought Leadership Interview With Dr Anton Chuvakin
Here is an insightful interview with me done by Stephen Northcutt at SANS. I share a bunch of thoughts on logging and log management. For example, what is my #1 logging pet peeve, what's the #1 logging mistake, will we ever see log standards, why are we looking at an increase in the number of log types we need to look at, etc.
It starts like this: "Dr. Anton Chuvakin from LogLogic has agreed to be interviewed by the Security Laboratory and we certainly thank him for his time! He is probably the number one authority on system logging in the world, and his employer is probably the leading vendor for logging, so we appreciate this opportunity to share in his insights."
Posted by on January 31, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Poll: What are your top challenges with logs and logging?
This poll is especially fun: What are your top challenges with logs and logging? Vote here.
Past polls were:
Posted by on January 21, 2008 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
Logging Poll #4 "Who Looks at Logs?" Analysis
Time to analyze my final 2007 poll on logs. In it, I asked who actually looks at logs at the organization. Here is what came up: results are here and also included below.
What can we conclude from this?
First, an obvious conclusion is in order! No matter how many times one can utter the word "compliance," logs are still most useful for mundane (one would hope!) system administration. Yes, indeed, sysadmins are the primary consumers of logs - yesterday, today, and - likely! - tomorrow as well.
Second, I am saddened by the fact that application developers have not warmed up to logs, at least not en masse (and not according to this limited poll...). I am guessing when they start thinking of logging when creating their applications, they will be more aware of the fact that you can troubleshoot the applications using logs ...
Third, incident response team showing that low is some kind of fluke, I am sure. Everybody knows that logs are indispensable during incident response. Yes, even if only a little logging was enabled or even logging defaults left in place, logs often reveal answers unobtainable via any other mechanisms.
Next poll coming soon!
Posted by on January 08, 2008 in Innovation , Log Management & Intelligence , LogEd , LogLogic News | Permalink | Comments (0)
On Approaches to Database Monitoring
So, people sometimes ask me about how to do database logging/auditing/monitoring and log analysis right. The key choice many seem to struggle with for database auditing and monitoring is reviewing database logs vs sniffing SQL traffic off the wire. Before proceeding, please look for more background on database log management, auditing and monitoring in my database log management papers (longer, more detailed - shorter) The table below summarizes the situation with database monitoring and auditing - now you can make your choice more intelligently (items in bold are the ones I consider key):
| Pro | Con | |
| Sniff SQL traffic from the wire |
|
|
| Collect and analyze database logs |
|
|
Choose logs if you care for the relevant Pros (esp key ones) associated with them; choose sniffing if you care for the Pros and are NOT undermined by their Cons (e.g. difficulties of supporting encrypted traffic)
Of course, one can also opt for a combined approach which follows the ideas of "double the benefits - for double the cost"...
(*) Nobody really knows what it will be in each particular situation: 0-40% were observed under various conditions by various people ...
Posted by on December 17, 2007 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
Protecting Logs from Admins: A Lost Battle?
One of the truly major challenges of log management is obtaining trusted logs of administrator activities, sometimes broadened to cover so-called "privileged users" (see my log trust pyramid post for more discussion). Many consider it to be the "lost battle" of logging. However, logging administrator access and actions is more important than ever today; it is one of the few workable ways of dealing with insider attacks.
So, I created this little table where I try to summarize some ways of protecting the C-I-A (confidentiality, integrity, availability) of various logs from administrators and privileged users (some successful and some very hard to pull off). Note that in the case of databases and applications, we need to protect their logs from DBAs and application admins and not from the underlying server platform admins.
UPDATE: table below might be corrupted in some blog readers; see the full table here.
| "C" - prevent admins from reading logs | "I" - prevent admins from changing logs | "A" - prevent admin from disabling logging | |
| Standard Unix | Very hard! Maybe stealth logging (sebek) | Remote logging via syslog to another server, append-only log files (via RBAC) | Very hard! But this is logged and thus can be detected (also: stealth logging) |
| Windows server | Very hard! Maybe stealth logging (sebek for Windows) | Pull the logs ASAP to a central server | Very hard! But this is logged and can be detected (also stealth logging) |
| Databases | DBA activity log stored outside the database (append-only access) | DBA activity log stored outside the database (append-only access) | DBA activity log stored outside the database |
| Firewalls and network gear | Remote logging via syslog to another server - no local logging | Remote logging via | Very hard! But this is logged and can be detected |
| IDS/IPS boxes | Remote logging to another server - no local logging | Remote logging to another server, inaccessible to admin | Very hard! But this is logged and can be detected |
| Misc enterprise applications | App admin log outside the app (not readable to application user) | App admin log outside the app (only appendable by the application user) | Very hard! But this is logged and can be detected |
UPDATE: table above might be corrupted in some blog readers; see the full table here.
Comments?
Posted by on November 26, 2007 in Innovation , Log Management & Intelligence , Risk Management , Security | Permalink | Comments (0)
Imagining an Ideal Log Management Tool?
The idea came from Jeremiah Grossman (here) when he described "The Best Web Application Vulnerability Scanner in the World" thus: "Within a few moments of pressing the scan button it’ll find every vulnerability, with zero false positives, generate a pretty looking report, and voila you’re compliant with GLBA, HIPAA, and PCI-DSS. Of course, we all know such a web application scanner is simply not possible to create for a variety of reasons."
So, let's imagine the ideal log management application.
- Logging configuration: the ideal log app will go and find all possible log sources (systems, devices, applications, etc) and then enable the right kind of logging on them according to a high level policy given to it
- Log collection: it will collect all the above logs securely (and without using any risky super-user access ) and with little to no impact to networks and systems
- Log storage: it can security store the above logs in the original format for as long as needed and in a manner allowing quick access to them - in both raw and summarized/enriched form
- Log analysis: this ideal application will be able to look at all kinds of logs, known to it and previously unseen, from standard and custom log sources, and tell the user what they need to know about their environment and based on their needs: what is broken? what is hacked? where? what is in violation of regulations/policies? what will break soon? who is doing this stuff? The analysis will power all of the following: automated actions, real-time notifications, long-term historical analysis as well as compliance relevance analysis
- Information presentation: this tool will distill the above data, information and conclusions generated by the analytic components and present then in a manner consistent with the user's role: from operator to analyst to engineer to executive. Interactive visual and drillable text-based data presentation across all log sources. The users can also customize the data presentation based on their wishes and job needs, as well as information perception styles
- Automation: the ideal log management tool will be able to take limited automated actions to resolve discovered and confirmed issues as well as generate guidance to users so that they know what actions to take, when full-auto mode is not appropriate. The responses will range from full-auto actions to assisted actions ('click here to fix it') to issuing detailed remediation guidance. The output will include a TODO-list of discovered items complete with actions suggested, ordered by priority
- Compliance: this tool can also be used directly by auditors to validate or prove compliance with relevant regulations by using regulation-specific content and all the collected data. The tool will also point at gaps in data collection as it applies to specific regulations that the user is interested in complying
In other words, this magic black box will have raw log data shoveled from one side and will have answers to key questions that concern the IT users and their managers on the other side.
Am I nuts? Well, can I dream for a second? :-)
Posted by on November 06, 2007 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
Top 11 Reasons to Secure and Protect Your Logs
Following my now-famous Top 11 Reasons to Collect and Preserve Computer Logs and Top 11 Reasons to Look at Your Logs, here is the promised "Top 11 Reasons to Secure and Protect Your Logs"
- Let's review why you are reviewing logs. Will logs that might have been changed by somebody, somewhere, somehow still be useful for items 1-11 from here? No? Secure them!
- Logs in court? Challenges abound! To respond to them, one needs to protect the logs so you can claim that they are both authentic and reliable.
- A human error still beats an evil hacker as the main cause of IT problems. Are your logs safe from it? Available when needed? Protect them from crashes and other faults!
- PCI DSS just says so: "Secure audit trails so they cannot be altered." Want to do it- or pay the fines?
- Do you protect financial records? Identity info? Passwords? Some of it ends up in logs (even if by mistake) - thus making them sensitive, protected information. Secure the C-I-A of logs!
- Do you look at logs during incident investigation? Do you want them to be "true" or full of random (if creative...) "stuff", inserted by the guilty party? Secure the logs!
- Think that "attacks vs logging" are theoretical? Think again. Are your logs safe or vulnerable? Is your logging tool 0wned?
- Syslog + UDP = log injection + log loss. Are you protected (reliable TCP, confirmed delivery, encryption - SSH, SSL, VPN)?
- Why modify logs? No, really, why change logs? If you never change logs - and you never should, unless it is appending to them - hash them right away after collection to make them immutable.
- Logs are backed up on tape - who will see them? Well, whoever restores the tape, that's who! Encrypt them to protect them from accidental and malicious disclosure if tape is lost.
- Why log access to logs? Same reason why you had the logs in the first place - to review who did what. Who broke through and stole the logs? Who browsed them without permission? Only logs will tell - if you have them!
Overall, one need to strive for having no holes in log safeguards from log birth to analyst conclusion based on log information...
Possibly related posts:
Posted by on November 02, 2007 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
Just What is Enterprise Class? Part V
Here is the final enlightening post from Dimitri McKay, our super-brilliant network and systems engineer from the East Coast, where he continues to discuss the meaning of the phrase "enterprise-class," which is certainly MUCH more than a marketing buzzword! Part I is here, Part II is here, Part III is here. Part IV is here.
Dimitri McKay says: "This is the final piece in the five part series entitled “Enterprise Class”. The term “Enterprise Class” for most of us has appeared on Bullshit-Bingo cards for years, but when we actually explore WHAT “Enterprise Class” is and how it pertains to a certain product, you can learn quite a bit about that product, and how it stands up to both the competition and how it stacks up against what it is and what it should be.
As of this writing, LogLogic has set free it’s next code-base, LogLogic4 Release 2. With added features and fixes, LogLogic fits the Enterprise all the more with each release.
13. Usability: Because of the large number of customers using LogLogic, the mission critical nature of the business problems being addressed, and the system complexity that is introduced due to the previous topics, usability is a critical factor for LogLogic. Our goal is to strike an appropriate balance between ease of use and complex functionality. Let’s face it. Using LogLogic to handle forensics, or compliance, or general reporting and alerting is an easy solution to a very complex problem. We are taking the chaos of a massive amount of log-traffic and we are taming it via the use of log forensics tools, summary reports, and real-time alerts.
When I was on the support team one of the biggest questions customers would call and ask after purchasing the LogLogic appliance was “Now what? What should I be looking for?” - and the answer LogLogic came up with was the compliance suites. The compliance suites are a phenomenal way of helping the customer hit the ground running. It’s simple. “Install this suite of search filters, alerts and custom reports. Then tailor it to your network. Now you’ve solved your compliance problems and/or government mandates.”
14. Compatibility/Maintainability: To minimize downtime as part of providing high availability, LogLogic must provide compatibility from one release to the next. Backward compatibility means that the when a new version of LogLogic is installed, it continues to work with the previously installed customizations and other systems witch which it interacts such as source devices and remote authentication services.
Forward compatibility means that when systems around the LogLogic are upgraded, the LogLogic must continue to function as it did before, even though the new software may support new log formats. When fixes are provided for LogLogic, downtime for installing the fix must be minimized by providing support for incremented updates such as patches and hot-fixes. LogLogic must also offer several solutions to handle updates such as automatic update via the web, or manual file updates due to the appliances being offline.
Thank you for reading my five piece foray into the Enterprise. Please feel free to email me your thoughts, comments, or post them below. Stay tuned to LogLogic as we journey where no other LMI vendor has gone before."
Posted by on October 31, 2007 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
Log Collection Poll Results
My poll on log collection have been a great success and now the results are in. Here is the link to the running totals as of now (the graphic snapshot from yesterday can be seen here). Let's review and discuss the findings after running it for slightly over a week.
- First, which of my expectations were NOT met? Well, I did expect that firewalls will be #1, not Linux/Unix servers. Admittedly, the difference is not so big, but I am impressed: Unix syslog still rocks the logging world :-)
- Second, the top source of collected logs is also the hardest to analyze due to its lack of structure. Nowadays I treat syslog from Unix/Linux as "broken English" and not as "data." It is a dog to parse (that is why we are trying to find something novel)
- Third, I was amazed that database logs were THAT high on the list. Wow! All the evangelizing seems to have worked out :-)
- Fourth, Windows server log collection is still in the dumps - but we need it! Go grab LASSO and dump those event logs into syslog without pesky agents. Easy!
- Firth, other Unix logs - what are those? We might never know what the respondents meant: still, I think that these are binary audit logs and other fine-grained audit logging. Indeed, many people starting to look at BSM audits and other "ugly ducklings" of logging.
- Sixth, web server logs are gold - everybody knows it. The poll confirms this as well: they are #2. Some fun analysis tips from me are coming soon.
Next poll coming soon! Thanks a lot for responding!
Possibly related posts:
-
Top 11 Reasons to Look at Your Logs
-
Top 11 Reasons to Collect and Preserve Computer Logs
- Database log management
Posted by on October 26, 2007 in Innovation , Log Management & Intelligence , LogMatters | Permalink | Comments (0)
Simple Log-based User Profiling for Activity Monitoring
Recently I've been looking into detecting stolen/shared access account credentials. Now, how can you detect that? No NIDS will trigger, NIPS will let is pass, no unusual types of log records might ever by produced (especially if only limited logging is enabled). And what raises the stakes is that this type of activity is not only about "hacked" accounts, but also about insider abuse of accounts.
However, there will likely be changes in how normal log records are produced.
Let's summarize some known methods for using a simple user "profile" to detect account theft aka account sharing aka user impersonation aka access with stolen/shared credentials. It implies that we've been collecting the logs before the incident and have a solid trail of normal users and legitimate account owners.
- Unusual login source IP (e.g. normal user always comes from 10.0.X.Y or 10.1.X.Y, but now we see a login from 172.16.0.Z) - will work in some cases, but not for the free-for-all servers such as at a University
- Unusual login time (e.g. normal user always comes from 9AM to 5PM, now we see 3AM) - will work in most cases, but will fail if the attacker happens to be in the same time zone
- Unusual login session length (e.g. normal user always stays logged in for 5-20 minutes, now we see a 10 hour-long session) - works only if logout is logged; might not catch a lot of realistic but malicious connections
- Unusual login frequency (e.g. legitimate user logs in once a day in the morning, now we see dozens of connections) - will work for some cases, but others will be missed
- Unusual login failure/success ratio before a successful login (e.g. normal user always types the password right the first time, now we see failures than successes) - not too reliable, obviously
- Unusual list of user actions performed (normal user only reads these files, but now we see writes to a very different set of files) - will work most frequently, but needs more granular logging of file access, object changes, etc (audit logging) [more on this in the near future!]
So, if you have logs of user activities, at the very least, logins and logouts ( but having records of more user activities is always better!), for the last few weeks or months, one can compute the above profiles using historical data and then compare them with current numbers (very similar to some of the methods from my classic log mining presentation).
The final missing bit is for how long to collect your normal user behaviors: I discovered that 1 week to 1 month works pretty well. Less time yields unstable results and more time necessitates much more data crunching without much gain.
Posted by on October 12, 2007 in Innovation , Log Management & Intelligence , LogEd , LogMatters , Security | Permalink | Comments (0)
Just What is Enterprise Class? Part IV
Here is the next enlightening post from Dimitri McKay, our super-brilliant network and systems engineer from the East Coast, where he continues to discuss the meaning of the phrase "enterprise-class," which is certainly MUCH more than a marketing buzzword! Part I is here, Part II is here, Part III is here.
"10. Serviceability/Manageability: The scale of deployment of a LogLogic solution, whether it be managed remotely or locally, requires features which allow the solution to be managed effectively. FCAPS is an acronym which is often used to remember the following guidelines of security log appliance management:
Fault, Configuration, Accounting, Performance, and Security
The users of LogLogic must be able to monitor what is happening on the system itself, as well as the network around it and applications on it, and to have the ability to diagnose faults when they occur.
Fault diagnosis requires the ability to collect sufficient information about the fault when it occurs, preferably without having to reproduce the fault. We log our own appliance, and anything else on the network, and then alerts can be handled via SNMP traps sent to an SNMP trap receiver such as HP Open View or IBM Tivoli. The other option is an alert sent to a remote pager or mobile device, or even an email to the NOC/SOC personnel.
11. Customizability/Flexibility/Integrability: LogLogic is used to solve complex business problems on a large scale. For some it’s used for various compliance needs, such as PCI or SOX. To others, it’s an alerting or filtering tool, while forwarding a few of the log records on to a SEIM (typically, as much as it can handle, which is usually not as much as needed ...) or a specific other security tool. To others, LogLogic is used for general reporting, incident investigations or forensics. Regardless of how it’s used, LogLogic a different tool to different people.
LogLogic appliances are rarely rolled out as a single unit in an environment. Generally they are rolled out by location, by message per second (MPS) requirements... or by long term storage requirements, but any way you shake it, LogLogic architecture is designed to meet the needs of the Enterprise (and this is not to say that SMBs won't benefit from log management!).
Usually you’ll see several LX reporting/alerting appliances feeding back to a single long term storage ST appliance, but that’s not written in stone. Sometimes customers send all of their log data direct to the ST storage appliance (which handles a massive 75,000 messages per second) in order to take advantage of a single IP address destination. This, in my own humble opinion, is a good data center solution.
My point is, the architecture of the LogLogic appliances is a variable (but still easy!) which gives you total control. There is no firm “config” that is required for boxes to be placed in. Instead, the architecture is flexible, and allows for multiple configurations depending on the environment they reside in. This is the ability to remain agile.
Living in an enterprise world, we must adopt to new technologies as they become standards. Often some of the features on the LogLogic appliances overlap with other technologies already in use. Because of that, we have engaged the ability to utilize those technologies in those situations. One example is that LogLogic has but doesn’t always provide its own identity management functions. Typically there is another authentication management that the enterprise is already using, such as TACACS+ or RADIUS. The enterprise may have adopted particular standards to manage user databases and access control. For this LogLogic needs to be flexible in it’s architecture, allow customizability within the enterprise, and integrate well within the framework of the already existing environment.
12. Support: With any mission critical software deployment, the enterprise must have a reliable way of getting support for diagnosing problems and getting fixes and advanced replacements. This includes 24x7 availability for support personnel and an organization with the experience and expertise to understand how the appliances are used in enterprises. Our support is not only top-notch, but is also praised by our customers!
Thank you for tuning in to part lV of “Enterprise Class” where I’ve laid down WHAT enterprise-class really is, and how LogLogic has tackled it. I’d also like to thank our competitors who have been visiting my blog. You can imitate, but you’ll never duplicate us, boys!
Next piece will conclude the series ... stand by!"
Posted by on October 11, 2007 in Innovation , Log Management & Intelligence , LogEd , LogMatters | Permalink | Comments (0)
Just What is Enterprise Class? Part III
Here is the next enlightening post from Dimitri McKay, our brilliant network and systems engineer from the East Coast, where he continues to discuss the meaning of the phrase "enterprise-class," which is certainly MUCH more than a marketing buzzword! Part I is here, go read it first. Part II is here, go read it next.
"This is the third piece in the five part series titled “Enterprise Class”. Here we’ve gone through what IS enterprise class and how that corresponds to the LogLogic solution. Feel free to post your comments.
7.Performance: Performance is a broad topic. We’re not just talking local log collection performance, but also the ability to perform efficiently while in a distributed environment is critical to enterprise class hardware and software.
While the ability to add more LogLogic appliances allows more devices to be logged and application data to be collected, if the software does not perform with a high level of efficiency, the cost to deploy a system for the required number of devices will be prohibitive.
LogLogic’s top end reporting appliances handle 4000 messages per second sustained. That is a HUGE amount of traffic. if you’ve ever had to sift through it, you’d agree. Think about it. That’s 240,000 messages per minute. 14.4 million messages per hour. That’s 345.6 million messages per day. Grep that with your syslog server. Parse that with your SIEM. It’s not going to happen (not without an ENORMOUS price tag). And our log collection appliance do even more, way more: 75,000 messages per second sustained. Wow!
Performance on a LogLogic appliance is measured based on several factors: CPU usage, messages per second, and disk usage which are important not only for the main functions of the system such as receiving and parsing logs, but also for the ability to run reports and searches on those messages.
8.Security: Because LogLogic is used for mission critical functions, security is essential. LogLogic must ensure that users who are authenticated to the appliances only have access to the functions they need and access to the log sources that are determined by their job role. LogLogic must also offer the ability to encrypt data as it moves between appliances (which we do via LogLogic TCP) and to also offer the ability to use WORM or data at rest encryption (which is handled by the EMC Centera or NetApp for WORM and Decru for data" at-rest" encryption).
LogLogic also covers security with the ability to verify that the system is secure through audit trails, general protection of the appliance through a secure linux kernel locked down in the default install, perform self logging, and then hashing the raw logs which are kept in an immutable format. At LogLogic we take security serious, and the box is put through a variety of vulnerability assessments on a regular basis.
9.Documentation: Because LogLogic handles device support through a specialized group of folks we call “LogLabs” we are able to add devices at an expeditious rate. With each of those new devices comes the required measures to configure each of those devices for logging, and with that knowledge transfer that to documentation. Over time our Documentation Group has continued to grow. Knowledge management is essential to managing the enterprise class solution while alleviating the strain on any of the support or field engineering staff.
Check back soon, to see more about how LogLogic does Enterprise right. In the next episode I will run off on a tangent about usability and flexibility/interoperability/customizability and support! We are boldly going where no other LMI vendor has gone before!"
Posted by on October 04, 2007 in Innovation , Log Management & Intelligence , LogEd , LogMatters | Permalink | Comments (0)
Just What is Enterprise Class? Part II
Here is the next enlightening post from Dimitri McKay, our network and systems engineer from the East Coast, where he continues to discuss the meaning of the phrase "enterprise-class," which is certainly MUCH more than a marketing buzzword! Part I is here, go read it first.
"4.Scalability: To support a large number of devices in growing enterprises, SIEM and log management products differ a great deal in how they scale. Some of the SIEM products require you to add as many as three new appliances, (which all carry a hefty price tag) just for a slight increase in throughput. Others require you to forklift out your existing hardware to bring in new, bigger (and more expensive) equipment. In my own humble opinion these options are completely ridiculous.
The LogLogic scalability approach is uniquely simple. “Add log-traffic to your LogLogic appliances until you reach capacity on that box. Then add another box. Rinse and repeat. Each box does it’s own collection, does its own parsing, reporting and searching, and does its own storage. No special other boxes required. All encompassing solution.
Of course, with “Scalability” comes other requirements of how to add capacity not only vertically, but what of horizontal scalability? Such features would include the ability to report across all LogLogic appliances, manage users and their access rights across a global environment, and use some form of remote authentication such as TACACS+ or RADIUS. This distribution should be an asset, and not a limitation of the overall system scalability. All of these are addressed and in the current LogLogic 4.x.
5.High Availability: Due to the number of corporations and government agencies depending on LogLogic for regulatory compliance, system security and forensics, as well as heartbeat monitoring and troubleshooting, it’s safe to say that LogLogic is “Mission Critical”.
Because LogLogic is a “Mission Critical” system, it must support the internal and external capacity for zero downtime via high availability. This is accomplished via bonded NIC’s, hot-swap drives in various RAID arrays and Mirrored sets, hot swap redundant power supplies and most importantly... the ability to link the boxes together in an active pair. Should there be a failure in a LogLogic pair, both appliances are exact clones of each other, and the passive appliance jumps right into gear as the primary. In milliseconds. It’s genius.
In a perfect world, there would be zero downtime on “Mission Critical” systems. Here at LogLogic, we try to minimize that to as little as possible through the use of various forms of HA, and it shows. Have you seen our new hardware?
6.Reliability: Although high availability plays a part here, I prefer to think of reliability as the quality of the code-base, the product design itself, and the forward motion of feature sets and additional device support in a timely fashion.
LogLogic is built on a stripped down lean, mean hardened Linux platform. From there we didn’t go the route of a proprietary datastore which can start as a good idea and then turn into a huge hulking mess with nothing but frustrations stemming from using, maintaining and increasing the capabilities of, but rather we went with a solid database solution for storing meta-data. Industry standard. Well known. Easy to use. Robust.
Then we built in some brilliant parsers and a very straight forward GUI. Sprinkle that with some great features and a little bit of magic and you have a LogLogic appliance. Our upgrade plans and implementation are fast and furious. We release new device support monthly. Monthly additions. Monthly updates.
At the end of the day, however, extenuating circumstances happen. Should there be a hardware or software problem, LogLogic support is there to help. With 24/7 support and advanced replacement available to our platinum level enterprise class customers, all the bases are covered.
Build the appliance on a solid kernel, with a well known and well tuned database. Add HA, some of the finest engineering talent in the world, and a great support team, and LogLogic does enterprise right.
Stay tuned for the 3rd installment of “Enterprise Class”. LogLogic is going where no LMI vendor has gone before."
Posted by on September 27, 2007 in Innovation , Log Management & Intelligence , LogEd , LogMatters | Permalink | Comments (0)
Just What is "Scalability"?
Remember that discussion about syslog servers? While some people might try to sell you a mere syslog server for big money, others fall in the opposite end of the spectrum: they think that building a high-performance scalable log management system is as easy as installing a syslog on a machine ...
This fun story was related to me by Dimitri McKay, our network and systems engineer from the East Coast. He said: "Our biggest competitor in the field seems to be home-grown syslog servers. Although tons can be saved creating a generic "syslog server," at the end of the day, the resources and man-hours needed to maintain the thing offset the savings to total cost of ownership. I've seen several cases where a customer has a number of these servers running, 'grepping' their way through mountains of log data, and setting up script after script after script. Usually such a thing is started by someone very clever on that team, who gets bored, and moves on to something else, or some other job, and the syslog servers fall into disarray because nobody knows how and what to do with them.
When comparing an open source syslog server to a high-performance (75,000 log messages/second!) Loglogic ST, you do get what you pay for.
Specifically, one of our government customers hired a new employee who looked at the Loglogic ST3010 and expressed his disdain for commercial "out of the box" solutions. His exact words? "I can totally build that for like nothin'." So off our new friend goes, putting together a home-grown syslog server.
First, he starts with a Linux kernel, installs a syslog collector, and then opens the flood gates direct from the Loglogic ST3010 via log message routing. The syslog server suddenly becomes unreachable, non-responsive to pings, SSH attempts, the whole nine. The flood gate of log traffic was then turned off. Back to the drawing board.
Our new employee then comes back with two machines taped together in a cluster. The flood gates are opened, forwarding messages direct from the ST3010 to the home-grown solution, and the same result ensues. No response from pings, SSH, or even console access.
This continues on... three servers clustered, four servers clustered, five servers clustered... till the sixth server was added, and that's when our customer pulled the plug on his new hire. Too much time and hardware resources were being used in a project that was being done quickly and efficiently by one Loglogic ST3010 appliance. Why try to fix it, if it “ain’t broken!”
At the end of the day, you get what you pay for, and you pay for what you get."
Posted by on August 10, 2007 in Innovation , Log Management & Intelligence , LogMatters , Security | Permalink | Comments (0)
Anton Logging Tip of the Day #12: Proxy Log Fun - Proxy Log Analysis for Possible Information Leakage Detection
Following the new tradition of posting a tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.
So, Anton Logging Tip of the Day #12: Proxy Log Fun - Proxy Log Analysis for Possible Information Leakage Detection
You probably know that web proxies (such as Squid, BlueCoat SG and others) produce a lot of detailed logs, that record all web traffic flowing through the proxy as well as pass/block decisions made by the proxy's content filters and possibly embedded anti-malware tools. Proxy logs can be used for a whole range of things, from routine monitoring for Acceptable Use Policy (AUP) compliance to malware detection as well as possibly looking for security scourge of 2007 - web browser attacks by malicious or compromised web servers.
Specifically, in this tip we will learn how proxy logs can be used for detection of file uploads and other outbound information transfers vie the web. First, think what is the legitimate use of file upload functionality in your environment. For example, if using web-based mail services is allowed, then sending an attachment will include an upload. What else? The rest will be considered at least suspicious...
In addition to file uploads, some malicious or commonly unauthorized applications will use similar methods to steal or transfer data, that will be reflected in proxy logs. Looking for HTTP methods (such as POST) and content-type in combination with either known suspicious URL or user-agent (i.e. web client type) can often reveal spyware infections, actively collecting data. Admittedly, a well-written spyware can certainly fake the user-agent field so it is clearly not reliable, but still useful to add to our query above.
So, here are some of the criteria we will use to look for information uploads in Squid and BlueCoat SG proxy logs:
- HTTP method (logged as "cs-method" by BlueCoat) = POST (as opposed to the usual GET, used to retrieve web content).
- For information uploads: content type (logged as "RS(content-type)" by BlueCoat) = pretty much anything but "html/text" (which is the type used for uploading web form contents) - especially try content types "application/octet-stream", "application/msword", "application/powerpoint", "application/vnd.ms-excel", "application/pdf" and a few others to look for common file uploads.
- For spyware and application data transfers: user-agent set to anything but the common ones (i.e. not Mozilla, iTunes, LiveUpdate, etc) or even to "unknown." One can also try user-agent containing your favorite messaging app (e.g. "MSN Messenger", etc) and see which such applications are in use.
(if you feel adventurous, other interesting content-types to try are "application/x-javascript" and "text/javascript")
Here are the examples found in proxy logs using the above query, including some "classics" (while spyware specimen are a bit dated, this method of detecting them via logs is still relevant and useful):
- 1124376766.026 RELEASE -1 FFFFFFFF 4734C557F9315105CA6BE0FA56B94D55 200 1124276674 -1 -1 unknown -1/0 POST http://reports.hotbar.com/reports/hotbar/4.0/HbRpt.dll
- 1124392388.975 RELEASE -1 FFFFFFFF 810FFBF233584C330353CF0A8C31F5D2 503 -1 -1 -1 unknown -1/813 POST http://log.cc.cometsystems.com/dss/cc.2_0_0.report_u
- 2007-05-19 03:55:12 160 10.1.1.3 - - - OBSERVED "Spyware/Malware Sources;Spyware Effects;Web Advertisements" - 200 TCP_NC_MISS POST text/html;%20charset=utf-8 http bis.180solutions.com 80 /versionconfig.aspx ?did=5342&ver=1.0 aspx - 10.1.1.2 273 175 - - none - -
- 2007-05-21 03:10:40 4 10.1.1.3 Joanna- authentication_redirect_to_virtual_host PROXIED "Search Engines/Portals" - 307 TCP_AUTH_REDIRECT POST - http storage.msn.com 80 /storageservice/schematizedstore.asmx - asmx "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; MSN Messenger 7.5.0324)" 10.1.1.2 791 2566 - - none - -
- 2007-05-22 21:35:09 215 10.1.2.237 200 TCP_NC_MISS 217 8122 POST http kenobi.example.com /exchange/john.smith/Drafts1/RE:%2520CustomerList.xls-2.EML - - DIRECT kenobi.example.com - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" PROXIED none - 10.1.170.42 SG-HTTP-Service - none –
The first three are traces of spyware (one was even identified by a BlueCoat content filter as "Spyware/Malware", the fourth is MSN Messenger-based activity while the fifth is emailing the Excel file via web mail.
Here are some other signs that will make the above log entry extra-suspicious is:
- A dead giveaway: upload happens to a "known bad" URL (e.g containing "gator" and others above)
- Upload happens to an unresolved IP address (do a "whois" on it!)
- Uploads happens to a port not equal to 80 (i.e. the URL contains a port such as http://10.1.10.10:31337)
- Upload has confidential file name in the log entry (e.g. somebody dumb emailing a sensitive file to himself - as discussed here)
Overall, this log analysis method is good for casting a broad net to catch not just spyware-infected systems, but also unauthorized applications (e.g. method=POST and user-agent=iTunes), instant messaging (e.g. method=POST and then by user-agent, content or URL), simple forms of data theft and document handling policy violations (emailing files to self via web mail: method=POST and sensitive file name present in the entry; also content-type set to popular Office file types) as well as other abuses of web access. As a result, proxy logs provide an extremely rich AND readily available source of data about threats that users face!
To top it off, one promising direction of future research is using web proxy logs to detect client-side exploits by malicious web servers (more on this in the near future!)
Possibly related posts:
Also, I am tagging all the tips on my del.icio.us feed. Here is the link: All Tips of the Day.
Posted by on August 07, 2007 in Innovation , Log Management & Intelligence , LogEd , LogMatters , Security | Permalink | Comments (0)
Survey Says: Log Management
LogLogic has teamed up with the SANS Institute to conduct an independent Research Study on the emerging need for log management and intelligence in the enterprise. Last year's study was pivotal in uncovering the logjam enterprises face estimating that up to 25% of all data generated in teh enterprise is log data.
Andrew Davies of the University of California at San Diego confirms this trend, "Rapid evolution of our entire enterprise IT infrastructure has resulted in exponential growth of data. This is requiring a reassessment and automation of log auditing methods."
In appreciation for your help, your name will be entered into a drawing to receive a Nintendo Wii being given to survey participants. The survey will close after the first 600 participants have completed the questionnaire.
The survey will take only ten minutes of your time and your email address will only be used to notify you if you have won the Wii.
Your valuable input will help us understand how to improve log management and intelligence to support your IT and business needs for everything from forensics to compliance.
SANS will keep individual information confidential and treat data collected from you in accordance with Market Research Association (MRA) Code of Ethics.
Posted by on April 09, 2007 in Innovation , LogLogic News | Permalink | Comments (0)
Global enterprises, governments turning to SOA
Research from Zapthink takes a look at the 'State of Worldwide Service-Oriented Architecture Adoption.' Analyst Ronald Schmelzer comments on the increasing global reach of SOA:
" . . . the net result is that no multi-national company can afford to avoid or overlook the issues associated with global distributed computing. Issues related to international regulatory compliance, internationalization and localization, support for multi-ethnic cultures, languages, and business practices must be the method de facto to be supported in any SOA initiative rather than an after-thought once the application is delivered in a particular language or cultural bias."
Schmelzer says that SOA adoption is not just happening in North America and Europe, noting:
"...substantial uptick in SOA adoption in Australia, India, Korea, China, Singapore, parts of Latin and South America, and the Middle East. Many of these global initiatives have a particular industry bent, such as a strong telecommunications presence in Korea, banking and insurance in Australia, government in Singapore, manufacturing and services in China and India, and retail in the Latin and South American regions."
Just last week a report in Defense News noted that the DoD is moving its web portals to a service-oriented architecture. It makes sense for the DoD to make sure that the right relationships between data can be connected, automating compliance and making data accessible in the most effective and cost efficient manner.
We're finding that the public sector is looking at SOA more and more as well at LogLogic. Log Management and Intelligence delivered as an SOA turns proprietary closed systems throughout the organization into ‘Open Log Services’ that can be re-used and repurposed, helping with all kinds of compliance from FISMA to PCI.
More findings on SOA at Zapthink.
Posted by on February 10, 2007 in Compliance , Innovation , Log Management & Intelligence | Permalink | Comments (0)
The SuperBowl, Log Data and TiVO
Superbowl 2007 is underway. TiVO is giving TV networks and ad agencies a chance to receive second-by-second data about which programs the company's 4.5 million subscribers and, more importantly, which commercials people are skipping. Silicon Valley-based TiVO has been doing this for the past five years.
The company relies on log data to determine the viewing habits of their subscribers to provide this data. TiVO calls that "unique Commercial Audience Measurement data" and started a research arm of the company that provides analysis of the second-by-second viewing patterns of a "nightly sample of 20,000 TiVo users, whose recorders report back to TiVo on what was watched and when. "
Having your log files mined for data is not required to use TiVO's service. The company's privacy policy informs users that they may ask to " to request that TiVO block the collection of Diagnostic Information logs."
Be interesting to see who wins the most viewed commercial tomorrow....
Posted by on February 04, 2007 in Innovation | Permalink | Comments (0)
Project LASSO Gets An Update
LogLogic-sponsored and community-supported open source project, LASSO has released a new update. This release provides a host of multithreading bugfixes in addition to an improved installation process. The LogLogic Windows Event Collector v3.0.2 provides an "agent-style" installation and provides greater system control for users. The source code is available for download at SourceForge.
LASSO runs on a central server and harvests information from log files on Windows servers. Log event collection is often used by enterprises to automate processes to ensure IT compliance with regulations, predict and remediate network health and provide immutable logs.
LogLogic initiated LASSO, a Windows-based open source software designed to collect Windows event logs, including custom application logs, and provide central collection and transport of Windows log data via TCP syslog to any syslog-NG compatible log receivers. Project LASSO is a viable open source alternative, or complement, to Microsoft’s Windows event collection infrastructure.
The current release of the LogLogic Windows Event Collector v3.0.2 has the following additional enhancements:
The code is more stable and has had several bugs fixed related to multi-threading. This resolves crashing problems seen at some user sites since the fourth-quarter Microsoft Windows Updates.
The Installer now will not allow more than one instance of LASSO on a computer, and it correctly handles uninstall of any previously existing version of Project LASSO before installing the new version. Configuration and history information (Lasso.ini, Hostlist.ini, HighWatermarks.log, Repository and Spool files) are preserved during the process.
Note that if you wish to simply uninstall Project Lasso without installing a new version, you may wish to manually delete the Repository and Spool directories afterwards, as they can be quite large.
The Installer now supports an “agent-style” install, where all Lasso.ini configuration parameters are specified in the installation dialogues, and the standard InstallShield® scripted install feature can be used to automate batch installation on multiple machines.
However, it is still necessary to manually configure the “LASSO Windows Event Collector” service parameters after installation. Please refer to the Lasso User Guide for the recommended settings.
There is a new Lasso.ini configuration parameter, which controls whether the initial DLL scan is done at start-up. Turning it off can speed up initial start times, for existing LASSO installations that already have filled the DLL Repository:
SkipInitDLLScan,0 Default value; does perform DLL scan at startup.
SkipInitDLLScan,1 Prevents DLL scan at startup.
LASSO is available under the GNU General Public License, it has been downloaded over 5000 times.
Posted by on February 01, 2007 in Innovation , Log Management & Intelligence | Permalink | Comments (0)
The Age of CSO Pragmatism
Security Incite's Mike Rothman has released The Pragmatic CSO: 12 Steps to Being a Security Master. Written for Chief Security Officers in the corporate world today, the book looks at the business reasons and impact of securing a network.
Mike gives you a sneak peek of the book here. But we found lots of reviews out there touting the book - including Richard Bejtlich's shout out over at his TaoSecurity blog. Richard writes:
The most important feature of "P-CSO" (as it's called) is that it is a business book. P-CSO teaches readers (assumed to be techies, for the most part) how to think like a businessperson who reports and interacts with other businesspeople. I took business classes in college and graduate school, and I run my own business. Most of the time, however, I'm doing technical work. I usually stay so busy that I don't consciously consider the sorts of business issues Mike describes.
We learned that Rothman plans to launch the Pragmatic CSO community in February. We hope to learn more from Mike this Monday night!
Posted by on January 31, 2007 in Compliance , Innovation , Risk Management , Security | Permalink | Comments (0)
How to Select a Log Management Approach
At the SANS Network Show in Las Vegas last Wednesday LogLogic's Anton Chuvakin presented a "standing room only" lunch session on "Selecting a Log Management Approach." We were asked to post the slides in which Anton takes a look at the key choices in log management and intelligence, along with best practices, drawing on LogLogic's customer experiences.
Anton tackles the key questions over whether to build with open source tools or buy a solution -- by giving you the questions you should ask your vendor and what to do about ROI and compliance. Choices, risks, and advantages of all options, as well as a look at strategies you can use today to harness your logjam are explored.
The slides are available as a pdf download.
Posted by on October 10, 2006 in Compliance , Innovation , Log Management & Intelligence | Permalink | Comments (0)
eWeek on LogLogic 3 - "Divine"
eWeek Labs gives LogLogic3 top honors for log source detection, installation, and reporting. Read what eWeek Labs has to say:
"IT managers who want to divine application, system and network problems with log data should consider the latest version of LogLogic's namesake platform... LogLogic 3 will play a significant role in reducing what we call "audit friction" while simultaneously pinpointing possible security problems, such as the creation of unauthorized accounts on systems that contain sensitive data..."
Posted by on July 17, 2006 in Innovation , LogLogic News | Permalink | Comments (0)
LX2000 | Five Stars & Best Buy From SC Magazine
LogLogic's LX 2000 just scored five stars and a "Best Buy" rating from SC Magazine. Here is some of what they had to say:
"The LX 2000 is as feature-rich as anyone could wish. Its displays are straightforward and one can perform a wide variety of analysis with relative ease. Coupled with the ST 3000 large-scale storage appliance, the LX 2000 becomes an extremely powerful tool for managing, analyzing and archiving huge amounts of data. Documentation comes as a set of PDF files on a CD. The manuals are clear and comprehensive, with all the detail needed for most tasks. Specialized tasks need to be referred to LogLogic support, and we found support for the LX 2000 to be first rate."
Posted by on July 07, 2006 in Innovation , Log Management & Intelligence , LogLogic News | Permalink | Comments (0)
A Short Primer On PCI Compliance
If you're a credit card merchant, service provider or retailer who processes, stores and transmits cardholder data, you have a fiduciary responsibility to protect that data. But with data volumes increasing exponentially and tolerance among regulators and consumers falling to new lows, meeting that responsibility is indeed challenging.
The Payment Card Industry (PCI) Data Security Standard, resulting from collaboration between Visa and MasterCard, provides a solid framework for safeguarding credit card data with 12 specific requirements, many of which can only be met with log management and intelligence. Included are specific mandates related to log data.
The PCI standard applies to store merchants, banks, service providers and card processors. And that's not all. PCI extends to all system components connected to cardholder data environments, including network components (firewalls, switches, routers, security appliances, etc.); servers (web, proxy, database, email, authentication, etc.) and applications, both internal and external. In other words, PCI compliance is a lot of work.
The process of complying with PCI compliance can be viewed in three stages:
1) Collection and storage-You must be collecting and securely storing all log data so that it is available for analysis, yet tamper-proof and secure.
2) Reporting-You must be able to prove compliance on the spot if audited, and present evidence that controls are in place for protecting data.
3) Monitoring and alerting-You must have systems in place, such as auto-alerting, to help constantly monitor access and usage so that administrators are warned of problems immediately and can rapidly address them. These systems should also extend to the log data itself - can you prove that log data is being collected and stored?
An LMI solution like LogLogic helps companies reduce the labor and costs associated with PCI compliance by automating these three steps. The solution provides collection and secure storage of 100% of log data collected from all devices, servers and applications, along with compliance-specific reporting templates that organize data quickly and accurately to satisfy auditors. Finally, the solution allows administrators to set custom alerts and continuously monitor network activity.
Complying with PCI, merchants and service providers not only meet their obligations to the payment system but create a culture of security and operations effectiveness that benefits everyone. PCI compliance limits risk and builds confidence in the payment industry, and safeguards data from all types of payment network fraud. Which goes to show that what is good for the bottom-line can also be good for the top-line.
Posted by on June 06, 2006 in Compliance , Innovation | Permalink | Comments (0)
September 2010
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | |||
| 5 | 6 | 7 | 8 | 9 | 10 | 11 |
| 12 | 13 | 14 | 15 | 16 | 17 | 18 |
| 19 | 20 | 21 | 22 | 23 | 24 | 25 |
| 26 | 27 | 28 | 29 | 30 |
Categories
Archives
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005
Blogroll
Blogroll
Compliance
Good Reading
- Internet and Web Security Review
- Log Management ROI
- Log Management Best Practices
- SANS Institute Log Management White Paper