Using Event and Log Data to Assure Security and Compliance

Organizations that exert themselves to make the most of their log and event data can expect to improve their security posture and to meet or exceed basic compliance requirements and regimes.

By Ed Tittel · Oct. 10, 16 · Opinion

All the way back in 2007, security industry analyst and expert Dr. Larry Ponemon of the eponymous institute wrote for Network World that “data breaches are a pervasive problem for most organizations in the United States today.” Nobody is prepared to argue that this situation has improved much, if at all, 9 years later in 2016. However, those organizations that exert themselves to make the most of their log and event data can expect to improve their security posture and to meet or exceed basic compliance requirements and regimes.

What Can Companies and Organizations Do to Make Better Use of Log and Event Data?

An old but still good SANS whitepaper addresses this question nicely, explaining how organizations might do so and why it is a good idea. That paper also makes some excellent observations, including:

  1. Logging solutions are commonly underutilized. According to the author – with whom I concur – storing logs centrally and using them to produce canned compliance reports demonstrates no additional security intelligence. Logs need analysis, sometimes painstaking analysis, to produce useful and actionable intelligence.
  2. Event monitoring and management tools are seldom exercised thoroughly. Tools such as SIEM (Security Information and Event Management) systems are seldom put to work as thoroughly as they could or should be. Here again, this requires ongoing analysis, and often event correlation as well, to make sure that the information available from event monitoring is properly compiled, understood, and used.
  3. Meeting compliance mandates must be more than a checkbox exercise. Beyond making sure that they meet compliance mandates, companies and organizations should keep working to improve and enhance the effectiveness and workability of their security programs, policies, and controls. Too many audit teams stop short of this, simply checking off the requirements met and leaving it at that.

If auditors work with security and operations teams in IT, they can develop processes to use logging and event data for a variety of security purposes. These include measuring the effectiveness of security controls, asset identification, assignment and use of access rights and privileges, definition of job roles and responsibilities, and much more.

What Kinds of Benefits Can Logging and Event Management Tools Deliver?

Improved visibility and security for systems, applications and data repositories. Regular attention to event and log data tells auditors and administrators where the action is and how users interact with systems and services, and the data they produce and consume. Careful examination of such traffic also provides telltales for potential security gaps or points of attack that can be further analyzed for hardening or replacement, if necessary. This is also where the rubber meets the road for analysis of security controls, particularly those related to assignment and delegation of access rights and privileges and most commonly used job roles or security groups.

Application and system troubleshooting. Log and event data often provide important clues from information and status entries, and especially from error messages and alerts. Savvy IT pros know that when performance or access problems are reported (or observed, in a sufficiently proactive environment), error and status messages will most often point from effect toward causes, and then eventually to repairs or workarounds.

Intrusion Detection System (IDS) tuning decisions and changes will often emerge from log and event data. As network or security admins observe how security systems behave, such as IDS, IPS, firewalls, proxy servers, and so forth, they will quickly see how well security settings and filters are working. Repeated failures can indicate settings or filters in need of change; end-user workarounds that bypass policy or legitimate security concerns can also show a need for further tightening while tuning, and for better user training on topics such as Acceptable Use Policy (AUP) or Not Safe for Work (NSFW).

Improved access controls may emerge from a detailed study of network intrusion attempts conducted during the penetration testing phase(s) of a security audit. This can be especially helpful in catching and eliminating grants of excessive rights and privileges.

Identify applications in need of maintenance because of failed login attempts logged during normal operations. Programmers can be apprised of the applications demonstrating such failures, and the input data that provoked failed logins. Such information makes it much easier for programmers to diagnose causes, and then (hopefully) to repair them.
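The kind of analysis and event correlation the SANS paper calls for (item 2 above), applied to the repeated-failure and failed-login signals described in the IDS-tuning and application-maintenance points, as an added example that is neither the article's nor the SANS paper's code. The key=value log format, hosts, users, thresholds and time window are all assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical apps, hosts and users).
SAMPLE_LOG = """\
2016-10-10T08:00:01 app=payroll src=10.0.0.5 user=alice result=FAIL reason=bad_password
2016-10-10T08:00:03 app=payroll src=10.0.0.5 user=alice result=FAIL reason=bad_password
2016-10-10T08:00:04 app=payroll src=10.0.0.5 user=alice result=FAIL reason=bad_password
2016-10-10T08:00:09 app=payroll src=10.0.0.5 user=alice result=FAIL reason=bad_password
2016-10-10T08:00:12 app=payroll src=10.0.0.5 user=alice result=FAIL reason=bad_password
2016-10-10T08:00:20 app=payroll src=10.0.0.7 user=bob result=OK
2016-10-10T08:05:00 app=portal src=10.0.0.9 user=carol result=FAIL reason=malformed_input
2016-10-10T09:05:00 app=portal src=10.0.0.9 user=carol result=FAIL reason=malformed_input
2016-10-10T09:40:00 app=portal src=10.0.0.9 user=carol result=FAIL reason=malformed_input
"""

LINE_RE = re.compile(r"^(\S+) (.*)$")  # "<iso timestamp> key=value ..."

def parse_line(line):
    """Turn one key=value log line into a dict; None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group(2).split())
    fields["ts"] = datetime.fromisoformat(m.group(1))
    return fields

def correlate_failures(log_text, threshold=5, window=timedelta(minutes=1)):
    """Group FAIL events by (app, src, user). Report keys that reach `threshold`
    failures inside `window` (a burst worth an IDS/filter tuning look) and, separately,
    (app, reason) pairs that recur at any pace (a hint the application needs maintenance)."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e and e.get("result") == "FAIL"]
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["app"], e["src"], e["user"])].append(e)
    bursts, recurring = [], defaultdict(int)
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs) - threshold + 1):  # sliding window of `threshold` events
            if evs[i + threshold - 1]["ts"] - evs[i]["ts"] <= window:
                bursts.append(key)
                break
        for e in evs:
            recurring[(e["app"], e.get("reason", "unknown"))] += 1
    return bursts, {k: v for k, v in recurring.items() if v >= 3}
```

On the constructed sample, the payroll account shows a burst of five failures in eleven seconds, while the portal's three malformed-input failures are spread over hours and surface only in the recurring-reason report that a developer would want to see.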

The paper concludes with brief analyses of how organizations can go beyond “mere compliance checking” to establish improved security postures. It recommends that they use security and event logging data for troubleshooting equipment and applications, for forensics investigations, and for security incident response and boundary security systems. It also observes that such data has value for monitoring health and status of systems and networks, building security awareness and savvy, and raising the bar for stronger and better-informed security management and compliance reporting. I couldn’t agree more!


Published at DZone with permission of Ed Tittel, DZone MVB. See the original article here.
