All the way back in 2007, security industry analyst and expert Dr. Larry Ponemon of the eponymous institute wrote for Network World that “data breaches are a pervasive problem for most organizations in the United States today.” Nobody is prepared to argue that this situation has improved much, if at all, 9 years later in 2016. However, those organizations that exert themselves to make the most of their log and event data can expect to improve their security posture and to meet or exceed basic compliance requirements and regimes.
What Can Companies and Organizations Do to Make Better Use of Log and Event Data?
An old but still good SANS whitepaper addresses this question nicely: it explains how organizations can put their log and event data to work and why doing so is worthwhile. That paper also makes some excellent observations, including:
- Logging solutions are commonly underutilized. According to the author (with whom I concur), storing logs centrally and using them to produce canned compliance reports demonstrates no additional security intelligence. Logs need analysis, sometimes painstaking analysis, to produce useful and actionable intelligence.
- Event monitoring and management tools are seldom exercised thoroughly. Tools such as SIEM (Security Information and Event Management) systems are seldom put to work as thoroughly as they could or should be. Here again, this requires ongoing analysis, and often event correlation as well, to make sure that the information available from event monitoring is properly compiled, understood, and used.
- Meeting compliance mandates must be more than a checkboxing exercise. Beyond making sure that they meet compliance mandates, companies and organizations should keep working to improve and enhance the effectiveness and workability of their security programs, policies, and controls. Too many audit teams stop short of this, simply by checklisting requirements met and leaving it at that.
If auditors work with security and operations teams in IT, they can develop processes to use logging and event data for a variety of security purposes. These include measuring the effectiveness of security controls, asset identification, assignment and use of access rights and privileges, definition of job roles and responsibilities, and much more.
What Kinds of Benefits Can Logging and Event Management Tools Deliver?
Improved visibility and security for systems, applications and data repositories. Regular attention to event and log data tells auditors and administrators where the action is and how users interact with systems and services, and the data they produce and consume. Careful examination of such traffic also provides telltales for potential security gaps or points of attack that can be further analyzed for hardening or replacement, if necessary. This is also where the rubber meets the road for analysis of security controls, particularly those related to assignment and delegation of access rights and privileges and most commonly used job roles or security groups.
Application and system troubleshooting. Log and event data often provide important clues from information and status entries, and especially from error messages and alerts. Savvy IT pros know that when performance or access problems are reported (or observed, in a sufficiently pro-active environment), error and status messages will most often point from effect toward causes, and then eventually to repairs or workarounds.
Intrusion Detection System (IDS) tuning decisions and changes will often emerge from log and event data. As network or security admins observe how security systems behave, such as IDS, IPS, firewalls, proxy servers, and so forth, they will quickly see how well security settings and filters are working. Repeated failures can indicate settings or filters in need of change; end-user workarounds that bypass policy, or that raise legitimate security concerns, can also show a need for further tightening during tuning, and for better user training on topics such as Acceptable Use Policy (AUP) or Not Safe for Work (NSFW) content.
Improved access controls may emerge from a detailed study of network intrusion attempts conducted during the penetration testing phase(s) of a security audit. This can be especially helpful in catching and eliminating grants of excessive rights and privileges.
Identification of applications in need of maintenance, based on failed login attempts logged during normal operations. Programmers can be apprised of the applications demonstrating such failures, and of the input data that provoked the failed logins. Such information makes it much easier for programmers to diagnose causes, and then (hopefully) to repair them.
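To make the "analysis and event correlation" point concrete, here is an added example (not code from the SANS paper or from this post) that runs the three kinds of logic discussed above over a handful of constructed authentication log lines: a sliding-window correlation that flags a burst of failures from one source address and a success that follows it (the repeated-failure pattern that drives IDS and firewall tuning), and a per-application breakdown of failure reasons that separates wrong-password noise from failures that point at an application defect. The log format, field names, reason vocabulary and thresholds are all assumptions made for the example.

```python
"""Correlate authentication events across constructed log lines: find
brute-force bursts from one source, a success that follows such a burst
(a guessed credential), and applications whose login failures look like
a defect rather than a wrong password.

Added example; this is not code from the SANS paper or the original post.
The log format, field names, reason vocabulary and thresholds are all
assumptions made for the example.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import re

# Assumed line format: <ISO timestamp> <app> <event> user=<u> src=<ip> [reason=<r>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) (?P<event>auth_failure|auth_success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)

# Reasons that mean the user got the credential wrong, as opposed to the
# application failing to process the request (assumed vocabulary).
CREDENTIAL_REASONS = {"bad_password", "no_such_user", "account_locked"}

# Constructed sample log, not taken from any real system.
SAMPLE_LOG = """\
2016-03-01T10:00:01 webportal auth_failure user=alice src=203.0.113.7 reason=bad_password
2016-03-01T10:00:02 webportal auth_failure user=bob src=203.0.113.7 reason=bad_password
2016-03-01T10:00:03 webportal auth_failure user=carol src=203.0.113.7 reason=bad_password
2016-03-01T10:00:04 webportal auth_failure user=dave src=203.0.113.7 reason=no_such_user
2016-03-01T10:00:05 webportal auth_failure user=erin src=203.0.113.7 reason=bad_password
2016-03-01T10:00:06 webportal auth_success user=erin src=203.0.113.7
2016-03-01T10:15:00 vpn auth_failure user=frank src=198.51.100.9 reason=bad_password
2016-03-01T10:15:40 vpn auth_success user=frank src=198.51.100.9
2016-03-01T11:02:10 legacyapp auth_failure user=grace src=192.0.2.44 reason=unparseable_request
2016-03-01T11:02:11 legacyapp auth_failure user=grace src=192.0.2.44 reason=unparseable_request
2016-03-01T11:30:00 legacyapp auth_failure user=heidi src=192.0.2.45 reason=unparseable_request
Mar  1 11:31:00 legacyapp: free-text line that does not match the assumed format
"""


def load(text):
    """Parse text into time-sorted records; count lines that do not match."""
    records, unparsed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records, unparsed


def detect_bursts(records, window=timedelta(seconds=60), threshold=5):
    """Sliding-window correlation keyed on source address.

    Emits a 'burst' when a source reaches `threshold` failures inside
    `window`, and a 'success_after_burst' when that same source then logs
    a success before the window has elapsed.
    """
    findings = []
    recent = defaultdict(list)   # src -> failure timestamps still inside the window
    burst_until = {}             # src -> instant after which a success is no longer suspicious
    for rec in records:
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        while q and ts - q[0] > window:     # age out old failures
            q.pop(0)
        if rec["event"] == "auth_failure":
            q.append(ts)
            if len(q) == threshold:          # report once, when the bar is first crossed
                findings.append({"type": "burst", "src": src, "count": threshold,
                                 "first": q[0], "last": ts})
            if len(q) >= threshold:
                burst_until[src] = ts + window
        elif src in burst_until and ts <= burst_until[src]:
            findings.append({"type": "success_after_burst", "src": src,
                             "user": rec["user"], "app": rec["app"], "at": ts})
    return findings


def failures_by_app(records):
    """Per-application count of failure reasons: what provoked each failure."""
    reasons = defaultdict(Counter)
    for rec in records:
        if rec["event"] == "auth_failure":
            reasons[rec["app"]][rec["reason"] or "unspecified"] += 1
    return reasons


def defect_candidates(records):
    """Applications where most login failures are not credential problems."""
    out = []
    for app, counts in failures_by_app(records).items():
        total = sum(counts.values())
        not_cred = sum(n for r, n in counts.items() if r not in CREDENTIAL_REASONS)
        if not_cred * 2 > total:
            out.append(app)
    return sorted(out)


if __name__ == "__main__":
    recs, bad = load(SAMPLE_LOG)
    print(f"{len(recs)} records parsed, {bad} line(s) skipped")
    for f in detect_bursts(recs):
        print(f)
    for app, counts in failures_by_app(recs).items():
        print(app, dict(counts))
    print("maintenance candidates:", defect_candidates(recs))
```

On the constructed data, the spray of five failures from 203.0.113.7 is reported once as a burst, and erin's success from the same address a second later is reported as a success after a burst; frank's single mistyped password followed by a success is not. The unparseable_request failures against legacyapp are not a credential problem at all, which is exactly the signal worth handing to the application's developers along with the reason strings. Note that the unparsed-line counter matters: a format change upstream that silently drops records looks, in the reports, like a quiet network.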
The paper concludes with brief analyses of how organizations can go beyond “mere compliance checking” to establish improved security postures. It recommends that they use security and event logging data for troubleshooting equipment and applications, for forensics investigations, and for security incident response and boundary security systems. It also observes that such data has value for monitoring health and status of systems and networks, building security awareness and savvy, and raising the bar for stronger and better-informed security management and compliance reporting. I couldn’t agree more!