Analytics // Security Monitoring
11:58 PM

5 Signs Of Trouble In Your Network

Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events

Whether to improve performance, gather business intelligence, or detect security threats, log management boils down to three steps: Collect the logs, store the data, and analyze the data to identify patterns.

Yet, while the collection and analysis of log data is one of 20 critical security controls identified by the SANS Institute, most companies do not regularly collect and analyze their logs unless required by regulations. With so much data, information technology professionals can be confused as to where to start, says Nicole Pauls, product manager for SolarWinds, a maker of IT management and monitoring software.

"When people come to log management, they are flooded with a lot of data," she says. "What people are trying to find are the anomalies, the patterns that hint at something going on, but it's difficult."

Good security log analysis revolves around four principals, says Ben Feinstein, director of operations and development for Dell SecureWorks' Counter Threat Unit. First, companies need to monitor the right logs, including data from firewalls, virtual private networking (VPN) appliances, Web proxies, and DNS servers. Next, the security team must collect data on what "normal" looks like inside the company's network. Third, analysts must identify the indicators of attacks in their log files. Finally, the security group must have a procedure for responding to incidents identified by log analysis.

"Just pulling all these logs into your SIEM systems is not going to get you anywhere if your security team does not know what bad or suspicious looks like to your monitoring system," Feinstein says.

Here are five types of events that companies should be checking, according to security experts.

1. User access anomalies
The Windows security log and the records of Active Directory domain controllers are a good first stop to finding malicious activity on the network. Changes in permissions, users logging in remotely from unknown locations, and users accessing one system and using that system to access another are all possible signs of malicious activity, says Kathy Lam, product marketing manager for HP ArcSight.

"When we look at the types of attacks and how hackers have been getting into the environment, they have typically been inside a network posing as a user for months to longer than a year," she says. "By really looking at the baseline and seeing how current activity deviates from that can really pinpoint attacks."

Especially important are privileged accounts -- those users who have administrator permissions on various systems in the network. Because those accounts have more power in the network, they should be monitored more closely.

[Enterprises have been leveraging big data tools and technologies to analyze everything from consumer buying patterns to competitors' product strategies. See How Enterprises Can Use Big Data To Improve Security.]

2. Patterns that match threat indicators
Companies should also run comparisons between the data in their logs and whatever indicators of compromise they are able to obtain, whether through established blacklists or a more complete threat-intelligence service, SecureWorks' Feinstein says.

Threat indicators can help companies identify suspicious IP addresses, host names, domain names, and malware signatures in firewall, DNS server, or Web proxy logs.

"Web proxy logs are a powerful point of visibility into the Web traffic that is traversing your network -- how your endpoint systems are reaching out to the Web," he says.

3. Configuration changes outside the "window"
Attackers who have gained access to a system will typically try to change configurations to further compromise and gain a more certain foothold in the network.

Because most companies limit configuration changes to a limited time each week, month, or quarter, those malicious configuration changes -- whether to open the system up to attack or just turn off logging -- can be a certain sign that an attack is in progress, says Sanjay Castelino, vice president with SolarWinds.

"Those changes typically happen inside a very narrow window, and so if there are changes happening to the configuration outside of that window, you are going to want to know," he says.

Such analysis can help in certain cases. The rules created to manage security products are typically very complex, and it can be difficult to detect whether the rule is malicious by simple analysis, Castelino says. Instead, security teams will find it easier to flag any changes made outside of a specific maintenance window, he says.

4. Strange database transactions
Because databases are such an important part of a company's infrastructure, the business should monitor database transactions to detect malicious activity. A query that attempts to select and copy a large range of data, for example, should be more closely scrutinized.

In addition, monitoring database communications is not enough. While logging transactions can hamper database performance, a journal of what transactions actually occurred becomes invaluable during investigations of whether any compromise resulted in a successful data breach, says Rob Kraus, director of research for security-management firm Solutionary's Engineering Research Team (SERT).

"When clients ask us what records were accessed and what records can we prove were not accessed, the trail leads up to the database," he says. "If they were not logging, it makes it a real challenge. In the end, unless you are logging database transactions, you cannot say which records were touched."

5. New device-user combinations
Before mobile devices and the bring-your-own-device trend, companies could treat any new devices connecting to the network as suspicious. Now that's no longer a good indicator, SolarWinds' Castelino says.

Instead, companies should link devices to their users and treat changes as incidents, he says.

"You probably still want to flag a device, but you may want to flag devices and users together," he says. "Because if I bring my tablet to work, no one else should be logging in with it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
11/15/2013 | 12:35:10 AM
re: 5 Signs Of Trouble In Your Network
GǪ did not realize log management was a skill. Software can read the logs, add the data samples to a database, and then queries the database to perform statistical analysis. How hard is that??? 8-? Humans DO NOT look at the logs other than to code software that does as to provide summary results. The logs of something could be 10's to hundreds of millions of lines, but who cares? As long as software reads everything, does statistical analysis of the data, and email admins notice of reports are available on the web; everything will be fine.
Computer Scientists can solve the problem via software. Computer Engineers could probably do it all in hardware & firmware if they are asked to. ;-)

AI (artificial intelligence) is my key to things as AI is the future.
User Rank: Apprentice
9/20/2013 | 11:39:44 AM
re: 5 Signs Of Trouble In Your Network
Indeed, another report conducted by the Ponemon Institute and Security Innovation also concluded that the majority of organizations do not have a formal application security training program. Companies still have a lot of security issues G here are more key findings from the report on the current state of application security maturity: http://blog.securityinnovation...
Register for Dark Reading Newsletters
White Papers
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

Published: 2015-07-06
The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, ...

Published: 2015-07-06
Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

Published: 2015-07-06
Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.

Published: 2015-07-06
Cross-site scripting (XSS) vulnerability in the Node Field module 7.x-2.x before 7.x-2.45 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors involving internal fields.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report