Analytics // Security Monitoring
9/6/2013
11:58 PM
Connect Directly
RSS
E-Mail
50%
50%

5 Signs Of Trouble In Your Network

Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events

Whether to improve performance, gather business intelligence, or detect security threats, log management boils down to three steps: Collect the logs, store the data, and analyze the data to identify patterns.

Yet, while the collection and analysis of log data is one of 20 critical security controls identified by the SANS Institute, most companies do not regularly collect and analyze their logs unless required by regulations. With so much data, information technology professionals can be confused as to where to start, says Nicole Pauls, product manager for SolarWinds, a maker of IT management and monitoring software.

"When people come to log management, they are flooded with a lot of data," she says. "What people are trying to find are the anomalies, the patterns that hint at something going on, but it's difficult."

Good security log analysis revolves around four principals, says Ben Feinstein, director of operations and development for Dell SecureWorks' Counter Threat Unit. First, companies need to monitor the right logs, including data from firewalls, virtual private networking (VPN) appliances, Web proxies, and DNS servers. Next, the security team must collect data on what "normal" looks like inside the company's network. Third, analysts must identify the indicators of attacks in their log files. Finally, the security group must have a procedure for responding to incidents identified by log analysis.

"Just pulling all these logs into your SIEM systems is not going to get you anywhere if your security team does not know what bad or suspicious looks like to your monitoring system," Feinstein says.

Here are five types of events that companies should be checking, according to security experts.

1. User access anomalies
The Windows security log and the records of Active Directory domain controllers are a good first stop to finding malicious activity on the network. Changes in permissions, users logging in remotely from unknown locations, and users accessing one system and using that system to access another are all possible signs of malicious activity, says Kathy Lam, product marketing manager for HP ArcSight.

"When we look at the types of attacks and how hackers have been getting into the environment, they have typically been inside a network posing as a user for months to longer than a year," she says. "By really looking at the baseline and seeing how current activity deviates from that can really pinpoint attacks."

Especially important are privileged accounts -- those users who have administrator permissions on various systems in the network. Because those accounts have more power in the network, they should be monitored more closely.

[Enterprises have been leveraging big data tools and technologies to analyze everything from consumer buying patterns to competitors' product strategies. See How Enterprises Can Use Big Data To Improve Security.]

2. Patterns that match threat indicators
Companies should also run comparisons between the data in their logs and whatever indicators of compromise they are able to obtain, whether through established blacklists or a more complete threat-intelligence service, SecureWorks' Feinstein says.

Threat indicators can help companies identify suspicious IP addresses, host names, domain names, and malware signatures in firewall, DNS server, or Web proxy logs.

"Web proxy logs are a powerful point of visibility into the Web traffic that is traversing your network -- how your endpoint systems are reaching out to the Web," he says.

3. Configuration changes outside the "window"
Attackers who have gained access to a system will typically try to change configurations to further compromise and gain a more certain foothold in the network.

Because most companies limit configuration changes to a limited time each week, month, or quarter, those malicious configuration changes -- whether to open the system up to attack or just turn off logging -- can be a certain sign that an attack is in progress, says Sanjay Castelino, vice president with SolarWinds.

"Those changes typically happen inside a very narrow window, and so if there are changes happening to the configuration outside of that window, you are going to want to know," he says.

Such analysis can help in certain cases. The rules created to manage security products are typically very complex, and it can be difficult to detect whether the rule is malicious by simple analysis, Castelino says. Instead, security teams will find it easier to flag any changes made outside of a specific maintenance window, he says.

4. Strange database transactions
Because databases are such an important part of a company's infrastructure, the business should monitor database transactions to detect malicious activity. A query that attempts to select and copy a large range of data, for example, should be more closely scrutinized.

In addition, monitoring database communications is not enough. While logging transactions can hamper database performance, a journal of what transactions actually occurred becomes invaluable during investigations of whether any compromise resulted in a successful data breach, says Rob Kraus, director of research for security-management firm Solutionary's Engineering Research Team (SERT).

"When clients ask us what records were accessed and what records can we prove were not accessed, the trail leads up to the database," he says. "If they were not logging, it makes it a real challenge. In the end, unless you are logging database transactions, you cannot say which records were touched."

5. New device-user combinations
Before mobile devices and the bring-your-own-device trend, companies could treat any new devices connecting to the network as suspicious. Now that's no longer a good indicator, SolarWinds' Castelino says.

Instead, companies should link devices to their users and treat changes as incidents, he says.

"You probably still want to flag a device, but you may want to flag devices and users together," he says. "Because if I bring my tablet to work, no one else should be logging in with it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1250191116861
50%
50%
ANON1250191116861,
User Rank: Apprentice
11/15/2013 | 12:35:10 AM
re: 5 Signs Of Trouble In Your Network
GǪ did not realize log management was a skill. Software can read the logs, add the data samples to a database, and then queries the database to perform statistical analysis. How hard is that??? 8-? Humans DO NOT look at the logs other than to code software that does as to provide summary results. The logs of something could be 10's to hundreds of millions of lines, but who cares? As long as software reads everything, does statistical analysis of the data, and email admins notice of reports are available on the web; everything will be fine.
Computer Scientists can solve the problem via software. Computer Engineers could probably do it all in hardware & firmware if they are asked to. ;-)

AI (artificial intelligence) is my key to things as AI is the future.
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
9/20/2013 | 11:39:44 AM
re: 5 Signs Of Trouble In Your Network
Indeed, another report conducted by the Ponemon Institute and Security Innovation also concluded that the majority of organizations do not have a formal application security training program. Companies still have a lot of security issues GÇô here are more key findings from the report on the current state of application security maturity: http://blog.securityinnovation...
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-6651
Published: 2014-07-31
Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php.

CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-3488
Published: 2014-07-31
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.

CVE-2014-3554
Published: 2014-07-31
Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement.

CVE-2014-5171
Published: 2014-07-31
SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network.

Best of the Web
Dark Reading Radio