Perimeter
10/28/2011
01:00 PM
John H. Sawyer
John H. Sawyer
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Basic Baselining For Quick Situational Awareness

Baselines can be extremely valuable in knowing what's going on within your network, but they can't help if they're not created -- start with the basics

Last week, I had the pleasure of speaking on a panel called "Using Log Files and SIEM Data to Identify New Threats to the Enterprise." It’s a long, fluffy title, but the discussions were good and a common theme kept coming up despite the distinct difference in backgrounds among the other panelists (Joe Gottlieb, CEO, SenSage; Mary Landesman, senior security researcher, Cisco) and me. The theme was that to have an understanding of what’s going on within your network, you need to first have a basic understanding of what’s going on -- starting with a baseline of what’s normal.

Baselining activity in your network does not have to be complicated. Sure, it can get complicated, and that’s part of the reason why there are entire companies built around SIEM products with pretty dashboards to show what’s going on and when things deviate from the average level of normalcy. But -- not everyone can afford those products or have a network large enough to justify having one. Or, it might be that there is an immediate need to get a feel for the state of things. Whatever the reason, baselines can start out basic and grow to adapt to changing needs and knowledge of the systems involved.

Let’s start off with a basic example of where a system administrator could start doing simple baselining to understand what’s normal operation for one to many systems during a regular business day. The admin could start by taking a look at some of the critical systems to see how many events show up in the logs each day. The events could be broken down into the services generating the events or the types of events. For example, what's the average number of access and error messages in an Apache Web server's logs, or how many successful and failed logins do the Microsoft Active Directory domain controllers see?

Simply knowing the average number and type of events that occur on a daily basis gives an immediate awareness of what's normal and an opportunity to catch abnormalities as they arise. If there is a sudden jump in failed logins, for example, then there could be a brute-force password guessing attack. Start analyzing the logs to see what accounts were attacked and whether any successful logins occurred immediately after the failures, indicating an account might have been compromised. With Web server logs, it could indicate someone is scanning for vulnerabilities or exploiting a SQL injection flaw to pull out the contents of the back-end database.

This same basic baselining method can be applied to desktops, servers, Web applications, firewalls, intrusion-detection systems, and pretty much anything else that logs data. After getting a feel for what's normal day-to-day, the baselines can be adapted to see what's normal for certain days of the week, weekday vs. weekend, or even hour-to-hour each day.

As you become more familiar with the logs, what's normal, and how systems interoperate, additional ways to view the data in meaningful ways will come about. The biggest hurdle to logging is starting -- baselining is the same way. Just do it. You won't regret it. John Sawyer is a Senior Security Analyst with InGuardians. The views and opinions expressed in this blog are his own and do not represent the views and opinions of his employer. He can be reached at johnhsawyer@gmail.com and found on Twitter @johnhsawyer.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.