Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

5 Signs Of Trouble In Your Network

Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events

Whether to improve performance, gather business intelligence, or detect security threats, log management boils down to three steps: Collect the logs, store the data, and analyze the data to identify patterns.

Yet, while the collection and analysis of log data is one of 20 critical security controls identified by the SANS Institute, most companies do not regularly collect and analyze their logs unless required by regulations. With so much data, information technology professionals can be confused as to where to start, says Nicole Pauls, product manager for SolarWinds, a maker of IT management and monitoring software.

"When people come to log management, they are flooded with a lot of data," she says. "What people are trying to find are the anomalies, the patterns that hint at something going on, but it's difficult."

Good security log analysis revolves around four principals, says Ben Feinstein, director of operations and development for Dell SecureWorks' Counter Threat Unit. First, companies need to monitor the right logs, including data from firewalls, virtual private networking (VPN) appliances, Web proxies, and DNS servers. Next, the security team must collect data on what "normal" looks like inside the company's network. Third, analysts must identify the indicators of attacks in their log files. Finally, the security group must have a procedure for responding to incidents identified by log analysis.

"Just pulling all these logs into your SIEM systems is not going to get you anywhere if your security team does not know what bad or suspicious looks like to your monitoring system," Feinstein says.

Here are five types of events that companies should be checking, according to security experts.

1. User access anomalies
The Windows security log and the records of Active Directory domain controllers are a good first stop to finding malicious activity on the network. Changes in permissions, users logging in remotely from unknown locations, and users accessing one system and using that system to access another are all possible signs of malicious activity, says Kathy Lam, product marketing manager for HP ArcSight.

"When we look at the types of attacks and how hackers have been getting into the environment, they have typically been inside a network posing as a user for months to longer than a year," she says. "By really looking at the baseline and seeing how current activity deviates from that can really pinpoint attacks."

Especially important are privileged accounts -- those users who have administrator permissions on various systems in the network. Because those accounts have more power in the network, they should be monitored more closely.

[Enterprises have been leveraging big data tools and technologies to analyze everything from consumer buying patterns to competitors' product strategies. See How Enterprises Can Use Big Data To Improve Security.]

2. Patterns that match threat indicators
Companies should also run comparisons between the data in their logs and whatever indicators of compromise they are able to obtain, whether through established blacklists or a more complete threat-intelligence service, SecureWorks' Feinstein says.

Threat indicators can help companies identify suspicious IP addresses, host names, domain names, and malware signatures in firewall, DNS server, or Web proxy logs.

"Web proxy logs are a powerful point of visibility into the Web traffic that is traversing your network -- how your endpoint systems are reaching out to the Web," he says.

3. Configuration changes outside the "window"
Attackers who have gained access to a system will typically try to change configurations to further compromise and gain a more certain foothold in the network.

Because most companies limit configuration changes to a limited time each week, month, or quarter, those malicious configuration changes -- whether to open the system up to attack or just turn off logging -- can be a certain sign that an attack is in progress, says Sanjay Castelino, vice president with SolarWinds.

"Those changes typically happen inside a very narrow window, and so if there are changes happening to the configuration outside of that window, you are going to want to know," he says.

Such analysis can help in certain cases. The rules created to manage security products are typically very complex, and it can be difficult to detect whether the rule is malicious by simple analysis, Castelino says. Instead, security teams will find it easier to flag any changes made outside of a specific maintenance window, he says.

4. Strange database transactions
Because databases are such an important part of a company's infrastructure, the business should monitor database transactions to detect malicious activity. A query that attempts to select and copy a large range of data, for example, should be more closely scrutinized.

In addition, monitoring database communications is not enough. While logging transactions can hamper database performance, a journal of what transactions actually occurred becomes invaluable during investigations of whether any compromise resulted in a successful data breach, says Rob Kraus, director of research for security-management firm Solutionary's Engineering Research Team (SERT).

"When clients ask us what records were accessed and what records can we prove were not accessed, the trail leads up to the database," he says. "If they were not logging, it makes it a real challenge. In the end, unless you are logging database transactions, you cannot say which records were touched."

5. New device-user combinations
Before mobile devices and the bring-your-own-device trend, companies could treat any new devices connecting to the network as suspicious. Now that's no longer a good indicator, SolarWinds' Castelino says.

Instead, companies should link devices to their users and treat changes as incidents, he says.

"You probably still want to flag a device, but you may want to flag devices and users together," he says. "Because if I bring my tablet to work, no one else should be logging in with it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ANON1250191116861
50%
50%
ANON1250191116861,
User Rank: Apprentice
11/15/2013 | 12:35:10 AM
re: 5 Signs Of Trouble In Your Network
GǪ did not realize log management was a skill. Software can read the logs, add the data samples to a database, and then queries the database to perform statistical analysis. How hard is that??? 8-? Humans DO NOT look at the logs other than to code software that does as to provide summary results. The logs of something could be 10's to hundreds of millions of lines, but who cares? As long as software reads everything, does statistical analysis of the data, and email admins notice of reports are available on the web; everything will be fine.
Computer Scientists can solve the problem via software. Computer Engineers could probably do it all in hardware & firmware if they are asked to. ;-)

AI (artificial intelligence) is my key to things as AI is the future.
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
9/20/2013 | 11:39:44 AM
re: 5 Signs Of Trouble In Your Network
Indeed, another report conducted by the Ponemon Institute and Security Innovation also concluded that the majority of organizations do not have a formal application security training program. Companies still have a lot of security issues G here are more key findings from the report on the current state of application security maturity: http://blog.securityinnovation...
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5216
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...
CVE-2020-5217
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could b...
CVE-2020-5223
PUBLISHED: 2020-01-23
In PrivateBin versions 1.2.0 before 1.2.2, and 1.3.0 before 1.3.2, a persistent XSS attack is possible. Under certain conditions, a user provided attachment file name can inject HTML leading to a persistent Cross-site scripting (XSS) vulnerability. The vulnerability has been fixed in PrivateBin v1.3...
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.