Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


08:30 AM
John H. Sawyer
John H. Sawyer

Top Excuses For Foregoing Security Monitoring, Logging

Monitoring for security incidents can be tough. It's tougher when you don't know what to look for. Now imagine trying to investigate an incident when you don't have any logs to analyze.

Monitoring for security incidents can be tough. It's tougher when you don't know what to look for. Now imagine trying to investigate an incident when you don't have any logs to analyze.In this day and age, it's simply irresponsible for organizations to shrug the value and basic need of having a centralized logging infrastructure. Instead, they make excuses for why it can't be done and let the logs autorotate themselves into the ether.

There are two excuses I hear repeatedly regarding why organizations (of all sizes) don't enable logging, centralize the logs, and monitor them in some way.

1. The first is they simply don't have the manpower to devote to log monitoring. Really? I guess if you're talking about devoting a full-time person to watching logs as they scroll by on the screen, then sure, I wouldn't want to allocate any manpower to that task either. It'd be a boring, monotonous job that would likely end up with a lot of turnover.

Have you ever had to deal with a security breach? How about one that led to notification -- or should have led to notification -- but management swept it under the rug? Those investigations can be lengthy, and the more systems involved, the longer it takes. Having the logs from all of your systems in one place can drastically cut that time.

Setting up a logging infrastructure, configuring automated reports that get e-mailed on a regular schedule, and a few real-time alerts using Splunk or OSSEC HIDS takes a lot less time than the typical multisystem breach investigation. And when done right, it can even prevent a breach or at least prevent serious collateral damage.

2. The second excuse that gets thrown at me (complete with a sad face) is that centralizing logs is too expensive. If you're looking to put an expensive SAN behind your logging solution, then it can definitely be pricey. Since the logs are generated for free, you should take advantage of them -- at the very least throw some cheap storage at the problem.

You can get a 2 TB hard drive for around $100, so buy one, shove it into that server sitting in the corner, install Linux running syslog or Windows running Kiwi Syslog Daemon, and start sending logs to it. Then at least you'll have them for when the stuff hits that fan, which is much better than staring at your CIO with a dumb look on your face when he asks why you can't figure out what happened or how long it has been going on for.

Storage needs aside, the software needed to centralize logs is available freely. Sure, plenty of vendors will sell you some expensive log management appliance that will suck down the logs and make them available via a pretty Web interface, but you can do that for free with Linux (same OS the appliances are running) and Splunk (using the free edition of Splunk that is limited in some features).

Even the software to get the logs from the systems doing the logging is free if it's not already included. For example, to get the logs from Windows systems, Snare and LASSO are great, free options that push Windows Event Logs and some text-based logs (e.g., IIS and DHCP) to a syslog server.

As we approach the looming PCI deadline, logging is something companies will be scrambling to implement as they try to fill in all the boxes on their compliance checklists. Once they realize it really isn't that hard, they'll be asking why they weren't doing it sooner.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate escaping allowed XSS attacks using the logo parameter of the default templates on error page
PUBLISHED: 2021-04-14
An issue was discovered in Joomla! 3.0.0 through 3.9.25. Inadequate filters on module layout settings could lead to an LFI.
PUBLISHED: 2021-04-14
Command Injection in TOTOLINK X5000R router with firmware v9.1.0u.6118_B20201102, and TOTOLINK A720R router with firmware v4.1.5cu.470_B20200911 allows remote attackers to execute arbitrary OS commands by sending a modified HTTP request. This occurs because the function executes glibc's system funct...
PUBLISHED: 2021-04-14
An issue was discovered in the /api/connector endpoint handler in Yubico yubihsm-connector before 3.0.1 (in YubiHSM SDK before 2021.04). The handler did not validate the length of the request, which can lead to a state where yubihsm-connector becomes stuck in a loop waiting for the YubiHSM to send i...
PUBLISHED: 2021-04-14
AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution.