James D. Brown, CTO, StillSecure

Log Management can mean everything from consuming logs and placing them into a central location for search and review to performing smart filtering and notifications, to zeroing in on particular areas of interest such as system and application health, configuration auditing, and security event identification and response. It’s this latter form that I mean to discuss as I continue my series on layered security, and as I’ve done in the past, I’ll be talking about why no one security tool can provide sufficient security for your environment.

What is it? 

StillSecure’s take on log management is actually what we call Security Event Log Management (SELM) to reflect the fact that we focus on security events only, and not on other areas. We analyze log events and notify our customers and/or take preventive action if we detect attacks in progress, or evidence of an actual compromise.

While we only analyze potential security events, we archive all log data (including system and application health and configuration auditing data) for a minimum of 12 months in case you need the data later for audits, forensics, or other reasons.

How does it work? 

Our Network Security Appliance collects data from the servers, switches, and endpoints we protect. We do this by collecting data from multiple log sources in a protected environment, either by taking raw log information from syslog, or by installing a lightweight agent on the protected hosts.

We send all this log data up to our server farm where it’s split into two separate paths: an archive path for long-term (at least 12 months) storage, and an analysis path. The archive path compresses and securely stores the log data in case it’s needed in the future. The analysis path is where each security-related log event – determined by a complex set of rules developed by our Security Alert Team (SAT) – is assessed and the customer notified if we see potential evidence of system compromise or attacks in progress.

Why do I need it?

Security Event Log Management is yet another layer of security, deployed with the goal of making it ever more difficult for an attacker to breach your network unnoticed and unstopped. SELM actually catches the side-effects of an attack in progress, or of one that’s already occurred, by looking at how the system reacts to the attack in its logs.

The classic example of this is identifying multiple login attempts from a single IP address. In this case, other security measures see nothing wrong: the attacker is connecting to a port that you’ve allowed through your firewall, and is acting according to accepted protocols as far as IDPS and WAF are concerned, so they don’t flag anything. However, an intruder that is allowed to go unchecked and try different passwords over and over may eventually get lucky and gain remote access to your system.

With SELM, our Security Operations Centers will not only identify that the attack is occurring, but they will take steps to block further traffic from the offending IP address, especially if the source IP address has a reputation as an attacker host. Finally, we’ll notify you of the attempted breach, so that you can take any other necessary steps, like auditing your user accounts, changing your firewall configuration, or adding a VPN to prevent the exposure of the attacked service.
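To make the "multiple login attempts from a single IP" case concrete, here is a small added example (not StillSecure code, and not the SAT rule set described above) that runs the same kind of analysis-path logic over a few constructed sshd auth log lines. It keeps a per-source sliding window of failed logins, raises a brute-force alert once a threshold is crossed inside that window, and escalates to a possible-compromise alert if the same source then logs in successfully. The threshold, window, log lines, host names and addresses are all assumptions made up for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import NamedTuple, Optional, List

# Constructed sample auth log lines for illustration; hosts and addresses are made up.
SAMPLE_LOG = """\
Mar  3 10:14:01 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:14:03 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 10:14:05 web01 sshd[2102]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 10:14:06 web01 sshd[2103]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 10:14:08 web01 sshd[2104]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:14:09 web01 sshd[2105]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Mar  3 10:20:00 web01 sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:31:00 web01 sshd[2300]: Failed password for alice from 198.51.100.4 port 40002 ssh2
Mar  3 10:31:30 web01 sshd[2301]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
"""

# Assumed tuning: five failures from one source inside sixty seconds is a burst.
THRESHOLD = 5
WINDOW_SECONDS = 60

# Matches the OpenSSH "Failed/Accepted password" message shapes, including the
# "invalid user" variant that precedes the user name for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Event(NamedTuple):
    when: datetime
    host: str
    outcome: str   # "Failed" or "Accepted"
    user: str
    source_ip: str


class Alert(NamedTuple):
    kind: str        # "brute_force" or "possible_compromise"
    source_ip: str
    when: datetime
    detail: str
    action: str      # the response the post describes: block and/or notify


def parse_line(line: str, year: int) -> Optional[Event]:
    """Parse one syslog line; return None for lines that are not sshd auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Classic syslog timestamps carry no year, so the caller supplies one.
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return Event(ts, m["host"], m["outcome"], m["user"], m["ip"])


def analyze(log_text: str, year: int = 2012,
            threshold: int = THRESHOLD, window: int = WINDOW_SECONDS) -> List[Alert]:
    """Sliding-window brute-force detection per source IP, with escalation on later success."""
    failures = defaultdict(deque)   # source_ip -> timestamps of recent failures
    flagged = {}                    # source_ip -> time the burst was first alerted
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev is None:
            continue
        q = failures[ev.source_ip]
        if ev.outcome == "Failed":
            q.append(ev.when)
            # Drop failures that fell out of the window.
            while q and (ev.when - q[0]).total_seconds() > window:
                q.popleft()
            if len(q) >= threshold and ev.source_ip not in flagged:
                flagged[ev.source_ip] = ev.when
                alerts.append(Alert("brute_force", ev.source_ip, ev.when,
                                    f"{len(q)} failed logins within {window}s",
                                    "block source IP and notify customer"))
        elif ev.source_ip in flagged:
            # A success from a source that just burst is evidence of actual compromise.
            alerts.append(Alert("possible_compromise", ev.source_ip, ev.when,
                                f"successful login as {ev.user} after brute-force burst",
                                "notify customer: audit accounts and rotate credentials"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a.when:%H:%M:%S} {a.kind:20} {a.source_ip:15} {a.detail} -> {a.action}")
```

On the constructed input the first source crosses the threshold at its fifth failure and is escalated when the root login succeeds one second later; the second source fails twice eleven minutes apart, which a sixty-second window correctly ignores. Note what the firewall and IDPS cannot see here: every line is well-formed SSH on an allowed port, and only the log-side count tells the two sources apart.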

Another important benefit of SELM is protection against trusted agents like malicious employees. In this case, SELM continuously ships log evidence off the attacked servers to a protected server off-site where the data is analyzed and archived, and where it’s available should the attacker try to later cover their tracks. The data is stored exactly as it’s sent from the server (with the minor exception of reversible lossless compression), so the chain of evidence is preserved. That will give you the ammunition you need to take steps to recover your losses.

Why managed Security Event Log Management?

Like most security solutions, if you don’t monitor them 24×7, don’t keep all your signatures up to date, or you’re not sure how to tune, manage, and analyze their output, you’re not getting meaningful protection. SELM is no different: it’s useful only if you’re also vigilant.

Further, having to set up a remote log storage facility that complies with best practices such as the PCI DSS or SSAE-16 is expensive, and you have to go through an annual audit to maintain compliance. A lot of times, it’s just too costly and too distracting for your business to go through all that hassle.

With StillSecure’s Security Event Log Management, you get expert monitoring and response, full integration with a variety of other security services, preventive action, and 24×7 notifications so you can sleep at night knowing you’re protected. You also benefit from StillSecure’s Security Alert Team and their efforts to continually find new ways to detect attacks visible through logs.

Coming up next … 

In my next post, I’ll talk about how File Integrity Monitoring fits with the SELM picture to provide even more protection and expose even more side-effects of an attack that, again, may not be detectable by IDPS or WAF.
