Halkyn Security Blog
Specialist Security & Risk Management Consultants

Security logs can save your systems and data

It goes without saying that security logs are not the most interesting of topics. They are often viewed as a necessary evil, and in some instances they are even minimised to prevent storage or bandwidth issues.

Security logs aren't interesting but they are very important.

Both of these approaches are wrong.

Boring or not, security logs are one of, if not the, most fundamental aspects of your IT security controls. Without good security logs you don’t even know if your system has been breached, let alone what you need to do about it.

Logging is so fundamental to security that most of the time, you have to make a conscious effort to turn it off. For most people, the hard part is actually just deciding on how much they want to store.

Unfortunately, even if you are sensible enough to have good logging turned on, there is one extra little step you need to take. Monitor the logs.

In January 2014, the US luxury department store Neiman Marcus announced it had been subjected to a major security breach (as reported by Krebs on Security) which may have compromised significant numbers of customer credit cards, charge cards and store cards. Some reports have stated that of the breached cards, over 9000 have been used fraudulently since the attack and this has fuelled significant debate over how it could have been prevented.

Based on a report published in February 2014, it seems the answer is actually – security logs. Bloomberg’s BusinessWeek reported an excerpt from the post-incident forensic investigation stating:

The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report.

So far, this is good news. Security logs capturing unexpected behaviour is a good thing and exactly how you would expect a SIEM system to work.

However, things didn’t go as well as they should have:

The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.

This is the first major problem people face with security logs and event monitoring. Too often they are perceived as getting in the way of business and turned off…

In all, the report by Protiviti mentions 59,746 security alerts that were ignored or suppressed for one reason or another.

We are not saying that security logs alone would have defeated the attack here. However, if someone at Neiman Marcus had been alerted to the malicious activity, they could have done something. Instead, thanks to suppressed or ignored logs, the attack went through.

Security logs – what should you do?

Good security logs and good log management are critical for security. Top tips for implementing this are:

  • Collect as many logs as possible. Hard disk space is cheap. Turn on all logging and store the logs as long as your business can justify. This really can’t be overstated. Collect logs. If you have security logs you can be alerted to incidents and you can investigate. If you didn’t collect the logs you can never create them. Whatever you do, make sure you collect logs.
  • Correlate the logs. You can do this with software or by “hand”. Correlation means having a way to know how one log entry relates to another.
  • Set up alerting. No human being will ever pay proper attention to log files themselves. Even if you find one who does, software will be faster, cheaper and work 24/7.
  • Fine tune your alerting. All logging creates false positives and false negatives. Tune the alerting until you get the right balance. Only you will know how important false positives are, so we can’t tell you how to tune. We can tell you that you should tune. If you don’t, your logs will swamp you. Just don’t tune too much, otherwise you miss important things.
  • Respond to your alerts. This is why tuning matters. Once you have tuned your system, alerts are important. If development or business processes generate alerts, fix the problem, don’t suppress the alert. If you find yourself ignoring alerts, you’ve got something wrong.

Logging really is important. Security logs tell you what is happening on your network and support incident response. If you don’t log, you are blind. If you don’t enable logging before you get hacked it is too late for you.

Just as important, and as Neiman Marcus has shown, is actually paying attention to the alerts your security logs generate.

Security is important to every business, not just technology or government workers. Retail organisations are increasingly targeted by hackers and criminals and security threats are evolving. It is no longer possible to assume that because you work in an unregulated environment, security doesn’t matter. Security does matter, so make sure you do it properly.
