It goes without saying that security logs are not the most interesting of topics. They are often viewed as a necessary evil, and in some instances they are even minimised to prevent storage or bandwidth issues.
Both of these approaches are wrong.
Boring or not, security logs are one of, if not the, most fundamental aspects of your IT security controls. Without good security logs you don’t even know if your system has been breached, let alone what you need to do about it.
Logging is so fundamental to security that most of the time, you have to make a conscious effort to turn it off. For most people, the hard part is actually just deciding on how much they want to store.
Unfortunately, even if you are sensible enough to have good logging turned on, there is one extra little step you need to take. Monitor the logs.
In January 2014, the US luxury department store Neiman Marcus announced it had been subjected to a major security breach (as reported by Krebs on Security) which may have compromised significant numbers of customer credit cards, charge cards and store cards. Some reports have stated that of the breached cards, over 9000 have been used fraudulently since the attack and this has fuelled significant debate over how it could have been prevented.
Based on a report published in February 2014, it seems the answer is actually – security logs. Bloomberg’s BusinessWeek reported an excerpt from the post-incident forensic investigation stating:
The company’s centralized security system, which logged activity on its network, flagged the anomalous behavior of a malicious software program—although it didn’t recognize the code itself as malicious, or expunge it, according to the report.
So far, this is good news. Security logs capturing unexpected behaviour is a good thing and exactly how you would expect a SIEM system to work.
However, things didn’t go as well as they should have:
The system’s ability to automatically block the suspicious activity it flagged was turned off because it would have hampered maintenance, such as patching security holes, the investigators noted.
This is the first major problem people face with security logs and event monitoring. Too often they are perceived as getting in the way of business and turned off…
In all, the report by Protiviti mentions 59,746 security alerts that were ignored or suppressed for one reason or another.
We are not saying that security logs alone would have defeated the attack here. However, if someone at Neiman Marcus had been alerted to the malicious activity, they could have done something. Instead, thanks to suppressed or ignored logs, the attack went through.
Security logs – what should you do?
Good security logs and good log management are critical for security. Top tips for implementing this are:
- Collect as many logs as possible. Hard disk space is cheap. Turn on all logging and store the logs as long as your business can justify. This really can’t be overstated. Collect logs. If you have security logs you can be alerted to incidents and you can investigate. If you didn’t collect the logs at the time, you can never recreate them afterwards. Whatever you do, make sure you collect logs.
- Correlate the logs. You can do this with software or by “hand”. Correlation means having a way to know how one log entry relates to another.
- Set up alerting. No human being will ever pay proper attention to log files themselves. Even if you find one who does, software will be faster, cheaper and work 24/7.
- Fine tune your alerting. All logging creates false positives and false negatives. Tune the alerting until you get the right balance. Only you will know how important false positives are, so we can’t tell you how to tune. We can tell you that you should tune. If you don’t, your logs will swamp you. Just don’t tune too much, otherwise you miss important things.
- Respond to your alerts. This is why tuning matters. Once you have tuned your system, alerts are important. If development or business processes generate alerts, fix the problem, don’t suppress the alert. If you find yourself ignoring alerts, you’ve got something wrong.
Logging really is important. Security logs tell you what is happening on your network and support incident response. If you don’t log, you are blind. If you don’t enable logging before you get hacked it is too late for you.
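To make the correlate, alert and tune steps above concrete, here is a small added example (not from the original post) in Python: it correlates a few constructed audit lines, raises alerts, and applies a narrowly scoped maintenance exception instead of switching the rule off. The log format, host names, account names and the patch window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data): simple key=value audit lines.
SAMPLE_LOGS = """\
2014-01-10T02:00:01 host=web01 event=login_failed user=admin src=203.0.113.9
2014-01-10T02:00:03 host=web01 event=login_failed user=admin src=203.0.113.9
2014-01-10T02:00:05 host=web01 event=login_failed user=admin src=203.0.113.9
2014-01-10T02:00:09 host=web01 event=login_ok user=admin src=203.0.113.9
2014-01-10T02:00:40 host=web01 event=new_service user=admin src=203.0.113.9
2014-01-10T03:00:00 host=db02 event=login_ok user=svc_patch src=10.0.0.5
2014-01-10T03:00:10 host=db02 event=new_service user=svc_patch src=10.0.0.5
2014-01-10T09:00:00 host=db02 event=new_service user=svc_patch src=10.0.0.5
"""
LINE_RE = re.compile(r"(\S+) host=(\S+) event=(\S+) user=(\S+) src=(\S+)")

# Tuning, not suppression: one approved account, on one host, inside one
# agreed patch window (hypothetical values). Everything else still alerts.
MAINTENANCE = {("db02", "svc_patch"): (datetime(2014, 1, 10, 3, 0),
                                       datetime(2014, 1, 10, 4, 0))}

def parse(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, event, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "host": host,
                           "event": event, "user": user, "src": src})
    return events

def correlate(events, window=timedelta(minutes=5), max_fails=3):
    """Relate each new_service to earlier auth events from the same host/src."""
    alerts = []
    history = defaultdict(list)      # (host, src) -> events seen so far
    for e in events:
        key = (e["host"], e["src"])
        if e["event"] == "new_service":
            recent = [h for h in history[key] if e["ts"] - h["ts"] <= window]
            fails = sum(1 for h in recent if h["event"] == "login_failed")
            start, end = MAINTENANCE.get((e["host"], e["user"]), (None, None))
            if fails >= max_fails:       # never tuned out, even in a patch window
                alerts.append(("high", e["host"], "brute force then new service"))
            elif not (start is not None and start <= e["ts"] <= end):
                alerts.append(("medium", e["host"], "unexpected new service"))
        history[key].append(e)
    return alerts
```

Running `correlate(parse(SAMPLE_LOGS))` yields a high alert for web01 and a medium alert for the 09:00 db02 service; only the 03:00 change inside the approved window is tuned out.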
Just as important, and as Neiman Marcus has shown, is actually paying attention to the alerts your security logs generate.
Security is important to every business, not just technology or government workers. Retail organisations are increasingly targeted by hackers and criminals and security threats are evolving. It is no longer possible to assume that because you work in an unregulated environment, security doesn’t matter. Security does matter, so make sure you do it properly.