The attention focused on data security, together with the continuous push toward cloud computing, data analytics, and artificial intelligence (AI), underscores the advantages that data aggregation and analysis bring to businesses. One niche that benefits from these tools is the real-time processing of large volumes of security logs to detect and track down security problems. Business intelligence tools that provide these capabilities are more accessible now than ever before, and more organizations are making them a regular part of their data security toolkit to filter, parse, and visualize data so that trends and anomalies stand out. The proliferation of the Internet of Things (IoT) means there are more devices than ever to track and manage, which makes it harder to keep tabs on every device and to know when it is functioning correctly or has been compromised. If you do not already do so, consider using some of these tools and techniques and making centralized logging of security events part of your organization's overall security control program, so that attackers do not go unnoticed.
Event logging is an important function of any device or application. Devices log events to record specific activities such as:
Often you can customize which events a device will log. It is essential to understand the tradeoffs when choosing how much data to log: too much overwhelms your network or the log server, too little leaves you without the data you need on which to base decisions.
Event logging is a critical security control. A single attack may trigger multiple events on different devices, and security incident responders must often query the events from several of them to piece together the attacker's path. For example, reconnaissance that probes network ports may trigger a "port scan" event on a firewall. An attacker who then attempts to escalate privileges on a system will usually leave the resulting super-user activity in that system's logs. The time and origin of an attacker who used stolen credentials to log into a system can be found as login events in the authentication service's logs. Firewalls, intrusion detection systems, application servers, and other gateway devices may also record critical information that aids defenders. Suffice it to say, security investigations go much faster when all of these events from multiple devices are already in one location.
These events serve as important clues in a security investigation, and savvy attackers know this. They may tailor their activity to "fly below the radar" and avoid triggering unwanted events. In some cases, attackers will attempt to clear the logs on a compromised device to cover their tracks. This action often creates its own event that you can look for and alert on: on Windows, for example, clearing the Security log produces Security event 1102 ("The audit log was cleared"), and clearing one of the other logs produces System event 104. Of course, clearing the events on a device does not erase the copies that have already been forwarded to a centralized logging server, which is one of the most important reasons why centralizing your logs is so crucial for incident response and investigations. It also means the log server itself becomes a high-value target, so restrict who can log in to it and who can delete from it.
Setting up centralized logging does not need to be complicated. You can set up a basic system in a few hours, depending on the number of devices you enroll. A simple base system might consist of a Linux syslog server configured to receive events forwarded from other syslog-enabled devices. This covers a surprising amount of ground, because many embedded and IoT devices run firmware, a bare-bones Linux, or a Linux-like operating system that has syslog forwarding of its events built in.
Generally, syslog services rely on configuration files that instruct them how to parse incoming messages (events) and where to write them, usually to simple text files or, in some cases, directly to a database. Syslogd was one of the original syslog services for processing syslog messages. Over the years, enhanced syslog services such as syslog-ng and rsyslog have been developed that provide more flexibility to route and parse incoming messages based on their attributes (the sending host, facility, severity, program name, or message content), for example writing each host's events to its own file. When you configure reception, prefer TCP with TLS over the traditional UDP port 514: UDP delivers messages unreliably and in the clear, so events can be lost or read in transit.
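The investigation described above (port scan, stolen credentials, privilege escalation, cleared logs) and the parsing a syslog server performs on forwarded messages can be shown together. The following Python script is an added example, not code from the original article: it parses RFC 3164 ("BSD syslog") lines as a central rsyslog or syslog-ng server would have stored them, tags each with a small rule set, and then pivots from a suspicious source IP to the accounts it logged in as and what those accounts did afterwards on the hosts they reached, including the "log cleared" events the text warns about. Every hostname, address, user name, and log line is constructed for the example; the network reception itself is left to the syslog server.

```python
"""Parse forwarded syslog lines from several devices and correlate them into one
attacker timeline.  Added example; the log lines below are constructed, not real."""
import re
from datetime import datetime

# Constructed sample: what a central syslog server might have written after receiving
# RFC 3164 messages ("MMM dd HH:MM:SS host tag[pid]: message") from a firewall, two
# Linux hosts and a Windows domain controller (via a syslog agent).  Hosts, IPs and
# users are made up; the Windows 1102 text mirrors the real event's wording.
SAMPLE_LOG = """\
Mar  3 02:14:07 fw01 pf: port scan detected from 203.0.113.45 to 192.0.2.10 (22 ports in 5s)
Mar  3 02:16:21 web01 sshd[2311]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:16:25 web01 sshd[2311]: Failed password for root from 203.0.113.45 port 51022 ssh2
Mar  3 02:17:02 web01 sshd[2340]: Accepted password for deploy from 203.0.113.45 port 51030 ssh2
Mar  3 02:18:40 web01 sudo:   deploy : TTY=pts/1 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar  3 02:19:05 web01 sudo:   deploy : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log
Mar  3 02:20:11 dc01 Microsoft-Windows-Eventlog: 1102 The audit log was cleared. Subject: CORP\\deploy
Mar  3 02:21:00 web02 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Header of an RFC 3164 line: timestamp, host, program tag with optional [pid], message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

# Message-level rules: event kind -> pattern whose named groups give the fields we pivot on.
RULES = [
    ("port_scan", re.compile(r"port scan detected from (?P<src>\d+\.\d+\.\d+\.\d+)")),
    ("auth_failure", re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")),
    ("auth_success", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)")),
    ("priv_escalation", re.compile(r"^(?P<user>\S+) : .*USER=root ; COMMAND=(?P<cmd>.*)$")),
    ("log_cleared", re.compile(r"1102 The audit log was cleared|COMMAND=/bin/rm .*/var/log/")),
]


def parse_syslog(text, year):
    """Turn raw syslog lines into records.  RFC 3164 timestamps carry no year, so the
    caller supplies it (one of that format's well-known weaknesses)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production collector would count or quarantine unparsable lines
        msg = m["msg"].strip()
        kinds, fields = [], {}
        for kind, rx in RULES:
            hit = rx.search(msg)
            if hit:
                kinds.append(kind)
                fields.update({k: v for k, v in hit.groupdict().items() if v})
        records.append({
            "time": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "host": m["host"], "tag": m["tag"], "msg": msg,
            "kinds": kinds, "fields": fields,
        })
    return records


def build_timeline(records, src_ip):
    """Pivot from a source IP to the accounts it logged in as, then to what those accounts
    did on the hosts they reached, across every device's log.  Returns events in time order."""
    users, hosts = set(), set()
    for r in records:
        if r["fields"].get("src") == src_ip and "auth_success" in r["kinds"]:
            users.add(r["fields"]["user"])
            hosts.add(r["host"])
    timeline = []
    for r in records:
        f = r["fields"]
        related = (
            f.get("src") == src_ip                                   # direct hits on the IP
            or (r["host"] in hosts and f.get("user") in users)       # what the stolen account did
            or ("log_cleared" in r["kinds"] and any(u in r["msg"] for u in users))
        )
        if related and r["kinds"]:
            timeline.append(r)
    return sorted(timeline, key=lambda r: r["time"])


def log_clearing_events(records):
    """Every 'logs were cleared' indicator, regardless of which host it came from."""
    return [(r["host"], r["msg"]) for r in records if "log_cleared" in r["kinds"]]


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_LOG, 2024)
    for r in build_timeline(recs, "203.0.113.45"):
        print(f"{r['time']:%H:%M:%S} {r['host']:<6} {','.join(r['kinds']):<28} {r['msg']}")
    print("log clearing seen on:", [h for h, _ in log_clearing_events(recs)])
```

Running it prints a seven-line timeline: the firewall's port-scan event, two failed and one successful SSH login for the same address, the sudo shell, the sudo command that deleted /var/log/auth.log, and the domain controller's 1102 event attributed to the same account. The cron entry on web02 never enters the timeline because no rule relates it to the pivot. The point of the pivot is that the sudo and Windows events carry no source IP at all; only the successful-login record ties them to the scanner, and only a central copy survives the rm on web01.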
If you need capabilities beyond a simple centralized logging server, consider a Security Information and Event Management (SIEM) platform or an advanced log analytics platform that extends centralized logging with search, analytics, correlation, visualization, and reporting. One example is the popular Elastic Stack, which includes Elasticsearch, Logstash, and Kibana. Some platforms publish their own preconfigured Docker container images, which makes it easy to evaluate them in a test environment.
Here are a few other tips to keep in mind when setting up your centralized logging service.
Setting up centralized logging is an important piece of your security program and will provide critical information when you need it most. Even small environments that use a basic log server to collect the events from their hosts and IoT devices will benefit from the visibility such a service provides.
Jeff Fellinge has over 25 years’ experience in a variety of disciplines ranging from Mechanical Engineering to Information Security. Jeff led information security programs for a large cloud provider to reduce risk and improve security control effectiveness at some of the world’s largest datacenters. He enjoys researching and evaluating technologies that improve business and infrastructure security and also owns and operates a small metal fabrication workshop.