Ten Reasons Log Data is Not Enough: #1. Logging can be turned off
September 3, 2009
Welcome to the latest series here on eIQviews. Over the next 10 days, we’ll discuss a number of reasons that log data is not enough. And no, Bunny (from the movie) will not be making a guest appearance. Sorry to disappoint you, folks.
The first of the reasons that log data is not enough is so simple, sometimes you kind of forget about it. Actually, given the amount of time we spend harping on it, I’d hope you don’t forget, but let’s go through it anyway. Log management systems are driven by log data. Security information and event management (SIEM) systems are driven by log data as well. Yes, I know, that’s quite an insight. But one of the first things that even the least savvy attacker is going to do upon compromising a device is to (you ready?) turn logging off.
I know, it can’t be that simple. But in many cases it is. The attacker turns off the logging, does their evil deeds, turns logging back on, and the log management and/or SIEM system doesn’t know the difference. Sure, you can set most log management systems to alert if you don’t get logs from a device for a certain amount of time. How long do you think it takes the bad guys to make changes and install malware on a device? Right, not that long.
So unless that silence alert uses a very short window (think minutes, not hours), you are going to miss the attacker who shuts down logging. And a short window cuts the other way: the alert fires on the absence of data, so a host that is simply quiet, a maintenance window, or a dropped connection between the device and the collector all trip it too, which means a lot of noise and false positives. Either way, your fancy log management system, which is supposed to make you compliant, isn’t much help against an attacker who controls the source of the logs.
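To make that trade-off concrete, here is an added example of the silence check described above. It is not eIQ or SecureVue code; the syslog-style line format (ISO timestamp, hostname, message) and the sample lines are constructed for illustration. One host goes dark for fifteen minutes, the kind of window an attacker gets by switching logging off and back on, while another merely has a quiet six-minute stretch.

```python
"""Detect per-host silence in a stream of syslog-style log lines.

Added example, not code from eIQ or SecureVue. The line format
(ISO timestamp, hostname, message) is an assumption, and the lines
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. web01 is silent from 10:10 to 10:25 (15 minutes):
# logging disabled, work done, logging re-enabled. db01 is merely quiet
# from 10:03 to 10:09 (6 minutes), which a tight threshold will also flag.
SAMPLE_LOGS = """\
2009-09-03T10:00:00 web01 sshd[1201]: Accepted publickey for ops from 10.0.0.5
2009-09-03T10:02:00 web01 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
2009-09-03T10:04:00 web01 httpd[1402]: GET /index.html 200
2009-09-03T10:06:00 web01 httpd[1402]: GET /about.html 200
2009-09-03T10:08:00 web01 httpd[1402]: GET /login 200
2009-09-03T10:10:00 web01 httpd[1402]: GET /index.html 200
2009-09-03T10:25:00 web01 httpd[1402]: GET /index.html 200
2009-09-03T10:27:00 web01 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
2009-09-03T10:00:00 db01 mysqld[900]: ready for connections
2009-09-03T10:03:00 db01 mysqld[900]: slow query logged
2009-09-03T10:09:00 db01 cron[950]: (root) CMD (backup.sh)
2009-09-03T10:12:00 db01 mysqld[900]: slow query logged
"""


def parse(text):
    """Return a list of (timestamp, host, message) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, host, message = line.split(" ", 2)
        events.append((datetime.fromisoformat(stamp), host, message))
    return events


def find_gaps(events, threshold_minutes, now=None):
    """Return [(host, silence_start, silence_end), ...] as ISO strings for
    every stretch longer than threshold_minutes with no event from that host.

    If `now` (an ISO timestamp) is given, a host whose last event is older
    than the threshold is reported as silent from that event until `now`,
    which catches the attacker who never turned logging back on.
    Results are ordered by the start of the silence, then by host.
    """
    threshold = timedelta(minutes=threshold_minutes)
    now_stamp = datetime.fromisoformat(now) if now else None
    by_host = defaultdict(list)
    for stamp, host, _ in events:
        by_host[host].append(stamp)

    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > threshold:
                gaps.append((host, earlier.isoformat(), later.isoformat()))
        if now_stamp is not None and now_stamp - stamps[-1] > threshold:
            gaps.append((host, stamps[-1].isoformat(), now_stamp.isoformat()))
    return sorted(gaps, key=lambda g: (g[1], g[0]))


if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    for minutes in (60, 10, 5):
        gaps = find_gaps(events, minutes)
        print(f"threshold {minutes:>2} min: {len(gaps)} gap(s)")
        for host, start, end in gaps:
            print(f"  {host} silent {start[11:16]} -> {end[11:16]}")
```

Run as is, the 60-minute threshold reports nothing and the attacker's window on web01 is missed; 10 minutes catches it; 5 minutes catches it and also flags db01's harmless quiet spell, which is the noise the post warns about. Passing `now` adds the open-ended case, a host that went silent and stayed that way, which a pure gap-between-events check would never see.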
Then again, we all acknowledge that compliance does not equal security. And neither does log management. Thus, the first reason that log data is not enough.

September 10, 2009 at 2:55 PM
[...] repeatedly mentioned, log management systems are driven by log data. And as we showed in Reason #1, logging can be (and usually is) turned off – by savvy attackers [...]
October 13, 2009 at 8:50 AM
[...] kind of low and slow attack. Well, we’ve already discussed how to deal with the reality that logging will be turned off by the attackers. Another method we use at eIQ is to extend the correlation window. That’s right, SecureVue [...]