eIQviews

As we continue down our analysis of why log data is not enough, the next issue we discover is installed software. Most malware (at least persistent malware) will do some kind of installation of the malicious code to steal data, which could be sniffing network traffic or key strokes or account numbers. The list goes on and on. Many log management or security information and event management (SIEM) products will look at logs to figure out if some software was installed.

So that should solve the problem, right? The host log says software was installed and then you’ll know malware has been installed, act decisively and be the hero. Well, not so much. Do you know how many times a day a typical enterprise installs software on it’s managed devices. Hundreds? Thousands? More? It’s very likely too much for human analysis to figure out. What about those fancy correlation engines that will look for bad software? Hmm. For that to work, it needs to have a list of “good” software – which is always changing. I hope you are good with coding and regular expressions, because you’ll need to build a number of custom rules to make that work in a SIEM product.

The key is to be able to ENFORCE POLICY. As we discussed in Reason #3 about configuration data, the key to reacting faster to emerging threats is to detect something different, anomalous, and not normal. By establishing a set of policies for what software is allowed and then detecting when a device violates that policy, you can reduce the noise of watching every software install.

All of the anti-virus companies are talking about their shiny new, white-listing widget, and justifiably so. Taking a positive security approach (only allowing authorized software to run on managed devices) will definitely reduce the likelihood of infection. So this idea of monitoring for new software installs is sort of a poor-man’s white-listing.

Which is really the point of this entire series. There are many defensive techniques that are required to keep pace with today’s attackers. Just relying on a log management toaster or a SIEM “in a box” is not going to get the results you are looking for. Aggregating, parsing and even correlating on log data is just not enough.