Ten Reasons Log Data is Not Enough: #3. What’s the Configuration, Kenneth?
September 10, 2009
As we resume our series on why Log Data is Not Enough, the third reason underscores the importance of configuration data as part of security analysis. As we’ve repeatedly mentioned, log management systems are driven by log data. And as we showed in Reason #1, logging can be (and usually is) turned off, at least by savvy attackers.
So how do you detect an attack, if you have no log data to analyze? Basically you need other data sources to figure out what’s happening and that is where configuration data comes in. Every device (whether it’s a firewall, switch, Windows Server, Linux Server, desktops, etc.) has a configuration and you can poll that configuration (with proper authorization) to figure out what’s going on.
Note you have to PULL the config data out of the device. It’s not going to just send it to you (as it does with log data), so having this capability in a security management platform is actually a big deal. It’s a totally different way to gather data and is very hard to do in a scalable fashion with the reliability enterprises demand.
Once you have the configuration baseline, you can compare new versions of the config to the baseline at a user-defined interval. If something changes (logging is turned off, a new service is turned on, or a registry change happens, for example), it creates an event in the system that can then be combined with other data types to determine if it’s really an attack.
Remember, systems relying just on log data can’t do this level of analysis. And the vendors that say they can require customers to buy a totally different product with a totally different management interface. Many of these other folks ONLY track network device configuration as well.
So this is another reason that Log Data is Not Enough, and those folks that know they need to go beyond compliance know they need to go beyond log management.
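The baseline-and-compare loop described above, as an added example that is not code from the post or from eIQ. It diffs a freshly pulled configuration snapshot against a stored baseline, turns each change into an event with a severity, and then combines those events with a second data type (hourly security-log volume) so that "auditing was switched off" and "the log feed went quiet" can be judged together rather than in isolation. Every setting, key path and log count is constructed for illustration; the "section/key" layout is an assumption, not any product's schema.

```python
"""Configuration-drift detection with cross-data correlation (added example).
All snapshots, key paths and log counts below are constructed sample data."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Any

# Constructed baseline pulled from a hypothetical Windows server, flattened to
# "section/key" paths so snapshots from any device type diff the same way.
BASELINE = {
    "audit_policy/logon_events": "success,failure",
    "audit_policy/object_access": "failure",
    "eventlog/security/enabled": "1",
    "eventlog/security/max_size_kb": "131072",
    "services/telnet/start": "disabled",
    "services/w3svc/start": "auto",
    "registry/HKLM/Software/Policies/System/EnableLUA": "1",
}

# Constructed "current" poll: auditing switched off, telnet set to auto-start,
# UAC weakened, and a new autorun entry that was not in the baseline.
CURRENT = {
    "audit_policy/logon_events": "none",
    "audit_policy/object_access": "failure",
    "eventlog/security/enabled": "0",
    "eventlog/security/max_size_kb": "131072",
    "services/telnet/start": "auto",
    "services/w3svc/start": "auto",
    "registry/HKLM/Software/Policies/System/EnableLUA": "0",
    "registry/HKLM/Software/Microsoft/Windows/CurrentVersion/Run/updater": "C:\\Temp\\upd.exe",
}

# Constructed security-log line counts per hour for the same host, as the log
# management side sees them. The poll that produced CURRENT ran at 10:00.
LOG_VOLUME_BY_HOUR = {"08:00": 412, "09:00": 398, "10:00": 7, "11:00": 0}
POLL_HOUR = "10:00"

LOGGING_PREFIXES = ("audit_policy/", "eventlog/")


@dataclass(frozen=True)
class ConfigEvent:
    kind: str       # "added", "removed" or "modified"
    key: str
    old: Any
    new: Any
    severity: str   # "high", "medium" or "low"


def severity_for(key: str, kind: str, new: Any) -> str:
    """Rank a change. Anything that weakens auditing or logging is high,
    because a log-only pipeline would never see what happens after it."""
    if key.startswith(LOGGING_PREFIXES):
        return "high"
    if key.startswith("services/") and new == "auto":
        return "high"        # a service newly set to start automatically
    if key.startswith("registry/"):
        return "medium"
    return "low"


def diff_config(baseline: dict, current: dict) -> list[ConfigEvent]:
    """Compare a freshly pulled snapshot to the baseline; one event per change."""
    events = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "modified"
        events.append(ConfigEvent(kind, key, old, new, severity_for(key, kind, new)))
    return events


def logging_went_silent(volume: dict[str, int], since: str) -> bool:
    """True if the most recent hour at or after `since` shows no log lines at all."""
    after = [volume[h] for h in sorted(volume) if h >= since]
    return bool(after) and after[-1] == 0


def assess(events: list[ConfigEvent], volume: dict[str, int], poll_hour: str) -> str:
    """Combine the two data types: a logging-related config change that
    coincides with the log feed stopping is far more suspicious than either
    signal on its own."""
    logging_changes = [e for e in events if e.key.startswith(LOGGING_PREFIXES)]
    if logging_changes and logging_went_silent(volume, poll_hour):
        return "investigate"
    if logging_changes:
        return "review"
    return "drift" if events else "baseline-ok"


if __name__ == "__main__":
    evs = diff_config(BASELINE, CURRENT)
    for e in evs:
        print(f"[{e.severity}] {e.kind:8} {e.key}: {e.old!r} -> {e.new!r}")
    print("assessment:", assess(evs, LOG_VOLUME_BY_HOUR, POLL_HOUR))
```

The point of the `assess` step is the one the post makes: the configuration event on its own says "someone changed the audit policy", and the log volume on its own says "this host went quiet"; only together do they read as "logging was turned off and nothing has been seen since", which is what a log-only system cannot tell you.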
Controlling the browser, if you can
February 5, 2009
Andreas makes a number of good points in his weekly NetworkWorld column about Firefox add-ins. His general point is that software extensibility is good, but it must be controlled lest you introduce significant new risks to your environment. I couldn’t agree more. That’s why a lot of the work we at eIQ do with configuration auditing is such an important part of maintaining a secure environment.
Most security organizations don’t have the pull to really lock down desktops. Sure, they can mandate a standard build, but in most cases users can install the software they want, and sometimes that software becomes a problem. The reality is you can’t avoid these issues, but you need to figure out how to react faster and more appropriately when an issue crops up.
The first step is to know what’s out there. A lot of organizations rely on asset management tools to assemble information on who is using what. You can also figure out what software is out of policy and decide whether to do anything about it. Sometimes the better answer is to look the other way rather than remove unauthorized software. But it’s not OK to not know it’s there.
Just as important as understanding what’s out there, you need to understand what’s changing. That’s why constantly revisiting both the asset base and the device configurations is critical. And doing only one or the other isn’t enough. New software can (and usually does) change configurations, and that can create security exposures.
To bring the point home, it’s probably unreasonable to expect that your users will allow you to totally control what software they are running. But you CAN and SHOULD know what they are running and be able to pinpoint when something changes to evaluate the security risk to your environment. That’s just good security practice.
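The inventory-plus-configuration review the post argues for, as an added example that is not the post's or eIQ's own code. It classifies what is installed against a policy (approved, consciously tolerated, or out of policy), reports what arrived or was upgraded between two inventory pulls, and lists the configuration settings that moved in the same window, since new software is usually what moved them. Product names, versions, policy entries and config keys are all constructed; the policy layout is an assumption.

```python
"""Software inventory against policy, plus configuration change in the same
window (added example). Inventories, policy and config keys are constructed."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed policy. "approved" is the standard build; "tolerated" is software
# the organization knows is unauthorized and has consciously decided to leave
# alone. Anything else is out of policy and needs a decision.
POLICY = {
    "approved": {"firefox", "office", "endpoint-agent"},
    "tolerated": {"7zip"},
}

# Two inventory pulls for one desktop (name -> version). Constructed.
INVENTORY_MONDAY = {
    "firefox": "3.0.5", "office": "2007", "endpoint-agent": "4.1", "7zip": "4.65",
}
INVENTORY_FRIDAY = {
    "firefox": "3.0.6", "office": "2007", "endpoint-agent": "4.1", "7zip": "4.65",
    "firefox-addon/hypothetical-toolbar": "1.2",   # hypothetical add-in
    "remote-desktop-anywhere": "2.0",              # hypothetical product
}

# Configuration snapshots pulled alongside each inventory. Constructed.
CONFIG_MONDAY = {
    "firewall/inbound/3389": "block",
    "browser/extensions/allowed": "signed-only",
}
CONFIG_FRIDAY = {
    "firewall/inbound/3389": "allow",
    "browser/extensions/allowed": "any",
    "services/remote-helper/start": "auto",
}


@dataclass
class InventoryDelta:
    installed: list[str]
    removed: list[str]
    upgraded: list[tuple[str, str, str]]   # (name, old version, new version)


def classify(inventory: dict[str, str], policy: dict[str, set[str]]) -> dict[str, str]:
    """Map each installed item to approved / tolerated / out_of_policy."""
    result = {}
    for name in inventory:
        if name in policy["approved"]:
            result[name] = "approved"
        elif name in policy["tolerated"]:
            result[name] = "tolerated"
        else:
            result[name] = "out_of_policy"
    return result


def inventory_changes(before: dict[str, str], after: dict[str, str]) -> InventoryDelta:
    """What was installed, removed or upgraded between two pulls."""
    installed = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    upgraded = sorted(
        (n, before[n], after[n]) for n in set(before) & set(after) if before[n] != after[n]
    )
    return InventoryDelta(installed, removed, upgraded)


def config_changes(before: dict, after: dict) -> list[tuple[str, object, object]]:
    """Every setting whose value differs, including keys that appeared or vanished."""
    return sorted(
        (k, before.get(k), after.get(k))
        for k in set(before) | set(after)
        if before.get(k) != after.get(k)
    )


def review_window(inv_before, inv_after, cfg_before, cfg_after, policy) -> dict:
    """Combine both views: what is out of policy now, what arrived since the
    last pull, and which settings moved in the same window."""
    delta = inventory_changes(inv_before, inv_after)
    categories = classify(inv_after, policy)
    out_of_policy = sorted(n for n, c in categories.items() if c == "out_of_policy")
    changes = config_changes(cfg_before, cfg_after)
    return {
        "installed": delta.installed,
        "upgraded": delta.upgraded,
        "out_of_policy": out_of_policy,
        "new_and_out_of_policy": sorted(set(delta.installed) & set(out_of_policy)),
        "config_changes": changes,
        "needs_decision": bool(out_of_policy) or bool(changes),
    }


if __name__ == "__main__":
    report = review_window(INVENTORY_MONDAY, INVENTORY_FRIDAY,
                           CONFIG_MONDAY, CONFIG_FRIDAY, POLICY)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running the inventory diff without the configuration diff would show two new programs and a browser upgrade; running the configuration diff alone would show an inbound port opened, extension controls relaxed and a new auto-start service. Only the combined report makes it obvious that the settings moved in the same window as the unauthorized installs, which is where the risk evaluation should start.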
eIQcast Episode 6: All about Configuration
February 4, 2009
This week, John and Mike tackle the concept of configuration and why it’s important to ensure devices are configured correctly, both from a security and an operations standpoint. We also discuss some of the configuration “standards” out there, like Center for Internet Security and some suggestions from the US Federal Government.
Running time: 12:23
Direct Link: http://eiqcast.podOmatic.com/entry/2009-02-04T07_15_13-08_00
Photo: “RCA 40A Ribbon Microphone” originally uploaded by jschneid
