Security, Log Management & Burying Stumps
Recently I've been planning and executing a project to fix some of the landscaping around my house (as a side note, try not to plan this to happen in the middle of July when it's 90 degrees). In talking with people who have experience with landscaping projects we seem to always hit the topic of digging up and burying stumps, and whether this is a good idea or a bad idea. For the short term, it seems like a good idea. The stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road, the stumps begin to rot and you are left with sinkholes in your yard.
I can't help but think that many organizations are treating security problems like an old stump. You know they are there, plenty of options exist to get rid of them, and you choose the cheapest and quickest solution to deal with them. However, down the road this comes back to haunt you, and sinkholes start appearing in your IT infrastructure, people fall in them, water begins to pool, and eventually your entire security model collapses.
I couldn't resist the obvious analogy and use this as an opportunity to relate to log management. Your security strategy should, preferably in some "prolific" way, revolve around the logs generated by all the devices connected to your network. The devices on your network are either passing around or storing the information vital to your organization, or providing services that keep your business going. Logs will give you regular tidbits of information about how these devices are doing. The information contained in your logs can not only tell you if someone is burying stumps, but who is burying them and where they are putting them.
Recent breaches have certainly shown that organizations have "buried some stumps". Using your logs, you can uncover useful information and avoid many pitfalls. Logs, along with SecurityCenter 4's dashboard feature, help you answer questions such as:
Several recent breaches relied upon brute forcing usernames and passwords. This type of behavior can be spotted by viewing the logins in the above graph.
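The brute-force pattern described above can be pulled straight out of authentication logs without a dashboard. The following added example (not code from the original post or from SecurityCenter) parses constructed sshd-style log lines, counts failed logins per source address inside a sliding one-minute window, and reports whether a successful login followed the burst, which is the case worth escalating. The log lines, host names, addresses and the assumed year are all made up for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (not real data).
SAMPLE_LOG = """\
Jul 14 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Jul 14 10:00:02 web1 sshd[2202]: Failed password for invalid user test from 198.51.100.7 port 51001 ssh2
Jul 14 10:00:03 web1 sshd[2203]: Failed password for root from 198.51.100.7 port 51002 ssh2
Jul 14 10:00:04 web1 sshd[2204]: Failed password for invalid user oracle from 198.51.100.7 port 51003 ssh2
Jul 14 10:00:05 web1 sshd[2205]: Failed password for invalid user guest from 198.51.100.7 port 51004 ssh2
Jul 14 10:00:06 web1 sshd[2206]: Accepted password for deploy from 198.51.100.7 port 51005 ssh2
Jul 14 10:03:10 web1 sshd[2210]: Failed password for alice from 192.0.2.15 port 40000 ssh2
Jul 14 10:15:10 web1 sshd[2211]: Failed password for alice from 192.0.2.15 port 40001 ssh2
Jul 14 10:15:20 web1 sshd[2212]: Accepted password for alice from 192.0.2.15 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text, year=2011):
    """Yield (timestamp, result, user, ip) for recognised sshd lines; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (an assumption here).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with at least `threshold` failed logins inside any `window`.

    Returns {ip: {"failures": total_failed, "distinct_users": n, "success_after": bool}}.
    """
    failures = defaultdict(list)   # ip -> failure timestamps
    users = defaultdict(set)       # ip -> user names tried
    successes = defaultdict(list)  # ip -> successful login timestamps
    for ts, result, user, ip in parse_events(text):
        if result == "Failed":
            failures[ip].append(ts)
            users[ip].add(user)
        else:
            successes[ip].append(ts)

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                flagged[ip] = {
                    "failures": len(times),
                    "distinct_users": len(users[ip]),
                    # A success after the burst is the combination to escalate on.
                    "success_after": any(s > burst_end for s in successes[ip]),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

On the sample data only 198.51.100.7 is flagged: five failures against five different user names in five seconds, followed by an accepted login. The two failures from 192.0.2.15 are twelve minutes apart and stay below the threshold, which is the kind of ordinary typo the window is meant to ignore.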
This dashboard displays inbound and outbound SQL traffic observed by the Passive Vulnerability Scanner.
SQL injection is still commonly exploited to harvest sensitive information, such as usernames and password hashes from organizations. The above dashboard will show when an anomaly such as this is detected.
Seeking Out The Stumps
I hear a lot of organizations saying, "There are no big ugly problems on my network!" The question then becomes, how can you be so sure? Problems in your network are not always so apparent.
A good measure for "network ugliness" is to track the application of Microsoft patches across all of your systems:
The above graph depicts Microsoft patches applied across all monitored systems by year, giving you some historical insight into how well your organization is doing at applying Microsoft patches.
Hosts participating in a botnet have been infected by some kind of malware, which could just be lying dormant in your network or participating in launching a DDoS attack. In either case you need to seek out these hosts and perform incident response.
Organizations have similar problems keeping up with the security of the devices on the network. Problem areas can hide, and implementing solutions "just for now" only exacerbates the problem. Monitoring your logs and network traffic can provide insight into your network and help find the "buried stumps".