Security, Log Management & Burying Stumps

Burying Stumps

Recently I've been planning and executing some repairs to the landscaping around my house (as a side note, try not to schedule this for the middle of July when it's 90 degrees). In talking with people who have experience with landscaping projects, the conversation always seems to turn to digging up and burying stumps, and whether that is a good idea or a bad one. In the short term it looks like a good idea: the stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road the stumps begin to rot, and you are left with sinkholes in your yard.


I can't help but think that many organizations treat security problems like an old stump. You know they are there, plenty of options exist to get rid of them, and you choose the cheapest and quickest way to deal with them. Down the road this comes back to haunt you: sinkholes start appearing in your IT infrastructure, people fall in them, water begins to pool, and eventually your entire security model collapses.

"Log Management"

I couldn't resist the obvious analogy, so I'll use it as an opportunity to talk about log management. Your security strategy should revolve, and preferably quite heavily, around the logs generated by the devices connected to your network. Those devices are either passing around or storing the information vital to your organization, or providing the services that keep your business going, and their logs give you a steady stream of information about how they are doing. The information in your logs can tell you not only whether someone is burying stumps, but who is burying them and where they are putting them.

Recent breaches have certainly shown that organizations have "buried some stumps". Using your logs, you can uncover useful information and avoid many of those pitfalls. Logs, combined with SecurityCenter 4's dashboard feature, help you answer questions such as:

Who is trying to login to my systems and failing?

(Dashboard image: LoginFailuresByUser)

This dashboard displays login failure events and anomalies for each user.

Several recent breaches relied on brute forcing usernames and passwords. Brute forcing a single account shows up in the graph above as a spike of failures for that user. Keep in mind that a slow password spray, where one source tries a few common passwords against many accounts, produces only one or two failures per user and stays under any per-user threshold; it is easier to see when failures are also grouped by source address.
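To make the two shapes concrete, here is an added example of the detection logic run over a handful of sshd-style auth.log lines. It is not code from the original post or from SecurityCenter/LCE; the log lines are constructed for the example, the year (syslog omits it) and the thresholds are assumptions, and the function names are mine.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of a Linux auth.log (OpenSSH sshd).
# They are made up for this example and are not data from the original post.
SAMPLE_AUTH_LOG = """\
Jul 14 09:00:01 web1 sshd[2001]: Failed password for alice from 10.0.0.5 port 50211 ssh2
Jul 14 09:00:04 web1 sshd[2001]: Accepted password for alice from 10.0.0.5 port 50211 ssh2
Jul 14 09:02:10 web1 sshd[2087]: Failed password for bob from 203.0.113.9 port 41002 ssh2
Jul 14 09:02:11 web1 sshd[2088]: Failed password for bob from 203.0.113.9 port 41003 ssh2
Jul 14 09:02:12 web1 sshd[2089]: Failed password for bob from 203.0.113.9 port 41004 ssh2
Jul 14 09:02:13 web1 sshd[2090]: Failed password for bob from 203.0.113.9 port 41005 ssh2
Jul 14 09:02:14 web1 sshd[2091]: Failed password for bob from 203.0.113.9 port 41006 ssh2
Jul 14 09:02:15 web1 sshd[2092]: Failed password for bob from 203.0.113.9 port 41007 ssh2
Jul 14 09:10:30 web1 sshd[2301]: Failed password for invalid user admin from 198.51.100.7 port 39001 ssh2
Jul 14 09:10:31 web1 sshd[2302]: Failed password for root from 198.51.100.7 port 39002 ssh2
Jul 14 09:10:32 web1 sshd[2303]: Failed password for invalid user oracle from 198.51.100.7 port 39003 ssh2
Jul 14 09:10:33 web1 sshd[2304]: Failed password for invalid user test from 198.51.100.7 port 39004 ssh2
Jul 14 09:15:00 web1 sshd[2400]: Accepted publickey for carol from 10.0.0.8 port 50300 ssh2
"""

# Syslog timestamps carry no year, so the caller supplies one (assumed 2011 here).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(text, year=2011):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["src"]))
    return events


def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(second=0, microsecond=0,
                      minute=ts.minute - ts.minute % window_minutes)


def find_bruteforce(events, window_minutes=5, burst_threshold=5, spray_threshold=3):
    """Flag two brute-force shapes:
    - burst: one account fails >= burst_threshold times inside one window
      (a password guesser hammering a single user);
    - spray: one source fails against >= spray_threshold distinct accounts
      (a password spray that stays under any per-user threshold)."""
    per_user_window = defaultdict(Counter)   # user -> {window_start: failures}
    users_per_src = defaultdict(set)         # src  -> {accounts it failed against}
    for ts, user, src in events:
        per_user_window[user][window_start(ts, window_minutes)] += 1
        users_per_src[src].add(user)

    bursts = [(user, start.isoformat(), n)
              for user, counts in per_user_window.items()
              for start, n in sorted(counts.items())
              if n >= burst_threshold]
    sprays = [(src, sorted(users))
              for src, users in users_per_src.items()
              if len(users) >= spray_threshold]
    return bursts, sprays


if __name__ == "__main__":
    bursts, sprays = find_bruteforce(parse_failures(SAMPLE_AUTH_LOG))
    for user, start, n in bursts:
        print(f"burst: {n} failures for {user} in window starting {start}")
    for src, users in sprays:
        print(f"spray: {src} failed against {len(users)} accounts: {', '.join(users)}")
```

On the sample data the per-user count catches bob's six failures in one window, while the four single failures from 198.51.100.7 are invisible per user and are only caught by the per-source grouping. The thresholds are deliberately low for the example; in production they should be set from the normal failure rate observed in your own logs.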

Are people abusing databases?

(Dashboard image: Boundary-sql-traffic)

This dashboard displays inbound and outbound SQL traffic observed by the Passive Vulnerability Scanner.

SQL injection is still commonly exploited to harvest sensitive information, such as usernames and password hashes, from organizations. The dashboard above shows when an anomaly in SQL traffic is detected. Note that an injection attack itself arrives inside ordinary web requests; what this dashboard catches is database protocol traffic crossing the network boundary, which is rarely legitimate and usually means a database has been exposed directly or is being used to pull data out.

Are people running programs on my systems?

(Dashboard image: LCE-Process-events)

This dashboard displays program execution trends, shows when new programs are found or known programs are invoked in new ways, and indicates any anomalies.
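The "new program" and "invoked in new ways" checks are simple to express as a first-seen comparison against a baseline. The following is an added example of that logic, not code from the original post or from LCE: the record shape (host, user, program, command line), the baseline and "today" events, and the function names are all constructed for the example.

```python
import shlex
from collections import defaultdict

# Constructed process-execution records as (host, user, program, command line).
# Both the record shape and the events are made up for this example; they are
# not LCE's own event format or data from the original post.
BASELINE_WEEK = [
    ("web1", "www-data", "/usr/sbin/apache2", "apache2 -k start"),
    ("web1", "root", "/usr/bin/rsync", "rsync -a /var/www backup.internal:/www"),
    ("web1", "root", "/bin/tar", "tar czf /tmp/www.tgz /var/www"),
    ("db1", "postgres", "/usr/bin/pg_dump", "pg_dump -U postgres appdb"),
]

TODAY = [
    ("web1", "www-data", "/usr/sbin/apache2", "apache2 -k start"),
    ("web1", "www-data", "/bin/sh", "sh -c id"),
    ("web1", "root", "/usr/bin/rsync", "rsync -a --delete /var/www 203.0.113.9:/loot"),
    ("db1", "www-data", "/usr/bin/pg_dump", "pg_dump -U postgres appdb"),
    ("db1", "postgres", "/usr/bin/pg_dump", "pg_dump -U postgres appdb"),
]


def arg_shape(cmdline):
    """Reduce a command line to its flag pattern: argv[0] and options are kept,
    every other argument becomes ARG, so a changed path or host is not "new"
    but an added option (for example --delete) is."""
    tokens = shlex.split(cmdline)
    return " ".join(t if i == 0 or t.startswith("-") else "ARG"
                    for i, t in enumerate(tokens))


def build_baseline(records):
    """Learn, per host, which programs run, who runs them and how."""
    base = {"programs": defaultdict(set),   # host -> {exe}
            "users": defaultdict(set),      # (host, exe) -> {user}
            "shapes": defaultdict(set)}     # (host, exe) -> {arg_shape}
    for host, user, exe, cmdline in records:
        base["programs"][host].add(exe)
        base["users"][(host, exe)].add(user)
        base["shapes"][(host, exe)].add(arg_shape(cmdline))
    return base


def find_new_executions(base, records):
    """Return (host, kind, detail) for executions the baseline has not seen.
    A brand-new program is reported once; for known programs the checks are
    a new user (e.g. the web server account running a database tool) and a
    new argument shape (a familiar program invoked in an unfamiliar way)."""
    findings = []
    for host, user, exe, cmdline in records:
        if exe not in base["programs"][host]:
            findings.append((host, "new_program", f"{exe} run by {user}: {cmdline}"))
            continue
        if user not in base["users"][(host, exe)]:
            findings.append((host, "new_user", f"{user} ran {exe}"))
        shape = arg_shape(cmdline)
        if shape not in base["shapes"][(host, exe)]:
            findings.append((host, "new_invocation", f"{exe}: {shape}"))
    return findings


if __name__ == "__main__":
    for host, kind, detail in find_new_executions(build_baseline(BASELINE_WEEK), TODAY):
        print(f"{host}: {kind}: {detail}")
```

Run against the constructed data it reports a shell spawned by the web server account on web1, rsync on web1 gaining a --delete option and a new destination, and the web server account running pg_dump on db1. The baseline must come from a period you have reason to believe was clean; a baseline learned while an attacker is already present will quietly include their tools as "known".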

Seeking Out The Stumps

I hear a lot of organizations say, "There are no big ugly problems on my network!" The question then becomes: how can you be so sure? Problems in your network are not always apparent.

A good measure for "network ugliness" is to track the application of Microsoft patches across all of your systems:

(Dashboard image: MSTrend)

This dashboard trends missing Microsoft patches in a variety of tables and trend lines.

The graph above depicts Microsoft patches applied across all monitored systems, by year, giving you historical insight into how well your organization is keeping up with Microsoft patches.

Another good question to answer is, "Are the hosts on my network participating in a botnet?":

(Dashboard image: BotnetByAsset)

This dashboard displays assets on your network that are participating in a known botnet.

Hosts participating in a botnet have been infected with malware, which may be lying dormant on your network or taking part in a DDoS attack. Dormant does not mean harmless: a host that checks in with a command-and-control server is under someone else's control. In either case you need to find these hosts and perform incident response.

Conclusion

Organizations have similar problems keeping up with the security of the devices on their networks. Problem areas can hide, and implementing solutions "just for now" only exacerbates the problem. Monitoring your logs and network traffic gives you insight into your network and helps you find the "buried stumps".