A10 2017 – Insufficient Logging and Monitoring

How do you know that your site works as it's supposed to? How do you know if it's down? I was thrilled to realize that most admins say: well, if nobody calls me on the phone, then it's fine. But what if you're in charge of a web hosting platform with thousands of web sites? And let's say one minute of downtime costs a million? You'd better start planning a monitoring solution before it's too late.


Wise people say that there are two kinds of systems: those that are already hacked and those that are going to be hacked. So, your job in cyber security is to make things as difficult for attackers as possible. But even then, anything could happen: zero days, a new hacking technique, an inside job, anything. So, if you have no idea what is going on, you won't be able to plan anything!

One of my clients ran several Windows servers, and the CIO insisted that all log files must remain clean of errors. If you have any experience in system administration, you know that's not possible. Something always happens here and there. But the CIO told every admin to make it happen, and the admins simply filtered the logs to make them look clean for him. Even aggressive penetration testing didn't raise an alert.


Needless to say, it didn't end well for anyone. Logging has to be enabled to collect all kinds of relevant events: logins, failed logins, high-value transactions, general failures and so on.

In fact, the people in charge are usually aware of this and enable logging everywhere they can. But there's a catch: who's going to read all these logs? A single web server can produce thousands of log entries.

Fortunately, it's 2018 and there are all kinds of AI systems to analyze logs. They fall into the SIEM category: security information and event management. These systems have come a long way from simple log collectors to intelligent monitoring solutions. But as with all AI solutions, you can't just let it do the whole job. A SIEM has to be taught what to do.

So, what’s the plan?

First of all, you must develop logging and monitoring plans and determine the requirements for logging and monitoring. The next step is to determine the sources of potential compromise indicators. It might be hard at first, but a decent audit helps with this job.

Once we're done with planning, we have to design and implement the monitoring solution. This is where you decide what software you're going to use to monitor your system. And unfortunately, budget is one of the key factors.
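As an added example (not code from the original post), here is the kind of rule a SIEM has to be "taught": a small Python detector run over a constructed log of the event types listed above (logins, failed logins, high-value transactions). The key=value log format, the thresholds and the addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in an assumed "<timestamp> key=value ..." format.
SAMPLE_LOG = """\
2018-03-01T10:00:01Z event=login_failed user=alice src=203.0.113.5
2018-03-01T10:00:03Z event=login_failed user=alice src=203.0.113.5
2018-03-01T10:00:04Z event=login_failed user=bob src=203.0.113.5
2018-03-01T10:00:06Z event=login_failed user=carol src=203.0.113.5
2018-03-01T10:00:07Z event=login_failed user=dave src=203.0.113.5
2018-03-01T10:00:09Z event=login_ok user=dave src=203.0.113.5
2018-03-01T10:01:30Z event=transfer user=dave amount=25000 src=203.0.113.5
2018-03-01T11:15:00Z event=login_ok user=erin src=198.51.100.7
"""

def parse_line(line):
    # Split "<timestamp> k=v k=v ..." into a dict; None if the timestamp is malformed.
    ts_text, _, rest = line.strip().partition(" ")
    try:
        ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = ts
    return fields

def detect(log_text, fail_threshold=5, window=timedelta(seconds=60), high_value=10000):
    """Rules the SIEM is 'taught': a failed-login burst per source, then follow-on activity."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of failed logins inside the window
    flagged = set()                 # sources that already exceeded the failure threshold
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:              # malformed lines are skipped, not allowed to crash the rule
            continue
        src, kind = ev.get("src"), ev.get("event")
        if kind == "login_failed":
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # sliding window: drop old failures
                q.popleft()
            if len(q) >= fail_threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, ev["ts"]))
        elif kind == "login_ok" and src in flagged:   # a success right after the burst
            alerts.append(("login_after_brute_force", ev["user"], ev["ts"]))
        elif kind == "transfer" and int(ev.get("amount", 0)) >= high_value:
            alerts.append(("high_value_transfer", ev["user"], ev["ts"]))
    return alerts
```

On the sample log this yields three alerts in order: the brute-force burst from 203.0.113.5, dave's successful login from that source, and dave's 25000 transfer; erin's login from an unflagged source raises nothing.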


And remember, errors and warnings are signs that your system is working. It's like a human – if nothing ever hurts, you're probably dead.
