Are You Playing “Cold Case” with Your Logs?

Cold CaseTwo days ago, I attended an event about “big data” (yeah, another buzz word) and how to use it for security purposes. One of the presented talks was very interesting and almost changed my mind about our best friends (or nightmare)… logs!

When I’m talking about log management with customers, I always insist on the fact to work with “business cases“, for two major reasons. The first one is purely technical: to avoid a constant flood of events and to be able to process correctly the important ones. The second one is more focused on the business: to get a quick return on investment! Log management is often expensive and management will be happy if they get “something to eat” as soon as possible. Business cases can be related to internal requirements or to compliance requirements. PCI-DSS is a good example. Here are some reports that must be produced:

  • IPS reports
  • User accesses on devices
  • Account changes
  • Configuration changes

There is a big side effect with compliance requirements: organizations tend to do the strict minimum to be “compliant“. Still today, some companies see this as a stamp on a paper. Fail! Let’s put the “business” aside and let’s view the log management as a tool to perform incident handling or forensics researches. In this case, it will be more efficient if we would investigate across a broader amount of data. Sometimes investigations occur a long time after the incident. Incident handlers are playing like the Cold Case characters, trying to find who did what, when and where! And evidences could be located at so many places! Let’s take an IP address. We can find them in firewall, IDS or proxy logs but also:

  • In SMTP headers
  • In Excel sheets (low cost IPAM solution but commonly used ;-)
  • In configuration files

To increase the chances to find relevant information, the log management solution must collect and index as much data as possible. It’s the opposite of the compliance requirements. Do I change sides? Not completely but I think that both points of view must be taken into account with their pros & cons.

Post Navigation