Presentation by Deepen Chapagain, CEO, NepWays, on "Power of Logs: Practices for network security" at "Braindigit 9th National ICT Conference 2013" organized by Information Technology Society, Nepal at Alpha House, Kathmandu, Nepal on 26th January, 2013
1. The Power of Logs
Practices for Network Security
Deepen Chapagain
CEO, Nepways Pvt. Ltd.
Lecturer, DOECE, Pulchowk Campus
2. Contents
Introduction to computer security
General measures taken
Logs
Log management:
Definition
Needs
3. Contents (continued)
What can it do?
How to do it?
Log management: for small and mid-sized companies
Log management for large companies
Something you could try
4. Security
Boils down to the CIA triad
Confidentiality
(Only allowed people should read)
Integrity
(Only allowed people should update)
Availability
(available for authorized people)
6. Firewalls
Write rules to block
Write rules to allow
Example rule: pass in on le0
7. Anti-virus, Anti-XXX
IDS/ IPS
Signature based or Anomaly based
Apply application specific signatures
Identify unexpected events
Expect the unexpected
8. All in all
Perimeter defense with firewall
Defense with anti-virus
Authentication
Analysis with IPS/IDS
POLICIES for security
9. But
Do the right people always act right?
WikiLeaks got all the data from someone inside
Can the wrong person still log in?
Authentication doesn’t always work
A wrong device accessing?
Similar problem with firewalls
A malicious attempt?
10. Summary
You can’t just rely on the security measures you have applied
There have been breaches in spite of them
And we have always lost
12. Logs, the super hero
Record of every activity
With enough information to track things
Every device and application
(Programmers: what about yours?)
System logs
System is up/down
Time changed
Application logs
Files accessed/ created/ deleted
Applications started/ stopped
Configuration changed
14. Firewall logs
<166>Feb 24 2012 15:17:19: %ASA-6-106015: Deny TCP (no connection) from 192.168.15.37/59224 to 173.194.69.108/993 flags RST on interface inside
Device logs
Etc.
15. So what can I do with logs?
Look at them and smile
Continuously have an eye on them
Setup a mechanism to isolate threats
Identify whatever is going on
If there is some problem, call on the logs
You can’t stop a murderer, but if he knows he will be caught, he probably won’t do it
16. 2011:12:30 01:12:43 Kathmandu Shyam Singh shot at by Ram Singh near Indrachowk with a single bore Russian rifle right on his 32 cm chest
2011:12:38 01:21:43 Kathmandu Ram Singh driving towards Pharping on a Tucson with number ba 40 cha 1111
17. Log Management
Configuring log collection
Configuring log retention
Making it usable
Searchability
Threat isolation
Ability to act
Ability to report
18. LM issues
How many servers? How many users?
How many logs?
Depends on the size of the network and its activity
But several million a day is quite common
Even compressed, that can be several GB per day
19. We need
Large storage (probably with automated retention)
Some tools for searchability
Indexing for search optimization
A better search interface that fits security needs
Ability to isolate threats
Signature based / pattern based
Ability to act
Make use of Captured knowledge
24. Primary events
Available directly in the logs
Logs are structured (though not always)
Signature based isolation
Write a pattern to match a failed login
Normalization
Write a pattern so that it captures info into normalized fields
Visibility across system and applications
25. Example
<133> Dec 16 04:46:00 outpost01.Outpost24.cph MSWinEventLog 1 Security 1235213 Fri Dec 16 04:45:56 2011 540 Security deepen User Success Audit OUTPOST01 LogonLogoff Successful Network Logon: User Name: deepen Domain: OUTPOST24 Logon ID: (0x0,0x952AA2A9) Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: OUTPOST24 Logon GUID: - Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 192.168.15.1 Source Port: 0 122742 1
25 04:11:10 makalu01 sshd[27128]: Accepted password for deepen from 10.45.1.210 port 56008 ssh2
26. Secondary events
Derived from primary events
Pattern based identification
Correlation to identify events
Twenty failed logins for user adam
And then a successful login
All within 5 minutes
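As an added example (not code from the slides), here is a small Python script that does what slides 24 to 26 describe, and which is also the shape of the "try yourself" exercise on slide 35: a signature (regular expression) that matches OpenSSH login lines like the sshd line on slide 25, normalizes each into fields, and a correlation rule that raises an alert when a user's successful login follows twenty failed logins within five minutes. The log lines are constructed for the example; the year 2012, the hostname makalu01, the user names and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Signature for OpenSSH authentication lines in syslog format (the sshd line on
# slide 25 has this shape). Named groups become the normalized fields.
SSHD_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src_ip>[\d.]+) port (?P<src_port>\d+) ssh2$"
)


def normalize(line, year=2012):
    """Primary event: turn one raw sshd line into a dict of normalized fields.

    Returns None for lines the signature does not match. Syslog timestamps
    carry no year, so the caller supplies one (2012 is an assumption here).
    """
    m = SSHD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {
        "timestamp": ts,
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src_ip"],
        "src_port": int(m["src_port"]),
        "method": m["method"],
        "outcome": "success" if m["outcome"] == "Accepted" else "failure",
    }


def correlate(events, threshold=20, window=timedelta(minutes=5)):
    """Secondary event (slide 26): `threshold` failed logins for a user followed
    by a successful login, all inside `window`. Returns one alert per burst."""
    recent_failures = defaultdict(list)  # user -> failure timestamps still in window
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        window_start = ev["timestamp"] - window
        recent = [t for t in recent_failures[ev["user"]] if t >= window_start]
        recent_failures[ev["user"]] = recent
        if ev["outcome"] == "failure":
            recent.append(ev["timestamp"])
        elif len(recent) >= threshold:
            alerts.append({
                "user": ev["user"],
                "host": ev["host"],
                "src_ip": ev["src_ip"],
                "failures": len(recent),
                "success_at": ev["timestamp"],
            })
            recent_failures[ev["user"]] = []  # one alert per burst
    return alerts


def make_sample_log():
    """Constructed sample log (not real data): 20 failures for 'adam' ten
    seconds apart, then a success; one failure for 'bob'; unrelated lines."""
    lines = []
    for i in range(20):
        sec = 10 * i
        lines.append(f"Dec 25 04:1{sec // 60}:{sec % 60:02d} makalu01 sshd[{27100 + i}]: "
                     f"Failed password for adam from 10.45.1.210 port {56000 + i} ssh2")
    lines += [
        "Dec 25 04:14:00 makalu01 sshd[27130]: Accepted password for adam from 10.45.1.210 port 56030 ssh2",
        "Dec 25 04:20:00 makalu01 sshd[27140]: Failed password for bob from 10.45.1.211 port 56100 ssh2",
        "Dec 25 04:20:05 makalu01 sshd[27141]: Accepted publickey for bob from 10.45.1.211 port 56101 ssh2",
        "Dec 25 04:25:00 makalu01 sshd[27150]: Accepted password for deepen from 10.45.1.210 port 56008 ssh2",
        "Dec 25 04:25:00 makalu01 sshd[27150]: pam_unix(sshd:session): session opened for user deepen by (uid=0)",
    ]
    return lines


def run(lines=None, threshold=20):
    """Normalize every line, drop the ones the signature rejects, correlate."""
    events = [e for e in (normalize(l) for l in (lines or make_sample_log())) if e]
    return correlate(events, threshold=threshold)


if __name__ == "__main__":
    for alert in run():
        print(f"ALERT: {alert['failures']} failed logins for {alert['user']} "
              f"from {alert['src_ip']} then success at {alert['success_at']}")
```

The alert dicts that `correlate` returns are the "secondary events" an active-response step (slide 29) would act on; the threshold and window are parameters so the same rule can be tuned per user population.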
27. Forensic analysis
You see the article on WikiLeaks
Go to the log server
Spot who last accessed the file
Check the mail logs
Check the device logs
28. Example
Wbrb02.abc.com MSWinEventLog 1 Security 15339 Sat Jan 28 11:05:00 2012 560 Security rym User Success Audit WBRB02 Object Access Object Open: Object Server: Security Object Type: File Object Name: D:AuditTest Handle ID: 25224 Operation ID: {1,3528361170} Process ID: 4 Image File Name: Primary User Name: WBRB02$ Primary Domain: FT Primary Logon ID: (0x0,0x3E7) Client User Name: rym Client Domain: FT Client Logon ID: (0x1,0xCCB0105E) Accesses: ReadData (or ListDirectory) Privileges: - Restricted Sid Count: 0 Access Mask: 0x1 15186
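An added example, not code from the slides, of the forensic lookup on slide 27 ("spot who last accessed the file") run over records shaped like the event 560 above: it parses Snare-style Windows Security events (tab-delimited, with the "Label: value" description the slide shows) and returns who last opened a given file. The records are constructed for the example; the file name, the users alice and bob, and the times are assumptions.

```python
import re
from datetime import datetime

# Field order of a Snare "MSWinEventLog" record after the MSWinEventLog marker
# (the records on slides 25 and 28 have this layout; real Snare output is
# tab-delimited, which the slide text lost).
SNARE_FIELDS = ["criticality", "log_name", "snare_count", "submit_time", "event_id",
                "source", "user", "sid_type", "event_type", "computer", "category",
                "description", "counter"]

# Labels found in the description of event 560 (Object Open). The description
# has no delimiter between fields, so it is sliced at these labels.
OBJECT_OPEN_LABELS = [
    "Object Server", "Object Type", "Object Name", "Handle ID", "Operation ID",
    "Process ID", "Image File Name", "Primary User Name", "Primary Domain",
    "Primary Logon ID", "Client User Name", "Client Domain", "Client Logon ID",
    "Accesses", "Privileges", "Restricted Sid Count", "Access Mask",
]


def parse_description(desc, labels=OBJECT_OPEN_LABELS):
    """Split 'Label: value Label: value ...' text into a dict: locate every known
    label and take the text up to the next label as its value."""
    hits = []
    for label in labels:
        for m in re.finditer(re.escape(label) + r":", desc):
            hits.append((m.start(), m.end(), label))
    hits.sort()
    fields = {}
    for i, (_, end, label) in enumerate(hits):
        stop = hits[i + 1][0] if i + 1 < len(hits) else len(desc)
        fields[label] = desc[end:stop].strip()
    return fields


def parse_snare(line):
    """Parse one tab-delimited Snare record; returns None if it is not one.
    A syslog header before the hostname (as on slide 25) is tolerated."""
    parts = line.rstrip("\n").split("\t")
    if "MSWinEventLog" not in parts:
        return None
    i = parts.index("MSWinEventLog")
    rest = parts[i + 1:]
    if len(rest) < len(SNARE_FIELDS):
        return None
    ev = dict(zip(SNARE_FIELDS, rest))
    head = parts[i - 1].split() if i > 0 else []
    ev["host"] = head[-1] if head else ""
    try:
        ev["event_id"] = int(ev["event_id"])
        ev["time"] = datetime.strptime(ev["submit_time"], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    ev["fields"] = parse_description(ev["description"])
    return ev


def last_accessor(lines, object_name, event_id=560):
    """Forensic question from slide 27: who last opened this file?"""
    best = None
    for ev in (parse_snare(l) for l in lines):
        if ev is None or ev["event_id"] != event_id:
            continue
        if ev["fields"].get("Object Name") != object_name:
            continue
        if best is None or ev["time"] >= best["time"]:
            best = ev
    if best is None:
        return None
    return {
        "user": best["fields"].get("Client User Name") or best["user"],
        "domain": best["fields"].get("Client Domain", ""),
        "time": best["time"],
        "accesses": best["fields"].get("Accesses", ""),
        "host": best["host"],
    }


# Constructed sample records (not real data), built to mirror the slide's event 560.
def snare_line(host, count, when, event_id, user, computer, category, description, counter):
    return "\t".join([host, "MSWinEventLog", "1", "Security", str(count), when, str(event_id),
                      "Security", user, "User", "Success Audit", computer, category,
                      description, str(counter)])


def object_open(user, domain, name, accesses="ReadData (or ListDirectory)"):
    return ("Object Open: Object Server: Security Object Type: File "
            f"Object Name: {name} Handle ID: 25224 Operation ID: {{1,3528361170}} Process ID: 4 "
            f"Image File Name: Primary User Name: WBRB02$ Primary Domain: FT Primary Logon ID: (0x0,0x3E7) "
            f"Client User Name: {user} Client Domain: {domain} Client Logon ID: (0x1,0xCCB0105E) "
            f"Accesses: {accesses} Privileges: - Restricted Sid Count: 0 Access Mask: 0x1")


TARGET = "D:\\AuditTest\\leak.docx"  # assumed file name
SAMPLE_LINES = [
    snare_line("wbrb02.abc.com", 15339, "Sat Jan 28 11:05:00 2012", 560, "rym", "WBRB02",
               "Object Access", object_open("rym", "FT", TARGET), 15186),
    snare_line("wbrb02.abc.com", 15340, "Sat Jan 28 11:06:00 2012", 540, "rym", "WBRB02",
               "Logon/Logoff", "Successful Network Logon: User Name: rym Domain: FT Logon Type: 3", 15187),
    snare_line("wbrb02.abc.com", 15401, "Sat Jan 28 11:30:00 2012", 560, "alice", "WBRB02",
               "Object Access", object_open("alice", "FT", TARGET, "WriteData (or AddFile)"), 15248),
    snare_line("wbrb02.abc.com", 15502, "Sat Jan 28 12:00:00 2012", 560, "bob", "WBRB02",
               "Object Access", object_open("bob", "FT", "D:\\AuditTest\\other.txt"), 15349),
]

if __name__ == "__main__":
    print(last_accessor(SAMPLE_LINES, TARGET))
```

Matching on `Object Name` is exact here; on a real log server the same function would be run over the archived records for the day in question, and the logon event (540) and mail/device logs the slide mentions would be queried the same way to build the timeline.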
29. Active response
When the system detects something fishy in real time
Email
Or send an active response
http
ssh
Or anything
30. Reporting for compliance
Having a report of security incidents
Keeping the records for future reference
Government policies
Of course compliance needs
PCI DSS
ISO
HIPAA, FISMA, SOX
31. For a small enterprise
Run some resource as a log collector
Structure the log files so that you can search them when needed
A simple grep will do the trick most of the time
You could spend an hour a week on it … or a day
You could drill down when something is suspicious
32. For mid sized enterprise
You might need a dedicated server
Specialized application
Log collection
Millions of logs every day?
33. For large scale businesses
The solution should be scalable
Support heterogeneous components
Searching across different units
34. Summary needs
Collect logs from multiple sources
Support multiple technologies
Normalize and archive securely
Build views
Provide searchability
Facilitate correlation and alerting
Facilitate reporting
35. Try yourself
Write an application that collects logs
On Windows you can use something like Snare or WMI to read the logs
Search the logs for messages like failed login / successful login
You can find out if your brother tried to log in / did so successfully
With a little more effort you can find out what files he accessed
If it’s your machine, then it’s your right to know what is going on