Presentation by Deepen Chapagain, CEO, NepWays, on "Power of Logs: Practices for network security" at "Braindigit 9th National ICT Conference 2013" organized by Information Technology Society, Nepal at Alpha House, Kathmandu, Nepal on 26th January, 2013

1. The Power of Logs
Practices for Network Security
Deepen Chapagain
CEO, Nepways Pvt. Ltd.
Lecturer, DOECE, Pulchowk Campus

2. Contents
 Introduction to computer security
 General measures taken
 Logs
 Log management:
 Definition
 needs

3. Contents ….
 What it can do ?
 How to do it ?
 Log management: for small and mid-sized companies
 Log management for large companies
 Something you could try

4. Security
 Boils down to the CIA triad
 Confidentiality
(Only allowed people should read )
 Integrity
(Only allowed people should update)
 Availability
(available for authorized people)

5. Measures
 Authentication
 Is some-one – (username)
 Knows something –(password, pin)
 Has something – (card, key, thumb)

6.  Firewalls
 Write rules to block
 Write rules to allow
 Pass in on le0

7.  Anti-virus, Anti-XXX
 IDS/ IPS
 Signature based or Anomaly based
 Apply application specific signatures
 Identify unexpected events
 Expect the unexpecteds

8. All in all
 Perimeter defense with firewall
 Defense with anti-virus
 Authentication
 Analysis with IPS/IDS
 POLICIES for security

9. But
 Do right people always act right ?
 Wikileaks got all the data from someone inside
 Wrong person can still login ?
 Authentication doesn’t always work
 Wrong device accessing ?
 Similar problem with firewalls
 Malicious attempt ?

10. Summary
 You can’t just rely on security measures applied
 There have been breaches atop them
 And we have always lost

11. Not yet

12. Logs, the super hero
 Record of every activity
 With enough information to track things
 Every devices and applications.
(Programmers: what about yours ?? )
 System logs
 System is up/down
 Time changed
 Application logs
 Files accessed/ created/ deleted
 Applications started/ stopped
 Configuration changed

13.  Authentication logs
 Successful/ Failed login
<133> Dec 16 04:46:00 outpost01.Outpost24.cph MSWinEventLo
g 1 Security 1235213 Fri Dec 16 04:45:56 2011
540 Security deepen User Success Audit
OUTPOST01 LogonLogoff Successful Network Logon:
User Name: deepen Domain: OUTPOST24 Logon ID: (0x0,0
x952AA2A9) Logon Type: 3 Logon Process: NtLmSsp Aut
hentication Package: NTLM Workstation Name: OUTPOST24
Logon GUID: - Caller User Name: - Caller Domain: -
Caller Logon ID: - Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.15.1 Source Port: 0
1227421

14.  Firewall logs
<166>Feb 24 2012 15:17:19: %ASA-6-
106015: Deny TCP (no connection) from 192.168.15.37/59224
to 173.194.69.108/993 flags RST on interface inside
 Device logs
 Etc/Etc

15. So what can I do with logs
 Look at them and smile
 Continuously have an eye on them
 Setup a mechanism to isolate threats
 Identify whatever is going on
 If there is some problem, call on the logs
 You can’t stop a murderer but if he knows he will be
caught, he won’t probably do it

16. 2011:12:30 01:12:43 Kathmandu Shyam
singh shot at by Ram Singh near
Indrachowk with a single bore russian rifle
right on his 32 cm chest
2011:12:38 01:21:43 Kathmandu Ram Singh
driving towards Pharping on a Tucson with
number ba 40 cha 1111

17. Log Management
 Configuring log collection
 Configuring log retention
 Making it usable
 Searchability
 Threat isolation
 Ability to act
 Ability to report

18. LM issues
 How many servers ?, How many users ?
 How many logs ?
 Depends on the size of network, and activity
 But several millions a day is quite common
 On compressed file, it can be several GBs per day

19. We need
 Large storage / (probably an automated retention )
 Some tools for searchability
 Indexing for search optimization
 Better search interface to adhere to security needs
 Ability to isolate threats
 Signature based / pattern based
 Ability to act
 Make use of Captured knowledge

20. Major systems
 Authentication servers
 Application servers
 Firewalls
 Security critical devices
 A Printer ??

21. Solution
 Central log collection
 Log normalization
 Knowledge
 Correlation across boundaries

22. Suppose a syslog server

23. How can you make use of it ?

24. Primary events
 Available exactly on the logs
 Logs are structured, (though not always)
 Signature based isolation
 Write a pattern to match a failed login
 Normalization
 Write a pattern so that it captures info into normalized fields
 Visibility across system and applications

25. Example
<133> Dec 16 04:46:00 outpost01.Outpost24.cph MSWinEventLog 1
Security 1235213 Fri Dec 16 04:45:56 2011 540 Secur
ity deepen User Success Audit OUTPOST01 LogonLo
goff Successful Network Logon: User Name: deepen Domai
n: OUTPOST24 Logon ID: (0x0,0x952AA2A9) Logon Type: 3 Logon
Process: NtLmSsp Authentication Package: NTLM Workstation Na
me: OUTPOST24 Logon GUID: - Caller User Name: -
Caller Domain: - Caller Logon ID: - Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.15.1 Source Port: 0 122742
1
25 04:11:10 makalu01 sshd[27128]: Accepted password for deepen
from 10.45.1.210 port 56008 ssh2

26. Secondary events
 Derived from primary events
 Pattern based identification
 Correlation to identify events
 Twenty failed logins for user adam
 And then a successful login
 All within 5 minutes

27. Forensic analysis
 You see the article in wiki-leaks
 Go to the log server
 Spot who last accessed the file
 Check the mail logs
 Check the device logs

28. Example
Wbrb02.abc.com MSWinEventLog 1 Security
15339 Sat Jan 28 11:05:00 2012 560 Security
rym User Success Audit WBRB02Object Access
Object Open: Object Server: Security Object Type: File Object
Name: D:AuditTest Handle ID: 25224 Operation ID:
{1,3528361170} Process ID: 4 Image File Name: Primary User
Name: WBRB02$ Primary Domain: FT Primary Logon ID:
(0x0,0x3E7) Client User Name: rym Client Domain: FT Client
Logon ID: (0x1,0xCCB0105E) Accesses: ReadData (or
ListDirectory) Privileges: - Restricted Sid Count: 0 Access Mask:
0x1 15186

29. Active response
 When the system detect something fishy on Real time
 Email
 Or send an active response
 http
 ssh
 Or anything

30. Reporting for compliance
 Having a report of security incidents
 Keeping the records for future reference
 Government policies
 Of course compliance needs
 PCI DSS
 ISO
 HIPAA, FISMA, SOX

31. For a small enterprise
 Run some resource as a log collector
 Structure the log files so that you can search when
needed
 Simple grep will do tricks most of the time
 You could have an hour a week … or a day
 You could drill down when something is suspicious

32. For mid sized enterprise
 You might need a dedicated server
 Specialized application
 Log collection
 Millions of logs every day ?

33. For large scale businesses
 The solution should be scalabale
 Support hetergenous components
 Searching across different units

34. Summary needs
 Collects logs from multiple sources
 Support multiple technology
 Normalize and archive securely
 Build views
 Avail search-ability
 Facilitate correlation and alerting
 Facilitate reporting

35. Try yourself
 Write an application that collects logs
 On windows you can use something like snare or WMI to read the
logs
 search on the logs for messages like failed login / successful login
 You can find out if your brother tried to login / did so successfully,
 With little more effort you can find out what files he accessed
 If its your machine, then its your right to know what is going on

36. Tools
 There are many free tools on the internet
 Try Splunk

37. Queries
deepen@nlocate.com
Thanks a Lot !!