Schuyler Dorsey [Security Consultant]
As both attacks and networks grow more complex, it becomes increasingly difficult to secure the infrastructure and its data. One of the key components to retaining network security is ensuring you have insight or visibility as to what is actually happening in your network. For total visibility, you need to be able to combine nouns, verbs and timestamps to build a timeline of who did what and when. The need for total visibility extends beyond security best practices and can certainly aid in troubleshooting; however, monitoring for and responding to a security incident is when it is most crucial to have this visibility data.
It is a common misconception network devices and endpoints will automatically log everything needed, by default. Unfortunately, the default logging levels of most network devices and operating systems leave much to be desired. Here are some example default logging configurations which may leave gaping holes in your investigations:
- Many network switches will not log local failed login attempts by default.
- Windows will not log failed changes to group memberships or accounts.
- Windows will not log file creation, deletion, or execution.
- Many network firewalls will log very minimal traffic information.
So, if we take the example of a malware attack on an organization, and your infrastructure is configured with default logging settings, it would be extremely difficult to track down how the malware originally entered the network (patient zero), what actions the malware took on the endpoint(s), what other internal and external IPs the infected endpoint(s) connected to and ultimately, what malicious actions the malware performed.
In addition to enhanced logging providing this insight, building a proper timeline of the malware infection can also help remediation efforts. As an example, if we assume the proper logging is in place, we would be able to know what file was initially downloaded and executed, what IPs it connected to in order to download its payload, what files were created and deleted as a result of the malware installing itself, and what registry keys were altered to ensure malware persistence.
Once all this logging is enabled, it begs the question, how can it be efficiently managed? The answer is a Security Information & Event Management (SIEM) platform. Not only do SIEM solutions provide a central repository and dashboard for all the logs in the enterprise, most will come with signature/correlation rules to automatically try to detect malicious actions based on those logs. The most important thing to remember, though, is the SIEM can effectively review and analyze only the information it receives. So if your infrastructure’s logging posture is not configured effectively, the SIEM will be ineffective.
A healthy logging posture is crucial in ensuring network visibility; visibility is the only way to effectively monitor and respond to malware and/or Advanced Persistent Threats.
Contact your Account Manager at Keller Schroeder for more information about these products and how they might benefit your organization.