
Limitations of Logs

March 30, 2009

As we continue our series on log management (check out: Why do we care about logs anyway?), let’s discuss some of the clear limitations of logs and why we say log data is not enough. The reason we at eIQ keep harping on this point is that far too many organizations gather their logs and think they are done, especially those just trying to “check the compliance box.”

There are two main reasons that logs, on their own, are a limited tool for detecting attacks.

  1. Logs (by definition) are backward-looking – Logs are great and important, especially for investigations and compliance reporting. But when you are trying to determine whether you are under attack right now, looking in the rear-view mirror can be too late. By the time your logs show it, it has already happened.
  2. Logs are really corroborating evidence – Once an attack has been launched there is a record of it, and that record is what lets you isolate the root cause and eventually remediate the issue. On its own, though, a log entry is evidence that confirms something else you are seeing, not a detection in itself.

So what kind of data should we also gather to supplement the information in the logs? From a threat management perspective, there are a number of other important data types.

  • Configuration data – Most attacks have some impact on the configuration of a device: a changed setting, a newly opened non-standard port, or logging being turned off. There is usually some kind of trail, unless the attacker is exploiting a well-known vulnerability on the device that gives them what they need without changing anything. Comparing the current configuration against a known-good snapshot is the practical way to find that trail.
  • Vulnerability data – A vulnerability is not a guaranteed path to exploitation, but it certainly can be one. So it’s important to know which devices are exposed to which weaknesses, if only to tighten alerting thresholds around the specific attacks those weaknesses invite.
  • Asset data – One of the most important pieces of asset data is installed software, because another typical “tell” of an attack underway is new software appearing on a device. This isn’t always indicative of a compromise, but most Trojans and other attacks do involve additional executables landing on a device, so a diff of the installed-software inventory against a baseline is worth watching.
  • Performance data – Knowing whether a device is operational, and looking for abnormal utilization, can point to a compromised device (a machine that is suddenly busy cracking passwords or relaying traffic tends to show it). As with the other data types, performance data by itself is not conclusive, but it can certainly be used to define the issue, determine the attack vector, and understand how critical the issue is.
  • Network flow data – The last data type we’ll mention is network flow data. This is information that comes directly from your routers and switches and tells you which devices are talking to one another, over which ports, and how much. Tracking anomalous traffic can yield clues to attack behavior. For example, an internal web server should be answering inbound requests, not initiating connections; if it starts sending data to an external address, that could indicate a problem.

Yet gathering all of these information types is only the first step in threat management. Information sitting in separate silos is not really information at all, it’s just data. All of these disparate sources must be analyzed and correlated so that one data type corroborates another: a new listening port in the configuration data, a new executable in the asset data, and unexpected outbound traffic in the flow data each mean little alone, but together on the same host they tell a story.

Raw data by itself doesn’t tell you what you need to investigate and how quickly, and that is what most security professionals really need to know.
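To make the correlation and prioritization described above concrete, here is a small worked example. It is added to this post and is not eIQ’s or SecureVue’s code: every host name, IP address, port, record and scoring weight is constructed for illustration. It pulls one finding from each of the data types listed above (log, configuration, asset, performance, flow), then ranks hosts by how many independent data types corroborate each other and by how exposed the vulnerability data says the host is.

```python
"""Correlate log, configuration, asset, performance and flow data per host.

Added example, not eIQ SecureVue's code. All hosts, addresses, ports and
records are constructed sample data; the weights and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HOST_BY_IP = {"10.0.1.10": "web01", "10.0.2.20": "db01"}   # asset inventory
ROLE = {"web01": "web", "db01": "database"}
NO_OUTBOUND_ROLES = {"web", "database"}   # roles that never talk to the Internet

# --- constructed inputs, one collection per data type ----------------------
LOG_EVENTS = [                                   # (host, normalized message)
    ("web01", "useradd: new user: name=support"),
    ("db01", "sshd: Accepted password for dba from 10.0.5.7"),
]
CONFIG_SNAPSHOTS = {                             # host -> (previous, current)
    "web01": ({"listen": {"80", "443"}, "logging": True},
              {"listen": {"80", "443", "4444"}, "logging": False}),
    "db01": ({"listen": {"5432"}, "logging": True},
             {"listen": {"5432"}, "logging": True}),
}
INSTALLED_SOFTWARE = {                           # host -> (baseline, current)
    "web01": ({"nginx", "openssl"}, {"nginx", "openssl", "svchost-helper"}),
    "db01": ({"postgresql"}, {"postgresql"}),
}
VULN_SCAN = {"web01": 9.8, "db01": 4.3}          # host -> highest CVSS-style score
PERF = {"web01": (12, 91), "db01": (35, 38)}     # host -> (baseline cpu %, last hour cpu %)
FLOWS = [                                        # (src_ip, dst_ip, dst_port, bytes)
    ("10.0.1.10", "203.0.113.5", 443, 850_000_000),   # web01 pushing 850 MB out
    ("10.0.1.10", "10.0.2.20", 5432, 12_000),
    ("10.0.2.20", "10.0.1.10", 5432, 30_000),
]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def findings_per_host():
    """Return {host: [(data_type, weight, description), ...]}."""
    f = defaultdict(list)
    for host, msg in LOG_EVENTS:                     # log data
        if msg.startswith("useradd: new user"):
            f[host].append(("log", 2, msg))
    for host, (old, new) in CONFIG_SNAPSHOTS.items():   # configuration data
        for port in sorted(new["listen"] - old["listen"]):
            f[host].append(("config", 3, f"new listening port {port}"))
        if old["logging"] and not new["logging"]:
            f[host].append(("config", 3, "logging turned off"))
    for host, (base, cur) in INSTALLED_SOFTWARE.items():   # asset data
        for pkg in sorted(cur - base):
            f[host].append(("asset", 2, f"new software installed: {pkg}"))
    for host, (base_cpu, cur_cpu) in PERF.items():    # performance data
        if cur_cpu > 3 * base_cpu:                    # assumption: 3x baseline is abnormal
            f[host].append(("performance", 1, f"cpu {cur_cpu}% vs baseline {base_cpu}%"))
    for src, dst, port, nbytes in FLOWS:             # network flow data
        host = HOST_BY_IP.get(src)
        if host and ROLE[host] in NO_OUTBOUND_ROLES and not is_internal(dst):
            f[host].append(("flow", 4, f"outbound {nbytes} bytes to {dst}:{port}"))
    return f


def prioritize():
    """Rank hosts: weighted findings, doubled when three or more independent
    data types corroborate each other, scaled by known exposure."""
    ranked = []
    for host, items in findings_per_host().items():
        sources = sorted({src for src, _, _ in items})
        score = sum(w for _, w, _ in items)
        if len(sources) >= 3:                    # corroboration across silos
            score *= 2
        score *= 1 + VULN_SCAN.get(host, 0) / 10     # exposure multiplier
        ranked.append((round(score, 1), host, sources))
    return sorted(ranked, reverse=True)


if __name__ == "__main__":
    for score, host, sources in prioritize():
        print(f"{host}: score {score}, corroborated by {', '.join(sources)}")
        for _, _, desc in findings_per_host()[host]:
            print(f"  - {desc}")
```

Running it lists only web01: a new account in the logs, a new port and disabled logging in the configuration, an unknown executable in the asset inventory, abnormal CPU, and a large outbound transfer to an external address, all on a host the scanner already rates as highly exposed. db01 generates nothing because its one log entry and its traffic to web01 are both normal for its role. The point is the structure, not the numbers: each collector is cheap and noisy alone, and the investigation queue only becomes useful once the findings are joined on the host.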

Fundamentally, log management solutions just gather information. Although broader than a typical log management product, eIQ’s SecureVue focuses on monitoring all of these data types and turning them into information that helps security professionals prioritize their activities. But you’ll still have to deal with the threats.

This goes beyond log management and enters the domains of anti-malware, intrusion prevention, and application control, among other technologies. Knowing what is happening is just one part of the battle (though it’s most interesting to us), doing something about it is a totally different discipline.

The next piece in our log management series will delve into some of the nuggets of information found in log files, and how to use them.
