How better log monitoring can prevent data breaches

Recent high-profile data breaches reaffirm that the threat from data thieves is both persistent and pervasive. Could better log monitoring mitigate or even prevent these types of security catastrophes?


Evidence suggests that high-profile data losses at major retailers such as Home Depot, Sony, Target and Michaels Stores are a major ongoing trend, not a one-and-done anomaly of the IT infrastructure on which most companies rely.

The wholesale loss of millions of customers’ personally identifiable information (PII) to hackers and other ne'er-do-wells creates a crisis of public confidence that can directly impact corporate financial results -- and yes, Virginia, IT professionals really can lose their jobs in the aftermath of such corporate hacking incidents.

Rather than re-examining how these attacks could have been prevented in the first place -- if that's even possible -- we posit that the mitigation of these events isn't purely about prevention; it's about detecting intrusions at the earliest possible moment and reacting immediately to limit any data loss.

A key tool in recognizing data intrusions is the lowly log file, a standard feature of almost every operating system, application, server platform and related software in the corporate IT world.


Isolated Is as Isolated Does

Like many others in IT, we used to firmly believe that only an isolated computer -- that is, one that is not connected to an internal corporate network or to the Internet -- is totally immune to hackers. However, the Stuxnet malware attack on the Iranian nuclear program in 2010 proved that even computers on a totally isolated internal network can be infected with malware, in this case most likely via a previously infected USB drive that was used to load software updates onto industrial process computers controlling centrifuges used in the uranium enrichment process.

It was an epiphany to see that what we used to call the venerable "sneakernet" -- moving software between computers via a floppy drive, USB drive or other removable media -- is still exposing isolated computers to destructive malware, even in the highest-security environments imaginable.

As a matter of fact, many companies disable USB ports and removable drives on corporate computers precisely to avoid such a circumstance. We are pretty confident that all USB ports and drives that use removable media on those "isolated" Iranian process logic controllers have in the intervening years been turned off or perhaps even physically removed.

The Log Ride

Log files have always been the lowest-tech, most verbose way to monitor the health and operation of IT software and hardware. In many cases, the logging level can be configured anywhere from writing no messages at all up to highly detailed messages that track every activity occurring to or within your software and hardware.

The good thing about log files is that you can easily create gigabytes of data simply by configuring them to collect it. The problem is that finding specific information and pertinent warnings among those gazillions of log messages is a daunting task. Log file parsing software has been available for many years, but merely installing and configuring log monitoring on your mission-critical IT components isn't going to produce much valuable information, owing to the sheer volume of data that log files can capture.

Protect and Serve(rs)

Step 1 is to turn on log file auditing for all hardware and software in your infrastructure. Step 2 is to acquire log file monitoring software that can parse those log files and raise alerts, staying constantly vigilant for any indication of network intrusions or malware attacks.
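As an added illustration of step 2 (not code from the article or any product it mentions), the following Python script parses constructed syslog-style lines and raises alerts on three indicators drawn from the article's themes: a burst of failed logins from one address, a later successful login from that same address, and removable storage being attached to a host. The host names, addresses, threshold and time window are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample syslog lines (not real data): routine noise, a burst of failed
# SSH logins followed by a success from the same address, and a USB storage attach.
SAMPLE_LOG = """\
Mar 12 08:00:01 web01 CRON[2113]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 08:00:05 web01 sshd[2201]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar 12 08:01:10 web01 sshd[2210]: Failed password for root from 203.0.113.9 port 40011 ssh2
Mar 12 08:01:12 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 40012 ssh2
Mar 12 08:01:14 web01 sshd[2212]: Failed password for root from 203.0.113.9 port 40013 ssh2
Mar 12 08:01:16 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 40014 ssh2
Mar 12 08:01:18 web01 sshd[2214]: Failed password for root from 203.0.113.9 port 40015 ssh2
Mar 12 08:01:25 web01 sshd[2215]: Accepted password for root from 203.0.113.9 port 40016 ssh2
Mar 12 08:02:01 web01 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+)")

def parse(line, year=2015):
    """Split one syslog line into timestamp, host, process and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"], "msg": m["msg"]}

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts: failed-login burst from one IP, later success from that IP, removable storage attached."""
    alerts, flagged = [], set()
    failures = defaultdict(list)          # ip -> timestamps of recent failures
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue                      # unparseable line: skip, do not crash the monitor
        if m := FAILED_RE.search(ev["msg"]):
            ip = m["ip"]
            # Sliding window: drop failures older than `window` before counting
            failures[ip] = [t for t in failures[ip] + [ev["ts"]] if ev["ts"] - t <= window]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(f"{ev['host']}: {threshold}+ failed logins from {ip} within {window}")
        elif (m := ACCEPTED_RE.search(ev["msg"])) and m["ip"] in flagged:
            alerts.append(f"{ev['host']}: successful login for {m['user']} from flagged IP {m['ip']}")
        elif "USB Mass Storage device detected" in ev["msg"]:
            alerts.append(f"{ev['host']}: removable storage attached on {ev['proc']}")
    return alerts
```

Running `detect(SAMPLE_LOG)` yields three alerts while the routine cron and key-based login lines are silently ignored, which is the signal-from-noise filtering the paragraph above describes.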
