Purification


As discussed above at the reporting level your reports are most likely in a basic format, with a lot of information to parse through manually. Maybe `grep` is your most important tool ("find" for you Windows techs, and "inc" for IOS wizards) in combination with magic `awk` one-liners. This means you will spend a lot of time with analyzing your report (maybe) once in a month, and that's all fine if you don't have hundreds of devices logging hundreds of thousands lines per day. But at some stage you will hit a critical level where it just becomes too hard to do this manually. This is where you step into level five, reviewing.

This is the level you need to be at if your trying to comply to regulatory requirements. If not you will spend a lot of time explaining to the auditors why you aren't and what you have done with regards to compensating controls, which usually is harder than to bite the bullet and do this correctly from the beginning. As mentioned earlier you do not want to eye through thousands of lines of logs every day. I would even state that it will be impossible to do that on a daily basis, so you need some help. That help is called normalization of data. What it means is that the logs you bring in and need to analyze are "purified" and funneled into a format that is easier to parse either manually or automatically.

Your environment consists of many different devices, from different vendors. All of these vendors have their own development departments with great minds working towards giving you the ultimate experience with their products. Interestingly enough all them have the best way to log things, and they all have the best format to present data in. So what happens when someone is filling out a form on your web page? Your firewall will give you logs, your router/switch will give you logs, your web server and database will give you logs, and if files are created in an area checked by file integrity monitoring tool, this will also give you logs. So one external event (form submit) will give you at least five logs, all in different formats, but with similar, correlating information. Your log management gadget should be able to normalize this data so all of the logs are shown in the same way. This format will depend on which gadget you choose, but this behavior is preferred. It is also important that the raw logs are maintained "as is", since they have forensic value in case of investigations and/or law suits needing evidence. Only the interpreted (normalized) data should be worked with, and be the base data for your reports and alerts. If you need to dig deeper into nitty gritty details you should of course look into the raw logs.

You may think this is weird science, and it certainly is not for the faint hearted, but this level is actually where the fun begins. If you proceed slowly (yes, it is a mantra) and take in log source after log source, and don't try to take everything in at once, you will end up with clear understanding of what the logs can provide in point of interesting information and at the same time you can filter out the noise which you normally are not interested in seeing. For instance, the form submitted in the example above, you don't want/need to see in your reports, it is considered as normal traffic patterns and belongs in the noise group of information. Something out of the order in submitting that form would be similar traffic but with the submitted data containing XSS attempts or SQL injections. Another example could be a sudden increase in form submitting traffic (unless you just promised free t-shirts in a campaign advertised on major TV networks).

And now you are dangerously close to stepping up to the monitoring level...

Comments

Post a Comment

Popular posts from this blog

Overhead lines

Image
One would think that in a climate such as this in southern Australia someone would come up with a better idea than keeping all lines (cable, electricity, telephone etc) up in the air. The wind can be pretty furious at times and city planners insist on planting trees which are known to grow over time. No doubt arborists are having fun coming up with ideas how to keep city planners and power utility companies happy. Once upon a time these cables were drawn in a similar way in Stockholm, where I have lived most of my life. At some point the phone companies decided this wasn't going to work in the long run. IMHO it would make sense to dig ditches into the ground and place all cables there (at least in the cities). Of course it will cost, but I also believe there is an algorithm that will give a number that will turn black a few years time after investment (ROI). Until then I will walk around this country with a smile on my face looking at the funny trees growing along city ...
Read more

R.I.P. Google Reader

For years my preferred application for reading RSS-feeds has been Google Reader. It has proven reliable, fast and most of all - clean in its interface. No clutter, pix or ads. Just plain information from sources of my choice. Now Google has decided to call it quits. Sad day. Call me an information junkie, and I'm fine with it. But I am a bit baffled by the comments on this decision to lay Reader to rest. An amazing majority of comments seem to be asking the question: is RSS an outdated technology? Really? What else is out there in terms of gathering information/news/updates/searches in one application, keeping this in one application, in one unified format? Facebook sucks with its censorship. Tumbler... oh well... no. I am terribly sorry, I just can't think of anything else to use. Here are some thoughts on Reader from Gigaom interview with Chris Wetherell. So I switched to Vienna . It seems to do the job fast and relatively clutter free. I'll go with that for a whil...
Read more

Sweden 2 Australia

So last year I was in for a big surprise. We had been talking about moving to Australia for a loooong time. But something always got in the way. Then pieces suddenly started falling into place. And by saying "suddenly" I mean really really fast. Just for fun I looked at the intranet career pages at work every now and then. Once in a while something popped up that I liked and sort of thought "wow, that would be great". So it went on until February 2016 when I saw THE ad. SIEM specialist in Australia. Suits me nicely I thought and told my wife about it. She of course told me to apply and a couple of days later I was ready to submit my letter. Back to the Jobseeker site and... it was gone... disaster! I had no choice but to go back home and deliver the sad news. Maybe it was the way it was meant to be. We'll just stay in Sweden and grow old. Weeks went by, and I thought maybe something similar would appear from nowhere and make my day, but nothing surfaced. N...
Read more