When I reach the section on system logging while teaching Learning Tree’s System and Network Security Introduction, many participants roll their eyes. There are few ways to make that material anywhere near exciting. At least there were until now. As I read about the recent attack on the US Office of Management and Budget, I found what is – at least to me – one of the most interesting comments: “They entered the network — we’re not quite sure how because of lack of logging,” according to Ann Barron-DiCamillo, Director of the DHS U.S. Computer Emergency Readiness Team.
Ms. Barron-DiCamillo did not make it clear whether there was no logging or not enough logging, but the issue is still the same: logging may be boring, but it is an essential security tool.
I am not privy to the operation of their systems, nor to what logging capabilities are available. In general, though, most systems are capable of logging virtually every action taken. Much of that logging is disabled, of course, because of the sheer volume of the data and because it is unlikely ever to be needed. Indeed, auditing systems usually allow restricting auditing to sensitive files or folders. Auditable events include access, modification, and deletion, among others. There are three specific important issues for every system log:
The latter is perhaps the most challenging. Many organizations use log analysis software to aggregate and analyze log data. That’s valuable and essential, especially where a large amount of activity is logged. However, if the system logs access to a file as “Success”, the default configuration of log analysis software may not consider that an issue, particularly if the action was performed by a system account. The analysis software has no idea whether that account had been compromised or not. And Success audits may not be reported in a summary report at all. Even if they were, a human has to be assigned to read those reports and act on any issues.
If your system log analysis doesn’t show an issue, it is still important to keep the raw data. By analyzing it after the fact, one might find what data was accessed by a compromised account, for instance. Log data may not tell everything one wants to know in all cases. It may be difficult to configure and time consuming to analyze, but it seems likely that proper logging could have helped the investigation in the OPM case.
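The two points above, that a “Success” audit by a service account can hide a compromise and that the raw events must be kept so an account’s activity can be reconstructed later, are easier to see in code. The following is an added example, not code from the original post or from any log analysis product: it parses a handful of constructed file-access audit lines in a made-up key=value format, applies one rule that a default “Success is fine” configuration would not (a service account reading sensitive folders outside its expected run window), and then answers the after-the-fact question of which files a given account actually touched. The sensitive folder, service account name and run window are assumptions for the example.

```python
# Added example (not from the original post): triage of file-access audit
# events, showing why "Success" audits by service accounts need a rule of
# their own and why raw events are kept for later scoping.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample events in a simplified key=value line format.
# Not real logs from any system or incident mentioned in the post.
SAMPLE_LOG = """\
2015-06-01T02:13:07Z event=file_access result=Success account=svc_backup op=read path=/data/hr/personnel.db
2015-06-01T02:13:09Z event=file_access result=Success account=svc_backup op=read path=/data/hr/sf86/alice.pdf
2015-06-01T02:14:51Z event=file_access result=Failure account=jsmith op=read path=/data/hr/personnel.db
2015-06-01T09:05:00Z event=file_access result=Success account=svc_backup op=write path=/var/backups/daily.tar
2015-06-01T10:22:33Z event=file_access result=Success account=hr_admin op=read path=/data/hr/personnel.db
"""

SENSITIVE_PREFIXES = ("/data/hr/",)      # assumed: folders with a file-access audit rule
SERVICE_ACCOUNTS = {"svc_backup"}       # assumed: non-human accounts
EXPECTED_SERVICE_HOURS = {22, 23, 0}    # assumed: hours (UTC) the backup job normally runs


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    result: str
    account: str
    op: str
    path: str


def parse_events(text: str) -> List[AuditEvent]:
    """Parse the constructed format: ISO timestamp followed by key=value pairs."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *pairs = line.split()
        fields: Dict[str, str] = dict(p.split("=", 1) for p in pairs)
        if fields.get("event") != "file_access":
            continue  # only file-access audits are of interest here
        events.append(AuditEvent(
            when=datetime.fromisoformat(ts.replace("Z", "+00:00")),
            result=fields["result"],
            account=fields["account"],
            op=fields["op"],
            path=fields["path"],
        ))
    return events


def is_sensitive(path: str) -> bool:
    return path.startswith(SENSITIVE_PREFIXES)


def flag_suspicious(events: List[AuditEvent]) -> List[AuditEvent]:
    """Rule a default configuration tends to lack: a *successful* access to a
    sensitive folder by a service account outside its expected run window."""
    return [
        e for e in events
        if e.result == "Success"
        and is_sensitive(e.path)
        and e.account in SERVICE_ACCOUNTS
        and e.when.hour not in EXPECTED_SERVICE_HOURS
    ]


def files_touched_by(events: List[AuditEvent], account: str) -> List[str]:
    """After-the-fact scoping from the raw events: every file the account
    successfully touched, regardless of what the summary report showed."""
    return sorted({e.path for e in events
                   if e.account == account and e.result == "Success"})


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for e in flag_suspicious(evts):
        print(f"SUSPECT {e.when:%Y-%m-%d %H:%M} {e.account} {e.op} {e.path}")
    print("svc_backup touched:", files_touched_by(evts, "svc_backup"))
```

Run as a script, the two early-morning reads of `/data/hr/` by `svc_backup` are flagged while the same account’s daytime write to `/var/backups/` and the HR administrator’s read are not; the failed read by `jsmith` is left to the tool’s normal failure handling. The second function is the part that only works if the raw events were retained: the summary report would have shown nothing, but the event store still says exactly which files the account reached.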
What are your log generation, maintenance and analysis challenges? Let us know in the comments below.
To your safe computing,