Archive for January, 2005
RSA Conference
Monday, January 31st, 2005
LogLogic’s going to have a booth at RSA (#1142) and I will probably be there for booth duty. If you are there, please come on by to say hi. I would love to meet some of you.
Swamped
Friday, January 28th, 2005
I have been buried under piles of work and haven’t had much time to write. After spending almost every waking hour managing the product roadmap, analyzing the competition and market, talking to customers, and responding to RFPs, I’ve pretty much spent the rest of the time catching up on sleep. (Did I tell you I REQUIRE 9 hours of sleep or I get very grumpy?)
In any case, I just want to let everyone know that I haven’t forgotten about this blog and will write more soon.
SLAC - Secure Log File Analysis Service
Wednesday, January 26th, 2005
Automated and Secure Log File Analysis Service - SLAC.
An Intelligent Log File Analysis System to keep you informed about your Web Servers’ safety and your Checkpoint FW-1. No software required!
Interesting idea… I am just not sure that administrators will feel safe enough to send their corporate logs to an external service like this.
Obviously there’s precedent: Counterpane is a monitoring and log analysis service.
What do you think?
DON’T Ignore Lowly Log Analysis
Monday, January 24th, 2005
DON’T Ignore Lowly Log Analysis by Douglas Schweitzer.
Ever take a look at the computer security hardware and software products available these days? The number of them is staggering. They promise to (and for the most part do) help keep your workstations and servers secure. Nonetheless, although these routers, firewalls and intrusion-detection and -prevention systems spit out valuable information in the form of log files, too many organizations ignore or discard those logs.
Looking for a Log Analyst
Wednesday, January 19th, 2005
My company, LogLogic, is looking to fill a “log analyst” position. Title to be decided, but the requirements are:
- understanding the log formats and transport mechanisms
- researching different log formats to identify common categories (to help design the back end)
- parsing and normalizing the logs for the necessary information, based on requirements
- mapping the reports to parsed information or vice versa
- identifying useful reports and alerts based on the log information
If you or someone you know is interested in such a position, please email me your resume.
Thanks
Looking for log samples
Monday, January 17th, 2005
I am looking for some log samples to help us test our product. It would be much appreciated if you can help with any of them. You can send them directly to me at zhenjl@gmail.com.
The log samples you send will remain confidential and will be used ONLY for internal testing. If you are ok with it, I can also share the log samples here on this site for everyone. I can also help anonymize the logs if needed.
- Cisco Secure IDS
- Enterasys Dragon
- ISS RealSecure
- Juniper OneSecure
- McAfee IntruShield
- TippingPoint UnityOne
- Brightmail
- IronPort
- Microsoft Exchange
- Postfix
- Sendmail
- Cisco Catalyst Switch
- Cisco Global Site Switch (GSS)
- Cisco Router
- Veritas FileSystem
- IBM AS/400
- Apache Httpd
- IBM IHS
- Microsoft IIS Web Server
Thanks very much for your help.
Gmail accounts
Monday, January 17th, 2005
Anyone want a gmail account? Email me if you are interested.
Security information management: is it either software or managed security services?
Saturday, January 15th, 2005
Security information management: is it either software or managed security services?
Man, is this really worth $3395!!??
By year-end 2004 vendors will have generated $174m from the security information management software market. The strong drivers for this solution will propel the market forward over the next four years, at a CAGR of 35%, to reach approximately $575m by year-end 2008.
Dashboard conversations
Thursday, January 13th, 2005
I was talking to a couple of friends (a CSO and a security architect) about the usefulness of current dashboards the other day at Patxi’s. One of the complaints is that the current dashboards are all flashy stuff: they don’t provide any explanation of what you see in the charts or graphs, nor do they explain the potential causes of any anomalies that show up. They wanted the products to explain more to them about what’s going on and why.
I was talking to another friend (a marketing person this time) and she mentioned that it would be nice if CIOs could use the dashboards to show the business units that IT has kept its end of the promise. For example, it would be nice if the CIO could show a chart to the BUs and say “here are all the attacks and problems we have had in the past month”, then show another chart and say “here’s the uptime of the critical servers. As you can see, even though we have been attacked constantly, our web servers and database servers have stayed intact and running at 100% uptime!”
What do you think dashboards should show? How do you think the dashboards can be used by CIOs and CSOs? Please let us know your thoughts by posting your comments here.
Retrieving file-based logs from Windows servers
Sunday, January 9th, 2005
The following is what I posted to the loganalysis mailing list. The original question was regarding how to retrieve Web server logs (Apache for Windows) and application-specific logs (written in text format).
You can accomplish this in a couple of ways.
One, you can write a batch script on the Windows box and use the AT scheduler to upload the logs periodically to your unix server, using either ftp or curl.
Two, you can set up an sshd server on your Windows box, using Cygwin or some stripped-down version of Cygwin. E.g. http://www.certaintysolutions.com/tech-advice/ssh_on_nt.html.
Note that the solution at that link is pretty old, but following the same instructions with the latest Cygwin binaries will get you an ssh2 package.
Once sshd is set up, you can set up RSA key authentication and, from your unix box, scp or sftp the files from the Windows box.
Three, set up ftp on the Windows box, then use curl/wget/ncftp on the unix box to grab files off the Windows box. Similarly, you can set up a web server that has the log dir accessible, then use curl/wget from the unix box to grab files via HTTP.
Four, share the log dir, then use Samba to mount the shared dir and copy files that way.
All of the options have security concerns, so be sure to think hard before picking a solution.
There are also concerns about log rotation and what not that you will need to consider as well.
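Whichever transport you pick, the collector side still has to cope with the rotation concern above: ship only what is new, and notice when the file it is reading has been replaced. The following is an added example (not code from the original post or the mailing list) of a rotation-aware incremental reader; the file path, the saved state and the log lines are all constructed for the demo.

```python
import os
import tempfile

# Added example, not code from the original post: a rotation-aware incremental
# reader for a file-based log (for instance an Apache-on-Windows access log that
# has been copied or Samba-mounted onto the unix collector). Per-file state
# records how far the previous run got, so each run ships only the new lines,
# and a rotated or truncated file is re-read from the start rather than skipped.

def read_new_lines(path, state=None):
    """Return (new_lines, new_state) for the log file at path.

    state is {"offset": bytes already shipped, "first_line": first line seen}.
    A file shorter than the saved offset, or whose first line differs from the
    recorded one, has been rotated or truncated: restart from offset 0.
    (A rotated file with the same first line and more data would be missed.)
    """
    state = state or {"offset": 0, "first_line": b""}
    with open(path, "rb") as fh:
        first_line = fh.readline()
        size = fh.seek(0, os.SEEK_END)
        rotated = size < state["offset"] or first_line != state["first_line"]
        fh.seek(0 if rotated else state["offset"])
        start = fh.tell()
        data = fh.read()
    # Ship only complete lines; a partial trailing line waits for the next run.
    end = data.rfind(b"\n") + 1
    lines = data[:end].decode("utf-8", errors="replace").splitlines()
    return lines, {"offset": start + end, "first_line": first_line}

def run_demo():
    """Constructed walkthrough: initial pull, an append, then a rotation."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        with open(path, "ab") as fh:
            fh.write(b'10.0.0.1 - - [09/Jan/2005:10:00:00 -0800] "GET / HTTP/1.0" 200 1234\n')
        first, state = read_new_lines(path)
        with open(path, "ab") as fh:  # one complete line plus one still being written
            fh.write(b'10.0.0.2 - - [09/Jan/2005:10:00:05 -0800] "GET /a HTTP/1.0" 404 0\n'
                     b'10.0.0.3 - - [09/Jan/2005:10:00:09 -0800] "GET /b')
        second, state = read_new_lines(path, state)
        with open(path, "wb") as fh:  # rotation: a fresh file replaces the old one
            fh.write(b'10.0.0.4 - - [10/Jan/2005:00:00:01 -0800] "GET / HTTP/1.0" 200 99\n')
        third, _ = read_new_lines(path, state)
    finally:
        os.remove(path)
    return first, second, third
```

Persist the returned state between scheduled runs (a small JSON file per source is enough); without it every run re-ships the whole file.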
Apache Logging via Syslog
Friday, January 7th, 2005
I think one of the most frequently asked questions in log management is how to get the Apache logs to the log management server.
Here are a couple of workarounds.
- https://lists.balabit.hu/pipermail/syslog-ng/2001-February/001208.html
- http://www.precision-guesswork.com/sage-guide/apache.html
The first option is probably what most people are looking for.
Other options include transferring the Apache logs after they have been rotated. We will discuss this in more detail later.
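On the receiving end, lines that arrive over syslog carry a syslog header in front of the Apache fields and can be cut short by the traditional 1024-byte message limit. The following is an added example (not code from the original post or either linked page) that parses such lines and flags the truncated ones; it assumes the Apache output was piped through a syslog client such as logger, and the sample lines are constructed.

```python
import re

# Added example, not code from the original post: parsing Apache access-log lines
# that reached the log management server as syslog messages (assumed here to be
# Apache's CustomLog output piped through a syslog client such as logger). The
# syslog header is peeled off, the combined-format fields are extracted, and a
# line that syslog cut short is flagged instead of yielding wrong field values.

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$')

def parse_syslog_apache(line):
    """Return a dict of syslog and Apache fields, or None for a non-syslog line.

    "truncated" is True when the Apache part does not parse, which is what a
    long line cut at the classic 1024-byte syslog message limit looks like.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI encodes facility * 8 + severity
    rec = {"facility": pri // 8, "severity": pri % 8, "host": m.group("host"),
           "tag": m.group("tag"), "truncated": False}
    a = COMBINED_RE.match(m.group("msg"))
    if not a:
        rec["truncated"] = True
        rec["raw"] = m.group("msg")
        return rec
    rec.update(a.groupdict())
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec

# Constructed sample: two well-formed lines (facility local6, severity info)
# and one that arrived cut short.
SAMPLE = [
    '<182>Jan  7 10:15:02 web1 httpd: 10.0.0.5 - - [07/Jan/2005:10:15:02 -0800] '
    '"GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '<182>Jan  7 10:15:03 web1 httpd: 10.0.0.6 - - [07/Jan/2005:10:15:03 -0800] '
    '"GET /cgi-bin/test HTTP/1.0" 404 - "http://example.com/" "curl/7.10"',
    '<182>Jan  7 10:15:04 web1 httpd: 10.0.0.7 - - [07/Jan/2005:10:15:04 -0800] '
    '"GET /very/long',
]
```

Counting the truncated records per source is a cheap health check: a steady trickle of them usually means long referer or user-agent strings are being lost and the file-transfer route is the safer choice for that host.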
The war on leaked intellectual property
Thursday, January 6th, 2005
My article on “War on IP Leakage” has been posted on ComputerWorld.
Another Windows Event Log to Syslog Util
Thursday, January 6th, 2005
Eventlog to Syslog Utility from Purdue University.
The Eventlog to Syslog utility is a program that runs on Microsoft Windows NT, 2000, or 2003 server, monitoring eventlog messages. When a new message appears in the eventlog, it is read, formatted, and forwarded to a UNIX syslog server. Depending on the facility and priority of the message and the configuration of the syslog server, the message will be logged to a message file or displayed on the console.
GO BOILERMAKERS!!
What you measure is what you get
Wednesday, January 5th, 2005
SC Magazine has a new article today on measuring security performance.
Five recommendations were made:
- Recommendation #1: Establish a Risk Baseline
- Recommendation #2: Conduct Real-Time Measurements of Changes in Risk Levels
- Recommendation #3: Benchmark the “Mean Time to Repair” for Security Problems
- Recommendation #4: Compare Baseline Information to Desired Outcome
- Recommendation #5: Use SIM Technology to Automate This Process
Even though I agree with some of the assessment in this article, I have to say it lacks substance.
First, other than MTTR, there are no other concrete metrics that CIOs and CISOs can get out of this article.
Second, most of the terms and formulas are straight out of the CISSP manuals, and these are fairly high level with not much concrete information to work with.
Third, this is a sales pitch for SIM products. SIM solutions, unfortunately, cannot automate the whole process. Much of the process requires much more than a SIM solution: some of it requires manual work and some requires other technology solutions.
A new organization, Security Metrics Consortium, was established a while back to “empower security professionals with the ability to continually measure their organization’s security posture by defining real-world, standardized metrics.”
Haven’t seen a whole lot from them yet, but they are probably worth watching.
In search of security event standards
Monday, January 3rd, 2005
Did I post this one before?
I am not sure any of the companies mentioned in the article are actually doing anything to define a new log format standard, other than maybe IBM’s Common Event Infrastructure and Common Base Event format. But even IBM is making a single log entry extremely complicated.
Security point products such as IDSes, anti-virus gateways, and vulnerability scanners tend to use proprietary formats for reporting, recording network events, and issuing alerts.
Word!
This is one of the biggest problems for any company trying to aggregate and report on logs. It continues to be one of those areas that requires huge effort.
And the standard formats that do exist — such as SNMP and syslog files — are limited in what they can convey.
Well, SNMP and syslog are really just event or log transport standards. They don’t limit what information can be conveyed.