Event logs are the basic text of what happens in your corporate systems. So why do so many companies ignore them?
We love this blog post by Constantine von Hoffman - http://advice.cio.com/security/17256/one-cheap-and-easy-thing-all-companies-can-do-boost-security which we have reposted below.
In fact, we had a vibrant discussion about this very topic internally yesterday. We might take a bit of exception to the assertion that log review is “cheap and easy.” I mean, if it were so cheap and easy, wouldn’t most organizations be doing it?
What we find in healthcare is that the logs are so voluminous because there are so many disparate systems and devices in play. Most organizations report to us that it is simply impossible, based on the way they are resourced, to have any kind of meaningful log review and log management program. Further, it is hard to translate for the “non-techies” in risk management how this process is vital to enterprise risk management. So what happens?
Higher performing organizations are collecting and archiving the logs from most of their systems so that they have them “handy” in the event that they need them to support an investigation or incident response. Maybe a few of those high performers review logs for their high value/high risk systems routinely. The highest performers have dedicated the resources required – through the internal investment in tools and/or staff or via outsourcing to an MSSP – to implement an operationally-relevant and compliance-aware log management program.
That said, more often than not, we encounter organizations that don’t know what they are collecting, how they have auditing capabilities enabled in their systems, and have no log review or log management program in place.
The operational relevance is obvious, but in healthcare, we have that little regulation better know as the HIPAA Security Rule that specifically culls out “user activity monitoring” as an implementation specification. An effective log management program goes a long way to meeting this compliance requirement.
Based on the recent summary report from the first 20 OCR audits, what was the single greatest deficiency or area of non-compliance vis-a-vis the HIPAA Security Rule? You guessed it (and if you are a regular reader, you’ve read it here before)…User Activity Monitoring.
In our discussions with OCR, it is clear that this facet of an organization’s information security program is going to continue to be carefully reviewed and scrutinized. So, whether via a formal audit, breach or complaint investigation, be prepared to have your log management program under the microscope.
It is our belief, from our 10+ years of experience and service to the healthcare industry, that few organizations are on a trajectory for IT security staffing to effectively implement an organic log management program. After all, your core business is healthcare and your team should be focused on the enablement of care. As we have mused in previous posts, maybe this is the time for organizations to make an active choice to engage security experts to support their security functional requirements, particularly those that really lend themselves well to outsourcing, like log monitoring and management.
Of course, at CynergisTek, we have a solution for this and we would be happy to talk with you more about what we are doing and how we have chosen to help our clients address this gap. But what we really hope this post compels, is a change in the conversation that you are having internally. Does it really make sense to build an information security empire within your healthcare organization or does it make better sense to be a healthcare center of excellence that practices good security? That is a strategy and tactical discussion that we would love to support you with if our experience can be of help.
Make it a good day!
The business equivalent to the personal -security sin of using the word “PASSWORD” as your password: Not collecting and reviewing the data from all your system logs. Chances are you’re not doing that. And you should feel guilty about it. But you can take some comfort in knowing you’re not alone.
“Relatively few do it,” says Sherri Davidoff, co-author of the startlingly well-written new book Network Forensics: Tracking Hackers Through Cyberspace. “Mostly it’s companies in the financial sector which are at risk of losing money directly from being attacked.”
The truth is most companies don’t know when they’ve been hacked. That’s not just Davidoff’s opinion. I’ve been told the same thing by folks in the security industry and in law enforcement. One agent from the FBI said he stopped counting the number of times he told IT execs about attacks that they knew nothing about.
Why does this happen? Companies don’t regularly review their event logs to see what’s going on in their own systems.
It astounds me that checking event logs is so uncommon. It’s kind of like checking to make sure you didn’t leave the key in your door lock, folks. You’re probably wagging your head in disbelief, too, because no CIO.com reader could be that clueless…could they?
Just in case you decide to pass this post along to someone who works at one of those other companies, I will explain why event logs matter:
- They contain lots of info directly relating to your network, like DHCP lease histories and/or network stats.
- They include records of network activity including remote login histories.
- Because they have been transmitted over your network they create network activity.
If you want to find anomalies or unauthorized/unexpected users, the information is all there in event logs.
What is even more baffling about the fact that these logs so frequently go unreviewed is that companies don’t have to check logs manually. They don’t have to sort through all the different log formats to figure this stuff out. There are a lot of programs that will do all of this. All you have to do is read the report.
“You want to make sure you’re not the lowest fruit on the tree; that you’re not the most vulnerable,” says Davidoff. “Fortunately or unfortunately, that’s not that hard to do.”
PS: I read a lot of computer-related books. In most cases I would rather try to read machine code. That is why I have to point out that Network Forensics is actually well-written. It is a text book that you can read and really learn things from. You probably went to college, so I don’t have to tell you how rare that is.