
Drowning in a sea of logs

A minor security breach has you wading through enough paperwork to fill a Hummer and anything it could tow. What do you do now?

What you will learn from this tip: How to weed through the mounds of paperwork after a security breach to find out what went wrong.

Compliance regulation and corporate policies are certainly at the forefront of the news. We know, for instance, that companies are spending more on compliance than they ever imagined. We know that outside the US, companies are considering delisting their shares from our stock exchanges because of the cost of complying with legislation that may contradict their own countries' laws. We know that technology expenditures are increasing because of compliance. On top of all of this, security spending remains partially separate, but it certainly should be integrated from an overall network assurance standpoint.

But we also know that companies now have not only NOCs but, in many cases, SOCs (Security Operations Centers) as well. When a breach, suspected breach, or questionable activity arises, everyone is supposed to spring into action. Herein lies the tricky part. Suppose the network group installs software, hardware and firmware to detect virus activity, denial of service activity, etc. The security group has software to track access to files, but strictly from an audit perspective. The network group is tasked with preventing traffic; security is tasked with logging traffic and reporting suspected network breaches, but that is very hard to do in a forecast environment. Add to this equation the fact that today we operate in what I call the "radar gun and radar detector environment." What I mean is that as soon as one technology comes out, another segment of the computing world will work diligently to circumvent it.

Okay, "STOP THE MADNESS!" Put yourself in the IT Director's or CIO's shoes. Houston (why it is always Houston, I don't know, but one place is as good as another!), we have had a breach in security. I need to know anyone who has accessed this file in the last 30 days. Who has copied the file, where were they when they did it, and what did they get? "No problem," says the gender-nonspecific CIO. "I'll get right on that!" Immediately the CIO calls IT, security and facilities. "I need a list of everyone who could have accessed this file in the last 30 days." All specialties reply, "We are on it!"

Now picture yourself as the gender-nonspecific CIO. The next morning you are rewarded with paperwork that could fill a Hummer and anything it could tow. The issue is that there are many disparate systems, and the reporting capabilities across an enterprise can be enormous. In the old days we relied on SNMP, but that tracking was never enough for everything. If every log generated in a 10-minute window around one small infraction on a large enterprise were printed out, you could literally overflow a big pond. Here's our sea of logs!

In previous articles, I have addressed actionable data. Data for data's sake does little good when you are working on problem resolution. You have to be able to assimilate disparate information into a usable (key word: usable) format that gives you concise information, not a sea of it that someone will spend two weeks deciphering. With the growing trend to make security a separate (sort of) entity from IT, turf wars and varied technologies can do more harm than good.

Welcome to Oz! OZ being Open Zystems (sorry, Dorothy, new twist!). The hurdle in this space is not gathering information. There are tons of systems out there that do this very well, and many of them openly communicate with other systems to provide assurance to management on several levels. The problem is sorting through the pile of information to weed out the 95% you don't want, get to the 5% you want to see, and finally reach the 0.1% where your answers lie.
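What the sorting step looks like in practice, as an added example that is not part of the original column and is not Consul's or CastleRock's code: a handful of constructed log lines in three different formats (a key=value file-server audit log, a syslog-style VPN gateway, and an XML-style Windows file-access event) are normalized into one record shape, and the CIO's question from above is then asked once over all of them. Every format, hostname, user and address here is made up for the example; the 30-day window and the "now" timestamp are fixed so the result is repeatable.

```python
"""Added example (not from the column, nor Consul's or CastleRock's code):
normalize constructed lines from three disparate systems into one record
shape, then answer "who touched this file in the last 30 days, when, from
where, and what did they do" once, across all of them."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample input (made up for this example, not real vendor output).
SAMPLE_LOGS = r"""2024-03-02T09:14:05Z fileserver audit user=jdoe src=10.1.4.22 action=read path=/finance/q1_forecast.xlsx
2024-03-02T09:16:41Z fileserver audit user=jdoe src=10.1.4.22 action=copy path=/finance/q1_forecast.xlsx dst=/home/jdoe/q1.xlsx
Mar  3 22:05:17 vpngw sslvpn: login user="msmith" remote=203.0.113.9 assigned=10.9.0.7
2024-03-04T01:12:30Z fileserver audit user=msmith src=10.9.0.7 action=read path=/finance/q1_forecast.xlsx
<Event><TimeCreated SystemTime="2024-01-15T11:00:00Z"/><User>asmith</User><Ip>10.1.4.99</Ip><Object>\\fs\finance\q1_forecast.xlsx</Object><Access>READ</Access></Event>
<Event><TimeCreated SystemTime="2024-02-20T16:45:10Z"/><User>asmith</User><Ip>10.1.4.99</Ip><Object>\\fs\finance\q1_forecast.xlsx</Object><Access>READ</Access></Event>
2024-03-05T14:00:00Z fileserver audit user=root src=10.1.4.1 action=read path=/var/log/messages
this line is in no format the parsers know
"""


@dataclass
class Event:
    """The one record shape every system is normalized into."""
    ts: datetime
    system: str
    kind: str          # "file" access or VPN "login"
    user: str
    src_ip: str        # for logins: the inside address the gateway handed out
    action: str = ""
    path: str = ""
    detail: str = ""   # copy destination, or the VPN client's outside address


KV_AUDIT = re.compile(r"^(\S+Z) (\S+) audit (.*)$")
SYSLOG_VPN = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sslvpn: login '
                        r'user="([^"]+)" remote=(\S+) assigned=(\S+)$')
XML_EVENT = re.compile(r'<TimeCreated SystemTime="([^"]+)"/><User>([^<]+)</User>'
                       r'<Ip>([^<]+)</Ip><Object>([^<]+)</Object><Access>([^<]+)</Access>')


def norm_path(p: str) -> str:
    """Collapse UNC and POSIX spellings so one query matches both."""
    return p.replace("\\", "/").lower()


def iso(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line: str, year: int) -> Optional[Event]:
    """One raw line from any known system -> Event, or None if unrecognized."""
    if m := KV_AUDIT.match(line):
        kv = dict(t.split("=", 1) for t in m.group(3).split() if "=" in t)
        return Event(iso(m.group(1)), m.group(2), "file", kv.get("user", "?"), kv.get("src", "?"),
                     kv.get("action", "").lower(), norm_path(kv.get("path", "")), kv.get("dst", ""))
    if m := SYSLOG_VPN.match(line):
        # Classic syslog carries no year; the caller supplies one (a known pitfall).
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year, tzinfo=timezone.utc)
        return Event(ts, m.group(2), "login", m.group(3), m.group(5), "login", detail=m.group(4))
    if m := XML_EVENT.search(line):
        return Event(iso(m.group(1)), "winfs", "file", m.group(2), m.group(3),
                     m.group(5).lower(), norm_path(m.group(4)))
    return None


def who_touched(raw: str, target: str, now: datetime, window_days: int = 30) -> list[dict]:
    """The 5%: accesses to `target` inside the window, each correlated with the
    VPN login (if any) that owned the source address at the time."""
    events = [e for e in (parse_line(ln, now.year) for ln in raw.splitlines()) if e]
    cutoff = now - timedelta(days=window_days)
    logins = sorted((e for e in events if e.kind == "login"), key=lambda e: e.ts)
    target = norm_path(target)
    hits = []
    for e in sorted((e for e in events if e.kind == "file"), key=lambda e: e.ts):
        if e.ts < cutoff or not e.path.endswith(target):
            continue
        # Latest login before the access that was assigned the same inside address.
        origin = next((lg.detail for lg in reversed(logins)
                       if lg.src_ip == e.src_ip and lg.ts <= e.ts), None)
        hits.append({"when": e.ts.isoformat(), "system": e.system, "user": e.user,
                     "action": e.action, "src": e.src_ip, "via_vpn_from": origin, "detail": e.detail})
    return hits


def example_report(now_iso: str = "2024-03-06T00:00:00Z") -> list[dict]:
    """Run the query over the sample with a fixed 'now' so the answer is repeatable."""
    return who_touched(SAMPLE_LOGS, "/finance/q1_forecast.xlsx", iso(now_iso))


if __name__ == "__main__":
    for hit in example_report():
        print(hit)
```

On the sample, eight lines collapse to four hits: the unparseable line and the root access to an unrelated file fall out on path, the January event falls out on the 30-day window, the Windows-style event survives despite its UNC spelling, and the one access from a VPN-assigned address is tied back to the outside address the gateway logged at login. The year-less syslog timestamp and the UNC-versus-POSIX path spelling are exactly the kind of per-vendor quirks that make "just grep the logs" take 40 hours.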

So here is the cool part. I found this company, Consul (I am sure there are others, and I am glad to hold a bake-off of capabilities), and this is a cool, cool tool. While I have always been a fan of Crystal Reports and have been known in the past as the "Query Queen," who in this day and time has the time to write them? With separate departments controlling different aspects of security and compliance, the meetings alone can consume a week. I've said this before, and I can't help saying it again: you can do nothing with data that is not actionable. I have personally been involved in many audits, for specific reasons that encompass a broad range of problems, but in the end you may spend more dollars in time trying to decipher the problem than you would ever realize from the answer.

The first cool tool that I ran across that performed outside of "vendor-specific" tools was SNMPc by CastleRock Computing. This was the first tool that incorporated all of the vendor-specific data and put it in an open platform. Prior to this, most companies that I dealt with led you to believe that SNMP, their MIBs, etc. were proprietary and could only be managed with their tools. Seasoned a bit, I learned that no company really makes any margin on hardware. Software is the key. I have to admit that at one naive time in my career, I believed that my vendor had all the answers. But I am older and wiser! This was the first non-vendor-specific tool that was 1) affordable and 2) not tied to any electronics purchase, but really incorporated everyone's SNMP data. They were never tied to a particular vendor's electronics, which sold me! I have been and still remain a huge fan. With the target on many vendors' backs due to the unscrupulous few, a "disinterested third party" makes sense. If we as an industry want to push our enterprises towards open computing, open management and open systems, why in the heck are we spending fortunes on proprietary solutions to manage our "open" systems? Duh!

Even the proprietary systems have to open up to include other solutions. Thank goodness for IEEE, IETF, ISO, TIA and the other standards bodies throughout the globe. The real trick is handling interpretations! I have been personally involved with audits that took 40+ hours just to sift through logs. Human intervention, I believe, will not and cannot be replaced by machines alone. There will always be a place for the human mind and its ability to apply logic. How can a machine tell the difference between an influx of orders and a denial of service attack, for instance? At some point, human intelligence has to be a factor. While companies segregate responsibilities based on function, there still looms this overall umbrella. Each department under the umbrella feels the pressure to press the button to cover everyone else, but in many cases, if you asked "Who pushed the button?" I fear you would only hear a lot of silence.

My encouragement is to look outside your vendor box. CastleRock and Consul are two of the coolest tools I have seen in a while. If an organization can cut 40 hours of deciphering down to a few hours of parsing, or take four management consoles and convert them to one, the ROI has to make sense. Tie this in to the human drain of drowning in a sea of logs: why not have a tool that makes them easy to parse, that cares not whose equipment or files it is working with, but rather lets you as a manager sift through the useless information to find actionable and appropriate data in an expeditious manner? At last, a real life jacket and maybe even the proverbial paddle!
