Security, Log Management & Burying Stumps
Burying Stumps
Recently I've been planning and executing a plan to fix some of the landscaping around my house (as a side note, try not to plan this to happen in the middle of July when it’s 90 degrees). In talking with people who have experience with landscaping projects we seem to always hit the topic of digging up and burying stumps, and whether this is a good idea or a bad idea. For the short term, it seems like a good idea. The stumps take up space in the ground so you need less fill (which saves money), burying is cheaper than grinding them down or having them hauled away, and you don't have to look at an ugly stump. The downside is that 7-10 years down the road, the stumps begin to rot and you are left with sinkholes in your yard.
I can't help but think that many organizations are treating security problems like an old stump. You know they are there, plenty of options exist to get rid of them, and you choose the cheapest and quickest solution to deal with them. However, down the road this comes back to haunt you, and sinkholes start appearing in your IT infrastructure, people fall in them, water begins to pool, and eventually your entire security model collapses.
"Log Management"
I couldn't resist the obvious analogy and use this as an opportunity to relate to log management. Your security strategy should, preferably in some "prolific" way, revolve around the logs generated by all the devices connected to your network. The devices on your network are either passing around or storing the information vital to your organization, or providing services that keep your business going. Logs will give you regular tidbits of information about how these devices are doing. The information contained in your logs can not only tell you if someone is burying stumps, but who is burying them and where they are putting them.
Recent breaches have certainly shown that organizations have "buried some stumps". Using your logs, you can uncover useful information and avoid many pitfalls. Logs, along with SecurityCenter 4's dashboard feature, help you answer questions such as:
Who is trying to login to my systems and failing?
This dashboard displays login failure events and anomalies for each user.
Several recent breaches relied upon brute forcing usernames and passwords. This type of behavior can be spotted by viewing the logins in the above graph.
This dashboard displays inbound and outbound SQL traffic observed by the Passive Vulnerability Scanner.
SQL injection is still commonly exploited to harvest sensitive information, such as usernames and password hashes from organizations. The above dashboard will show when an anomaly such as this is detected.
Are people running programs on my systems?
Seeking Out The Stumps
I hear from a lot of organizations saying, "There are no big ugly problems on my network!" The question then becomes, how can you be so sure? Problems in your network are not always so apparent.
A good measure for "network ugliness" is to track the application of Microsoft patches across all of your systems:
This dashboard trends missing Microsoft patches in a variety of tables and trend lines.
The above graph depicts Microsoft patches applied across all systems being monitored by year, allowing you to gain some historical insight into how your organization is doing applying Microsoft patches.
Another good question to answer is, "Are the hosts on my network participating in a botnet?":
This dashboard displays assets on your network that are participating in a known botnet.
Hosts participating in a botnet have been infected by some kind of malware, which could just being lying dormant in your network or participating in launching a DDoS attack. In either case you need to seek out these hosts and perform incident response.
Conclusion
Organizations have similar problems keeping up with the security of the devices on the network. Problem areas can hide, and implementing solutions "just for now" only exacerbate the problem. Monitoring your logs and network traffic can provide insight into your network and help find the "buried stumps".
Related Articles
Tenable One Exposure Management Platform: Unlocking the Power of Data
November 3, 2022When our data engineering team was enlisted to work on Tenable One, we knew we needed a strong partner. Here’s how we selected Snowflake to help us deliver on the promise of exposure management.
New Data Reveals Company Size May Be Tied To Remote-Worker Cybersecurity Practices
November 15, 2021Employees at the largest firms are least likely to adhere to wifi and password security guidelines.
Managing OT and IT Risk: What Cybersecurity Leaders Need to Know
October 7, 2024Security leaders face the challenge of managing a vast, interconnected attack surface, where traditional approaches to managing cyber risk are no longer sufficient. Modern threats exploit vulnerabilities across domains, requiring a more holistic approach to avoid operational disruption, safety risks and financial losses.
Cybersecurity Snapshot: Many Employees Overshare Work Info with AI Tools, Report Finds, as ‘Cybersecurity Awareness Month’ Kicks Off
October 4, 2024Check out the best practices cyber agencies are promoting during Cybersecurity Awareness Month, as a report warns that staffers are feeding confidential info to AI tools. Meanwhile, a study highlights how business decisions can derail OT security. Plus, get the latest on Active Directory security, CISO salary trends and ransomware attacks!
How to Unlock Advanced IoT Visibility for Cyber-Physical Systems
October 1, 2024As the number of IoT devices deployed globally continues to rise, cyber-physical systems and business operations are exposed to greater risk. Improving asset visibility, monitoring and risk management are critical steps to preventing breaches.
- Data Visualization
- Event Monitoring
- Nessus