You know the old story about how the Chinese symbol ‘crisis’ is comprised of two separate pieces which mean ‘danger’ and ‘opportunity’? The idea is that we should look for the gold buried within a crisis. Well, it turns out that slogan doesn’t seem to be quite true. Chinese scholars don’t dispute the ‘danger’ part, but it looks like somebody pulled a fast one on ‘opportunity.’ It turns out that the ‘opportunity’ characters really mean something closer to ‘critical moment.’ That would mean we have to accept that a crisis is just plain mean and serious. Maybe that’s exactly as it should be. We cannot avoid all crises in our jobs, but our jobs are to avoid crises for the organization as much as possible.
What does this all have to do with security logs? Well, you’d better have all the quality data you possibly can to help make the decisions to avoid crises. That’s where security logs are a danger and an opportunity at the same time. Security logs are dangerous when they are not capturing data or when the data is not being analyzed regularly and properly. Scouring your security logs and devouring the details will make you and your organization stronger, and there lies the opportunity. But let’s not kid ourselves. This is an opportunity to survive, so it sounds like more of a critical moment to me.
I certainly hope you have a security log monitoring process in place already. If you don’t, this is a good time to stop and just make the decision to start a regular process. If you choose not to, you are asking for more crises. The money spent paying you to solve a single crisis can vastly outweigh the money spent building the processes and systems to have high quality, consistent, and timely log analysis in place.
Your job is to decrease your company’s attack surface. You must minimize the risk of attack to the lowest possible threshold without impacting your company’s ability to produce daily revenue. That means finding every possible point of entry and closing down as many as you can. When you close a port on a firewall, the attack surface shrinks.
Regardless of your best efforts to mitigate potential threats and reduce your overall attack surface, there will always be openings in your security structure. Remember, the company must produce revenue. Consider a door into your building. The door must open to let the employees in to accomplish their work. However, an open door, for whatever purpose, is still an open door and can be compromised.
This means that you must know what is happening in your environment 24×7. Often the bad guys leave a trail in the security log before or during their attack. Your security logs are your sensors, picking up data that can be used to block or reduce the damage of attacks. Leaving a log unmonitored is like the guards sleeping at the front gate of your castle. Attacks of this type in essence become self-inflicted wounds because there was a chance to staunch the attack in the first place. Countless organizations have had to spend cash and other resources to counter attacks that did damage to systems, information, and company reputation. Again, you should see a lot more danger here than opportunity. This is serious stuff.
Next week we’ll look at the ten critical points to the security log monitoring process.
Excerpted and available for download from Global Knowledge White Paper: Security Log Analysis: Saving the World, One Company at a Time