Malware

EXPERT ADVICE

Your Log Records Have an Important Message for You

I spend a good deal of my time meeting existing and potential customers, and from that, I believe two things are clear: First, the Internet is now fundamental to the operations of both public and private organizations; second, those organizations are increasingly concerned with threats and risks due to those Internet-based operations.

Since the term “cybersecurity” is quite broad, perhaps it’s more helpful to consider what that term covers. At one end of the spectrum, we have what I will call “cyberthreats”; at the other, “cyber-risks.” Both can cause serious problems.

Cyberthreats come from malicious intent. That is, a cyberthreat is some entity — be it a person, gang, competitor, or country — that intentionally wishes to harm an organization and takes specific action to do so.

That action may take the form of digital espionage, where confidential information about intellectual property is stolen — either by outside hackers or by insiders acting as agents. Two companies recently affected by this are Boeing and Du Pont, each of which experienced well-publicized incidents in which employees exposed confidential design documents to a foreign government.

Endless Possibilities

Cyberthreats may also take the form of network attacks, where external systems, controlled by malware or hackers, attack an organization’s networks to shut down operations or breach defenses.

The July 4th attacks on the U.S. military and NYSE networks, attributed to North Korea, are good examples of cyberattacks. More recently, the television show “60 Minutes” ran a story on the potential damage that could hit critical infrastructure such as power or fuel-transport grids. While the story may have been a bit sensational, these threats certainly exist today in some form.

Or, cyberthreats may take the form of confidential data theft by a disgruntled employee. Various surveys indicate anywhere from 50 percent to 70 percent of IT administrators say they would take confidential data with them if they lost their jobs.

Customer lists, engineering designs, and employee names — any of these would be very valuable to a competitor. Entire technology markets, including identity management and data loss prevention, have been created to address data theft, and billions are spent each year on these products.

Finally, this month marks the anniversary of the Conficker worm, a piece of malware that continues to reside on millions of computers despite aggressive action by researchers, security vendors, and IT departments. Bot-controlled PCs are responsible for spam, password-theft, and banking attacks that cause millions of dollars in harm each year.

If this list of cyberthreats seems overly sensational, consider a new study by CDW-G, the government-focused division of computer reseller CDW. It states that one third of federal IT professionals experience at least one cyberthreat of the types described above, each day.

Now, security vendors are often accused of overhyping the cybersecurity problem, so let me now move to the other end of the spectrum: cyber-risk. While many threats to operations come from intentional malicious activity, I’d wager that just as many, if not more, come from unintentional actions by employees, partners, customers, etc.

That is, problems with Internet-based business processes can cause significant risk and financial loss. For example, simple clerical errors in ERP systems cause millions of dollars in loss. Diligent employees who mail confidential documents to their Web mail accounts so that they can get some work done at home expose their employers to data loss. Glitches in deprovisioning of ex-employees can leave those people with live accounts and access to confidential information.

So, while intentional threats can harm the business, managers must also worry about risk from well-intentioned users performing normal business processes.

Log Data Can Restore Control

If loss of control comes from lack of visibility of threats and risks, then logs can restore both. Log data is already being generated every day, in every organization as it goes about its normal business.

For example, all of the following generate log information: financial, planning, and operational systems; databases and file directories; desktops and servers; phones, email, and smartphones; and so on, and so on. Each of these systems generates records that describe who is doing what and where.

The amount of data is enormous, and most organizations don’t have a good handle on it. Used correctly, log data can help managers find threats as they hit the corporate network, or find risks from process errors, or find gaps where data can be lost. Even better, by combining information in logs from different systems, managers can get the context to know not only who is doing what, but whether that’s okay or not.

Let me give you an example of context: One company had a situation where an employee was badging out late at night, was sending many files to the printer after hours, and was accessing engineering files that he’d never opened before. One night, this same employee logged into the customer management application — a valid action — and started to extract thousands of customer names, addresses and balances. Now, combining all these actions, each supported by system log records, allowed administrators to have the context to suspect this employee and take action before he put the company at risk.

The point of this article is not to scare you, but to point out how something that already exists in your organization today — log records — can be used to shore up your security, reduce your risk, and improve your business. You have invested in a great deal of technology to make your business run better; now that technology can generate information that you can use in new ways.

Log management is used successfully in every industry today, from HIPAA monitoring in healthcare, to credit card protection in retail, to network defense in the federal government. Taken together, your log records tell a story every day — are you listening?


Tom Reilly is CEO of ArcSight.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels