01:53 PM
The Staff of Dark Reading

Top 10 Most Overlooked Aspects of IT Security

Before you hunker down, all comfy and cozy, in front of a crackling holiday fire, hold the fruitcake and eggnog: Feel like you're forgetting something?

Log files are not so much overlooked as unappreciated. After all, it would be hard to overlook the mountain of data created each day by system hardware, network devices, PC hard drives, and IT security applications. In fact, most IT and security pros have so much log data that they typically only skim it, or ignore it altogether.

But log files can be the key to recognizing an attack, experts say. External attackers typically use methodical approaches (probing host after host, account after account) that show up as trends in the logs, enabling the IT organization to block or quarantine them. Internal attackers usually leave an audit trail in the logs that can be backtracked and exposed, enabling IT to catch the perpetrators red-handed.

The trick is learning how to analyze log files in a way that is thorough, yet not too time-consuming. For most IT organizations, this means using a combination of automated log file analyzers, security information management tools, and good old-fashioned detective work.

The automated tools for this task are improving, but they still aren't perfect, notes Eric Ogren, an analyst at Enterprise Strategy Group. Some tools offer network behavior anomaly detection (NBAD), which continuously monitors application traffic (destination, source, protocol) but forces IT to manually associate user names with IP addresses. On the other hand, security information management (SIM) does a decent job of collecting log file information but is generally geared more toward historical analysis, rather than identifying potential attacks in real time.

A slew of tools fall somewhere along the NBAD-SIM spectrum, including products from Arcsight, LogLogic, netForensics, and Securify. These tools identify trends and warning signs, but in the end, it is usually a human analysis that identifies an attacker's trail -- and what to do about it.

In his paper "Five Mistakes of Security Log Analysis," netForensics security strategist Anton Chuvakin says that many IT analysts do analyze their logs, but they fail to normalize the data or study it for a long enough period of time. Other IT analysts have good data, but they focus too closely on trying to find specific attack patterns, he says.

"To fully realize the value of log data, one has to take it to the next level of log mining: actually discovering things of interest in log files without having any preconceived notion of 'what we need to find,'" Chuvakin says. "It sounds obvious -- how can we be sure that we know of all the possible malicious behavior in advance -- but it is disregarded so often."
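The three ideas above (normalizing mixed log formats, spotting an external attacker's methodical trend, and mining for rare events without a preconceived signature) can be shown in a few dozen lines. The script below is an added example written for this page; it is not code from the article, from netForensics, or from any product named above. The sshd and Apache lines are constructed for illustration, the year 2017 is assumed because syslog timestamps omit it, and the thresholds (a 10-minute window, 4 failures, 3 distinct targets) are arbitrary starting points a practitioner would tune to their own environment.

```python
"""Normalize two log formats onto one schema, then mine them two ways:
a trend detector for methodical external probing and a rare-event search
that needs no attack signature. Added example; all data is constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2017  # assumption: syslog lines carry no year

# Constructed sample input (invented hosts, users and addresses).
SSHD_LOG = """\
Jan 10 02:14:01 bastion sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 50122 ssh2
Jan 10 02:14:03 bastion sshd[2213]: Failed password for invalid user postgres from 198.51.100.7 port 50131 ssh2
Jan 10 02:14:05 bastion sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 50140 ssh2
Jan 10 02:14:07 bastion sshd[2217]: Failed password for root from 198.51.100.7 port 50149 ssh2
Jan 10 09:01:12 bastion sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 40001 ssh2
Jan 11 08:58:40 bastion sshd[2388]: Accepted publickey for alice from 10.0.0.5 port 40210 ssh2
Jan 12 09:03:07 bastion sshd[2470]: Accepted publickey for alice from 10.0.0.5 port 40455 ssh2
Jan 12 23:41:55 bastion sshd[2502]: Accepted password for alice from 203.0.113.9 port 40321 ssh2
"""
APACHE_LOG = """\
198.51.100.7 - - [10/Jan/2017:02:20:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2017:02:20:11 +0000] "GET /wp-login.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Jan/2017:09:05:00 +0000] "GET /reports/q4.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
10.0.0.5 - alice [11/Jan/2017:09:02:30 +0000] "GET /reports/q4.pdf HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""

SSHD_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]\s]+)[^\]]*\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def normalize(sshd_text, apache_text):
    """Map both formats onto one schema: ts, source, ip, user, target, ok."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped; count them in production
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "source": "sshd", "ip": m["ip"], "user": m["user"],
                       "target": f"ssh:{m['user']}", "ok": m["outcome"] == "Accepted"})
    for line in apache_text.splitlines():
        m = APACHE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
        user = None if m["user"] == "-" else m["user"]
        events.append({"ts": ts, "source": "http", "ip": m["ip"], "user": user,
                       "target": f"http:{m['path']}", "ok": m["status"][0] in "23"})
    return sorted(events, key=lambda e: e["ts"])


def methodical_sources(events, window=timedelta(minutes=10), min_failures=4, min_targets=3):
    """Trend detection: a source IP that fails against many distinct targets
    inside a short window is probing methodically (scan or credential spray).
    Returns {ip: (failures_in_burst, sorted_targets)}."""
    by_ip = defaultdict(list)
    for e in events:  # events are time-sorted, so each list stays sorted
        if not e["ok"]:
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        for i, start in enumerate(fails):
            burst = [f for f in fails[i:] if f["ts"] - start["ts"] <= window]
            targets = {f["target"] for f in burst}
            if len(burst) >= min_failures and len(targets) >= min_targets:
                flagged[ip] = (len(burst), sorted(targets))
                break
    return flagged


def rare_successes(events, max_count=1):
    """Log mining without a signature: count every (source, user, ip) that
    succeeded and surface the ones seen at most max_count times."""
    counts = Counter((e["source"], e["user"], e["ip"])
                     for e in events if e["ok"] and e["user"])
    return sorted(k for k, n in counts.items() if n <= max_count)


def audit_trail(events, user):
    """Backtrack one account across every source, in time order."""
    return [(e["ts"].isoformat(), e["source"], e["ip"], e["target"])
            for e in events if e["user"] == user]


if __name__ == "__main__":
    evs = normalize(SSHD_LOG, APACHE_LOG)
    print("methodical sources:", methodical_sources(evs))
    print("rare successful (source, user, ip):", rare_successes(evs))
    for row in audit_trail(evs, "alice"):
        print("alice:", *row)
```

Run as-is, the trend detector flags 198.51.100.7 for six failures against six different targets across both logs, something neither log shows on its own; the rare-event search surfaces alice's single password login from 203.0.113.9, which no signature was written for; and the trail function shows what the "long enough period" point buys you, since the same login looks unremarkable until it is seen against three days of the account's normal publickey logins from 10.0.0.5.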

7 of 10