Log Blindspots:
A review of cases where System Logs are insufficient

An ObserveIT Whitepaper | Brad Young


Executive Summary
  If you spend a few minutes browsing the websites of Log Management and SIEM tool vendors, you might come away with
  the conclusion that all your system audit and compliance problems are solved. Unfortunately, this rosy picture seems to
  ignore the ever-present problem of blindspots in audit reports: If your apps don’t log it, your audit report won’t show it.

  Audit report tools may do a good job at interpreting and presenting log info, but we can no longer overlook two key facts:

      1. Hundreds of critical security event types are not logged at all

      2. Those events that are logged typically do not show what was done. Instead, the logs only show obscure technical
         details of the resulting system changes.

  In this whitepaper, I’ll highlight examples of where these blindspots occur, by showing a number of very common and basic
  system activities that one might think should generate auditable log entries, but in actuality they do not. These non-audited
  actions include:

      On a Windows server:
          - Adding and deleting an IP address
          - Setting a service to run as administrator
          - Changing the web server config file
          - Changing the port used by an active service

      On a Linux or Unix server:
          - chmod * or chown *
          - Assigning a user to an admin rights group
          - Adding/deleting an IP address in the hosts file
          - Giving sudo rights to a non-admin user


  One possible way to eliminate blindspots is to implement custom log utilities or WMI-based tools. But to do this, the
  burden remains on you to know what you are looking for. For the examples listed above, adding an IP Address change
  monitor won’t help with web config file changes, and vice versa. And more importantly, adding 4 different monitors for
  each of those issues won’t help capture the hundreds of actions that you’ll never be able to predict. As the well-worn yet
  valuable expression states, “Expect the unexpected”.

  User Activity Monitoring follows through on this philosophy. In the context of IT audit logs, perhaps the best way to expect
  the unexpected is to drop the paradigm of listing the actions that should be logged, and instead simply monitor all user
  actions.




                                Log Blindspots: A review of cases where system logs are insufficient
                                           © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com

Scenario 1: Changing a Windows system’s IP address
  What the User Did: A privileged user logged onto a Win 2003 Server (via RDP in this case, but for the sake of discussion
        it could be any local or remote connection protocol). After logging in, this admin user opened the Advanced TCP/IP
        Settings (via Start > Settings > Network Connections > Local Area Connection > Properties > Internet Protocol >
        Properties > Advanced). Once there, he removed an IP address (10.1.200.178), and then added a different IP
        address (10.1.200.179).


                                                       Advanced TCP/IP Settings




  Security and Audit Implications of this Action: Adding an IP address might allow bypassing of firewall settings and
        may also interfere with proper execution of critical services.

  What shows up in system event logs: With full auditing enabled, a total of over 11,000 log events were triggered
        during the 30 seconds it took the user to delete and add an IP address. Almost all the log entries were in the
        “Object Access” category. Searching within the logs for the terms “TCP”, “IP” or “179” (the last 3 digits of the IP
        address added) brought back numerous results, but all were false hits (e.g. “IP” appears in the filename
        “wshtcpip.dll” within one log entry; another log entry has Operation ID “74312179”). No log entry refers
        explicitly to the action taken.

        It may be possible for a highly-trained system security expert to piece together the log entries and determine
        what actions took place. But it would involve a time-intensive forensic analysis by a sparse and expensive
        resource. Do you have highly-trained security experts that are bored with nothing better to do than piece
        together log entries?

          Event Viewer: 11,000 log entries in 30 seconds, dozens of false hits, no clear picture

  What User Activity Monitoring shows you: A user-oriented textual audit log shows that “brad” logged on as
        “administrator”, and the list of actions tells the story of what he did: Network Connections > Properties >
        TCP/IP Properties > TCP/IP Address. This is already much more information than is accessible in the system
        logs. Adding video replay of the session then shows even more details.




     ObserveIT Audit Log: A Table of Contents of the user session
     ObserveIT video replay of user changing the IP Address




Scenario 2: Adding sudo rights for non-authorized users in Linux
  What the User Did: A non-privileged user tried running the snmpd service, but did not have permissions. He then tried
        running it using sudo, but did not have sudo rights either. So instead, he asked a root user to log on and grant him
        sudo rights, using visudo.



                                   Add sudo rights for a non-authorized user




  Security and Audit Implications of this Action:
        Giving sudo rights allows a user to run many sensitive commands or services.

  What shows up in system event logs: Using auditctl and ausearch, we can see that the visudo command was run.
        However, this logging is almost entirely of a technical nature. We can see the working directory from which it
        was launched, its process id, and the fact that it finished with a success return value. No indication shows
        what rights were granted, or what the user did once he got those rights.

                                  Technical details only in ausearch

  What User Activity Monitoring shows you: With ObserveIT in place, we are able to see exactly what took place.
        The textual metadata log shows the commands that were run.




       ObserveIT Audit Log, including underlying system calls
       ObserveIT video replay of CLI activities





Scenario 3: Setting a Windows service to run as administrator
  What the User Did: An admin user changed the properties of a Service (via Start > Settings > Control Panel >
        Administrative Tools > Services). Once there, he selected the “Cryptographic Services” service and marked it to
        run as administrator.

                               Run a service as Administrator




  Security and Audit Implications of this Action: Enabling a service that is not secure to run as administrator can
        enable remote hacking and can cause the service to improperly affect sensitive system configuration and data.



  What shows up in system event logs: Over 24,000 log events were triggered during the 40 seconds it took the user
        to change the Run As credentials. Despite the sheer volume, no log entries included the word “Cryptographic” (the
        name of the service)!

        Again, a full-throttle investigation by system experts might unearth the true actions, but this task makes
        biblical archaeology look easy.

                      Event Viewer: 24,000 log entries in 40 seconds, no indication of the Service that was modified

  What User Activity Monitoring shows you: As in the previous example, ObserveIT shows a clear chronological timeline
        of what the user actually did: open Control Panel and then go to Cryptographic Services Properties. And again,
        video replay shows even more.




      ObserveIT Audit Log
      Video replay of Service Run As credentials





Scenario 4: Change web.config (IIS webserver configuration file)
  What the User Did: Via Windows Explorer and Notepad, the user made a simple change to an XML attribute in the file
        “web.config”, changing a “0” (false) value to “1” (true).


                  Editing web.config with Notepad




  Security and Audit Implications of this Action: Changes to this file will affect how the web server runs, in
        numerous different ways. This can expose security risks, and can also affect proper operations.

  What shows up in system event logs: 6,000 log entries cover the 20 seconds it took to make the change. One log
        entry indicates that “Notepad” was launched. Another log entry indicates that “web.config” was added to the
        “Recent Files” list in Windows. A third log entry seems to show (not convincingly) that it was Notepad that
        edited the file web.config. But even with this info, we cannot tell what was actually changed within the file!
        (Was it a harmless addition of an application extension? Or did the user modify an important entry within the
        file?)

        To know what was changed, we would now have to access a file server backup, and perform a file compare on the
        old and new versions. Doable, but that’s a heavy burden to answer a pretty straightforward question: “What did
        the user change???”

                            Event Viewer: But what was changed?

  What User Activity Monitoring shows you: ObserveIT’s log shows what the user did, in a concise and descriptive
        manner. And again, video replay shows what took place within the file.
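  The “custom log utility” route the paper mentions, applied to Scenario 2 (a visudo edit of sudoers) and Scenario 4 (a web.config attribute flipped from 0 to 1), as an added example that is not ObserveIT’s code: it snapshots the file and records what changed, which is exactly what the ausearch and Event Viewer entries above omit. The sample files are constructed, and, as the paper notes, a monitor like this only covers the files you already know to watch.

```python
"""Config-change monitor: a "custom log utility" of the kind the paper mentions.

Added example, not ObserveIT's code. It hashes a privileged configuration file
and, when the content changes, records WHAT changed (attribute level for XML,
line level for sudoers-style files) rather than the fact that Notepad or visudo ran.
All sample inputs below are constructed.
"""
import difflib
import hashlib
import xml.etree.ElementTree as ET


def sha256_hex(data: str) -> str:
    """Content hash stored with each snapshot so unchanged files are skipped cheaply."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def _attribute_map(xml_text: str) -> dict:
    """Flatten an XML document into {(element_path, attribute): value}.

    Sibling elements with the same tag get a 1-based index so each path is unique,
    e.g. configuration/system.web[1]/compilation[1].
    """
    root = ET.fromstring(xml_text)
    flat = {}

    def walk(element, path):
        for name, value in element.attrib.items():
            flat[(path, name)] = value
        seen = {}
        for child in element:
            seen[child.tag] = seen.get(child.tag, 0) + 1
            walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")

    walk(root, root.tag)
    return flat


def diff_xml_attributes(old_xml: str, new_xml: str) -> list:
    """Attribute-level diff for web.config-style files: which value went from what to what."""
    before, after = _attribute_map(old_xml), _attribute_map(new_xml)
    changes = []
    for key in sorted(set(before) | set(after)):
        if before.get(key) != after.get(key):
            path, attr = key
            changes.append({"path": path, "attr": attr,
                            "old": before.get(key), "new": after.get(key)})
    return changes


def diff_lines(old_text: str, new_text: str) -> tuple:
    """Line-level diff for sudoers-style files, ignoring blank and comment lines.

    Returns (added_lines, removed_lines) in file order.
    """
    def rules(text):
        return [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]

    added, removed = [], []
    for line in difflib.ndiff(rules(old_text), rules(new_text)):
        if line.startswith("+ "):
            added.append(line[2:])
        elif line.startswith("- "):
            removed.append(line[2:])
    return added, removed


def audit_change(kind: str, old_text: str, new_text: str) -> dict:
    """Produce the audit record the system log lacks: hashes plus a plain-language summary."""
    old_hash, new_hash = sha256_hex(old_text), sha256_hex(new_text)
    record = {"changed": old_hash != new_hash, "old_sha256": old_hash,
              "new_sha256": new_hash, "summary": []}
    if not record["changed"]:
        return record
    if kind == "xml":
        for c in diff_xml_attributes(old_text, new_text):
            record["summary"].append(f"{c['path']} @{c['attr']}: {c['old']!r} -> {c['new']!r}")
    elif kind == "lines":
        added, removed = diff_lines(old_text, new_text)
        record["summary"] += [f"added: {ln}" for ln in added]
        record["summary"] += [f"removed: {ln}" for ln in removed]
    else:
        raise ValueError(f"unknown file kind: {kind}")
    return record


# Constructed samples mirroring the paper's scenarios (not captured from a real server).
OLD_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="0" />
  </system.web>
</configuration>"""
NEW_WEB_CONFIG = OLD_WEB_CONFIG.replace('debug="0"', 'debug="1"')

OLD_SUDOERS = """# constructed sudoers sample
root    ALL=(ALL)       ALL
"""
NEW_SUDOERS = OLD_SUDOERS + "brad    ALL=(ALL)       ALL\n"

if __name__ == "__main__":
    for kind, old, new in (("xml", OLD_WEB_CONFIG, NEW_WEB_CONFIG),
                           ("lines", OLD_SUDOERS, NEW_SUDOERS)):
        for line in audit_change(kind, old, new)["summary"]:
            print(kind, line)
```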





Scenario 5: Changing the port used by IIS
  What the User Did: An admin user changed IIS to listen on port 8080 instead of the default 80. This was done via
        “Start > Settings > Control Panel > Administrative Tools > IIS Manager”, and once there editing the Properties
        for “Default web site”.

                                   Set IIS to listen to port 8080




  Security and Audit Implications of this Action: Modifying the port of a service accessible from outside the DMZ can
        open a huge hole in the firewall security.

  What shows up in system event logs: Among the 5,500 log entries, there is one entry that adds IIS Manager to the
        Recent Items list in Windows. This is timestamped when the app was closed, which might mislead the investigator,
        and also wouldn’t even occur if the user left the window open. Earlier, there is an obscure log entry indicating
        a DLL that was loaded into memory. This is the true indication that IIS Manager was launched, but it is very
        difficult to find this with a reasonable level of effort!

                Event Viewer: Obscure log entry of a DLL. It turns out that this is the culprit!




  What User Activity Monitoring shows you: Once again, ObserveIT gives us the whole picture.





Platform Considerations
  The Windows experiments were performed on a Windows 2003 server. Windows 2008R2 has added additional audit policy
  granularity. However, these updates do not mean that additional knowledge can be gleaned from the logs; only that the
  logs can be filtered a bit better. The bottom line remains that many high-risk, security-impacting actions, including those
  highlighted in this paper, are not logged.

  The Linux experiments were performed on RedHat RHEL. Similar audit logging is found in other Linux flavors, as well as in
  Solaris Unix, with similar focus on technical aspects of each command (pid, cwd, success).




Conclusion
  Security audits that rely on existing system logs have large holes in them, because system logs simply do not
  capture the necessary information.

  For issues that are known a priori, the blindspot can be eliminated with a custom utility targeted at that specific issue. But
  this only solves this one specific issue.

  The easiest way to eliminate these blindspots in their entirety is by adding User Activity Monitoring such as ObserveIT,
  which augments the existing system and database logs by showing precisely what the user did (as opposed to the technical
  results of what he did).




About ObserveIT
  ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity
  auditing, one of the key issues that IT, Security and Compliance officers are facing today.

  ObserveIT acts like a security camera on your servers, generating audit logs and video recording of every action the user
  performs. ObserveIT captures all activity, even for applications that do not produce their own internal logs. Every action
  performed by remote vendors, developers, sysadmins and business users is tied to a video recording, providing bulletproof
  forensic evidence.

  ObserveIT is the ideal solution for 3rd Party Vendor Monitoring, and PCI/HIPAA/SOX/ISO Compliance Accountability.

  Founded in 2006, ObserveIT has a worldwide customer base of Global 2000 companies that spans many industry segments
  including finance, healthcare, manufacturing, telecom, government and IT services.




                                                                     For more information, please contact ObserveIT at:
                                                                     www.observeit-sys.com
                                                                     sales@observeit-sys.com
                                                                     US Phone: 1-800-687-0137
                                                                     Int’l Phone: +972-3-648-0614





 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Kirill Klimov
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyotictsugar
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607dollysharma2066
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Servicecallgirls2057
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfRbc Rbcua
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africaictsugar
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckHajeJanKamps
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditNhtLNguyn9
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Pereraictsugar
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...ssuserf63bd7
 

Último (20)

Innovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdfInnovation Conference 5th March 2024.pdf
Innovation Conference 5th March 2024.pdf
 
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCREnjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
Enjoy ➥8448380779▻ Call Girls In Sector 18 Noida Escorts Delhi NCR
 
Digital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdfDigital Transformation in the PLM domain - distrib.pdf
Digital Transformation in the PLM domain - distrib.pdf
 
Annual General Meeting Presentation Slides
Annual General Meeting Presentation SlidesAnnual General Meeting Presentation Slides
Annual General Meeting Presentation Slides
 
Darshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdfDarshan Hiranandani [News About Next CEO].pdf
Darshan Hiranandani [News About Next CEO].pdf
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737Independent Call Girls Andheri Nightlaila 9967584737
Independent Call Girls Andheri Nightlaila 9967584737
 
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...Global Scenario On Sustainable  and Resilient Coconut Industry by Dr. Jelfina...
Global Scenario On Sustainable and Resilient Coconut Industry by Dr. Jelfina...
 
Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024Flow Your Strategy at Flight Levels Day 2024
Flow Your Strategy at Flight Levels Day 2024
 
Investment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy CheruiyotInvestment in The Coconut Industry by Nancy Cheruiyot
Investment in The Coconut Industry by Nancy Cheruiyot
 
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607FULL ENJOY Call girls in Paharganj Delhi | 8377087607
FULL ENJOY Call girls in Paharganj Delhi | 8377087607
 
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort ServiceCall US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
Call US-88OO1O2216 Call Girls In Mahipalpur Female Escort Service
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
APRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdfAPRIL2024_UKRAINE_xml_0000000000000 .pdf
APRIL2024_UKRAINE_xml_0000000000000 .pdf
 
Kenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby AfricaKenya’s Coconut Value Chain by Gatsby Africa
Kenya’s Coconut Value Chain by Gatsby Africa
 
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deckPitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
Pitch Deck Teardown: Geodesic.Life's $500k Pre-seed deck
 
Chapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal auditChapter 9 PPT 4th edition.pdf internal audit
Chapter 9 PPT 4th edition.pdf internal audit
 
Kenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith PereraKenya Coconut Production Presentation by Dr. Lalith Perera
Kenya Coconut Production Presentation by Dr. Lalith Perera
 
International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...International Business Environments and Operations 16th Global Edition test b...
International Business Environments and Operations 16th Global Edition test b...
 
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
No-1 Call Girls In Goa 93193 VIP 73153 Escort service In North Goa Panaji, Ca...
 

ObserveIT whitepaper: "Log Blindspots" > generating logs automatically for complete control

Log Blindspots: A review of cases where System Logs are insufficient

An ObserveIT Whitepaper | Brad Young

Executive Summary

If you spend a few minutes browsing the websites of Log Management and SIEM tool vendors, you might come away with the conclusion that all your system audit and compliance problems are solved. Unfortunately, this rosy picture seems to ignore the ever-present problem of blindspots in audit reports: If your apps don’t log it, your audit report won’t show it.

Audit report tools may do a good job at interpreting and presenting log info, but we can no longer overlook two key facts:

1. Hundreds of critical security event types are not logged at all

2. Those events that are logged typically do not show what was done. Instead, the logs only show obscure technical details of the resulting system changes.

In this whitepaper, I’ll highlight examples of where these blindspots occur, by showing a number of very common and basic system activities that one might think should generate auditable log entries, but in actuality they do not. These non-audited actions include:

On a Windows server:
- Adding and deleting an IP address
- Setting a service to run as administrator
- Changing a web server config file
- Changing port usage for an active service

On a Linux or Unix server:
- chmod * or chown *
- Assigning a user to an admin rights group
- Adding/deleting an IP address in the hosts file
- Giving sudo rights to a non-admin user

One possible way to eliminate blindspots is to implement custom log utilities or WMI-based tools. But to do this, the burden remains on you to know what you are looking for. For the examples listed above, adding an IP address change monitor won’t help with web config file changes, and vice versa. And more importantly, adding 4 different monitors for each of those issues won’t help capture the hundreds of actions that you’ll never be able to predict. As the well-worn yet valuable expression states, “Expect the unexpected”.

User Activity Monitoring follows through on this philosophy. In the context of IT audit logs, perhaps the best way to expect the unexpected is to drop the paradigm of listing the actions that should be logged, and instead simply monitor all user actions.

Log Blindspots: A review of cases where system logs are insufficient | © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
Scenario 1: Changing a Windows system’s IP address

What the User Did: A privileged user logged onto a Win 2003 Server (via RDP in this case, but for the sake of discussion it could be any local or remote connection protocol). After logging in, this admin user opened the Advanced TCP/IP Settings (via Start > Settings > Network Connections > Local Area Connection > Properties > Internet Protocol > Properties > Advanced). Once there, he removed an IP address (10.1.200.178), and then added a different IP address (10.1.200.179).

Figure: Advanced TCP/IP Settings

Security and Audit Implications of this Action: Adding an IP address might allow bypassing of firewall settings and may also interfere with proper execution of critical services.

What shows up in system event logs: With full auditing enabled, a total of over 11,000 log events were triggered during the 30 seconds it took the user to delete and add an IP address. Almost all the log entries were of the “Object Access” category. Searching within the logs for the terms “TCP”, “IP” or “179” (the last 3 digits of the IP address added) brought back numerous results, but all were false hits (e.g. “IP” appears in the filename “wshtcpip.dll” within one log entry, and another log entry has Operation ID “74312179”). No log entry refers explicitly to the action taken. It may be possible for a highly-trained system security expert to piece together the log entries and determine what actions took place. But it would involve a time-intensive forensic analysis by a sparse and expensive resource. Do you have highly-trained security experts that are bored with nothing better to do than piece together log entries?

Figure: Event Viewer: 11,000 log entries in 30 seconds, dozens of false hits, no clear picture

What User Activity Monitoring shows you: A user-oriented textual audit log shows that “brad” logged on as “administrator”, and the list of actions tells the story of what he did: Network Connections > Properties > TCP/IP Properties > TCP/IP Address. This already is much more information than what is accessible in the system logs. Adding video replay of the session then shows even more details.

Figure: ObserveIT Audit Log: A Table of Contents of the user session
Figure: ObserveIT video replay of user changing the IP Address
Scenario 2: Adding sudo rights for non-authorized users in Linux

What the User Did: A non-privileged user tried running the snmpd service, but did not have permissions. He then tried running it using sudo, but did not have sudo rights either. So instead, he asked a root user to log on and grant him sudo rights, using visudo.

Figure: Add sudo rights for a non-authorized user

Security and Audit Implications of this Action: Giving sudo rights allows a user to run many sensitive commands or services.

What shows up in system event logs: Using auditctl and ausearch, we can see that the visudo command was run. However, this logging is almost entirely of a technical nature. We can see the working directory from which it was launched, its process id, and the fact that it finished with a success return value. No indication shows what rights were granted, or what the user did once he got those rights.

Figure: Technical details only in ausearch

What User Activity Monitoring shows you: With ObserveIT in place, we are able to see exactly what took place. The textual metadata log shows the commands that were run.

Figure: ObserveIT Audit Log, including underlying system calls
Figure: ObserveIT video replay of CLI activities
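The ausearch output described above records only that visudo ran (cwd, pid, success). One defender-side way to recover the missing "what was granted" is to pair an auditd file watch with a before/after snapshot of /etc/sudoers. The Python below is an added example, not ObserveIT's code or the whitepaper's; the audit records, the sudoers contents and the user "brad" are constructed sample data, and a watch rule of the form `auditctl -w /etc/sudoers -p wa -k sudoers` is assumed to be loaded.

```python
import re
from typing import Dict, List

# Constructed sample of what `ausearch -k sudoers` prints when a
# `-w /etc/sudoers -p wa -k sudoers` watch rule is loaded (fields trimmed).
AUDIT_LOG = """\
type=SYSCALL msg=audit(1300000000.123:4711): arch=c000003e syscall=82 success=yes exit=0 ppid=2001 pid=2042 auid=1000 uid=0 comm="visudo" exe="/usr/sbin/visudo" key="sudoers"
type=CWD msg=audit(1300000000.123:4711): cwd="/root"
type=PATH msg=audit(1300000000.123:4711): item=0 name="/etc/sudoers.tmp" inode=132
type=PATH msg=audit(1300000000.123:4711): item=1 name="/etc/sudoers" inode=131
"""

# Constructed before/after snapshots of /etc/sudoers ("brad" is a sample user).
SUDOERS_BEFORE = """\
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
"""
SUDOERS_AFTER = SUDOERS_BEFORE + "brad    ALL=(ALL)       NOPASSWD: /sbin/service snmpd *\n"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_ID = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
_RULE = re.compile(r'^(\S+)\s+(\S+)=\(([^)]*)\)\s*(.*)$')


def parse_audit_events(text: str) -> Dict[str, dict]:
    """Group raw audit records by event serial and keep the fields an analyst needs."""
    events: Dict[str, dict] = {}
    for line in text.splitlines():
        m = _ID.search(line)
        if not m:
            continue
        ev = events.setdefault(m.group(2), {"time": m.group(1), "paths": []})
        fields = {k: v.strip('"') for k, v in _KV.findall(line)}
        if fields["type"] == "SYSCALL":
            # auid is the login uid: it survives su/sudo, so it names the human, not "root".
            ev.update({k: fields.get(k) for k in ("auid", "uid", "comm", "exe", "success", "key")})
        elif fields["type"] == "CWD":
            ev["cwd"] = fields["cwd"]
        elif fields["type"] == "PATH":
            ev["paths"].append(fields["name"])
    return events


def sudoers_rules(text: str) -> List[tuple]:
    """Return (user_or_group, hosts, runas, commands) for each grant line in a sudoers file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = _RULE.match(line)
        if m:
            rules.append(m.groups())
    return rules


def granted_rights(before: str, after: str) -> List[tuple]:
    """Rules present after the edit but not before: the right the root user actually granted."""
    old = set(sudoers_rules(before))
    return [r for r in sudoers_rules(after) if r not in old]


def report(audit_text: str, before: str, after: str) -> List[str]:
    """Join the who/when from auditd with the what from the sudoers snapshot diff."""
    lines = []
    for serial, ev in parse_audit_events(audit_text).items():
        if ev.get("key") != "sudoers" or "/etc/sudoers" not in ev["paths"]:
            continue  # unrelated event, or the watch key was not hit
        lines.append(f"event {serial} at {ev['time']}: login uid {ev['auid']} ran {ev['exe']} "
                     f"from {ev.get('cwd')} (success={ev['success']})")
        for user, hosts, runas, cmds in granted_rights(before, after):
            lines.append(f"  granted: {user} may run '{cmds}' as ({runas}) on {hosts}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(AUDIT_LOG, SUDOERS_BEFORE, SUDOERS_AFTER)))
```

The snapshot has to be taken by something other than the editing user (a config-management run or a periodic copy), otherwise the comparison baseline is as editable as the file itself.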
Scenario 3: Setting a Windows service to run as administrator

What the User Did: An admin user changed the properties of a Service (via Start > Settings > Control Panel > Administrative Tools > Services). Once there, he selected the “Cryptographic Services” service and marked it to run as administrator.

Figure: Run a service as Administrator

Security and Audit Implications of this Action: Enabling a service that is not secure to run as administrator can enable remote hacking and can cause the service to improperly affect sensitive system configuration and data.

What shows up in system event logs: Over 24,000 log events were triggered during the 40 seconds it took the user to change the Run As credentials. Despite the sheer volume, no log entries included the word “Cryptographic” (the name of the service)! Again, a full-throttle investigation by system experts might unearth the true actions, but this task makes biblical archaeology look easy.

Figure: Event Viewer: 24,000 log entries in 40 seconds, no indication of the Service that was modified

What User Activity Monitoring shows you: As in the previous example, ObserveIT shows a clear chronological timeline of what the user actually did: open Control Panel and then go to Cryptographic Services Properties. And again, video replay shows even more.

Figure: ObserveIT Audit Log
Figure: Video replay of Service Run As credentials
Scenario 4: Change web.config (IIS webserver configuration file)

What the User Did: Via Windows Explorer and Notepad, the user made a simple change to an XML attribute in the file “web.config”, changing a “0” (false) value to “1” (true).

Figure: Editing web.config with Notepad

Security and Audit Implications of this Action: Changes to this file will affect how the web server runs, in numerous different ways. This can expose security risks, and can also affect proper operations.

What shows up in system event logs: 6,000 log entries cover the 20 seconds it took to make the change. One log entry indicates that “Notepad” was launched. Another log entry indicates that “web.config” was added to the “Recent Files” list in Windows. A third log entry seems to show (not convincingly) that it was Notepad that edited the file web.config. But even with this info, we cannot tell what was actually changed within the file! (Was it a harmless addition of an application extension? Or did the user modify an important entry within the file?) To know what was changed, we would now have to access a file server backup, and perform a file compare on the old and new versions. Doable, but that’s a heavy burden to answer a pretty straightforward question: “What did the user change???”

Figure: Event Viewer: But what was changed?

What User Activity Monitoring shows you: ObserveIT’s log shows what the user did, in a concise and descriptive manner. And again, video replay shows what took place within the file.
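The file compare that the text says is the only way to answer “what did the user change?” can be scripted so that the answer comes out at attribute level rather than as a raw text diff. The Python below is an added example, not from the whitepaper or from ObserveIT; both web.config snapshots and the sensitive-key watchlist are constructed sample data, and the file contents are hypothetical.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample web.config before the edit described in Scenario 4.
WEB_CONFIG_BEFORE = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="AllowAnonymousUpload" value="0" />
    <add key="MaxUploadKB" value="4096" />
  </appSettings>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="On" />
  </system.web>
</configuration>
"""

# After the edit: the "0" (false) flipped to "1" (true), plus one harmless new entry,
# so the diff has to tell a risky change from a benign addition.
WEB_CONFIG_AFTER = WEB_CONFIG_BEFORE.replace(
    'value="0"', 'value="1"').replace(
    "  </appSettings>", '    <add key="ReportEmail" value="ops@example.com" />\n  </appSettings>')

Diff = Tuple[str, str, str, str, str]  # (kind, element path, attribute, old, new)


def _flatten(xml_text: str) -> Dict[str, Dict[str, str]]:
    """Map every element to a stable path; repeated elements such as <add key=.../>
    are told apart by their key/name attribute rather than by position."""
    flat: Dict[str, Dict[str, str]] = {}

    def walk(el: ET.Element, prefix: str) -> None:
        ident = el.get("key") or el.get("name")
        path = f"{prefix}/{el.tag}" + (f"[{ident}]" if ident else "")
        flat[path] = dict(el.attrib)
        for child in el:
            walk(child, path)

    walk(ET.fromstring(xml_text), "")
    return flat


def diff_config(before: str, after: str) -> List[Diff]:
    """Attribute-level differences between two snapshots of the same config file."""
    old, new = _flatten(before), _flatten(after)
    out: List[Diff] = []
    for path in sorted(set(old) | set(new)):
        if path not in old:   # whole element is new
            out.extend(("added", path, a, "", v) for a, v in (new[path].items() or [("", "")]))
        elif path not in new:  # whole element is gone
            out.extend(("removed", path, a, v, "") for a, v in (old[path].items() or [("", "")]))
        else:
            for a in sorted(set(old[path]) | set(new[path])):
                ov, nv = old[path].get(a), new[path].get(a)
                if ov != nv:
                    kind = ("changed" if ov is not None and nv is not None
                            else "added" if ov is None else "removed")
                    out.append((kind, path, a, ov or "", nv or ""))
    return out


def sensitive_changes(diffs: List[Diff], watchlist: Set[str]) -> List[Diff]:
    """Keep only diffs that touch a watched key or attribute (watchlist is a sample list)."""
    return [d for d in diffs
            if d[2] in watchlist or any(f"[{w}]" in d[1] for w in watchlist)]


if __name__ == "__main__":
    for d in diff_config(WEB_CONFIG_BEFORE, WEB_CONFIG_AFTER):
        print("%-8s %s @%s: %r -> %r" % d)
```

Run against the backup copy and the live file, the output names the element and attribute that changed and its old and new value, which is the information the 6,000 Event Viewer entries do not contain.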
Scenario 5: Changing the port used by IIS

What the User Did: An admin user changed IIS to listen on port 8080 instead of the default 80. This was done via “Start > Settings > Control Panel > Administrative Tools > IIS Manager”, and once there editing the Properties for “Default web site”.

Figure: Set IIS to listen on port 8080

Security and Audit Implications of this Action: Modifying the port of a service accessible from outside the DMZ can open a huge hole in the firewall security.

What shows up in system event logs: Among the 5,500 log entries, there is one entry that adds IIS Manager to the Recent Items list in Windows. This is timestamped when the app was closed, which might mislead the investigator, and also wouldn’t even occur if the user left the window open. Earlier, there is an obscure log entry indicating a DLL that was loaded into memory. This is the true indication that IIS Manager was launched, but it is very difficult to find this with a reasonable level of effort!

Figure: Event Viewer: Obscure log entry of a DLL. It turns out that this is the culprit!

What User Activity Monitoring shows you: Once again, ObserveIT gives us the whole picture.
Platform Considerations

The Windows experiments were performed on a Windows 2003 server. Windows 2008R2 has added additional audit policy granularity. However, these updates do not mean that additional knowledge can be gleaned from the logs, only that the logs can be filtered a bit better. The bottom line remains that many high-risk, security-impacting actions, including those highlighted in this paper, are not logged.

The Linux experiments were performed on RedHat RHEL. Similar audit logging is found in other Linux flavors, as well as in Solaris Unix, with a similar focus on the technical aspects of each command (pid, cwd, success).

Conclusion

Security audits that rely on existing system logs have large holes in them, due to the fact that system logs simply do not capture the relevant information necessary. For issues that are known a priori, the blindspot can be eliminated with a custom utility targeted at that specific issue. But this only solves this one specific issue. The easiest way to eliminate these blindspots in their entirety is by adding User Activity Monitoring such as ObserveIT, which augments the existing system and database logs by showing precisely what the user did (as opposed to the technical results of what he did).

About ObserveIT

ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity auditing, one of the key issues that IT, Security and Compliance officers are facing today. ObserveIT acts like a security camera on your servers, generating audit logs and video recording of every action the user performs. ObserveIT captures all activity, even for applications that do not produce their own internal logs. Every action performed by remote vendors, developers, sysadmins and business users is tied to a video recording, providing bulletproof forensic evidence. ObserveIT is the ideal solution for 3rd Party Vendor Monitoring, and PCI/HIPAA/SOX/ISO Compliance Accountability.

Founded in 2006, ObserveIT has a worldwide customer base of Global 2000 companies that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services. For more information, please contact ObserveIT at:

www.observeit-sys.com
sales@observeit-sys.com
US Phone: 1-800-687-0137
Int’l Phone: +972-3-648-0614