Businesses have finally identified the need for strong security mechanisms to protect their technical infrastructure, proprietary data and confidential client information.
Most businesses have implemented a layered approach to security that can include many of the following security mechanisms: User authentication, intrusion detection and prevention devices, antimalware software, file rights management and backup and archiving mechanisms. Often there is a large capital investment in these security mechanisms and there is a misconception that the hardware and software will simply just “do their jobs” and keep the network and assorted digital assets protected.
It is important to recognize that these devices can and will malfunction periodically. Or they can be compromised by a technically sophisticated attacker. While I do not mean to imply that these mechanisms are faulty and worthless, they should not be relied on as “set it and forget it” solutions.
Fortunately all security devices provide the ability to log their activities, which theoretically makes monitoring their effectiveness a simple process of reviewing the logs. As with anything associated with computers, nothing is ever as easy as it sounds. For a non-technical business professional, it is difficult to understand the volume of activity that occurs on an individual computer, let alone a corporate network. A simple demonstration that highlights the activity on a computer is simply to take your hands off the keyboard and watch the hard drive light. Those lights flash constantly, indicating activity.
A Complex Task
To get a more technical perspective of what is happening on a computer, download and run Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx?PHPSESSID=d926). Within seconds of starting, Process Monitor will capture thousands of events occurring on your computer. To get a glimpse of what is happening on the network, one can run a network packet capturing program like tcpdump (http://sourceforge.net/projects/tcpdump/) or windump (http://www.winpcap.org/windump/).
Once again, the amount of activity is astounding. Now imagine the volume of activity and network traffic occurring on a large corporate network. The amount of activity is nearly incomprehensible. Unfortunately, the issues surrounding logging of activities does not stop with the vast amount of information that can be captured — interpreting the logs and the significance of their contents can provide challenges as well. One only has to look at the events captured on your desktop system to understand these challenges. By opening event viewer (Windows XP Pro: click on Start, Settings, Control Panel, Administrative Tools, Event Viewer) you can start to grasp the fact that interpreting log information requires specialized training and expertise.
On my system, the Application log provides the following informational message:
“Performance counters for the WmiApRpl (WmiApRpl) service were removed successfully. The Record Data contains the new values of the system Last Counter and Last Help registry entries.” This is meaningless, so I use the Help and Support Center link for additional information. I am presented with the following:
“Performance counters for the %1!s! (%2!s!) service were removed successfully.” While on the surface this appears amusing, when combined with the numerous devices on a network and the volume of activity generated, this becomes truly frightening.
Regardless of the complexity of capturing, monitoring, and archiving network and system activities, it is a reality faced by businesses today. In addition to being a smart business decision to review log files to determine the security and health of a network, it is now being suggested and even required by a variety of regulations, including the Federal Information Management Act (FISMA), Gramm Leach Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), Sarbanes Oxley Act (SOX) and the Payment Card Industry Data Security Standard (PCI DSS). For many, these regulations seem nothing more than a drain on resources. But if strictly followed, there is less risk of business interruptions, incidents can be mitigated much more efficiently with less exposure to lawsuits.