A Return to Logs to Unjam the Security Deficit

Some years ago, during the renaissance of security information and event management (SIEM), security became log crazy. The hope was that by gathering logs from networking and security devices and running them through the SIEM, security events could be astutely exposed and security teams could gain the upper hand over attackers. The enthusiasm was soon dashed when it became obvious that logs alone were not the answer. First, not everything was covered by logs, and the security details that were captured could easily be manipulated by an attacker covering their tracks. Second, it is one thing to aggregate logs but another to integrate the findings into true intelligence, particularly intelligence that stands apart from the false positives.

Of course, logs have not gone away and neither has the SIEM. Log management is still a core security practice and is specifically called out in the Center for Internet Security (CIS) standards as CIS Control 6. Today, logs may have lost some of their luster and are regarded as necessary but only marginally helpful. The issues of the past—limited coverage of what comes from logs and the difficulty of finding a true positive amid staggering numbers of false positives—should not be allowed to taint the future.

With the emergence of XDR, extended detection and response, there should be a renewed interest in bringing multiple data sources together for not just integration but also a deeper form of correlation. New XDR technologies, platforms and practices enable a new era of data synthesis and intelligence. Syslogs from traditional elements should be part of this effort, but given the hybrid data center environments of today, organizations should also be keen to ingest logs from SaaS applications and other cloud services.
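To make the correlation point concrete, here is an added example (not code from the article or from any XDR product) that normalizes two constructed feeds, an sshd syslog stream from a VPN gateway and a SaaS audit log in JSON Lines form, into one schema and runs a single rule across both. The rule flags a successful login when the same user and source IP accumulated repeated failed logins in the preceding window from any source and the user has no earlier successful login from that IP. The log formats, field names, user names and addresses are all assumptions for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input (not from the article): an sshd syslog stream from a
# hypothetical VPN gateway and a SaaS audit log in JSON Lines form. Addresses
# come from the documentation ranges; "alice" and "bob" are made-up users.
SYSLOG_LINES = [
    "2024-03-05T09:00:01Z vpn01 sshd[1201]: Failed password for alice from 203.0.113.7 port 50110 ssh2",
    "2024-03-05T09:00:09Z vpn01 sshd[1201]: Failed password for alice from 203.0.113.7 port 50111 ssh2",
    "2024-03-05T09:00:17Z vpn01 sshd[1201]: Failed password for alice from 203.0.113.7 port 50112 ssh2",
    "2024-03-05T09:05:00Z vpn01 sshd[1300]: Accepted password for bob from 198.51.100.2 port 50200 ssh2",
]
SAAS_LINES = [
    '{"time": "2024-03-04T08:30:00Z", "user": "alice", "action": "UserLoggedIn", "ip": "198.51.100.10", "result": "Success"}',
    '{"time": "2024-03-05T09:01:30Z", "user": "alice", "action": "UserLoggedIn", "ip": "203.0.113.7", "result": "Success"}',
    '{"time": "2024-03-05T09:02:10Z", "user": "alice", "action": "FileDownloaded", "ip": "203.0.113.7", "result": "Success"}',
]

# Assumed sshd message shape; real deployments will need one pattern per log source.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Accepted|Failed) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_syslog(line):
    """Map one sshd line onto the common schema; None for lines this example does not model."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": parse_ts(m["ts"]), "source": "syslog", "user": m["user"],
            "ip": m["ip"], "action": "login", "success": m["outcome"] == "Accepted"}


def normalize_saas(line):
    """Map one SaaS audit record onto the same schema so both feeds can be compared."""
    rec = json.loads(line)
    return {"ts": parse_ts(rec["time"]), "source": "saas", "user": rec["user"],
            "ip": rec["ip"],
            "action": "login" if rec["action"] == "UserLoggedIn" else rec["action"].lower(),
            "success": rec["result"] == "Success"}


def correlate(events, fail_threshold=3, window=timedelta(minutes=10)):
    """Flag a successful login when the same (user, IP) pair produced at least
    fail_threshold failed logins in the preceding window, from any source, and
    the user has no earlier successful login from that IP in the data seen."""
    failures = defaultdict(list)   # (user, ip) -> [(ts, source), ...]
    known_ips = defaultdict(set)   # user -> IPs with an earlier successful login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "login":
            continue
        key = (ev["user"], ev["ip"])
        if not ev["success"]:
            failures[key].append((ev["ts"], ev["source"]))
            continue
        recent = [(t, s) for t, s in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= fail_threshold and ev["ip"] not in known_ips[ev["user"]]:
            alerts.append({
                "user": ev["user"], "ip": ev["ip"], "ts": ev["ts"].isoformat(),
                "failures": len(recent),
                "failure_sources": sorted({s for _, s in recent}),
                "success_source": ev["source"],
            })
        known_ips[ev["user"]].add(ev["ip"])
    return alerts


def analyze(syslog_lines, saas_lines):
    """Normalize both feeds into one event list and run the cross-source rule."""
    events = [e for e in map(normalize_syslog, syslog_lines) if e]
    events += [normalize_saas(line) for line in saas_lines]
    return correlate(events)


if __name__ == "__main__":
    for alert in analyze(SYSLOG_LINES, SAAS_LINES):
        print(json.dumps(alert))
    # The same rule over either feed alone raises nothing: the failures live in
    # syslog and the matching success lives in the SaaS audit log.
    print("syslog only:", analyze(SYSLOG_LINES, []))
    print("saas only:", analyze([], SAAS_LINES))
```

Run on both feeds, the rule produces one alert for alice: three syslog failures from 203.0.113.7 followed by a SaaS success from the same address, which she had never used before. Run on either feed by itself it produces nothing, which is the gap a per-source SIEM rule leaves open. The known-IP baseline is what keeps a user's routine logins from tripping the rule, so in practice it would be seeded from history rather than from the same batch being analyzed.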

SaaS applications should be considered part of the cyber kill chain, given the wide usage of these apps, the fact that many are in use without the involvement of IT and the knowledge that an attacker will use any means necessary or expedient to conduct a successful and cost-effective attack. Additionally, the reconnaissance stage may be one of the most decisive for an attacker. Once an attacker has gained a user account, a machine or valid credentials, they are well on their way to unimpeded success. With valid credentials or accounts, an attacker quickly pivots from working as an outsider to operating more like an insider. SaaS applications such as Office 365, Google Suite, finance and accounting apps and many more all offer attackers an entry point to a corporate network or a way to usurp credentialed access.

Even the less obvious SaaS areas present a boon to attackers and a need for security teams to address. Last year researchers at North Carolina State University found that 13% of all GitHub public repositories contained leaked or unsecured API tokens and cryptographic keys, and that thousands of new repositories were leaking new secrets every day. SaaS apps may also play a role in weaponization, exploitation and delivery. Some accounts put the number of SaaS applications or cloud services in use at an enterprise at upwards of 1,000. Many of these are poorly administered or policed and may even have a significant number of users or consultants who are no longer with the company but still have full access.

To be able to start closing the security gap and establish a more even playing field against attackers who now have such enormous advantages, we need comprehensive data, deep correlation and machine learning-based intelligence that can minimize false positives and lead directly to a smoking gun.

Logs are not everything. They are one part of a mix of data points to be gathered and refined. But logs should not be disregarded because of the deficiencies of the past. In fact, look for new sources of logs among SaaS and cloud resources to add to the mix. In the battle to even the odds in the security deficit that plagues nearly every organization, leave no stone unturned.

Albert Li

Albert Zhichun Li is Chief Security Scientist at Stellar Cyber. He has over 15 years of experience in cybersecurity research. He has filed 40+ US patents and published many seminal research papers in top security, AI and systems academic conferences, such as IEEE Security & Privacy, USENIX Security, ACM CCS and NDSS in security; KDD, CIKM, IJCAI and SDM in AI; and ACM SIGCOMM, USENIX NSDI and USENIX ATC in systems. His research has been featured in influential media outlets such as the Wall Street Journal, MIT Technology Review and ACM Tech News. He has also served on the program committees of top academic conferences (ACM CCS, NDSS, INFOCOM). Albert has led teams that turned research ideas from scratch into large-scale research prototypes with full software stacks. Previously, at NEC Labs, his team developed and released more than 500,000 lines of code to Business Units (BUs) as foundations for released products and cloud services, including security big-data platforms and AI algorithms. He also contributed to customer engagements and PoCs. He holds a Ph.D. in Computer Science from Northwestern University.