The “secret ingredient” to improving enterprise security is right under your nose: Making better use of the logs that hardware and software spew out daily.
That’s the argument Shira Shamban, head of security research at vendor Dome9 Security, which makes cloud visibility solutions, made Tuesday at the annual SecTor conference in Toronto.
“This is the most important security tool for us.”
In fact, unusually for a vendor, Shamban said the makers of hardware and software products are driving infosec pros out of the industry because what they sell isn’t making organizations more secure.
“We’re losing the race with attackers,” she complained. “The average enterprise in 2016 had more than 70 security solutions installed in their network. Now it’s 80,” yet four out of five security pros believe their organization will be breached.
“Why do we keep installing more security solutions?” she asked. “They’re not giving us the feeling of confidence and security that we’re looking for. We’re doing something wrong.”
The average SOC analyst is bombarded with alerts and dashboards, Shamban said. They don’t help IT do its job. “Stop buying products that are not helping us to do security better,” she asked managers. Small wonder analysts leave after a year or two, she said. They “feel very, very unsatisfied with what they do, and it’s partly our fault because we don’t equip them with the right tool … We’re not helping them … We’re making their life more miserable … they have no sense of accomplishment, they just hate it.”
While logs have a wealth of event information that needs to be exploited, Shamban said she hears many excuses from infosec pros why they’re ignored: ‘I have anti-virus.’ … ‘I keep all my logs, I think.’ … ‘I only use default configuration.’
Yet 80 per cent of security problems repeat themselves, she pointed out, which is why log analysis is so important. “We need to solve the 80 per cent once and for all, so the rest of the time the security engineers do really cool, interesting and complicated stuff.”
“Logs let us see blind spots we were not aware of …”
What should you be doing with logs?
First, Shamban said, keep all logs, and keep them as long as you can – particularly because it can take months or longer to detect a breach. Cloud storage is cheap, she added. Different logs also give different perspectives on the same event, she said.
Any security solution that prevents the security team from streaming its log into a database or a security information and event management system (SIEM) is a bad solution, she said.
Anomaly detection – even when it is automated with algorithms – isn’t enough on its own, Shamban said, because analysts still have to be trained in statistical analysis to interpret what it flags.
Finally, the user interface of the log collection solution (SIEM or otherwise) has to be suitable: it should show what was detected, what the problem was, why it is a problem and how it should be solved. Forget about the numbers the dashboard throws up. Is 95 per cent out of 100 good? It’s about what is safe, she said, and what is not safe.
Shamban also emphasized the importance of prevention (security awareness training, two- or multi-factor authentication, access control) and detection (monitoring login patterns, CPU usage, outbound traffic etc.) strategies for thorough cyber security.
Comb the logs – if necessary hire an expert – and group the 10 most common events into a cluster, she said. Find an automated remediation for them. Then work on the next 10. Use machine learning to decide whether a problem in that second group is similar to one in the first 10. If so, there’s already an auto-remediation. If not, it can be escalated for a support staffer to deal with.
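The procedure above (cluster the most common events, automate them, then route new events by similarity), together with the login-pattern monitoring mentioned earlier, as an added Python example; it is not code from the talk or from Dome9. The syslog lines, playbook actions and similarity threshold are all constructed for illustration, and a token-set Jaccard score stands in for the machine-learning similarity judgement Shamban describes.

```python
import re
from collections import Counter

# Constructed sample syslog lines for this example (not from the talk or any real system).
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOGS = [
    "Oct  2 09:14:01 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2",
    "Oct  2 09:14:03 bastion sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2",
    "Oct  2 09:14:05 bastion sshd[2231]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "Oct  2 09:14:07 bastion sshd[2240]: Failed password for root from 203.0.113.9 port 51033 ssh2",
    "Oct  2 09:15:10 bastion sshd[2250]: Accepted publickey for deploy from 198.51.100.7 port 40011 ssh2",
    "Oct  2 09:16:00 web01 kernel: [12345.678] IPTABLES-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Oct  2 09:16:02 web01 kernel: [12345.900] IPTABLES-DROP IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP DPT=445",
    "Oct  2 09:17:00 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Oct  2 09:18:00 bastion sshd[2260]: Failed password for invalid user oracle from 203.0.113.9 port 51040 ssh2",
    "Oct  2 09:19:00 bastion sshd[2261]: error: maximum authentication attempts exceeded for root from 203.0.113.9 port 51050 ssh2 [preauth]",
]

TIMESTAMP_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ ")
# Each rule replaces a variable field with a placeholder, so lines that differ only in
# addresses, ports, PIDs or user names collapse into one event signature.
NORMALISERS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "IP"),
    (re.compile(r"\[\d+(?:\.\d+)?\]"), "[N]"),
    (re.compile(r"\bport \d+\b"), "port N"),
    (re.compile(r"\bDPT=\d+\b"), "DPT=N"),
    (re.compile(r"\bfor (invalid user )?\S+ from\b"),
     lambda m: f"for {m.group(1) or ''}USER from"),
]


def signature(line: str) -> str:
    """Strip timestamp and host, then normalise variable fields into an event signature."""
    text = TIMESTAMP_RE.sub("", line)
    for pattern, repl in NORMALISERS:
        text = pattern.sub(repl, text)
    return text


def top_events(lines, n=10):
    """Step 1: cluster the log by signature; return the n most common (signature, count)."""
    return Counter(signature(line) for line in lines).most_common(n)


def failed_login_sources(lines, threshold=3):
    """Login-pattern check: source IPs with at least `threshold` failed-password events."""
    counts = Counter()
    for line in lines:
        m = re.search(r"Failed password for .* from (\d{1,3}(?:\.\d{1,3}){3})", line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Step 2: playbooks written for the top clusters. The actions are illustrative placeholders.
PLAYBOOKS = {
    signature(SAMPLE_LOGS[0]): "add source IP to the bastion deny list",
    signature(SAMPLE_LOGS[5]): "drop already enforced by host firewall; record and close",
}


def jaccard(a: str, b: str) -> float:
    """Token-set similarity of two signatures (a stand-in for a learned similarity model)."""
    ta, tb = set(a.split()), set(b.split())
    return len(ta & tb) / len(ta | tb)


def route(line: str, playbooks=PLAYBOOKS, threshold=0.75):
    """Step 3: auto-remediate when the event matches or closely resembles a known cluster,
    otherwise escalate to a human. Returns (decision, action, similarity score)."""
    sig = signature(line)
    if sig in playbooks:
        return "auto", playbooks[sig], 1.0
    if not playbooks:
        return "escalate", None, 0.0
    best_sig, best_score = max(((k, jaccard(sig, k)) for k in playbooks), key=lambda kv: kv[1])
    if best_score >= threshold:
        return "auto", playbooks[best_sig], best_score
    return "escalate", None, best_score


if __name__ == "__main__":
    for sig, count in top_events(SAMPLE_LOGS, 3):
        print(f"{count:3d}  {sig}")
    print("brute-force sources:", failed_login_sources(SAMPLE_LOGS))
    for line in SAMPLE_LOGS:
        decision, action, score = route(line)
        print(f"{decision:8s} {score:.2f}  {signature(line)}")
```

On the constructed input, the "Failed password for invalid user" cluster is the most common event and the "Failed password for root" variant scores 10/12 against it, so it inherits that playbook; the "maximum authentication attempts exceeded" line shares too few tokens with any known cluster and is escalated. The threshold is the knob to tune: too low and unrelated events get a remediation they don't deserve, too high and the second batch of ten never benefits from the first.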
“You need to love your logs,” Shamban concluded. “When you wake up in the morning you need to think of new ways to use your logs. When you go to sleep, after kissing your wife or husband, think about new stuff to do with our logs.”
In addition to better security, she added, this will make the infosec team feel like “effective people who make a difference in your company’s security.”