Log management and security breaches – What’s the best way to search through a zillion event logs?

“That security breach didn’t happen by magic,” your boss growls. “Someone had privileges they shouldn’t have had and they got unauthorized access to a file or folder. Check all the logs and find out what happened.”

“Whew,” you say after your boss leaves your office. “At least I don’t have magic to contend with.”

Your boss is right, though. Somewhere on the network, the security breach almost surely triggered an event on a server, a syslog device or some user’s computer. But that still leaves you with a few million events to examine in security logs spread all over your network. Ugh.

A few days ago, I posted about IT Security Search, an intelligent looking glass for IT forensics, security and compliance. It correlates data from several Quest® platform management products, and in this post I’ll describe how it uses the data from InTrust, our system event log management and analysis tool, to help you track down security breaches.

 

Using event log management in security breaches

Your boss has left it up to you to answer a few questions:

  • How was access used?
  • Has a user exercised access rights to read or modify contents?
  • How did that user obtain the access?

The clues you need are buried in a security log somewhere, and you could have hundreds or thousands of logs all over your network, on different platforms (Windows/Linux/Unix servers, databases, business applications) and in different formats. You’re probably not an expert in log analysis to begin with, and the native tools you get with operating systems and utilities leave most of the heavy lifting to you.

In other words, event log management tools don’t make it easy to research a security breach.

That’s why we adapted IT Security Search as a search-based front end to all the log data that InTrust collects. It looks like this:

You enter a search term as you would to any search engine, then click on results to drill your way down to answers. But IT Security Search is designed to collect and normalize log entries and make your research easier.

 

Example: Who has access to our credit card merchant data?

Suppose Finance determines that an unauthorized user has been poking around in your company’s merchant account. As your boss says, that didn’t happen by magic. You figure that the user may have gotten login details from a file somewhere on your network and used them to access the account.

Most breaches occur from a user workstation, whether accidental or through password theft. Pulling together logs from hundreds or thousands of workstations means a lot of data and a lot of network traffic, so we’ve designed InTrust to compress log data at up to a 20:1 ratio with indexing and 40:1 ratio without indexing, for transfer and storage.

You might start by entering a phrase like “*credit*” to IT Security Search and limiting results to the last 30 days. IT Security Search returns the security events from InTrust repositories, including user session events. It also returns results from other Quest platform management tools such as Change Auditor, Enterprise Reporter, Recovery Manager for Active Directory and Active Roles for a more complete picture of your investigation or breach.

Your search results might resemble this (although we hope your organization doesn’t store credit card-related information in text files as we’ve done for this mock example):

IT Security Search leads you to the properties of each file:

The Actions links allow you drill down further into permissions and recent access.

Other user session events collected by InTrust may contain clues to logon session time and duration, and whether the session was interactive or Terminal Services-based. They may also show whether anyone has attempted to clear security logs to cover their tracks.

 

Your turn

You pay nothing extra for IT Security Search, which makes it an even more appealing element in your investigation arsenal.

Download your 30-day trial of Quest platform management products, including InTrust, Enterprise Reporter, Change Auditor, Recovery Manager for Active Directory and Active Roles. IT Security Search works with all of those products to speed up your security and compliance audits with full insight into your privileged users and machine data in one searchable place.

Watch for my next post on the way IT Security Search works with Change Auditor to detect and alert you about changes. Beyond the event log management in InTrust, Change Auditor can alert you when someone accesses or changes critical data in your Microsoft environment. 

Start Investigating

About the Author
Austin Collins
Product Marketing Manager that supports Quest's Microsoft Platform Management solutions.   Within Microsoft Platform Management we focus on Migrations and consolidations for Active Directory, Exchange...