Your application's code has been reviewed and scanned for vulnerabilities and the live application has been put behind a firewall and pen tested. Defense-in-depth strategies mean your network also has a variety of security controls in place to bolster overall protection.
While SIMs aren't perfect and can be expensive to purchase, implement and manage, the alternative is the time-consuming manual analysis of individual sets of logs.
Over time, as the network has grown and required additional protections, you've added new security measures as technologies emerge or improve. But how do you monitor your application environment to ensure it remains compliant?
One problem that arises from running multiple countermeasures is that each security product typically generates its own unique set of logs and alerts. Unfortunately, this creates a tremendous amount of data, often resulting in data noise and false positives. From an application security compliance standpoint, it makes investigating incidents, collecting evidence and conducting analysis a time-consuming exercise, particularly as logs have to be cross-referenced to build up a complete picture. But collecting and analyzing this data is essential for providing audit trails and monitoring access control, and ultimately ensuring compliance with any number of mandates.
Security information and event management systems (SIMs or SIEMs) alleviate the problem of overwhelming amounts of log data. They centrally aggregate security events and logs, correlating and analyzing information from network and security devices deployed across an infrastructure. This allows alerts that are more effective and more comprehensive reports to be generated.
While SIMs aren't perfect and can be expensive to purchase, implement and manage, the alternative is the time-consuming manual analysis of individual sets of logs. Manual collation of these logs to recreate a timed event is difficult, and a false positive is preferable to a false negative. That said, with only one set of validated alerts and reports to respond to, it becomes easier to investigate and remediate problems. Reports are easier to generate and show a more unified view of system security than when trying to match up various reports from different devices. Having a more complete and thorough view of network traffic enables you to fine tune IDS signatures and firewall rule sets to improve their ability to enforce policy.This view can also show where employees may need further security awareness training, for example, if there are continued attempts to access or download blocked sites or content, or to send classified unencrypted information.
Another approach is to consolidate various network security point products into one device so all logs are in one place to begin with. A Web security gateway is a good example of where consolidating individual point products into one box means all communication channels, both inbound and outbound, pass through one device, making it easier to log, monitor and coordinate content policy across all ports and protocols. Each protection method also shares a common threat database and policy management framework, allowing more informed decisions as to whether traffic is potentially malicious, thereby reducing the number of false or missed alerts and making analysis and reporting far more comprehensive..
Whichever form of log collection and analysis approach you take, conducting frequent self-assessment audits will ensure any shortcomings in the state of security controls and non-compliance within application usage are picked up on a regular basis. If problems are identified during an audit, then a corrective action plan should be drawn. Ideally an audit should assess compliance with every mandatory measure in scope. If this isn’t realistic, then focus on higher risk areas or sample key security controls.
Future audits should cover areas that have not been sampled or have previously been identified as weak, or where hardware, software, policies or procedures have changed to ensure any changes haven’t adversely affected security. The real benefits from these self-assessment audits come from implementing corrective actions and recommendations on how security controls can be improved. By documenting audit findings in a formal report, including non-conformance and corrective actions taken, you produce documented evidence of the system’s security status.
If closely monitoring all applications isn’t feasible, then focus on those that are critical, those that process valuable or sensitive information, or those that have been previously compromised or misused, and of course any systems connected to third parties or the Internet. (And if you don’t have a list of applications, that’s a good place to start.) Application log management and system monitoring provide information about what has happened and what is happening on your network. Without it, you have little chance of discovering whether an application is being attacked or has been compromised.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in May 2011