There is no security without visibility
   

There’s a lot of data hiding in your operating system and application logs. This is where Deep Security’s Log Inspection control can help. Log Inspection is used to help you find and learn from important security events buried in your log files. Gaining visibility either through a Trend Micro Deep Security Manager or seeking to provide a more holistic view of an organization’s information technology security via the use of a SIEM (Security Information and Event Management).

Today we are going to discuss our log inspection control and answer three simple but common questions.

  1. What is Log Inspection?
  2. When should I use Log Inspection?
  3. How do I use the Log Inspection control?

What is Log Inspection?

The Deep Security Log Inspection module provides the ability to collect and analyze operating systems and application logs for security events. Log Inspection rules optimize the identification of important security events buried in multiple log entries. These events can be forwarded to a SIEM system or centralized logging server for correlation, reporting, and archiving. The Deep Security Agent will also forward the event information to the Deep Security Manager.

When should I use Log Inspection?

In the new world of cloud instances (AMI or Virtual Machines) where machines are brought online for a short period of time and then terminated after their use (Elastic Compute) security and visibility are more important than ever.

There are a number of use cases where organizations utilize the Log Inspection capability within Deep Security platform, for instance:

  • Auditable reporting for compliance: A complete audit trail of security events can be generated to assist with meeting compliance requirements such as PCI 10.6 and/or Addressing four of the SANS Top 20 Critical Security Controls. E.g. Control 6: Maintenance, Monitoring, & Analysis of Audit Logs, Control 16: Account Monitoring & Control
  • Suspicious-behaviour detection: The module provides visibility into suspicious behaviour that might occur on your servers.
  • Collecting events across your environment: The Deep Security Log Inspection module is able to collect and correlate: events across Microsoft Windows, Linux, and Solaris platforms; application events from Web servers, mail servers, SSHD, Samba, Microsoft FTP, and more; as well as custom application log events.
  • Correlate different events: Collect and correlate diverse warnings, errors, and informational events, including system messages—such as disk full, communication errors, services events, shutdown, and system updates—application events—such as account login/logout/failures/lockout, application errors, and communication errors—and administrative actions—such as administrative login/logout/failure/lockout, policy changes, and account changes.

How do I use the Log Inspection Control?

Log Inspection content is delivered in the form of Rules included in a Security Update. These Rules provide a high level means of selecting the applications and logs to be analyzed.

Step 1: Make sure the Log Inspection module is turned on within your security policy. Click Save.

Screen Shot 2016-06-08 at 9.05.25 AM

Step 2: Start with the recommendation scan. There are multiple ways to kick off a recommendation scan. One is illustrated below.

Screen Shot 2016-06-08 at 9.06.27 AM

Note: The recommendation engine is a framework that exists within Deep Security Manager, which allows the system to suggest and automatically assign security configuration (in our case Log Inspection Rules). The goal is to make configuration of computers easier and only assign the relevant security required to protect that computer at that point in time. As the Instances or virtual machines change the security policy changes with it. The recommendation scans process can be automated. For more information check out this post, “The What, Why and How of Recommendation Scans”.

Step 3: Once the recommendation scan is complete and assigned, examine the suggested rules. i.e. double click on the rule.

Screen Shot 2016-06-08 at 9.07.18 AM

Select the Configuration Tab and make any desired changes if needed. Click OK, Save and apply the policy to the relevant instances/computers.

Screen Shot 2016-06-08 at 9.08.06 AM

Note: Custom log inspection rules can also be created if required. For more information on this please refer to the Deep Security User Guide

Step 4: If required we can forward these events to a central SIEM solution either from the policy level (as shown below):

Screen Shot 2016-06-08 at 9.08.56 AM

Or at the system level (as show below):

Screen Shot 2016-06-08 at 9.09.48 AM

Conclusion:

Logs are security gold but finding actionable insights in mountains of data can be challenging. Log inspection makes data mining easier by providing continuous monitoring of OS and app logs. We filter out the noise and reduce false positives so that you can focus on real issues.

Written by technical security expert Dilan Nathoo