The Sky is No Longer the Limit: Thoughts from the Cloud

Kevin Nikkhoo

Subscribe to Kevin Nikkhoo: eMailAlertsEmail Alerts
Get Kevin Nikkhoo: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn

Related Topics: Cloud Computing, Virtualization Magazine, SOA & WOA Magazine

Blog Post

If a Tree Falls in Your Network, Does Anybody Hear?

Listening through white noise: separating log data from actionable events

I recently came across an article regarding the difficulty of separating log data from actionable events. The issue at hand is a network is pinged potentially millions of times a day. Most of it innocuous-the legitimate log on and off of employees, genuine transactions of data, etc… But what gets lost amidst all this “white noise,” are the red flags that indicate breaches or worse malicious activities.

It can be overwhelming. In fact, the article Struggling to Make Sense of Log Data, points out a study by the SANS Institute that the biggest critical concern for security is the ability to discern usable and actionable data from log files.

How Important is Collecting Logs?

I asked a top notch engineer developing in the cloud and he wryly quipped if a tree falls in the forest, does it make a sound? He added, just because you set intrusion detections software system to find malware and the like, you still require the human intelligence to review/interpret the logs and create the baseline of normalcy. So I said, that is the problem…there’s just so much to review. To which he reminded me about the concept of situational awareness. He posits the idea that a singular event might be seen as generally low-level and harmless, but when it is put into context and correlated against various rules and diverse enterprise silos, a very different picture emerges. For instance, your network logs an access attempt from Bangladesh. Is this normal? Do you have customers, suppliers and employees who originate there? If so, is it happening during regular business hours? Is it following “normal” traffic patterns? If so, are they using dormant passwords or bypassing any protocols? If so, is the accessible data through this breach?

The study author Jerry Shenk said, "Even when we look at the 22 percent of respondents who are using SIEM (security information and event management systems) for collecting logs and processing them, nearly the same percentage say it is difficult to prevent incidents and detect advanced threats."

But the most disconcerting statistic is (according to the study): "With or without tools, many organizations don't spend much time analyzing logs. 35% of respondents said their organizations allot no time to less than one day a week on log analysis. The smaller the organization, the less likely they would spend on log data analysis. Many companies recognize that SIEM is part of the answer, however 58% of the companies in the survey noted they are "not anywhere close to that level of automation."

This alone is a perfect situation to incorporate security-as-a-service to help manage monitoring. Instead of once per week (if at all), monitoring occurs 7/24/365. Instead of catching just the most obvious threats, the automations combined with the sourced human analysis significantly shrink the vulnerability gap. Instead of looking at a singular network, it links, correlates, analyzes all the aspects of the enterprise. And cloud-based security does it at a fraction of the on-premise cost. The cloud allows organizations to expand their resources and therefore solidify its coverage.

Attacks, intrusions and abnormalities are issues aren’t solved by ostriches. Putting heads in the sand isn’t the answer. Neither is throwing your hands up saying so what can I do about it? And if you are one of those people who, at the top of this blog, consider the cloud too risky of a proposition, how much riskier is the status quo? To be effective, you need to have all the facts in order to formulate a stronger prevention plan. I can’t stress enough how important it is to understand regular traffic patterns in order to recognize when something requires greater attention or action. And to do that you need to review logs. However, with so many other priorities sometimes it is a considerable challenge to be proactive.

Trees will continue to fall in the forest. However, if you look down from the cloud, you are better attuned to hear it, and if necessary, act

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.