Lieberman Software
Monday December 22nd 2014
Innovation Leaders in Privileged Management

SIEM Tools Have Blindspots!

Guest Commentary by
Brad Young, VP Marketing, ObserveIT

The various Log Management and SIEM tools available today have matured to a point that they can provide effective reports and correlation analysis for just about any activity that appears in the system logs we get via Applications, Databases, OS and  Configuration Management.

But still, as was highlighted in the “2011 Data Breach Investigations Report” (prepared jointly by Verizon, the U.S. Secret Service and the Dutch High-Tech Crime Unit), less than 1% of all known data breaches are identified via log analysis. That’s an incredibly low number!

It’s important that we understand why this number remains so low. While privileged identity management platforms such as Lieberman Software’s Enterprise Random Password Manager, companies have solved the question of “Who logged on”. But the question of “What they did” remains too cloudy.

The problem does not come from any inherent problem within the Log Management or SIEM tools themselves. They do a great job on reporting whatever log input they consume. The real problem lies in what log data we are feeding them.  The fact remains that existing system-oriented logs have blindspots. There are hundreds of actions which users perform daily that have major security implications, but unfortunately do not show up on the debug-style logs that we have access to today. It boils down to one simple truth: If your apps don’t log it, your audit report won’t show it.

The best way to overcome these blindspots is by adding User Activity Monitoring, such as that provided by ObserveIT. User Activity Monitoring generates a different kind of log – a video log + texual video analysis – which details the exact actions that a user performs. This is fundamentally different than the technical results of what s/he did, which is what most system logs tell us. It’s like the difference between fingerprints and surveillance video:  they are both valid and accurate, but the video tells so much more than the fingerprints.

Examples of security blindspots are surprisingly common:

  • Adding an IP address on a Windows server: Consider a situation where a user adds a new IP address on a Windows server, allowing hackers to bypass firewall settings. With full security auditing enabled, a total over 11,000 log events are triggered during the 30 seconds it takes to do this action. But within all that ‘noise’ there is nothing that states what actually took place. Even searching for “IP” or the actual IP address doesn’t find it. In contrast to this, an audit log that focuses on actual user actions would show that “john” logged on as “administrator”, and then opened the TCP/IP Address dialog box for editing. What’s more, a video replay of the user session would show exactly what John did.
  • Editing a critical configuration file:  An admin user might modify a sensitive config file such as ‘hosts’.  This could be done using Notepad, vi or any other text editor. In this situation, the text editor would not produce any application logs, thus allowing the change to go undetected. User Activity logs would show precisely that the ‘hosts’ file was edited, and video replay would show the actual changes occurring within the file.
  • Running a script on a Linux server: If a user runs a script – let’s call it innocentScript –on a Linux server, existing system audits will come back with debug data such as process ID and return value. But they wouldn’t show what commands or system calls are spawned by this script. Using a User Activity log instead would show the actual screen I/O, and would also show all those underlying system calls, allowing an auditor to know any improper actions that this ‘innocent’ script actually performed.
  • Cloud apps and Desktop software: The issue is not just on network servers. Consider cloud-based applications such as Salesforce, desktop software such as Excel, or even bespoke legacy software. None of these applications provide logs that truly show what the user has done. Some might provide debug-related details, but nothing that would satisfy a security auditor.

As shown above, security audits that rely on existing system logs have blindspots in them due to the fact that system logs simply do not capture the relevant information needed. It might be possible for a highly-trained security expert to piece together the log entries and determine what actions took place. But it would involve a time-intensive forensic analysis by a scarce and expensive resource. (Do you have highly-trained security experts with nothing better to do than piece together log entries?) User Activity Monitoring augments existing system logs by showing precisely what the user did, thus eliminating security blindspots.
About the Author

Brad Young is the VP Marketing for ObserveIT (www.observeit.com), a security software vendor that provides User Activity Monitoring solutions. Brad has been a thought leader in the enterprise software field for over 20 years.  When he’s not busy keeping the world compliant and safe from data breaches, he can usually be found throwing frisbees with his dog or banging away at the piano.  Brad can be reached at brad@observeit.com.

Reader Feedback

3 Responses to “SIEM Tools Have Blindspots!”

  1. […] recently were asked to contribute to the Identity Week blog. This site is a great resource for security news in general, and identity management issues in […]

  2. […] recently were asked to contribute to the Identity Week blog. This site is a great resource for security news in general, and identity management issues in […]

  3. […] is that companies must understand that expensive next generation firewalls and threat analytics/SIEM systems are worthless against the current breed of advanced, state-sponsored attackers. The […]

Leave a Reply


− 1 = two