ColdPath provides remote log management configuration, deployment, and storage services to maintain the integrity of your logs, meet compliance requirements, and reduce exposure to security threats, damage, loss, and legal liabilities.
We leverage the open-source Host Intrusion Detection System (HIDS) OSSEC, in addition to other proprietary technologies.
Critical Element of a Defense in Depth Strategy
A good Defense in Depth strategy employs a series of protective and defensive security controls across the stack so that redundant and complementary services are always available. It subscribes to the idea that the security threat landscape is continuously evolving; as such, the best defense is a layered approach that avoids single points of failure.
These strategies often employ a combination of technologies that fit into three core security domains:
Log management fits squarely in the detection domain, and it is critical to enabling corrective measures. Regardless of how many preventive controls are deployed, a lack of visibility into the state of the protected assets will eventually lead to catastrophic events. We don't have to look far to identify global events that were made worse by poor visibility into the state of an organization's assets.
In September 2017, Equifax disclosed a mega-breach of its systems, carried out through the exploitation of a web application, which leaked the personal records (names, dates of birth, credit card numbers, Social Security numbers, driver's license numbers, home addresses, etc.) of over 145 million US residents and 400k UK residents.
Attackers compromised Equifax by exploiting a publicly disclosed vulnerability in the Apache Struts framework. Although the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) had notified Equifax, its inventory of current assets failed to tell the responsible teams that specific systems were running the Struts framework. This failure of detection occurred both in the asset inventory and in the real-time scans specifically looking for the vulnerability. The attackers were then able to mask their activity on the network for 76 days because of an expired digital certificate.
A critical digital certificate used by the Network Intrusion Detection System (NIDS) had expired 10 months earlier, so the attackers could extract data from and query internal database systems undetected. As soon as the certificate was reissued, the attackers were detected and the company initiated its incident response protocols.
This scenario highlights the importance of detection measures and how they fit into the Defense in Depth paradigm. This synopsis is intended only to show why detection measures such as log aggregation and retention matter; a more comprehensive account of the Equifax incident can be found in the report prepared by the US Government Accountability Office.
The Importance of Logging Activity on Assets
Most systems, whether IoT devices, servers, notebooks, or desktops, provide some logging functionality. It is usually built into the core of your operating system (OS), network devices, and software applications. This logging functionality is designed to help organizations track what is happening, debug potential issues, and create an inventory of activity (usually in chronological order). In addition to the default logs provided by your systems and applications, as an organization you can create additional, more detailed logs to capture richer information if you require it.
The challenge we face with logging isn't that logs don't exist, but rather the size of today's organizational environments and the scale of activity happening at any given time across them. Having logs and actively using them to monitor the state of your environment are two fundamentally different things. "Without the active monitoring and analysis of security logs, the erosion of information security defenses by capable adversaries will likely go undetected and will eventually result in the compromise of the very assets that require protection." (PCI Security Standards Council, 2016).
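The difference between having logs and actively monitoring them is easiest to see in code. The following is an added example, not part of ColdPath's page or of OSSEC itself: a small Python detector that reads constructed SSH authentication log lines (the sample lines, host names and IP addresses are made up for illustration) and raises an alert when one source address produces a burst of failed logins inside a short window. This is the kind of correlation a HIDS such as OSSEC performs with its rules; the threshold and window here are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an OpenSSH auth log (not real data).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51111 ssh2
2024-03-01T10:00:04 host1 sshd[2002]: Failed password for root from 203.0.113.7 port 51112 ssh2
2024-03-01T10:00:09 host1 sshd[2003]: Failed password for root from 203.0.113.7 port 51113 ssh2
2024-03-01T10:00:15 host1 sshd[2004]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
2024-03-01T10:00:20 host1 sshd[2005]: Failed password for invalid user test from 203.0.113.7 port 51114 ssh2
2024-03-01T10:00:22 host1 sshd[2006]: Failed password for invalid user oracle from 203.0.113.7 port 51115 ssh2
2024-03-01T10:05:00 host1 sshd[2007]: Failed password for root from 198.51.100.9 port 40001 ssh2
"""

# Matches only the "Failed password" events; everything else is ignored by the rule.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failed_login(line):
    """Return (timestamp, host, user, src_ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"])


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert when one source IP produces >= threshold failed logins inside `window`.

    Returns a list of (src_ip, host, count, first_ts, last_ts) tuples. After an
    alert the source's window is reset so a long flood yields one alert per burst
    rather than one per line (threshold and window are illustrative assumptions).
    """
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue
        ts, host, _user, src = parsed
        q = recent[src]
        q.append(ts)
        # Drop failures that fell out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((src, host, len(q), q[0], ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for src, host, n, first, last in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {n} failed SSH logins from {src} between {first} and {last}")
```

Run as-is, the script reports a single alert for 203.0.113.7 (five failures in about twenty seconds) and stays silent about the lone failure from 198.51.100.9. The point is the one the PCI quotation makes: the evidence was already in the log; only the rule that reads the log turns it into detection.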
Logging and Regulated Industries
All commerce organizations, whether they do business online or in traditional brick-and-mortar stores, have a responsibility to comply with the guidelines set forth by the Payment Card Industry Data Security Standard (PCI DSS).
If your organization requires regulatory compliance or collects sensitive data, you must deploy log management across your environment as part of your overall security strategy.
Digital Threats Are Increasing
We understand that in today's increasingly complex online landscape, network breaches and digital threats are more prevalent than ever. We also know that if your logs are exposed to risk, it can cause major problems.
ColdPath helps you achieve technical compliance with regulations like SOX, FISMA, HIPAA, PCI, NISPOM, and GLBA through the comprehensive collection and storage of logs, also called audit records and event logs.
How Log Management Works
Every computing device in your network creates computer-generated messages or recordings, called logs, that document the activities on the device. Those logs are used by IT and operational teams to see what is happening in your environment, troubleshoot any information discrepancies, and discover what happened during a security incident.
At ColdPath, we take over the collection and management of your logs, storing and retaining them in our secure data centers, which removes that risk from your organization. OSSEC is our solution of choice for this.
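Retaining logs off the monitored host is what makes them trustworthy as evidence. The following is an added example, not ColdPath's or OSSEC's code: a Python hash chain in which each stored record carries a SHA-256 link to the previous one, so that a modified, inserted or deleted record is detected by a later verification pass. The records and the `genesis` value are constructed for the demonstration; the `expected_head` parameter is an assumption standing in for a head hash kept by the remote store.

```python
import copy
import hashlib

GENESIS = "0" * 64  # constructed starting link for an empty chain

# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    "2024-03-01T10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.7 port 51111 ssh2",
    "2024-03-01T10:00:15 host1 sshd[2004]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2",
    "2024-03-01T10:01:00 host1 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart app",
]


def _link(prev_hash, record):
    """Hash of the previous link concatenated with the record text."""
    return hashlib.sha256((prev_hash + "\n" + record).encode("utf-8")).hexdigest()


def chain_records(records, prev_hash=GENESIS):
    """Append records to a chain; each entry remembers the link it was computed from."""
    chain = []
    for rec in records:
        entry_hash = _link(prev_hash, rec)
        chain.append({"record": rec, "prev": prev_hash, "hash": entry_hash})
        prev_hash = entry_hash
    return chain


def head_hash(chain, genesis=GENESIS):
    """The latest link; this is the value worth storing away from the logging host."""
    return chain[-1]["hash"] if chain else genesis


def verify_chain(chain, genesis=GENESIS, expected_head=None):
    """Return -1 if the chain is intact, otherwise the index of the first bad entry.

    Any edit, insertion or deletion inside the chain breaks a link at or before
    the next entry. Deleting records from the tail cannot be seen from the chain
    alone, which is why `expected_head` (the head hash kept by the remote store)
    is checked last; a mismatch there is reported as index len(chain).
    """
    prev = genesis
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _link(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)
    return -1


def tamper_demo():
    """Show the three failure modes: edit, delete in the middle, truncate the tail."""
    chain = chain_records(SAMPLE_RECORDS)
    head = head_hash(chain)

    edited = copy.deepcopy(chain)
    edited[1]["record"] = edited[1]["record"].replace("deploy", "attacker")

    deleted = copy.deepcopy(chain)
    del deleted[1]

    truncated = copy.deepcopy(chain)[:2]

    return {
        "intact": verify_chain(chain, expected_head=head),
        "edited": verify_chain(edited, expected_head=head),
        "deleted": verify_chain(deleted, expected_head=head),
        "truncated_without_head": verify_chain(truncated),
        "truncated_with_head": verify_chain(truncated, expected_head=head),
    }


if __name__ == "__main__":
    for case, result in tamper_demo().items():
        print(f"{case}: {'ok' if result == -1 else 'broken at index ' + str(result)}")
```

The `truncated_without_head` case is the caveat that matters: a chain verified only against itself cannot tell that its newest records were removed, and an attacker with write access to the host could simply rebuild the whole chain. The guarantee comes from keeping the head hash, or the records themselves, somewhere the compromised host cannot write, which is the role of off-site collection and retention.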
Why Choose ColdPath
The problem with log management is that most organizations produce hundreds of thousands of logs in a short period of time, which means that manually managing logs quickly becomes impossible, and storing the logs in-house becomes both a security risk and a resource drain.
When you partner with ColdPath, you offload server overhead and take advantage of our secure third-party data centers. This means the logs can't be manipulated or tampered with, the integrity of the logs remains intact, and your overall risk is reduced.