Over the years, I’ve had the privilege of attending many trade shows and conventions; some better than others. However, one thing remains the same – meeting interesting people.
As a vendor, you attend expecting to be the one showing people how things are done. More often than not, though, this becomes a two-way conversation and I go home with plenty of new and exciting ideas to be thinking about.
This year’s Black Hat USA in Las Vegas was no exception.
Logs, log files everywhere and not an audit to rely on
Unsurprisingly, given SIEM is on everyone’s tongue, one of the key topics of conversation was security logs. Logs of all kinds: operating system, application, and network device logs.
One area that particularly caught my attention was the subject of log manipulation by bad actors to cover their tracks – manipulation through amending or deleting log files. A few high profile cases of this tactic have come to light recently, specifically around the deletion of native Active Directory log files. Let’s face it, if a bad actor has compromised a Domain or Enterprise Administrator account, they have the keys to the kingdom – both in terms of the directory and data, as well as the corresponding logs.
Many of the traditional players in Data Access Governance and AD auditing have relied (and still rely) on the native log files, which, given this trend of manipulation, throws considerable shade on the validity of the event data being presented to the customer.
While discussing STEALTHbits’ approach to this dilemma, it became clear to my fellow attendees that they were hearing an approach that directly addresses this challenge and risk.
It’s hard to intercept those bad actors
StealthINTERCEPT has zero reliance on log files of any sort and uses endpoint agents to gather activity and auditing data.
‘But an agent can be stopped, uninstalled or tampered with just like a log’, was the common response.
‘Not with our agent hardening option,’ was my response. ‘We block the agent service from being stopped or uninstalled. We also lock down the install files and registry hive from manipulation.’
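The two points in the conversation above, that an agent can be stopped or tampered with just like a log, and that native logs themselves can be cleared, both come down to checks a defender can run on a host. The script below is an added example, not StealthINTERCEPT code or any STEALTHbits procedure: it reads the service security descriptor of an auditing agent to see whether broad groups (Users, Everyone, Authenticated Users, Interactive) can stop, reconfigure or delete it, checks the install directory and registry key ACLs for write access by those same groups, and looks for Security log cleared events (Windows event ID 1102) in the last week. The service name, install path and registry key are placeholders to replace with your own.

```powershell
<#
Added example (not STEALTHbits/StealthINTERCEPT code). Audits, from the
defender's side, whether an auditing agent on a Windows host can be
tampered with by non-administrators, and whether the Security log has
recently been cleared. Service name, install path and registry key are
placeholders; substitute your own. Run in an elevated session.
#>
param(
    [string]$ServiceName = 'ExampleAuditAgent',                    # placeholder
    [string]$InstallPath = 'C:\Program Files\ExampleAuditAgent',   # placeholder
    [string]$RegistryKey = 'HKLM:\SOFTWARE\ExampleAuditAgent'      # placeholder
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Service DACL: which broad trustees may stop, reconfigure or delete it?
#    SDDL trustee abbreviations: IU interactive, SU service, BU builtin users,
#    WD everyone, AU authenticated users, AN anonymous.
#    Service rights that amount to tampering: WP stop, DC change config,
#    DT pause/continue, SD delete, WD write DAC, WO write owner.
$broadTrustees = @('IU', 'SU', 'BU', 'WD', 'AU', 'AN')
$tamperRights  = @('WP', 'DC', 'DT', 'SD', 'WD', 'WO')
$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
if (-not $sddl) {
    $findings.Add("service '$ServiceName': could not read its security descriptor")
} else {
    # ACE layout is (type;flags;rights;object;inherit_object;trustee); only
    # Allow ACEs matter here, and rights are two-letter tokens run together.
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([^;]*);;;([^)]*)\)')) {
        $rights  = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        $trustee = $m.Groups[2].Value
        $bad = $rights | Where-Object { $tamperRights -contains $_ }
        if (($broadTrustees -contains $trustee) -and $bad) {
            $findings.Add("service '$ServiceName': $trustee holds $($bad -join ',')")
        }
    }
}

# 2. Install directory and registry key: broad groups must not hold write,
#    delete or permission-change rights. Masks deliberately exclude read bits
#    (FullControl/WriteKey would match ReadPermissions); GENERIC_ALL and
#    GENERIC_WRITE are added because inherited ACEs sometimes carry them.
$broadNames = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users',
                'NT AUTHORITY\INTERACTIVE', 'NT AUTHORITY\ANONYMOUS LOGON')
$fsWrite  = [int]([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000
$regWrite = [int]([System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000

function Test-BroadWriteAccess {
    param([string]$Path, [int]$WriteMask, [string]$RightsProperty)
    if (-not (Test-Path $Path)) { return "path '$Path' does not exist" }
    foreach ($ace in (Get-Acl $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadNames -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.$RightsProperty -band $WriteMask) -ne 0) {
            return "path '$Path': $($ace.IdentityReference) has $($ace.$RightsProperty)"
        }
    }
    return $null
}

$r = Test-BroadWriteAccess -Path $InstallPath -WriteMask $fsWrite  -RightsProperty 'FileSystemRights'
if ($r) { $findings.Add($r) }
$r = Test-BroadWriteAccess -Path $RegistryKey -WriteMask $regWrite -RightsProperty 'RegistryRights'
if ($r) { $findings.Add($r) }

# 3. Has the Security log been cleared? Windows writes event 1102 into the
#    (new) Security log itself when it is cleared; a collector that forwards
#    events as they occur still has the record even if the log is wiped.
$cleared = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue
foreach ($e in $cleared) {
    # Properties[1] is SubjectUserName in the 1102 event data.
    $findings.Add("Security log cleared at $($e.TimeCreated) by $($e.Properties[1].Value)")
}

if ($findings.Count -eq 0) {
    Write-Output "No tampering exposure found for '$ServiceName'."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    exit 1
}
```

A clean result means only administrators and SYSTEM can stop or reconfigure the agent and write to its files and keys, which is the property the hardening option described above is meant to provide; it does not cover an attacker who already holds local administrator rights on the host, which is where forwarding events off-box as they occur, rather than relying on the local log, matters.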
After a few seconds of silence and reflection, they pondered the fact that this completely relegated the modus operandi of log manipulation to that of a legacy threat. Maybe they were wondering why they had spent so much time relying on logs despite knowing they were not reliable!
This made me reflect on the importance of auditing integrity – not log integrity.
Is the auditing data I’m getting directly from Active Directory and my file systems reliable? Is the data coming out of my SIEM valid if the integrity of the source data itself is questionable?
‘Oh, and by the way, StealthINTERCEPT also feeds the auditing data directly into your SIEM platform seamlessly.’
Did those jaws drop? They certainly did!
Alon Zelico is a Sales Engineer at STEALTHbits Technologies and works out of southern California. He has well over 20 years of experience as a solution architect and engineer specializing in data security at some of the world’s leading security organizations. In his free time, Alon is passionate about educating middle and high school students, and regularly volunteers to speak at area schools on topics of cyber security, protecting their privacy and staying safe in this digitally connected world.