Centralized Accounting

So, centralized accounting – very helpful. Logs reviewing. How often do we review our logs? Logs are only useful if they are reviewed. If we don’t review the logs, they become useless, in effect. Logs are technically a reactive form of control. If we’re looking at a log, something has already happened, therefore it’s reactive. That’s not to say that they are unhelpful, though. Logs can help us prevent further problems by having alerting attached to the logs.

So if we have, for example, a honeypot, a desirable alerting system in our demilitarized zone, if somebody triggers an alert by trying to access that honeypot system, that will give us an alert that we can use to provide some kind of warning to the security function. Something untoward is happening on our network. Technically, that’s reactive, but it’s reactive at a very, very early stage of an attack. And log aggregation can help protect log integrity. It can also help with the business intelligence aspect of logs. We can start to normalize the data and form analytics on them.

And we can start to correlate different types of data to map trends related to service consumption, system utilization, but also things like, perhaps, incorrect passwords on an Active Directory, service against a particular account, and correlating that to brute force attacks on individual applications or web services. So SIEM systems can consume logs, and they can help with log alerts, and are really big advocates of SIEM systems. There are many, many providers of SIEM systems and they’re all very capable and com– mostly very capable and competent systems. The benefit is that log reviews typically are a manual process, or traditionally were a manual process, and very time intensive, labor intensive. Pouring through log files is slow work.

And typically, that log review process happens on a weekly or monthly basis. A SIEM system, as soon as an event is triggered, can alert you to the fact that an exigent circumstance has occurred. You define something that you want alerting about, and when it happens, the SIEM system tells you about it. So we need to be careful. There’s lots of data. We need to understand what we want from our accounting, how we manage it, and what processes we can use around BI and SIEM systems to support us from a semi-automated or fully automated perspective.