Inside Out


Spoofing the Traditional "inside out" Log Managers

"Inside out" log management systems are supposed to protect the enterprise from malicious tampering with key systems. In fact, they do not.

There are several fundamental flaws with "inside out" log management:
  • They cannot see the critical system when it is "off the network."
  • They do not capture all the data.
  • They rely on the very network, operating systems and hardware they are responsible for monitoring.

Off the network intrusion:

People clever enough to maliciously tamper with critical log files are certainly clever enough to do it well.

A senior systems administrator takes the payroll system, running on Oracle, and during a scheduled maintenance window takes it off the network for just a few minutes to restart the machine in single-user mode. Since he has access to the system at a very primitive level, nothing seems out of the ordinary.

While the system, database and application are off the network or in single user mode, he accesses the Oracle database, downloads millions of personnel records, and then makes some very slight changes to a record or two.

He then moves the application back on the network and it fires up next time payroll is due.

This company unfortunately bought an "inside out" traditional log management system. It has no record of this intrusion, because "inside out" log management is blind whenever the network or the OS is down.

Unfortunately, in a situation like this, the company may not hear about the problem until it appears in a nationwide news story on identity theft.

With TDI, the network may be down and the OS may be down, but because there is a secure, persistent connection to the server at all times, all changes are still logged, time-stamped and auditable.

If the clever intruder takes TDI off the system, for even a minute, events are triggered that notify the proper personnel immediately. All accesses, keystrokes and responses are kept for review, audited in real time as they occur, and available for forensics at a later date with a chain of custody that will hold up in court.
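The blind spot described above is detectable on the collector side: a host that stops reporting over the network for longer than its normal interval is a gap, and anything an out-of-band console channel recorded inside that gap is exactly what an in-band collector never saw. The following is an added illustration, not TDI's own code; the log format, hosts and timestamps are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample log: periodic network heartbeats seen by a central
# collector, plus lines relayed from an out-of-band console channel.
# The payroll host goes silent on the network between 02:01 and 02:09
# while it is restarted in single-user mode (the scenario above).
SAMPLE_LOG = """\
2024-03-01T02:00:00 payroll-db network heartbeat ok
2024-03-01T02:01:00 payroll-db network heartbeat ok
2024-03-01T02:01:30 payroll-db console INIT: Switching to runlevel: 1
2024-03-01T02:09:00 payroll-db network heartbeat ok
2024-03-01T02:10:00 payroll-db network heartbeat ok
2024-03-01T02:00:00 web-01 network heartbeat ok
2024-03-01T02:01:00 web-01 network heartbeat ok
2024-03-01T02:02:00 web-01 network heartbeat ok
2024-03-01T02:03:00 web-01 network heartbeat ok
"""

MAX_GAP = timedelta(minutes=3)  # assumed normal heartbeat tolerance


def parse(line):
    """Split '<iso-timestamp> <host> <channel> <message>' into fields."""
    ts, host, channel, msg = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, channel, msg


def find_blind_spots(log_text, max_gap=MAX_GAP):
    """Return (host, gap_start, gap_end) for each period in which a host
    sent nothing over the network channel for longer than max_gap.
    Lines for a given host are assumed to be in chronological order."""
    last_seen, gaps = {}, []
    for line in log_text.splitlines():
        ts, host, channel, _ = parse(line)
        if channel != "network":
            continue
        if host in last_seen and ts - last_seen[host] > max_gap:
            gaps.append((host, last_seen[host], ts))
        last_seen[host] = ts
    return gaps


def console_events_during(log_text, gaps):
    """Console lines that fall inside a network blind spot: the events an
    'inside out' collector has no record of."""
    hits = []
    for line in log_text.splitlines():
        ts, host, channel, msg = parse(line)
        if channel != "console":
            continue
        if any(host == h and start <= ts <= end for h, start, end in gaps):
            hits.append((host, ts, msg))
    return hits
```

Run `console_events_during(SAMPLE_LOG, find_blind_spots(SAMPLE_LOG))` to list the single-user-mode transition that only the console channel captured.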

No agents to install, no reliance on the network connection, and no need to care about message formats, what they mean or how to distinguish one from another. Real intelligence around determining what is important, why it is important and what to do about it, based on individual vendors' definitions, together with a secure, remotely accessible remediation path to correct the problem – which is also logged and audited!