How OSSEC Logging Can Dramatically Reduce Your SIEM Costs
Mike Shinn is Atomicorp CEO. He took a few minutes to discuss logging, how it is used for cybersecurity and compliance and how OSSEC can be used reduce the volume of SIEM logs. At the upcoming OSSEC Conference Atomicorp CTO Scott Shinn will review how OSSEC can be used to filter log files to reduce both the load on your SIEM and your monthly usage costs.
What is logging and why is it important in the enterprise?
There are at least two reasons why logging tends to be important. There is the reason related to the needs of the engineers themselves. They need to know what’s going on in the system, so they can fix it or figure out if something bad is happening. For larger enterprises, there are also external factors that require log capture to meet regulatory requirements like PCI-DSS, HIPAA, NERC CIP, or Sarbanes-Oxley. For government contractors or agencies there is FISMA and JSIG and for European companies and maybe everyone else there is now GDPR. And for some companies, many or even all of these regulations may apply to them. That’s a lot of regulatory requirements that require logging.
So, there is a practical need for logging and a regulatory necessity in many instances. The practical applications range from identifying activity that could be negatively impacting operational performance to nefarious activity that could indicate a cyber attack is underway. It is this latter scenario that led to logging becoming an important regulatory requirement. At the very least, you need the data so you can audit what happened. The better scenario is that your logs help you identify and stop an attack proactively.
What is involved in logging?
It is not as simple as just saying, “we log everything that our web server does” and we are done. Cyber attacks may be happening up in an abstraction layer and maybe interacting with two or three databases behind it through the web application. This means it can be very challenging to figure out what’s going on because you need to view logs from multiple systems to identify the attack. If the applications are generating telemetry, what many people call logs, you can create rules or apply machine learning to review system data and alert you about anomalies.
But, there are a lot of systems. We needed tools to automate that process because there’s entirely too much data. Even in a small organization, it is overwhelming. It is not only more information than is reasonable for a human being to look through, but by the time that human being has discovered something bad has occurred, it is already too late. The situation really reinforces the fact that human beings will always lose the race against computer-based attacks. So, this is where a SIEM comes in to try to help. Decades ago, we had log-based intrusion detection systems. SIEM is just a derivative of that approach.
How has logging and SIEM changed?
In short, there are more systems, more data generated and more attacks than most SIEM architects ever contemplated. The solution up to this point has been to apply more rules to your SIEM to analyze your logs to hopefully detect potential problems that may reveal a cyber attack. However, SIEM will also identify a lot of other events that are not attacks. A lot. Most of the alerts reference an event that is benign. It may take a cyber analyst a whole lot of data sifting to find something that really does require attention.
This leads to the human factor analysts call alarm avalanche. It turns out that it is not very useful to just tell a human being a whole bunch of stuff is happening if that person then has to analyze all of that data to figure out what is going on. There is too much data to get to it all. The person just becomes overwhelmed and either gives up, or simply cannot keep up. Either way, you have alerts that are never analyzed and hacks that go unnoticed.
How is OSSEC used for logging and how does it address the false positive overload?
OSSEC is about 13 years old and one of the first things it did was log aggregation and analysis. It was designed for scale. This means it can handle tens of thousands of nodes and the data they generate. Some organizations are using OSSEC to replace an existing SIEM and others use it to complement SIEM. If you want to replace a SIEM there are open source visualization tools such as the ELK (Elastic, Logstash, Kibana) stack that can be used as replacement for a SIEM dashboard. However, the more important factor is creating rules that identify the problems, so analysts are only using the dashboard to investigate real attacks. This is simple with OSSEC. Atomicorp has taken this even further by developing pre-packaged rule modules that are designed to identify specific classes of attacks and others that are used to comply with common regulatory regimes.
How is OSSEC used alongside a SIEM in the enterprise?
OSSEC and the detection and compliance modules can also be used to complement an existing SIEM. In those instances, you use the rules modules to filter data before it goes to the SIEM by discarding alerts that are clearly not security related. During one recent OSSEC implementation, we were able to reduce the amount of data going into the SIEM by 80%. Think about what that does for an organization. It makes the cyber analysts more productive since they are sifting through less chaff and able to focus more on significant log events. This means they can identify real attacks sooner and initiate remediation and active response, which is another OSSEC feature beyond logging.
Plus, OSSEC will still keep a copy of all those log events, so you can still mine all that data anytime you want. You get the best of both worlds.
It also means organizations can dramatically reduce their SIEM costs as many software providers charge based on data volume. That is the OSSEC logging trifecta. More productive analysts, attacks that are identified and stopped faster and lower SIEM costs. It is benefits like these that are driving big global enterprises such as Salesforce, GE and Sony to bring OSSEC into their security stack.
To learn more about using OSSEC for logging and how you can cut your SIEM costs, you can attend Scott Shinn’s presentation at the OSSEC conference in early April 2018. Click the button below to find out more.