At one time there were great claims made for the future of applying sophisticated behavioral analysis to security logs and network traffic to detect malicious behavior. I even remember a suggestion at a summit on log management that we would be able to convert audit event streams into wave patterns and then use noise suppression algorithms to weed out the extraneous data. Talk about pie-in-the-sky.
Aside from the practical aspects of computing power and coding complexity, the problem with intelligent, automated log analysis is that malicious activity doesn’t necessarily equate with abnormal or anomalous activity. A lot of bad things look pretty normal when you view them in an audit log with all the other legitimate activity. Of course, if you know that a bad thing has occurred, finding evidence of it in the log is straightforward. But asking a log “Show me where this bad thing happened” is much easier than asking “Have any bad things happened?”
There are some exceptions though. There are a number of bad things that do create a noticeable spike or anomaly in your audit trail. In my upcoming real training for free (TM) webinar I will examine 5 real world ways to look for spikes in certain activity as an early warning that something bad – or at least unusual – is happening on your network. I’ll share anecdotes of how these methods have successfully resulted in detection of actual security problems at real companies.
A key requirement to applying these methods is to tune your detection logic to your unique environment. We’ll discuss that and more in 5 Real World Ways to Use Anomaly Detection with Security Logs. After my training presentation I think you will enjoy the brief demonstration by Isaac Thompson of EventTracker’s Behavior Analysis which uses automatic statistical analysis to monitor the event stream for new, different or unusual occurrences.
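To make the spike-and-tuning idea concrete, here is an added example (my own illustration, not code from the post or from EventTracker): it counts one event type per hour over a constructed audit log, flags an hour whose count jumps well above the median of the preceding hours, and shows that the same burst is a spike in a quiet environment but background noise in a busy one. The log format and the use of event id 4625 as the Windows failed-logon event are assumptions for the sake of the example.

```python
from collections import Counter
from datetime import datetime, timedelta
import statistics

# Constructed sample audit lines of the form "<ISO timestamp> <event id> <account>".
# Event id 4625 is assumed here to be the Windows failed-logon event (assumption, not from the post).
def constructed_log(background_per_hour, burst=40):
    """Build 24 hours of routine failed logons followed by one hour with `burst` of them."""
    start = datetime(2024, 5, 1, 0, 0, 0)
    lines = []
    for h in range(24):
        for n in range(background_per_hour + h % 3):  # small jitter so the baseline is not flat
            lines.append(f"{(start + timedelta(hours=h, minutes=n)).isoformat()} 4625 alice")
    for n in range(burst):
        lines.append(f"{(start + timedelta(hours=24, seconds=n)).isoformat()} 4625 svc_backup")
    return lines

def counts_per_hour(lines, event_id):
    """Count one event type per hour, filling empty hours with zero so they still shape the baseline."""
    hits = Counter()
    for line in lines:
        ts, eid, _account = line.split()
        if int(eid) == event_id:
            hits[datetime.fromisoformat(ts).replace(minute=0, second=0)] += 1
    if not hits:
        return {}
    hour, last, series = min(hits), max(hits), {}
    while hour <= last:
        series[hour] = hits.get(hour, 0)
        hour += timedelta(hours=1)
    return series

def spikes(series, baseline_hours=12, multiplier=3.0, min_count=10):
    """Flag an hour whose count is above an absolute floor (min_count) AND more than
    `multiplier` times the median of the preceding `baseline_hours`.
    These three knobs are what you tune per environment."""
    flagged, hours = [], sorted(series)
    for i in range(baseline_hours, len(hours)):
        baseline = statistics.median([series[h] for h in hours[i - baseline_hours:i]])
        count = series[hours[i]]
        if count >= min_count and count > multiplier * max(baseline, 1):
            flagged.append((hours[i], count, baseline))
    return flagged

def detect_failed_logon_spikes(lines, **knobs):
    """Full pipeline: parse/count event 4625 per hour, then apply the spike rule."""
    return spikes(counts_per_hour(lines, 4625), **knobs)

if __name__ == "__main__":
    for label, noise in (("quiet environment", 2), ("noisy environment", 30)):
        print(label, detect_failed_logon_spikes(constructed_log(noise)))
```

With the default knobs the quiet environment (2-4 failed logons an hour) flags the 40-event hour, while the noisy one (30-32 an hour) does not; raising or lowering `multiplier` and `min_count` is the per-environment tuning the post refers to.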
Please join me for this advanced look at getting the most from your log data.