
Online logging

Level 9

There are a number of companies doing log analysis in 'the cloud'. What do people think of the security implications of this?

Your logs that are uploaded are generally inside some sort of private container, however there have been a number of high profile security concerns. This includes holes in regular open-source software as well as lax security by companies providing cloud services.

If you're uploading security logs to a remote system, and that system is compromised, you're essentially giving a blueprint for how to get into your network for those who now have your logs.

What's the best strategy for this? I have a few, each with advantages and disadvantages:

  • Never use one of these services - Keep it all in house, though you lose a ton of the analytics they provide unless you've got developers in-house to do this.
  • Filter what you upload - This gives a broken picture. Partial logs don't mean much and it will be difficult to figure out what you should be filtering.
  • Put your trust in them - Famous last words? I err on the side of caution and trust no one.

Each of these has advantages and disadvantages and I'm eager to see what others feel.

28 Comments
Level 13

Interesting conundrum. There are advantages to cloud-based security services, in that they can detect event correlation across multiple customers, where an in-house solution can't do that. They'll also have additional visibility into emerging threats.

Level 9

I think those are the same advantages and disadvantages with putting anything in the cloud. If it was possible to keep the logs encrypted en route to and at rest in the cloud I would have no issues with keeping my logs there.

Level 9

My issue is that at some point those logs would need to be unencrypted in order to be read into their system. Does the system then cache a view for you to see? That data in their system must be readable, and if a hole is found, someone could find that surface and attack it.

Level 17

I would think that a breach of any cloud management/holding entity would mean death for their business model. I also am wondering how much their payouts have been to those entities that have had their security breached. Does your agreement even include the scope of what needs to happen if their systems are breached and your data is at risk? Is there a disclosure clause? If you can't count on these being part of your agreement then I would personally steer clear of the idea.

* Keeping it in house takes a lot of effort, but if you can find Mr. Wizard to set it up, or at least to interpret what has been set up, you're going to find yourself analyzing what you analyze. Having an understanding of the data is the first step after collecting it.

* Filtered Logging just sounds like a lost effort. Who wants to piece the puzzle together knowing you are missing 378 of the 1000 pieces. HECK, even worse is if the guy going over the logs doesn't know they are filtered.

* There is a very simple solution here, and one of my new techs figured this out today...

  Example: Nexus 5Ks have 2Ks that are attached. Monitoring is of the 5Ks, and I use pollers (UnDP) to pull each 2K's status (whether there is 1 or 20 attached). So this new tech gets a fan alert from the 5K.

  After learning that the 2Ks alert through the 5Ks, and to log in to the 5K and check FEX status, I asked the tech, "So have you learned anything?"

  His reply was simple: "Trust No One!"

  "Very good!", I stated.

Level 11

We currently do not send any logs to the cloud for that very reason: security. We keep it all in-house on several servers.

Level 14

I can understand the advantage of correlating multiple sets of logs to get a high level view, say from a global CERT viewpoint.  However, for me, sending my logs to the cloud is roughly the equivalent to washing my dirty laundry in my front yard.  There may be nobody watching, but I can't be sure.  I'll keep my logs to myself.

Level 9

We keep everything in house for security reasons. We have two data centers in two different towns for redundancy.

Level 8

Deal with a lot of PII so everything stays in-house, no exceptions.

Level 15

Clouds are where storms happen... (just saying)

Maybe from a monetary, big-picture outlook on a spreadsheet it makes sense to move logs to the cloud. But it only takes one incident to make all of those "savings" a moot point. I would always lean towards investing in the infrastructure and talent to keep security internal.

Level 12

I agree to err on the side of caution. No matter how secure, one breach, one capture during transfer, one unauthorized access, and you are in deep kimchi.

We currently keep all logs internal and use our SIEM, SW LEM, for log analysis and alerting.

I have taken a look at cloud logging solutions and they are appealing, especially with the rapid growth of our logging demands, but still I am wary of the complications and potential negatives that are associated with such an endeavor.

Keeping it real....

Level 12

If you filter what you are sending, besides not giving the complete picture, part of the job is already done and you might as well go the extra mile and analyze it yourself. You obviously already have some sort of knowledge in-house or else you would be sending anything that's not really relevant. So I guess it rules out #2 and you are left with either trust them or don't. I believe the problem is not with the service itself, but where the service is. I think I would trust those online companies, but it's everything else that's online that I don't trust.

It's like when you have kids... When you have a boy, you have one boy to keep an eye on. When you have a girl, you have all the other boys to keep an eye on.

Level 11

If you're going to upload your logs, use a secure protocol like secure TCP syslog. Also make sure the logging server has been locked down, with other security practices in place as well, like HIDS and NIDS and an enterprise firewall.

Level 13

I am way too paranoid to ever trust a cloud service for my logs. There's too much recon data in there. I'm sure I'm not the only person to ever mistakenly type my password when the prompt was expecting a username. Suddenly those failed login attempt logs have a lot more value to a data miner or attacker.
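The two concerns raised in this thread, logs that double as a network blueprint (internal addressing) and failed-login records that accidentally contain a password typed into the username field, are both things a pre-shipment scrubber can catch before anything leaves the building. The block below is an added example written for this page, not code from the original thread or from any product mentioned in it. It assumes OpenSSH-style auth log lines (the sample lines are constructed), an assumed local account naming convention (`ACCOUNT_RE`) used to decide whether a "username" in a failed login looks like a mistyped password, and a per-site secret key used to pseudonymize RFC 1918 addresses so events from the same internal host still correlate without revealing the address. It also appends a marker line so whoever reads the uploaded logs knows they were filtered, which addresses the "the guy going over the logs doesn't know they are filtered" problem raised earlier.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample auth log lines (OpenSSH sshd format); not from any real system.
# Line 1 shows the classic mistake: a password typed into the username prompt.
SAMPLE_LINES = [
    "Oct  3 09:12:01 bastion sshd[2211]: Failed password for invalid user Summer2024! from 10.20.1.15 port 51234 ssh2",
    "Oct  3 09:12:05 bastion sshd[2211]: Failed password for jdoe from 10.20.1.15 port 51236 ssh2",
    "Oct  3 09:12:09 bastion sshd[2213]: Accepted publickey for jdoe from 10.20.1.15 port 51240 ssh2",
    "Oct  3 09:13:40 bastion sshd[2219]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2",
]

# Assumed site convention for account names (hypothetical): lowercase, starts with a
# letter, 3-32 chars. A failed-login "username" that violates it is treated as a
# probable credential and redacted rather than shipped.
ACCOUNT_RE = re.compile(r"^[a-z][a-z0-9_.-]{2,31}$")

FAILED_LOGIN_RE = re.compile(
    r"(?P<prefix>Failed password for (?:invalid user )?)(?P<user>\S+)(?P<rest> from \S+ port \d+)"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Only RFC 1918 ranges are pseudonymized; public source addresses are left intact so
# the analysis service can still enrich them with reputation data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical per-site key; in practice load it from a secret store and rotate it.
SITE_KEY = b"rotate-me-per-site"


def is_internal(ip):
    """True if the dotted quad parses and falls inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def pseudonymize_ip(ip, key):
    """Replace an internal address with a keyed HMAC tag. Same input + same key gives the
    same tag, so the cloud side can still correlate events per host; without the key
    the tag does not reveal the address or the addressing plan."""
    if not is_internal(ip):
        return ip
    tag = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:12]
    return f"int-{tag}"


def scrub_line(line, key):
    """Return (scrubbed_line, credential_redacted). The username in a failed-login event
    is kept only if it matches the site account convention; all internal IPv4 addresses
    are replaced with pseudonyms."""
    redacted = False

    def fix_user(m):
        nonlocal redacted
        if ACCOUNT_RE.match(m.group("user")):
            return m.group(0)
        redacted = True
        return f"{m.group('prefix')}[REDACTED-POSSIBLE-CREDENTIAL]{m.group('rest')}"

    line = FAILED_LOGIN_RE.sub(fix_user, line)
    line = IPV4_RE.sub(lambda m: pseudonymize_ip(m.group(0), key), line)
    return line, redacted


def scrub_batch(lines, key):
    """Scrub a batch and append a marker so the downstream analyst knows the logs were
    filtered and how much was removed."""
    out = []
    n_redacted = 0
    for line in lines:
        scrubbed, redacted = scrub_line(line, key)
        out.append(scrubbed)
        n_redacted += int(redacted)
    out.append(
        f"SCRUB-MARKER: {len(lines)} lines processed, {n_redacted} usernames redacted, "
        f"internal IPv4 addresses pseudonymized"
    )
    return out


if __name__ == "__main__":
    for entry in scrub_batch(SAMPLE_LINES, SITE_KEY):
        print(entry)
```

The account-convention test is a heuristic: it catches the obvious "Summer2024!" case but would pass a password that happens to look like a valid username, and it says nothing about credentials leaking through URLs, query strings or application debug lines, so it belongs alongside the filtering policy, not in place of it. Pseudonymizing with an HMAC rather than a hash without a key matters because the internal address space is small enough to brute-force a plain hash in seconds.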

Level 14

I say never use one of these services. I just don't like the idea of an enclave's logs being out somewhere else that you don't fully control. If there is the possibility of a "security hole", I'd rather it be in-house. I don't want to rely on someone else being responsible for it. With it being in-house, you get to decide how to secure it and can implement changes, security fixes, and updates when you dictate.

Level 9

All of our logs are kept in house. Although the cloud may be secure, the potential for disaster is too great of a risk for the reward.

Level 11

I am not a fan of the cloud. I know that makes me sound old and outdated, but I just don't trust my bits in someone else's cloud.

Level 9

I would keep the logs in house.  But if the cloud is a must, maybe have the logs zip up with a password or some other security.  That is not much but it does give it a little more security.  Of course that would take more time just to upload a log.

Level 10

Stop sticking stuff in the cloud. Logs should be locked down and only seen if needed.

MVP

Echoing most of the other comments: this stuff is the least likely to be moved to a cloud environment.

MVP

The other thing is that if it's not in the cloud we only have to defend one area, rather than being reliant on the security of all of those different cloud vendors.

I still don't see the attraction - but upper management seem to love the bean counter mentality

Level 21

Since you are currently using LEM and you mention rapid growth of logging demands, could you share what kind of volume you are currently handling with LEM?

Level 21

We are a hybrid cloud service provider, and when customers have log management and/or compliance requirements we implement a SW LEM appliance in their hybrid environment. With this hybrid approach we have a dedicated appliance using storage that allows our customers to always know where their data is being stored. In cases where the hybrid includes customer-prem systems we have a site-to-site tunnel to secure the data.

Level 12

Nothing here goes to the cloud, for security reasons; everything is kept in-house.

MVP

I'd keep it in-house...but that is my perspective. 

Those decisions are made at a higher pay grade than mine.

Level 9

I believe one should look what kind of service and who to trust on this, some services are security hardened and deserve a chance to prove themselves worthy. I personally trust FortiCloud for UTM logs.

MVP

I agree that there's risk in putting any data in the cloud, but let's not forget that there is risk in having that data in your internal network, too. Corporate networks are always targets for intrusions, because they have more than just log data. We'd be wise to question the security of data regardless where it lives.

It can be stolen from your network or the cloud. If you can get actionable information from an aaS log analysis tool, and you accept that risk, go for it. Just don't think that because your data is in your very own data center it's safe.

Level 9

We use the cloud in some scenarios, but not for log data that should be secured! We follow measures to ensure it is secured internally. Putting it out in the cloud is just not an option.

Level 15

Agree with the bulk of the comments here. Logs should be kept in house and analyzed there. Otherwise, if they have to exit the confines, they need to be scrubbed, specifically when there is a reason they have to go outside, such as web reputation verifications.

About the Author
I started in my early days (1996), while I was still at college, in the Technical Support area of the Direccion de Sistemas e Informatica of the UANL (Universidad Autonoma de Nuevo Leon), which is one of the biggest public universities in Mexico. There, I grew from a total novice in the IT world to a Jr Network Engineer and eventually to the Engineer in charge of the management and operation of RedUANL (that's what we called the university's network). That's where I suffered the pains and enjoyed the pleasures, for the first time, of being the network manager of a big and complex network. Currently I'm with the best Latin American Solarwinds Channel Partner, Iscor Soluciones, as the Sr Pre- and Post-Sales Engineer in charge of the Solarwinds brand inside Iscor. At Iscor, we've been partners with Solarwinds since 2001 and are growing every day with new challenges and new projects that make our day-to-day work fun and enriching.