Security Kung Fu: Playing With Fire(wall) Logs

Firewalls are an important first line of defense against a range of security threats. But beyond brute-force attempts, countless firewalls have fallen to more sophisticated modes of attack, if not been circumvented altogether. The consequence is that attackers gain access to the network and trouble ensues.

Part Two of the Security Kung Fu Webinar Series built upon our previous discussions (check out the Security Kung Fu: SIEM Solutions blog for a recap) to highlight the important role firewalls play in network security and how log messages generated from these devices can provide meaningful insights to either thwart a security incident altogether, or assist in stopping one in its tracks. That is, assuming you’re armed with the right tools.

As important as it is to collect logs from these (and other) network devices, just as important is what you do with the data you collect. That’s where SIEM (security information and event management) solutions come in. Beyond this, we discussed how NCCM (network configuration and change management) solutions contribute to deeper security and address what for many companies is the end-all, be-all: helping them handle a variety of regulatory compliance objectives.

If this piques your interest, I encourage you to dive into the resources below or read along to find out all this event had to offer!

Watch the On-Demand Recording | Check out the SlideShare®

Meet the Security Kung Fu Masters

In addition to Ian Trump, a featured speaker in the first installment of the Security Kung Fu series, we welcomed Jamie Hynds, Senior Product Manager for SolarWinds® Security Portfolio. Jamie has years of experience in a variety of roles such as Sales Engineer for SolarWinds, IT Auditor and Security Consultant for Deloitte®, among others. In each capacity, he has assisted businesses in adopting technologies to enhance security, meet regulatory IT compliance, and pass audits for a broad array of compliance frameworks.

Be sure to check out Jamie’s often security-centric posts on THWACK® as well. He posts under the handle @jhynds.

Anatomy of an Attack

Once again referencing the Lockheed Martin Cyber Kill Chain®, we reviewed how firewalls protect against outside threats at the “Delivery” stage of this model by enabling certain defensible strategies. But despite the presence of physical/virtual barriers to a network, perimeter defenses are not enough. They can, however, further aid in the detection of threats. As we say in the series “the devil is in the details”… details found in your log data.

The Detection Deficit

Avid readers of security reports, like myself, may have grown fond of the Verizon® Data Breach Investigations Report (DBIR). Each year, analysts from Verizon publish the results of the vast amount of anonymized data they gather on actual security incidents (and breaches) from the prior year.

What was once a mainstay of this report tracked an important statistic dubbed the “detection deficit.” The detection deficit refers to the gap between an attacker’s “time to compromise” and the defender’s “time to discover.” Pretty important stuff, huh? Well, in an unfortunate turn of events, this measure was dropped from the 2017 Verizon DBIR, which was published shortly after the Security Kung Fu: Playing with Fire(wall) Logs webcast took place. Given that all the data collected for the DBIR is based on breaches that actually occurred, there wasn’t a logical need to track this measure moving forward, as it was “unlikely to ever show any improvement.”

Still, it’s an important subject. The more time it takes to discover threats on your network, the more damage can be done. Lowering your “mean time to detection” for security incidents is absolutely critical. As we contended in this session, with help from SIEM and NCCM solutions, your firewalls can play a big part in doing so.

The Role of SIEM and NCCM Solutions

A lot can be said about SIEM and NCCM solutions outright, but working in tandem with your firewalls, they have the potential for some really neat use cases. @Dez sums it up nicely in this post, which served as a reflection of this Security Kung Fu event. On one hand, a SIEM can help you spot malicious behavior on a firewall, including: malformed packets, unusual traffic patterns, unauthorized access, and unauthorized changes. On the back half (so to speak), using an NCCM solution, you can recover even if unauthorized changes disrupt operations or have some sort of greater impact. (Ringing any bells from Part One of the Security Kung Fu Series?)

When it’s all said and done, our Security Kung Fu Masters advised that when it comes to firewalls, you must be able to:

  • Monitor for abnormal activity, unexpected access attempts, and potential threats
  • Eliminate downtime due to misconfigurations—know what changed and when, and have the ability to back up to last known good configuration
  • Automate security audits and reports to not only verify security, but also compliance
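As an added illustration of the first two points (this is not code from the webinar or from any SolarWinds product), here is a small Python detector run over constructed firewall log lines: it flags a source that is denied on several ports within a short window (unexpected access attempts) and config-change events made by an account, or from an address, outside an assumed approved set (unauthorized changes). The log format, the management network, and the approved account list are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed, simplified firewall syslog lines (not real data, not any vendor's exact format).
SAMPLE_LOGS = """\
2017-05-01T10:00:01 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=22
2017-05-01T10:00:02 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=23
2017-05-01T10:00:03 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=3389
2017-05-01T10:00:04 fw1 DENY src=203.0.113.7 dst=192.0.2.10 dport=445
2017-05-01T10:00:09 fw1 ALLOW src=198.51.100.4 dst=192.0.2.20 dport=443
2017-05-01T10:02:30 fw1 CONFIG-CHANGE user=jdoe src=198.51.100.9 msg=rule_added
2017-05-01T10:05:00 fw1 CONFIG-CHANGE user=netops src=10.0.0.5 msg=rule_added
"""
ADMIN_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed management network
APPROVED_ADMINS = {"netops"}                      # assumed change-approved accounts
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) ?(?P<kv>.*)$")

def parse(text):
    """Raw lines to dicts; lines that do not match the format are skipped, not guessed."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
        rec.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        out.append(rec)
    return out

def find_port_probes(records, min_ports=4, window=timedelta(seconds=60)):
    """Unexpected access attempts: one source denied on >= min_ports distinct ports inside window."""
    denies = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "DENY":
            denies[r["src"]].append(r)
    alerts = []
    for src, evs in denies.items():
        for i, first in enumerate(evs):  # slide the window forward from each deny in turn
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                alerts.append({"src": src, "first_seen": first["ts"], "ports": len(ports)})
                break
    return alerts

def find_unauthorized_changes(records):
    """Unauthorized changes: a config edit by an unapproved account or from outside the admin net."""
    bad = []
    for r in (r for r in records if r["event"] == "CONFIG-CHANGE"):
        src_ok = ipaddress.ip_address(r["src"]) in ADMIN_NET
        if r["user"] not in APPROVED_ADMINS or not src_ok:
            bad.append({"user": r["user"], "src": r["src"], "ts": r["ts"]})
    return bad
```

The `first_seen` timestamp on each alert is what you would compare against the alert time to measure your own detection deficit for that event.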

Just a reminder: in no way is this an exhaustive list. Luckily for you, with a couple of products added to your arsenal, you can cover the bulk of these needs.

For more tips on how to improve your IT security posture, check out the entire Security Kung Fu webinar series, now available on-demand.

1 Comment

Very good information. So often we monitor but forget the alerting/responding.

"I'm a security MONITOR" - YouTube

About the Author
While serving as Product Marketing Manager at SolarWinds, I led the messaging and strategic marketing direction for over 13 products from the Security and Tools Portfolios. My introduction to the IT space came in the five years I spent working for an Austin-based colocation, managed hosting, and private cloud provider that assisted businesses in the healthcare, financial services, education and various other industries with high security needs and sensitive data. In that time, I learned a lot about the hosting industry, IT service management, physical and technical security, and of course... regulatory compliance.