Using Ward Solutions BAS Service to Identify Missing or Misconfigured Security Logs
SIEM platforms rely on the accuracy, quality, and timeliness of logs to produce threat detection alerts. Keeping track of logs is not easy. Configuration problems, software flaws, expired licences, outdated APIs, and other causes can make log agents and collection software fail. The complexity, scale, and traffic volume of modern networks can also stifle data flow.
The log validation technique commonly adopted today is largely based on detecting anomalies in pre-defined traffic data. This method cannot map traffic carrying harmful content, nor pinpoint the source of a log issue among multi-function security controls. The inability to validate logs reduces the efficacy of Security Operations Centres (SOCs) and may make it harder to respond to alerts and events on time.
Technical Use Case:
Ward Solutions, with our partner Picus, uses Picus Detection Analytics to identify security events that have been detected or prevented by security controls but whose logs are not visible in SIEM platforms. By proactively detecting such flaws and maintaining a healthy log pipeline, you can guarantee that:
- There are no alerting gaps caused by undiscovered security events created by genuine attackers
- Regulatory log collection obligations are not breached
Suppose no event logs are found in the SIEM after an attack. In that case, it means that one of the following scenarios took place:
Option 1: On the attack vector, all applicable security controls failed to identify the attack’s TTPs. As a result, no log is created (please refer to the “Enhance your logging to have better visibility” use case).
Option 2: The defences identify the attack TTPs, but the logging options are not enabled, or the delivery method is not working.
Option 3: Logging and delivery methods are operational, but log delivery is delayed because of a configuration or network-related issue.
Option 4: Logs are delivered to the SIEM, but because they do not contain the right level of detail, Picus Detection Analytics does not recognise them as “log exists”.
This use case is intended to identify the situations described in Options 2, 3, and 4.
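As an added illustration of how a SIEM query result for one emulated attack maps onto the four options above (example code, not Ward Solutions’ or Picus’s own), the following Python correlates SIEM records with the emulation window and reports one status per run. The correlation key (time window plus emulated source address), the required field set and the five-minute delay threshold are this example’s assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Example's own choices: fields a record must carry to count as "log exists",
# and the longest delivery latency still treated as timely.
REQUIRED_FIELDS = {"src_ip", "dst_ip", "signature", "action"}
MAX_DELAY = timedelta(minutes=5)

@dataclass
class Emulation:
    """One threat-emulation run: attack window, emulated source address,
    and whether a control reported preventing it (known from the control)."""
    name: str
    src_ip: str
    start: datetime
    end: datetime
    prevented: bool

@dataclass
class SiemEvent:
    """One record returned by the SIEM query for the emulation window."""
    event_time: datetime   # when the control observed the activity
    ingest_time: datetime  # when the SIEM indexed the record
    fields: dict           # parsed log fields

def classify_log_status(emu, events):
    """Map the SIEM query result for one emulation onto Options 1-4."""
    # Correlate on the attack window and the emulated source address.
    matched = [e for e in events if emu.start <= e.event_time <= emu.end
               and e.fields.get("src_ip") == emu.src_ip]
    if not matched:
        # Option 1: nothing detected, nothing logged; Option 2: detected, not delivered.
        return "missing_not_delivered" if emu.prevented else "missing_not_detected"
    if max(e.ingest_time - e.event_time for e in matched) > MAX_DELAY:
        return "delayed"              # Option 3: delivered, but too late
    if any(not REQUIRED_FIELDS.issubset(e.fields) for e in matched):
        return "insufficient_detail"  # Option 4: present, but lacking required fields
    return "log_exists"

def sample_report():
    """Constructed data: one emulation checked against four SIEM query outcomes."""
    t0 = datetime(2024, 1, 1, 10, 0)
    emu = Emulation("web-shell-upload", "10.0.0.5", t0, t0 + timedelta(minutes=2), True)
    full = {"src_ip": "10.0.0.5", "dst_ip": "10.0.1.20", "signature": "WebShell.Upload", "action": "block"}
    thin = {"src_ip": "10.0.0.5", "signature": "WebShell.Upload"}   # no dst_ip / action
    s = timedelta(seconds=1)
    return {
        "none": classify_log_status(emu, []),
        "late": classify_log_status(emu, [SiemEvent(t0 + 30*s, t0 + 900*s, full)]),
        "thin": classify_log_status(emu, [SiemEvent(t0 + 30*s, t0 + 40*s, thin)]),
        "ok":   classify_log_status(emu, [SiemEvent(t0 + 30*s, t0 + 40*s, full)]),
    }
```

Each status is a finding a SOC can act on: re-enable or re-route the log source, fix the delivery latency, or enrich the log format so the record carries the fields detection content needs.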
Picus Detection Analytics Overview
Ward Solutions, with our partner Picus, uses Picus Detection Analytics to query SIEM platforms for the logs of the events generated by the IT infrastructure as a result of Picus threat emulations. Based on this query, the Picus user interface shows the journey of a threat with an end-to-end view. This view (image 1), in addition to the attack history and description information, contains:
- Start and end time of the attack
- Log status
- Log delivery time if the log is
- Alert status
- Prevention status
Findings related to the full attack spectrum are also listed, and users can narrow down the results by applying advanced filtering options (image 2). These options are:
- Prevention results
- Log Source
- Integration Device
- Alert Status
You may already have sophisticated security logging and monitoring solutions. Their effectiveness is only as good as the log sources that they capture, analyse, alert and report on. It is necessary to proactively and regularly validate that all appropriate log sources are delivered in a timely fashion to detect suspicious or malicious activity in your security infrastructure.
Use Ward Solutions and our partner Picus Security’s Detection Analytics platform to ensure:
- Initial log validation, e.g. after a SIEM deployment or after a significant network or infrastructure deployment, upgrade or change
- Ongoing log validation – continuous validation to ensure ongoing logging and monitoring effectiveness
- Ad hoc log validation – in response to an event, e.g. an incident that was not alerted on appropriately