Analyzing Security Output – CompTIA Security+ SY0-501 – 2.4

If you work in IT security, then you’re examining the details inside many different log files. In this video, you’ll learn about the logs used by anti-malware, firewalls, UTMs, and more.



In most of our operating systems these days, we’re running software that can be called an intrusion detection system or intrusion prevention system. This IDS or IPS software used to be a separate application, but now it has been integrated into an existing anti-virus or anti-malware suite. You often see it referred to as an endpoint security agent.

It usually protects our system based on a series of known signatures. The software is looking for very specific kinds of traffic patterns, and if it sees those patterns, it’s able to allow or block traffic going through our operating system. Because this software is sitting on our operating system itself, it doesn’t have to deal with the encryption we’re doing across the network. It instead can see all data because it’s on our desktop.

The software can also watch for things happening within the operating system. So if a piece of software modifies or moves a file in our file system, it can inform us that something may have occurred that we did not want to happen in our operating system. One common type of log you might see in your operating system is an anti-virus log. This is software that’s running in our operating system and looking for viruses being downloaded and executed on our system. As a point of reference, you can look at these statistics from Kaspersky Lab for the first quarter of 2017, where they said that over 479 malicious attacks and over 79 malicious URLs were blocked.

Usually, when your anti-virus software identifies this kind of activity, it will stop the download, prevent the execution of the software, or prevent your system from visiting a known bad URL. Inside of your anti-virus software, you’ll have a log that shows how many executables were blocked or how many URLs were stopped. And you can see in this log that I have a Trojan that was identified, and it’s one that was removed from the system. It was quarantined automatically when it was identified by the Windows Defender anti-malware software.

Many operating systems can also perform an integrity check of the operating system itself. That way, if malware has modified any part of the core operating system, it can be identified and repaired using this file integrity check software. In Windows, this software is called SFC. It will scan your system and make sure that the core operating system files are correct. If it finds any problems, it will say that Windows Resource Protection found corrupt files and successfully repaired them. And then it provides a log of all of the things that were changed.

This is the log file created by the SFC command, the CBS.log file. CBS stands for Component Based Servicing, and my file was about 100 megabytes in size. So this is a significant log file to go through, but it will tell you everything about what applications were checked, what files passed the integrity check, and which files failed the integrity check and were repaired by the SFC process.

Many operating systems also include a host-based firewall. This can prevent someone from accessing your computer from the outside or prevent an application that’s running on your computer from accessing the external network. This is almost a requirement for mobile devices and laptops, because you’re taking these to many different networks, and you’re usually connecting to networks that are unsecured or unfamiliar open networks. These host-based firewalls can restrict traffic based on a particular application, or you can set up rules that will allow or restrict traffic based on a TCP or UDP port number.

These firewalls include a centralized log so you’re able to see exactly what traffic was allowed and what traffic was blocked on this host-based firewall. If you would really like to tighten down the security of an operating system, you can set up an application whitelist, which only allows specifically named applications to be used on that operating system. These are often created and integrated into a centralized operating system management console so that you can manage all of the devices on your network at once.
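Reading the host-based firewall log described above is mostly a matter of parsing it and counting. This added example (not from the video) parses a constructed sample in the W3C text format that Windows Firewall writes to pfirewall.log, using the `#Fields:` header to name each column, and tallies inbound DROP entries by source address and destination port so that repeated probes stand out; the addresses and timestamps are made up.

```python
import collections

# Constructed sample in the Windows Firewall (pfirewall.log) W3C text format;
# these lines are made up for this example, not taken from a real host.
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-03-01 09:12:01 DROP TCP 203.0.113.7 192.168.1.20 51234 445 52 S 0 0 0 - - - RECEIVE
2017-03-01 09:12:02 DROP TCP 203.0.113.7 192.168.1.20 51235 3389 52 S 0 0 0 - - - RECEIVE
2017-03-01 09:12:05 ALLOW TCP 192.168.1.20 198.51.100.10 49811 443 0 - 0 0 0 - - - SEND
2017-03-01 09:12:09 DROP UDP 192.168.1.33 192.168.1.20 137 137 78 - - - - - - - RECEIVE
2017-03-01 09:12:11 DROP TCP 203.0.113.7 192.168.1.20 51236 445 52 S 0 0 0 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the column names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # version, software and time-format header lines
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than mis-assign columns
        yield dict(zip(fields, values))


def summarize_drops(text):
    """Count inbound DROP entries by (src-ip, dst-port); repeated probes rise to the top."""
    counts = collections.Counter()
    for rec in parse_firewall_log(text):
        if rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            counts[(rec["src-ip"], rec["dst-port"])] += 1
    return counts


if __name__ == "__main__":
    for (src, port), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{src} -> port {port}: {n} dropped")
```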

There are many different ways to configure and set up these application whitelists. One way is with an application hash. It’s a very specific and unique identifier of an application, and only the application that matches this hash would be able to execute. Maybe you only want to allow applications that were developed by Microsoft to run on this operating system. You can do that by only allowing applications signed with a particular certificate.

Another way is to enable a certain path from which applications are allowed to run. For example, only applications under the Program Files\Microsoft folder may be allowed to run on this particular operating system. A network zone can also be set up for a whitelist. So you might only allow certain applications to run if they’re running from a particular zone or IP address range on a network. Since these application whitelists are usually integrated into the operating system, the logs for these are usually consolidated into the centralized logging for that OS.

Removable media can also be a significant security concern. You see this with USB drives and portable hard drives that are able to connect to your system through a USB port. These USB devices can be a way to infect your systems with malware, especially if somebody brings a USB drive from home where the home systems were already infected. Sometimes the bad guys will simply leave USB drives in the parking lot, thinking that an employee will pick up the drive, bring it inside, and plug it into a computer, infecting that system.

We also have a security concern about the data going the other direction. Someone can bring in a USB drive, plug it into their system, and then exfiltrate any of that data out of the network by simply putting the USB drive in their pocket and walking out of the building. Fortunately, the Windows event log can tell you exactly who’s using these removable drives, and it will log the file names that were copied to these USB drives or portable hard drives.

If your systems do get infected with malware, your simple anti-virus systems may not be able to provide any type of quarantine or recovery of those systems. In those cases, you want to use advanced malware tools that have been specifically designed to identify malware and remove it from a system. One of the challenges you have with malware is, once it infects a system, it gets in very deep. It spreads to all parts of the operating system, and it becomes very, very difficult to remove. That’s why, in most cases, the best solution is to simply delete everything, restore the operating system, and restore your data files from a known good backup.

Ideally, you want to research as much as possible so that you have the best anti-malware tools and the best recovery tools possible. If you can stop the infection before it gets on your system, you won’t need to use these advanced malware tools. Here are the logs from an advanced malware tool, Malwarebytes Anti-Malware. This is the quarantine log, and you can see exactly what malware was identified, whether it’s a folder, a registry value, or a file, and it will give you the exact location where it identified that piece of malware.

Another important security log is the list of all of the operating system and security patches that have been installed on your computer. This is the log from Windows, found under Control Panel, All Control Panel Items, Programs and Features, Installed Updates. It gives you all of the updates that have been installed for Adobe Reader, Microsoft Visual C++, Microsoft Windows, and any other software that has had security patches installed on this computer.

In order to protect our networks, we need devices that are able to provide a lot of different security functionalities, and we have that in a UTM. This is a unified threat management device. You’ll sometimes see these referred to as web security gateways. These are called unified threat management because they combine a lot of different security technologies into one device.

For example, a UTM could be a firewall, a malware inspector, and a URL filter, along with the infrastructure components needed to connect to the network, such as a CSU/DSU, the router, the switch, wireless connectivity, or even VPN endpoint management. This means that the logs of a UTM will contain many different categories of information. For example, there may be firewall entries telling you that certain types of packets were dropped, or there might be system information telling you that a particular server event has occurred. All of these will be mixed together in the same log, but usually these devices will have filtering capability so that you can break the different components into their individual levels to be able to view the logs a little more easily.

A lot of organizations have started to implement DLP, or data loss prevention, on their network. This is a way to watch the traffic going across the network and identify whether certain types of data may be transferred, such as social security numbers, credit card numbers, or other types of private information. This is a way to stop this information from getting out of your network. So if somebody is inadvertently sending this information, or if the bad guys are intentionally trying to get it out of your network, it can be stopped at the DLP. There are DLP solutions that sit on the network, others that sit on servers, and usually you have to consolidate all of these logs together to be able to see what may have occurred during a file transfer.
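The DLP inspection just described comes down to content matching plus enough validation to keep false positives down. This added example (not from the video or any DLP product) checks an outbound payload for social security numbers and payment card numbers, applies the Luhn checksum so that an arbitrary 16-digit order number is not flagged as a card, and masks the matched values so that the DLP log itself does not become a second copy of the data; the sample payloads are constructed, and the card number is a well-known test number.

```python
import re

# Patterns of the kind a DLP engine applies to outbound content. Constructed for
# this example; a product ruleset covers many more data types than these two.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum that real card numbers satisfy; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text):
    """Return (type, masked value) findings for SSNs and Luhn-valid card numbers."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def dlp_decision(payload):
    """Block the transfer when anything sensitive is found, otherwise allow it."""
    findings = find_sensitive(payload)
    return ("BLOCK" if findings else "ALLOW", findings)


# Constructed sample payloads (the card number is a well-known test number)
SAMPLES = [
    "Quarterly report attached, see you Monday.",
    "Customer SSN 123-45-6789, card 4111 1111 1111 1111 exp 12/20",
    "Order reference 1234567890123456 shipped",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(dlp_decision(s))
```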

Many operating systems will integrate with a CPU to provide data execution prevention. You may see this referred to as the no execute bit in the CPU. Intel calls this the XD bit for execute disable, and AMD calls this enhanced virus protection. This is a way for your operating system and your CPU to work together to allocate a very particular section of memory to be used by executables. If malware tries to execute in an area that is not allocated for an executable, then it will be flagged by DEP, and it will be prevented from infecting this system. This can go by many names, but Windows calls it DEP. And you can find all of the logs associated with DEP in the Windows Event Viewer.

Although web application firewalls, or WAFs, have firewall in the name, they work very differently from a traditional network-based firewall. This is a firewall that looks at the conversations taking place between the web client and the web server. It’s looking at the different types of input, and it’s able to stop any unauthorized or unexpected input into a web-based application.

For example, a SQL injection is a type of input that’s trying to get around the security of a web front end to access data that might be in a database. You often see web application firewalls used in payment card industry environments, where the Data Security Standard, or DSS, must be followed to protect that credit card information.

Here’s an example of the logs you might see for a web application firewall. Each request going through the firewall is listed. You can see the URL, and you can see the attack. So you might see an error response that was suppressed, or an entry where the web application firewall has blocked a SQL injection attempt going into a web-based application.
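To show where log entries like the ones above come from, this added example (not from the video or any WAF product) inspects each query-string parameter of a request against a small, constructed signature set of the kind a WAF applies, and produces one record per blocked parameter with the same fields the video points at: the URL, the attack category, and the action. The sample request URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Signature set of the kind a WAF applies to request parameters. Constructed for
# this example and deliberately small; a real ruleset is far larger.
SIGNATURES = [
    ("sql_union",     re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("sql_stacked",   re.compile(r";\s*(drop|delete|update|insert)\b", re.I)),
    ("sql_tautology", re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("sql_comment",   re.compile(r"(--|/\*)")),
]


def inspect_request(url):
    """Return one WAF log record per parameter that trips a signature.

    A clean request yields an empty list. parse_qsl already percent-decodes the
    values and turns '+' into spaces, so signatures see what the app would see."""
    parts = urlsplit(url)
    records = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        for attack, rx in SIGNATURES:
            if rx.search(value):
                records.append({"url": parts.path, "param": name,
                                "attack": attack, "action": "BLOCK"})
                break  # first matching rule is the one logged for this parameter
    return records


# Constructed sample requests (not taken from any real WAF log)
SAMPLE_REQUESTS = [
    "https://shop.example/search?q=red+shoes",
    "https://shop.example/login?user=admin%27+OR+%271%27%3D%271&pass=x",
    "https://shop.example/item?id=1+UNION+SELECT+name%2Cpass+FROM+users--",
]

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        hits = inspect_request(url)
        print(url, "->", hits if hits else "ALLOW")
```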