Network security is one of those areas of IT that most network managers and admins know they need to focus on more. For the small to medium business market, security projects
are too often delayed or avoided altogether for various reasons. Probably the biggest reasons are the cost and the perceived complexity of security solutions. Admins in organizations that do not have a dedicated security staff can quickly get overwhelmed by the very idea of the management and upkeep of such systems, let alone the initial planning and deployment. But a security solution doesn’t have to be an expensive, complex, monolithic system. As a matter of fact, it shouldn’t be that alone.
The key to any security solution is timely collection of relevant information. But just as important is the timely review of that information. Discovering a security breach weeks after it happened either because the information wasn’t collected or because that information wasn’t reviewed has the same end result: It’s way too late and the damage, most likely, has already been done. So, spending a large amount of capital on a good solution and not monitoring it is almost as bad as not having a solution at all. Unfortunately, for most SMBs, either of those two scenarios describes the current security solution. Network admins working full time on the day to day management of the systems that users are always accessing usually have little time to manage a security system that can also consume a great deal of time. Most often, the security system gets attention when someone has some spare time and/or when someone remembers it is there.
But, there are other ways to collect and review information relevant to network security and health. I certainly wouldn’t suggest going without an actual security solution, but tools that have been in the network admin’s kit for some time, and are often overlooked, could come in to play both as a stopgap measure and as an augmentation to an existing deployment. Syslog is one of these often overlooked yet versatile and very handy tools.
I had a customer years ago who used a simple syslog server to augment his firewall’s IPS. Network security wasn’t his forte, so he found that getting alerts from his firewall’s IPS was somewhat confusing, especially since he wasn’t sure if they were false positives or not. And, consulting with the vendor every time an email was received could get expensive. So, he wasn’t as interested in getting an alert from the IPS telling him what, exactly, was going on as he was in getting a notification that something was going on. His approach was extremely basic: if my syslog server receives more than X amount of messages in Y amount of time, send me an email. His firewall was configured to send syslog messages whenever something happened… good or bad. I was contracted to perform a perimeter security scan from outside his network and, although he knew we would be performing the audit, he did not know when it would be initiated. Within a few minutes of beginning the scan, the customer called my cell phone and asked if I had started the audit. I was somewhat shocked because, not only was that the first time that happened, but it was within minutes of execution. I was even more shocked when the customer told me how he was able to so quickly discover what was going on. It was a simple approach to a complex problem that worked out well for him.
So, am I saying ditch the expensive, complex security solutions because a simple syslog server will suffice? Not at all. The solution my customer used was ingenious, but it would be easy to defeat if that is all there was. If I had been more stealthy, there is a good chance that I would not have been detected. However, if tools like syslog and other log analyzers are all that are available, then they are a good start to a security solution. Products such as Splunk, Graylog (open source option), and Elasticsearch/Logstash/Kibana (also known as ELK), to name a few, have taken log analysis to a higher level. These products allow admins to quickly search through large amounts of data and instantly visualize the results with timelines and graphs.
Not only are tools like these ideal for everyday network health monitoring and troubleshooting, they are well suited for security log analysis. Pulling events in from a network security solution as well as other sources such as servers, switches, and routers, allows for event correlation from many data points. Also, the ability to view, filter, and search events as well as create custom configurations allows for easier use for the network admins. The ability to collect and analyze data from disparate systems all in one place would be a very good addition to any network, big or small. But, for an SMB, it could be a very good first step towards implementing a full security solution.
If you are looking for a streamlined approach to complex problems RKL eSolutions can help you with all your Cyber Security and Network questions. Contact us at 717-735-9109 or email.