Blat. Fdate. Perl.
Tracking spies isn't the thrill it's cracked up to be.
Mark Reed should know. As the Information Security manager at American Airlines FCU (AAFCU), he's responsible for monitoring the log files that record visits to the credit union's systems and applications. "Log management is pretty boring," said Reed.
But with a few tricks he pulled from his sleeve, Reed said logs are now his "best friends."
Reed uses scripting tools to automatically extract only what he wants to see from the volumes of information spit out by the credit union's multiple logs every day.
"It's impossible to sit down and read all the lines of a log like regulators tell you to do," he explained. "I tried it one day. I sat down with this million-line log, and I got to line 15 before I closed it and started reading my e-mail."
Unfortunately, Reed can't ignore the logs. "They're the primary record keepers for the credit union: the basis for disaster recovery, evidence for prosecution, and tracking intruders. Besides, the NCUA likes it."
Perl makes monitoring the million-line logs easier, Reed continued. A programming language, Perl is one "extremely powerful tool for selectively extracting information from your logs."
For example, Reed uses Perl in NTLast, a log-in analysis tool for batch file environments. NTLast sifts through the million-line logs, identifying suspicious access to the Virtual Private Network and failed logons to the CU's servers. "I get just a few lines of code that give me valuable information every day," he said.
Reed then filters the NTLast results by time and date using freeware called Fdate.
Another script command, from a tool called Blat, automatically sends the filtered log to Reed's inbox every day for easy access.
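As an added illustration of the three-step routine described above (extract failed logons, filter by date, package the result for e-mail), here is a small Python script that is not code from the article or from NTLast, Fdate or Blat, and uses Python rather than Perl. The log lines and their field layout are constructed for the example, and the e-mail addresses are placeholders; the script builds the message but does not send it.

```python
"""Selective extraction of failed logons from a daily log, then a mailable summary.

Added example, not code from the article or from the tools it names.
The log lines below are constructed to resemble a Windows security log
export; the field layout (timestamp, event id, user, host, outcome) is
an assumption made for this example.
"""
import re
from collections import Counter
from datetime import datetime
from email.message import EmailMessage

# Constructed sample: "<timestamp> <event id> <username> <workstation> <outcome>".
SAMPLE_LOG = """\
2006-03-01 08:02:11 528 jsmith WS-114 SUCCESS
2006-03-01 08:05:42 529 admin VPN-GW FAILURE
2006-03-01 08:05:50 529 admin VPN-GW FAILURE
2006-03-01 08:06:03 529 admin VPN-GW FAILURE
2006-03-01 09:15:27 528 mreed WS-201 SUCCESS
2006-03-02 02:41:09 529 backup FS-01 FAILURE
2006-03-02 07:58:44 528 jsmith WS-114 SUCCESS
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\d+) "
    r"(?P<user>\S+) (?P<host>\S+) (?P<outcome>SUCCESS|FAILURE)$"
)


def parse(lines):
    """Yield one dict per line that matches the expected layout; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def failed_logons(lines, day):
    """Keep only FAILURE records (the NTLast-style step) for one calendar day,
    given as 'YYYY-MM-DD' (the Fdate-style date filter)."""
    wanted = datetime.strptime(day, "%Y-%m-%d").date()
    return [r for r in parse(lines)
            if r["outcome"] == "FAILURE" and r["ts"].date() == wanted]


def summarize(records):
    """Count failures per (user, host) so repeated attempts stand out."""
    return Counter((r["user"], r["host"]) for r in records)


def build_report(lines, day, sender, recipient):
    """Build (not send) the daily e-mail; the addresses are placeholders."""
    counts = summarize(failed_logons(lines, day))
    body = [f"Failed logons for {day}:"]
    body += [f"  {n:3d}  {user}@{host}" for (user, host), n in counts.most_common()]
    if len(body) == 1:
        body.append("  none")
    msg = EmailMessage()
    msg["Subject"] = f"Failed logons {day}"
    msg["From"] = sender
    msg["To"] = recipient
    msg.set_content("\n".join(body))
    return msg


if __name__ == "__main__":
    report = build_report(SAMPLE_LOG, "2006-03-01",
                          "logs@example.invalid", "infosec@example.invalid")
    print(report.get_content())
```

Run against the sample, the report for 2006-03-01 collapses three failures into a single line for admin@VPN-GW, which is the kind of short daily digest the article describes: a few lines a day instead of a million.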
Reed can also view the various logs in one place using KiwiSyslog Daemon, freeware that collects and displays events from routers, firewalls, and switches. "This is helpful if people get into your server and then try to erase their tracks on the server log," Reed continued. "What they don't know is that the server has already sent a message out to the centralized Kiwi Syslog."
Kiwi Syslog has provided evidence for internal investigations and helped the Human Resources department track employee Internet surfing at the CU, he added.
Reed also knows if two or more unusual events from different device logs are at all connected. An event management solution called enVision gives the $4-billion CU a dashboard view of network traffic and delivers five-factor correlations. "Based on canned or customized correlation rules, enVision might see a login on my external firewall and within a few minutes another login on my internal switch and will generate an alert," Reed said.
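To show what the correlation rule Reed quotes looks like in practice, and why it depends on the centralized collection described earlier, here is an added Python example that is not code from the article, from enVision or from Kiwi Syslog. It parses constructed syslog lines from two devices (an external firewall and an internal switch) as a central collector would hold them, normalises them into events, and raises an alert when a firewall login is followed within a few minutes by a switch login for the same user. The device names, message formats and the year supplied for the timestamps are assumptions.

```python
"""Cross-device login correlation over centrally collected syslog.

Added example, not code from the article or from the products it names.
The syslog lines, device names and message formats are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of what a central syslog collector would hold from two devices.
SYSLOG_LINES = """\
Mar  1 22:14:03 fw-ext sshd[2201]: Accepted password for netops from 203.0.113.45 port 51022
Mar  1 22:16:40 sw-core login: user netops logged in from 10.0.0.45
Mar  1 23:05:12 fw-ext sshd[2290]: Accepted password for auditor from 198.51.100.7 port 40110
Mar  2 06:30:00 sw-core login: user netops logged in from 10.0.0.45
""".splitlines()

# One pattern per device type; both capture the same fields so a rule can compare them.
FW_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>fw-\S+) sshd\[\d+\]: "
    r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)"
)
SW_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>sw-\S+) login: "
    r"user (?P<user>\S+) logged in from (?P<src>\S+)"
)


def parse_syslog(lines, year=2006):
    """Normalise both device formats into events with a real datetime.
    BSD-style syslog timestamps carry no year, so one is supplied (assumption)."""
    events = []
    for line in lines:
        for kind, pattern in (("fw_login", FW_LOGIN), ("sw_login", SW_LOGIN)):
            m = pattern.match(line)
            if m:
                ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
                events.append({"kind": kind, "ts": ts, "host": m["host"],
                               "user": m["user"], "src": m["src"]})
                break
    return sorted(events, key=lambda e: e["ts"])


def correlate_logins(events, window_minutes=5):
    """Alert when a firewall login is followed, within the window, by an
    internal switch login for the same user. Each alert records both hosts
    and the gap in seconds so an analyst can judge it quickly."""
    window = timedelta(minutes=window_minutes)
    firewall = [e for e in events if e["kind"] == "fw_login"]
    switch = [e for e in events if e["kind"] == "sw_login"]
    alerts = []
    for a in firewall:
        for b in switch:
            if a["user"] == b["user"] and a["ts"] <= b["ts"] <= a["ts"] + window:
                alerts.append({
                    "user": a["user"],
                    "external": a["host"],
                    "internal": b["host"],
                    "gap_seconds": int((b["ts"] - a["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_logins(parse_syslog(SYSLOG_LINES)):
        print(alert)
```

On the sample, only the netops pair on March 1 fires (the switch login 157 seconds after the firewall login); the auditor login has no follow-up, and the March 2 switch login falls outside the window. Because both device logs were already copied to the collector, the rule still has both halves of the pair even if someone later clears the log on one of the devices.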
Reed has been reading logs for a number of years and admits that some of his scripting tools, while effective, are also somewhat archaic. "There are probably 100 tools that perform similar tasks, but I haven't been watching the market," he said.
What's important, even for smaller CUs, is to choose some tools and use a few simple commands to highlight the critical events in the logs, he said.
Reed hasn't confronted a slew of security incidents in his life of logging at AAFCU. "But almost weekly I find misconfigured routers and devices."
Reed listed more than 20 systems and applications that generate daily logs at the Ft. Worth, Texas-based CU, including the Intrusion Prevention system, antivirus software, Network Attached Storage device, and e-mail server.
Reed addressed the issue at the first annual Credit Union IT Risk Management Summit, sponsored by the CU Information Security Professionals Association (CUISPA).
For info on this story: American Airlines FCU at www.aacreditunion.org; Blat at www.blat.net; Envision at www.networkintelligence.com; Fdate at www.ferg.org; Kiwi Syslog Daemon at www.kiwisyslog.com; NTLast at www.foundstone.com; and Perl at www.perl.com