Your Firewall Doesn’t Work the Way You Think It Does. An Introduction to Log Monitoring and Auditing
By Jeremy Louise | May 8th, 2019
As part of my role at TSI, I meet with a wide range of different businesses. More often than not, when I ask about their current log monitoring efforts, people aren’t even sure what this really does, and are surprised to find how unequipped they’re cyber security strategy is.
In this piece, I’d like to go into detail on what firewall log monitoring is, what it does and why it’s so important. By the end, you’ll have what you need to start taking advantage of this pivotal technique in your own organization and ensure you understand the full capabilities of your current solution.
What is Firewall Log Auditing?
Many people are unaware that firewalls and other critical IT network security devices keep log files on a regular basis. These files contain records of important events that have taken place, providing you with a much-needed context to better understand how your systems are functioning and, more importantly, why.
On a regular day, log data can be invaluable in terms of troubleshooting and solving everything from hardware issues to configuration problems. In a worst case scenario, logs can help you better understand aggressive or otherwise malicious activity affecting your network (think: an intrusion attempt).
Log information can include not only an overview of activity but also destination and source addresses, user login information and time stamps.
Why is Firewall Log Auditing Important?
Log auditing is important for a variety of reasons, and cyber security is only one of them. These reasons include:
- Regulatory Compliance. For most compliance regulations, this is not a recommendation – it is a requirement. HIPAA, for example, not only requires you to archive log data, specific reports and routine check-up information on a regular basis, but your log management system needs to maintain that data for up to six years.
- FISMA also requires that log files be created and kept as a mandatory part of a company’s security policy.
- Requests Driven By a Vendor or Client. If you aren’t compliant, some of your vendors and/or clients won’t be, either. As a result, log monitoring and auditing can help them take care of these issues on their end by guaranteeing that all of their associates are up-to-date with any and all governing bodies. These vendor or client requests may also happen during a merger with another business or an acquisition, when filing for an IPO and more.
- Enforcement of Company Policies. Log files (and their associated log managers) can also reveal details about what a business’ own employees are up to. Managers can see when company computers and other resources are used in unauthorized ways, and proactively correct user behaviors.
- In addition to this, and if users are acting nefariously, log information can help managers get to the bottom of this type malicious employee activity before a larger issue arises. Even if someone attempts to steal proprietary company information using removable storage, a log will act as a digital “paper trail” leading right back to the source. You can see when someone logged in, where, what they accessed, what they did with that data and more.
- One data breach report from Verizon showed that in 2009, 66% of enterprise data breach victims had evidence already available in their logs that could have helped identify an attack in a way that still allowed proactive measures to be taken.
- By 2012, that number had grown to 84%.
- That said, these features are not included with your run of the mill anti-virus solution and will require a certain degree of technical expertise to enjoy this functionality.
Of course, the cyber security-related benefits of firewall log monitoring and auditing are important, too. These logs can shed insight into which IP addresses are being rejected, how many unsuccessful logins are happening (and when), outbound activity from internal servers, and even source routed packets. Source routed packets in particular help identify when someone is trying to gain access to your internal network from the outside. They can be used to gain access to a machine – even if it has a private address – and therefore must be watched carefully.
Without this information, you typically know “what” is going on but you don’t know “why.” Failure to address this from a compliance perspective could get you financially penalized – or cause you to lose out on business if this is a requirement of a potential client. You might know that employees are bringing their own devices to work, but you’re not sure what they’re doing – and once one of those devices has been compromised, the same is true of your network as well. You might know that a data breach occurred, but you’re not sure of what the damage is – nor do you have what you need to help make sure it doesn’t happen again.
What Your Firewall Doesn’t Do
At its core, a firewall is a device that monitors both incoming and outgoing network traffic. Based on a pre-defined set of security roles, it is also used to either allow or block certain devices or traffic as needed. In other words, it’s a way to control the flow of traffic either into or out of your network.
Firewall monitoring encompasses all of the rules, filters, exceptions and other criteria that are programed into the firewall. It’s a technique used to make sure that they are all A) accurate, and B) up-to-date.
But just because your firewall is denying traffic the way you want it to be, and that all policies are updated, doesn’t mean that your network is secure or cyber incidents reported upon. If some of your computers are infected with malware, for example, that malicious outgoing traffic could easily be denied by your firewall – but that doesn’t take care of the fact that this malware exists on your computers. If you’re only looking at firewall monitoring, you may not even be aware that the malware exists at all. The traffic is being stopped, and thus no “damage” is being caused.
Firewall log monitoring and auditing may show you the root cause of that suspicious activity, alerting you to the presence of the malware and giving you the ability to do something about it.
To put it another way, firewall traffic monitoring helps you understand what is going through the firewall, while log monitoring and auditing also extend that visibility into what is potentially going through the firewall, as well.
Other Essential Considerations
It’s also important to understand that firewall log monitoring and auditing are components of a Security Information and Event Management solution, otherwise known as SIEM.
SIEM leverages your firewall’s capabilities to provide real-time monitoring, overarching console views, offer long-term storage and analysis for logs and security records, proactive activity and issues alerting when a suspicious sequence of events occur, and more. It’s particularly relevant to applications that verify user identities and manage access to information, among other key security insights.
Secure Your Future By Securing Your Present
By now, you should have a better understanding of what firewall log monitoring is and why it’s so essential within the context of your larger cyber security strategy. I also understand that it’s a naturally complicated topic, and this document was not designed to be the “final word” on the subject. Instead, what I tried to do is simply provide you with the resources you needed to get started, leveraging the full power of log monitoring to your advantage.
Simply put, the insight generated by this service is too important – and too far-reaching – to ignore.
It’s Your Move!
If you feel like you need more assistance, the good news is that this is the type of service we help our clients with on a daily basis here at TSI. To get answers to any other questions you might have, or to see if we might be able to overhaul your own log monitoring methods, please reach out to myself or a colleague today.