GCN : February 2014
5 WAYS TO USE EVENT DATA TO SPOT NETWORK TROUBLE

INDUSTRY INSIGHT BY CHRIS LaPOINT

When the Federal Information Security Management Act was passed in 2002, federal agencies received a wake-up call to tighten the reins on information security. Driven by FISMA's compliance framework, which set forth unwavering standards for federal data security, agencies began to adopt new ways to check what was happening on their networks. Log and event managers (LEMs) became a crucial part of that monitoring process.

Now, like coffee in the commissary, LEMs are a staple in agencies, doing their jobs and keeping things up and running. Administrators use them to collect information on network activity, store the data and look for patterns.

In fact, this last point -- the constant monitoring of patterns -- is key to the life of an administrator. That's because recognizing patterns is critical to being able to detect threats on the network. Anything that breaks a pattern can be a precursor to suspicious behavior.

Consider an unauthorized user trying to access the network or unexpected changes being made to a system's configuration. Consider new devices -- once foreign to the system -- pinging the network, or strange database transactions that have never been seen before. These are all breaks in the normal pattern and signposts for potential trouble ahead.

Without network monitoring technology -- and knowing where to focus it -- it's often tough to pick up these clues in the thicket of information that administrators deal with on a daily basis. LEMs can help. They are very good at automatically catching potential network red flags and alerting administrators to them. They are ideal for reporting on potential security, compliance and operations issues. With LEMs, all of it can be done in real time, allowing the administrator to immediately take action on potential threats across the board.

Still, administrators should know what to look out for as they comb through log and event data. They need to be aware of signs that signify a disruption in normal network patterns. Homing in on the following five types of events will go a long way toward helping administrators maintain the security of their networks.

1. User access abnormalities. Administrators must look out not only for unauthorized users accessing the system, but also for attempts to access it at odd hours, which could be a sign of trouble.

2. Configuration changes. Hackers sometimes make configuration changes to try to make the network more adaptable to their plans. As a result, changes could signify that someone has tampered with the network -- or they could simply be the result of an authorized administrator making adjustments to help the network and its users operate more efficiently. Regardless, it's better to be cautious and take a close look at any configuration changes the event manager warns about.

3. Patterns matching threat indicators. Administrators should go the extra mile and compare data in their logs to external sources, such as known blacklists. Simultaneously, they should be aware of specific types of activity that could indicate threats. These can include excessive numbers of failed login attempts or remote logins from unusual locations. They should also be on the lookout for heightened use of removable storage devices, such as USB flash drives. Hackers sometimes use these devices to store viruses. And workers with no malicious intent may use them to take sensitive information beyond the walls of the federal agency, potentially making it more available to unauthorized users.

4. New device and user combinations. It's not enough to keep tabs on new devices hitting the network. Beyond that, administrators will want to link devices directly to users, ensuring that no one who is not authorized to use a device -- someone else's iPad, for example -- is doing so.

5. Strange database activities. Federal agencies live on data. As such, databases are components to monitor closely. Any activity that breaks everyday patterns, such as unusual database transactions or rapid, unexpected growth in a database's size, should be flagged and investigated.

LEMs can help agencies better manage and monitor each of these events. But it helps if administrators also know where to focus their efforts. Doing so can help identify breaks in the pattern and prevent security breakdowns.

Chris LaPoint is vice president of product management at IT management software provider SolarWinds, based in Austin, Texas.
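The five event types above map naturally onto a small set of detection rules run over normalized log records. The following is an added example, not code from the article, from GCN or from SolarWinds: the log records, the policy thresholds (business hours, allowed locations, the blocklist entry, the failed-login count, the device-owner table and the database growth ratio) are all constructed for illustration, and each rule's output is keyed by the article's numbering so an administrator can see which of the five patterns fired.

```python
"""Added example: rule-based triage of log events for the five patterns the
article lists. All records, thresholds and names below are constructed."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log records, one dict per event (not real agency data).
SAMPLE_EVENTS = [
    {"ts": "2014-02-03T09:05:00", "type": "login", "user": "alice", "src": "10.0.0.5",
     "geo": "US", "device": "WS-ALICE", "ok": True},
    {"ts": "2014-02-03T02:30:00", "type": "login", "user": "bob", "src": "10.0.0.9",
     "geo": "US", "device": "WS-BOB", "ok": True},            # odd-hour access
    {"ts": "2014-02-03T09:10:00", "type": "login", "user": "carol", "src": "203.0.113.7",
     "geo": "RO", "device": "WS-CAROL", "ok": True},          # unusual location + listed source
] + [
    {"ts": f"2014-02-03T09:1{i}:00", "type": "login", "user": "dave", "src": "198.51.100.4",
     "geo": "US", "device": "WS-DAVE", "ok": False} for i in range(6)   # six failed logins
] + [
    {"ts": "2014-02-03T10:00:00", "type": "config_change", "user": "eve", "host": "fw-01",
     "setting": "acl.allow_any", "old": "false", "new": "true"},
    {"ts": "2014-02-03T10:05:00", "type": "usb_mount", "user": "alice", "device": "WS-ALICE"},
    {"ts": "2014-02-03T10:10:00", "type": "login", "user": "frank", "src": "10.0.0.40",
     "geo": "US", "device": "IPAD-ALICE", "ok": True},        # someone else's device
    {"ts": "2014-02-03T00:00:00", "type": "db_size", "db": "records", "size_mb": 1000},
    {"ts": "2014-02-03T12:00:00", "type": "db_size", "db": "records", "size_mb": 1400},
    {"ts": "2014-02-03T12:01:00", "type": "db_query", "db": "records", "user": "svc_app",
     "rows": 250000},
]

# Constructed policy; a real deployment would derive these from its own baseline.
POLICY = {
    "business_hours": (6, 20),            # successful logins expected 06:00-19:59
    "allowed_geo": {"US"},
    "blocklist": {"203.0.113.7"},         # placeholder entry, not a real indicator
    "failed_login_threshold": 5,
    "device_owner": {"WS-ALICE": "alice", "WS-BOB": "bob", "WS-CAROL": "carol",
                     "WS-DAVE": "dave", "IPAD-ALICE": "alice"},
    "db_growth_ratio": 1.25,              # flag a 25% jump between size samples
    "db_rows_threshold": 100000,          # flag unusually large result sets
}


def analyze(events, policy=POLICY):
    """Return {category: [finding, ...]} for the five patterns in the article."""
    findings = defaultdict(list)
    failed = Counter()        # failed logins seen per user
    last_size = {}            # last recorded size per database
    start, end = policy["business_hours"]
    for e in sorted(events, key=lambda ev: ev["ts"]):   # ISO timestamps sort as text
        hour = datetime.fromisoformat(e["ts"]).hour
        kind = e["type"]
        if kind == "login":
            # 1. access at odd hours
            if e["ok"] and not (start <= hour < end):
                findings["1_user_access"].append(
                    f"{e['user']} logged in at {e['ts']} outside business hours")
            # 3. threat indicators: failed-login bursts, odd locations, blocklist hits
            if not e["ok"]:
                failed[e["user"]] += 1
                if failed[e["user"]] == policy["failed_login_threshold"]:
                    findings["3_threat_indicator"].append(
                        f"{failed[e['user']]} failed logins for {e['user']} from {e['src']}")
            if e["geo"] not in policy["allowed_geo"]:
                findings["3_threat_indicator"].append(
                    f"{e['user']} logged in from unexpected location {e['geo']} ({e['src']})")
            if e["src"] in policy["blocklist"]:
                findings["3_threat_indicator"].append(f"source {e['src']} is on the blocklist")
            # 4. device used by someone other than its registered owner
            owner = policy["device_owner"].get(e["device"])
            if owner is None:
                findings["4_device_user"].append(f"unknown device {e['device']} used by {e['user']}")
            elif owner != e["user"]:
                findings["4_device_user"].append(
                    f"{e['user']} used {e['device']}, which is registered to {owner}")
        elif kind == "config_change":
            # 2. every configuration change is surfaced for review, benign or not
            findings["2_config_change"].append(
                f"{e['user']} changed {e['setting']} on {e['host']}: {e['old']} -> {e['new']}")
        elif kind == "usb_mount":
            # 3. heightened removable-storage use
            findings["3_threat_indicator"].append(
                f"removable storage mounted on {e['device']} by {e['user']}")
        elif kind == "db_size":
            # 5. rapid, unexpected growth in database size
            prev = last_size.get(e["db"])
            if prev is not None and e["size_mb"] >= prev * policy["db_growth_ratio"]:
                findings["5_database"].append(f"{e['db']} grew from {prev} MB to {e['size_mb']} MB")
            last_size[e["db"]] = e["size_mb"]
        elif kind == "db_query" and e["rows"] >= policy["db_rows_threshold"]:
            # 5. unusual transaction volume
            findings["5_database"].append(f"{e['user']} read {e['rows']} rows from {e['db']}")
    return dict(findings)


if __name__ == "__main__":
    for category, items in sorted(analyze(SAMPLE_EVENTS).items()):
        print(category)
        for item in items:
            print("  -", item)
```

Each rule is deliberately simple so the logic can be audited against the article's list; in practice the thresholds and the device-owner table would come from the agency's own baseline, and the blocklist from whatever external source the administrator has chosen to compare against.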