The Achilles heel of IT Security Defensive Measures: Log File Manipulation by authorized personnel. “Trust is good but Verification is better”
From Dr. Heiner Kromer, CEO SECUDE
In this 2nd and final part of my blog, I will write about how the system administrator holds the key to the company’s most critical data and how HALOCHAIN technology can be used to mitigate the risks related to log file manipulation.
Authorized personnel wield significant power over data. For hackers and state-sponsored data theft, administrators are the key target. The administrator holds the keys to the kingdom. We all remember the data theft from the Swiss banking system, sold to the tax authorities in Germany, the USA, France, Italy, etc. The thieves made a killing selling the data, and quite a few are still being sought under international warrants to bring them to justice.
We recall the famous thefts by Edward Snowden and Chelsea Manning, devastating to the US intelligence agencies. No one was able to detect the theft despite all possible defensive walls and intelligent behavioral threat detection.
Why? If the actor is authorized, the defensive systems recognize the activity as friendly. And, most importantly, after the theft, any suspicious log files were wiped out.
This is why the data theft was devastating: the forensic analysis was unable to see the extent of the theft. There was no trace. It was the unlawful publication that brought the extent of the damage to light. It destroyed the entire intelligence network of the US in China and Russia and took down countless intelligence agents. It set the USA back at least 10 years. We will probably never know just how bad the damage to intelligence gathering was.
Every company faces a similar threat. Every administrator is a potential problem. We vet and carefully select administrators. We trust them. However, remember Ronald Reagan’s famous statement to Gorbachev: “Trust is good, but verification is better”.
The question is: How do we protect our IT landscape from the mischief of administrators? Who checks the power of authorized personnel, and how do we verify that our data are not manipulated?
This is the nightmare reality of every CIO and top management and represents a minefield of potential problems.
Solution: Ignore it, because it is a built-in systems problem that everybody must accept.
Not so, anymore. It is possible to solve it.
SECUDE made an effort to solve the problem through Blockchain.
After several years of effort, we concluded that using Blockchain was like using a sledgehammer to kill a mouse. It became too complex and too costly to implement and operate. We needed to find a simpler and more efficient way of mitigating the risks related to logging file manipulation.
Our first conclusion was that while we might not prevent data theft by authorized personnel, we can establish in near real time whether log files have been manipulated. That in itself is a deterrent to intentional log file manipulation. Wiping tracks is the point: if we can prove that we can prevent the wiping or changing of log files, that is a very effective tool to dissuade an administrator from even trying to manipulate them.
The technology world is rapidly changing, and with the proliferation of cloud and digital devices, communication and data exchange between organizations have increased.
Every action on digital platforms, social media, IoT devices, mobile, telecom, and IT systems generates data in one form or another. This tremendous data explosion also poses a challenge, as the data can become a target for hackers. Suspicious activity has to be detected before or during the forensic investigation, and this can be achieved with the help of log files.
Log files and data security
Log files contain details of all events that occur within an organization’s systems and networks, including but not limited to servers, firewalls, and other IT devices. The event logs show deviations from expected activity, providing visibility into potential configuration, hardware, and security issues.
By using these log files, one can determine the causes of errors or security breaches. They also help to determine whether an error was intentional or accidental, depending on the number of attempts to breach the security system.
A higher number of attempts to breach the system indicates that more security is needed to protect the data. Unfortunately, even these log files can be tampered with by the system administrators themselves.
Log file manipulation
Log file manipulation has recently become a critical problem that many organizations face. Even though administrators are vetted and verified for their integrity, they can easily abuse their privileges, and privilege abuse is turning into a real threat.
Administrators usually have elevated privileges that allow them to access sensitive data partly or in full. They can misuse these privileges to launch data theft and wipe the tracks of their action to make it difficult if not impossible to figure out what was done by forensic means. It is easy for an administrator to change or delete logs to mask their activities. In such a case, it will be hard to determine the perpetrator or prove their guilt.
Is Blockchain technology the answer?
So far, no solution that is relatively simple and inexpensive has emerged to solve this problem. Those of us in the security business have resigned ourselves to the fact that the threat scenario of manipulated log files is something we live with.
Blockchain, the new buzzword in digital transactions, should have provided the answer. Theoretically, it is possible to tackle this problem with Blockchain technology.
At SECUDE, we tried to deploy Blockchain for the log files of our own solutions. However, it became far too complex and immensely expensive to deploy and manage. The distributed ledger idea and the processing time factor eliminated Blockchain. We could not overcome the major resources needed while keeping the cost at a reasonable level.
HALOCHAIN Technology to the rescue
In my earlier blog Beyond Blockchain: An Introduction to HALOCHAIN, I gave a brief introduction about the HALOCHAIN technology that our incredibly talented engineers came up with (Patent pending).
We used the HALOCHAIN technology to secure our own product’s log files. Now we can confidently demonstrate the feasibility of this solution, which has many use cases in IT.
Let me briefly take you through our solution.
HALOCORE and HALOCAD, our data security software, record every file export from SAP and PLM systems, respectively. In addition, the HALOCORE admin interface records every setting change throughout its lifetime. Both recordings are candidates for potential manipulation, even if they are protected with access control and other security measures.
Taking it a big step further, in HALOCORE server 6.1 the preview feature of HALOCHAIN is available for the first time. Every single log and settings change will be tightly secured by utilizing HALOCHAIN on the HALOCORE server. No change on any client is required! Turn the future on simply by setting it up on our Core Server.
During setup for HALOCHAIN secured logs, an encryption certificate will be created for you and securely stored. This certificate is only accessible to the HALOCORE Server and is tightly protected.
This certificate will be utilized by the HALOCHAIN algorithm to sign the calculated value. The HALOCHAIN algorithm provides a collision-resistant value based on a state-of-the-art hashing algorithm to detect even the smallest modification in the log.
The HALOCHAIN algorithm uses a piece of relationship-establishing information called the seed. This seed allows groups of logs, individual logs, and complete log files to be checked for modifications, deletions, and other manipulations. Thanks to the homomorphic nature of the seed, all of this is possible without needing a full chain.
The output of the HALOCHAIN algorithm can simply be forwarded to any connected SIEM system for additional protection and business continuity where companies rely heavily on the feature set of a modern SIEM. Exporting these values still allows them to be validated and checked by HALOCHAIN.
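The page does not disclose how HALOCHAIN is constructed (it is patent pending), so the following is an added, generic illustration rather than SECUDE's code: a seeded hash chain over log entries, plus a keyed tag per entry, that makes the manipulations named in the "Log file manipulation" section (edited entries, deleted entries, a full re-chain done without the key, and a truncated tail) detectable, and that shows why forwarding the chain head to a SIEM matters for the last case. The signing key, seed and log lines are constructed for the example, and an HMAC stands in for the certificate-based signature the page describes.

```python
import hashlib
import hmac

# Constructed values for this example only. A real deployment would sign with
# a private key bound to a certificate (the page says HALOCORE creates one at
# setup); an HMAC key stands in for that here so the example runs offline.
SIGNING_KEY = b"constructed-demo-signing-key"
# Hypothetical per-log-file seed that anchors the chain; the page names a
# "seed" but does not specify how it is built.
SEED = b"constructed-seed-for-log-file-01"

# Constructed sample log lines, modelled on the settings-change and export
# events the page says are recorded.
LOG_LINES = [
    "2021-07-14T08:00:01Z admin=alice action=setting_change key=export_policy value=strict",
    "2021-07-14T08:02:17Z user=bob action=file_export src=SAP doc=constructed-doc-1",
    "2021-07-14T08:05:42Z user=bob action=file_export src=PLM doc=constructed-doc-2",
    "2021-07-14T08:09:03Z admin=alice action=setting_change key=export_policy value=relaxed",
]


def _digest(prev_hex, entry):
    # Each digest covers the previous digest, so neighbours are linked.
    return hashlib.sha256((prev_hex + "\n" + entry).encode()).hexdigest()


def _tag(key, index, digest_hex):
    # Binds index and chained digest to the key holder, so a re-chain
    # performed without the key is detectable.
    return hmac.new(key, f"{index}:{digest_hex}".encode(), hashlib.sha256).hexdigest()


def chain_entries(entries, seed=SEED, key=SIGNING_KEY):
    """Build tamper-evident records for a list of log entries."""
    prev = hashlib.sha256(seed).hexdigest()
    records = []
    for index, entry in enumerate(entries):
        digest = _digest(prev, entry)
        records.append({"index": index, "entry": entry, "prev": prev,
                        "digest": digest, "tag": _tag(key, index, digest)})
        prev = digest
    return records


def verify_chain(records, seed=SEED, key=SIGNING_KEY):
    """Return a list of problems; an empty list means the chain is intact."""
    problems = []
    prev = hashlib.sha256(seed).hexdigest()
    for position, rec in enumerate(records):
        if rec["index"] != position:
            problems.append(f"index gap at position {position}: record claims index {rec['index']}")
        if rec["prev"] != prev:
            problems.append(f"chain break at index {rec['index']}")
        if rec["digest"] != _digest(rec["prev"], rec["entry"]):
            problems.append(f"entry modified at index {rec['index']}")
        if not hmac.compare_digest(rec["tag"], _tag(key, rec["index"], rec["digest"])):
            problems.append(f"signature invalid at index {rec['index']}")
        prev = rec["digest"]
    return problems


def export_head(records, seed=SEED):
    """The value to forward to a SIEM: entry count and chain head. Held
    outside the server, it exposes truncation that an internally consistent
    but shortened chain would not reveal on its own."""
    if not records:
        return {"count": 0, "head_digest": hashlib.sha256(seed).hexdigest()}
    return {"count": len(records), "head_digest": records[-1]["digest"]}


def verify_against_export(records, exported, seed=SEED, key=SIGNING_KEY):
    """Full chain check plus comparison with the value the SIEM holds."""
    problems = verify_chain(records, seed=seed, key=key)
    if len(records) != exported["count"]:
        problems.append(f"truncated: {len(records)} entries on disk, {exported['count']} exported")
    elif export_head(records, seed)["head_digest"] != exported["head_digest"]:
        problems.append("head digest differs from exported value")
    return problems


def simulate_rechain_without_key(records, index, new_entry, seed=SEED):
    """Model an insider who edits one entry and recomputes every later digest
    but does not hold the signing key. Used only to show what the tag catches."""
    entries = [r["entry"] for r in records]
    entries[index] = new_entry
    forged = chain_entries(entries, seed=seed, key=b"not-the-server-key")
    for i in range(index):  # the untouched prefix keeps its genuine tags
        forged[i]["tag"] = records[i]["tag"]
    return forged


if __name__ == "__main__":
    recs = chain_entries(LOG_LINES)
    print("intact:", verify_chain(recs))
    edited = [dict(r) for r in recs]
    edited[1]["entry"] = edited[1]["entry"].replace("constructed-doc-1", "other-doc")
    print("edited entry:", verify_chain(edited))
    print("deleted entry:", verify_chain(recs[:2] + recs[3:]))
    print("re-chained without key:", verify_chain(simulate_rechain_without_key(recs, 1, "x")))
    print("truncated tail:", verify_against_export(recs[:3], export_head(recs)))
```

Note the last case: a chain that is merely cut short still verifies cleanly, which is exactly why the page's point about exporting values to a SIEM matters; only a copy of the head held outside the server reveals that entries are missing from the end.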
HALOCHAIN should be viewed as a cost-effective alternative to Blockchain. There are applications which can be solved well by Blockchain. Digital currencies are one example. However, we must also keep in mind the high energy cost of Blockchain mining.
A general use of Blockchain would have a huge impact on energy consumption and would be a great threat to the goal of reducing the world’s carbon footprint.
The goals of carbon reduction, introduced by the EU today, would certainly be threatened by universal growth of Blockchain. China currently hosts the biggest mining industry in the world, powered by coal-fired server operations (what if someone pulls the plug?).
The EU is planning to launch a digital currency, announced at the same time as it proposed a drastic cut in carbon by 2030.
Have they calculated the impact on energy consumption of mass use of digital currency? Imagine: With each sale, a mining operation, somewhere in the world, runs to verify the transaction. HALOCHAIN eliminates mining intensity, allowing fast transactions while saving energy.
The simplicity of this solution, and how easy it is to utilize, hold great promise for the future. We are working with several major organizations on use cases. We will be publicizing great new features and applications in the coming months and years.
SECUDE is seeking additional strong partners wanting to develop transaction-based trading platforms based on HALOCHAIN technology.
About the Author: Dr. Heiner Kromer
Heiner Kromer is the CEO of SECUDE International AG. He brings over 30 years of experience as founder, partner, and CEO of high technology and consumer product companies.