by Jasmine Chennikara-Varghese
For cyber awareness and threat discovery, a combination of identity-, network-, device- and application-level solutions provides the most complete coverage. When detecting, responding to and remediating threats, packet analysis and log analysis are the go-to tools for security and SIEM teams. Packet captures provide network-level insight, enabling security teams to do deep-dive forensics as part of their investigation into the anatomy of a breach. For enhanced awareness, application log analysis offers evidence of the actual data exposed as well as the user accounts and privileges that were misused.
SIEM teams focused on network intrusion detection and incident response investigations typically rely on in-depth packet analysis. By installing a network tap (or configuring a mirror port on a switch), you can copy packets right off the wire and push the captures into an analysis tool. Packet decoders extract and correlate the information within the packets, mostly at the MAC, IP and TCP layers, providing intelligence into protocol behaviors and application sessions. Packet data can tell you which IP addresses have communicated, how many bytes were exchanged in a connection and, from port numbers or protocol signatures, which application protocols were used in the exchange. Where the traffic is encrypted with TLS, the payload itself is opaque to the decoder, so visibility stops at these header-level facts.
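To make concrete what a decoder recovers at these layers, here is an added example in Python (not code from the original post or from Greenlight). It builds a few constructed Ethernet/IPv4/TCP frames, decodes the MAC, IP and TCP headers with the standard struct module, and aggregates them into per-conversation byte counts labelled by a small well-known-port table. The MAC and IP addresses, ports and payloads are made up for the example; checksums are left at zero and are not verified.

```python
import socket
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

# Well-known server ports used to label the application protocol.  This is
# the only "application" fact a header-level decoder can offer; it cannot
# see which user or transaction generated the traffic.
WELL_KNOWN_PORTS = {22: "ssh", 80: "http", 443: "https", 1433: "mssql"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload, seq=1, ack=1):
    """Construct an Ethernet/IPv4/TCP frame for the example (checksums left at 0)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 65535, 0, 0) + payload
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, DF flag, TTL, protocol, checksum, addresses
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp


def decode_frame(frame):
    """Return the MAC/IP/TCP header fields of one frame, or None if it is not IPv4/TCP."""
    if len(frame) < 14 + 20:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_TCP:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]  # bounded by total_len so Ethernet padding is not counted as payload
    if len(tcp) < 20:
        return None
    sport, dport, seq, ack, off_res, flags, _win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (off_res >> 4) * 4
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
        "payload_len": max(0, len(tcp) - data_offset),
    }


def summarize_conversations(frames):
    """Aggregate frames into (client, server, service) -> frame and payload byte counts."""
    summary = defaultdict(lambda: {"frames": 0, "payload_bytes": 0})
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None:
            continue  # not IPv4/TCP: ignored by this decoder
        # Heuristic: the lower port is the server, so both directions fold into one conversation.
        if pkt["dport"] < pkt["sport"]:
            client, server, port = pkt["src_ip"], pkt["dst_ip"], pkt["dport"]
        else:
            client, server, port = pkt["dst_ip"], pkt["src_ip"], pkt["sport"]
        key = (client, server, WELL_KNOWN_PORTS.get(port, f"tcp/{port}"))
        summary[key]["frames"] += 1
        summary[key]["payload_bytes"] += pkt["payload_len"]
    return dict(summary)


# Constructed capture: a workstation talks to an application server over HTTPS
# and to a database over port 1433, plus one frame that is not IPv4 at all.
SAMPLE_FRAMES = [
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "10.0.0.5", "10.0.0.20", 51000, 443, b"A" * 100),
    build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "10.0.0.20", "10.0.0.5", 443, 51000, b"B" * 300),
    build_frame("02:00:00:00:00:01", "02:00:00:00:00:03", "10.0.0.5", "10.0.0.30", 51001, 1433, b"C" * 40),
    b"\x00" * 60,
]

if __name__ == "__main__":
    for (client, server, service), stats in summarize_conversations(SAMPLE_FRAMES).items():
        print(f"{client} -> {server} [{service}]: {stats['frames']} frames, {stats['payload_bytes']} payload bytes")
```

Run it and the only application-level fact it produces is a service name guessed from the port. The user account, its role and the transaction behind the 400 bytes on the HTTPS conversation are invisible at this layer, which is the gap the rest of the article turns to.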
As a data breach investigation progresses, packet data is often not sufficient. Because business systems are complex and heavily customized, packet decoders for proprietary business application protocols are rare. Packet analysis therefore offers limited awareness of application behavior, transactional data and user activities. For example, packet analysis typically cannot discern that a low-privileged user account has executed a critical transaction code; at best it shows that a workstation opened a session to the application server and how much data flowed back.
The application-level insights that are difficult to garner from packet data are more readily available in application logs. Logs such as security logs, audit logs, read-access logs and transaction logs are usually enabled and monitored for auditing and compliance purposes. The same log data can be leveraged to discover the actual data breached, the user accounts that were misused and the unusual transactions that were precursors to the breach events, provided the log records the user, the transaction or object and the result of each action. By combining this information with identity data (which roles and privileges each account holds), you can build intelligence to understand what has happened in the application.
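As an added illustration (not from the original post and not Greenlight's product code), the following Python script runs the kind of check described above over a constructed application transaction log. The log format, the transaction codes, the user-to-role mapping, the entitlement table and the denial threshold are all hypothetical; a real deployment would read the application's own security or transaction log and pull roles from the identity store.

```python
import re
from collections import Counter, defaultdict

# Hypothetical transaction-log line format (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tcode=(?P<tcode>\S+) "
    r"object=(?P<obj>\S+) rows=(?P<rows>\d+) result=(?P<result>\S+)$")

# Constructed log: a sales clerk probes a user-administration transaction,
# gets in on the third try, then exports a salary table.
SAMPLE_LOG = """\
2024-03-02T08:55:10Z user=jdoe tcode=ORDER_VIEW object=SALES_ORDER rows=3 result=OK
2024-03-02T08:57:42Z user=jdoe tcode=USER_ADMIN object=USER_MASTER rows=0 result=DENIED
2024-03-02T08:58:03Z user=jdoe tcode=USER_ADMIN object=USER_MASTER rows=0 result=DENIED
2024-03-02T08:59:21Z user=jdoe tcode=USER_ADMIN object=USER_MASTER rows=1 result=OK
2024-03-02T09:14:05Z user=jdoe tcode=TABLE_EXPORT object=EMPLOYEE_SALARY rows=12000 result=OK
2024-03-02T09:20:00Z user=asmith tcode=TABLE_EXPORT object=EMPLOYEE_SALARY rows=40 result=OK
2024-03-02T09:21:00Z user=asmith tcode=ORDER_VIEW object=SALES_ORDER rows=8 result=OK
this line is malformed and must be skipped
"""

# Assumed identity data and entitlement policy: in practice pulled from the
# identity store and the application's authorization model.
USER_ROLES = {"jdoe": "SALES_CLERK", "asmith": "HR_ADMIN"}
CRITICAL_TCODES = {               # critical transaction code -> roles entitled to run it
    "USER_ADMIN": {"BASIS_ADMIN"},
    "TABLE_EXPORT": {"HR_ADMIN", "BASIS_ADMIN"},
}
SENSITIVE_OBJECTS = {"EMPLOYEE_SALARY", "USER_MASTER"}
DENIED_THRESHOLD = 2              # repeated denials on a critical tcode count as a precursor


def parse_log(text):
    """Parse well-formed lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count and report these
        ev = m.groupdict()
        ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events


def analyze(events, user_roles=USER_ROLES):
    """Flag critical transactions run by non-entitled roles, sum sensitive rows
    exposed per user, and surface users with repeated denials on critical tcodes."""
    alerts = []
    exposure = defaultdict(Counter)
    denied = Counter()
    for ev in events:
        role = user_roles.get(ev["user"], "UNKNOWN")
        entitled = CRITICAL_TCODES.get(ev["tcode"])
        if ev["result"] == "DENIED":
            if entitled is not None:
                denied[ev["user"]] += 1
            continue
        if entitled is not None and role not in entitled:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "role": role,
                           "tcode": ev["tcode"], "object": ev["obj"], "rows": ev["rows"]})
        if ev["obj"] in SENSITIVE_OBJECTS:
            exposure[ev["user"]][ev["obj"]] += ev["rows"]
    precursors = {user: n for user, n in denied.items() if n >= DENIED_THRESHOLD}
    return {
        "alerts": alerts,
        "exposure": {user: dict(counts) for user, counts in exposure.items()},
        "precursors": precursors,
    }


if __name__ == "__main__":
    result = analyze(parse_log(SAMPLE_LOG))
    for a in result["alerts"]:
        print(f"ALERT {a['ts']} {a['user']} ({a['role']}) ran {a['tcode']} on {a['object']}: {a['rows']} rows")
    print("sensitive rows exposed per user:", result["exposure"])
    print("users with repeated denials on critical transactions:", result["precursors"])
```

The output answers the three questions packet data could not: which account misused a privilege (jdoe running USER_ADMIN and TABLE_EXPORT without an entitled role), how much data was exposed (12,000 rows of EMPLOYEE_SALARY), and what preceded it (two denied attempts on USER_ADMIN). The HR administrator's export of the same table raises no alert because the entitlement table says that role may run it; the row count still lands in the exposure summary so an investigator can judge whether 40 rows is normal for that user.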
A smart threat actor can erase or modify logs to hide evidence of a breach, so log integrity is crucial to accurate, untampered analysis of application behavior. Log data is generated and managed at multiple levels of the business system, e.g., the operating system, the database, the application and its audit trail. Correlating and validating events across these levels can expose the inconsistencies that indicate potential log tampering: an attacker who cleans the application log must also clean every other layer that recorded the same action, and each layer is typically administered by a different team. Application logs should also be forwarded continuously, as they are written, to a centralized, access-controlled archive that application administrators cannot alter; this preserves a reference copy for integrity checks and supports long-term retrospective analysis of user and application behaviors.
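The checks described above can be scripted. The Python example below is added here (it is not Greenlight's code or from the original post) and uses constructed logs in a hypothetical format: an application transaction log with a per-record sequence number, the same log as forwarded to a central archive, and a database-layer audit trail of reads on a sensitive table. In the local copy one application record has been deleted, and the script finds it three ways: a gap in the sequence numbers, a database read with no matching application transaction, and a record present in the archive but absent locally.

```python
import re
from datetime import datetime, timedelta

# Hypothetical formats, constructed for this example.
APP_RE = re.compile(r"^seq=(?P<seq>\d+) (?P<ts>\S+) user=(?P<user>\S+) tcode=(?P<tcode>\S+) object=(?P<obj>\S+)$")
AUDIT_RE = re.compile(r"^(?P<ts>\S+) layer=db user=(?P<user>\S+) action=READ object=(?P<obj>\S+)$")

# Application transaction log as received by the central archive (complete).
ARCHIVED_APP_LOG = """\
seq=100 2024-03-02T09:10:00Z user=asmith tcode=ORDER_VIEW object=SALES_ORDER
seq=101 2024-03-02T09:12:30Z user=jdoe tcode=ORDER_VIEW object=SALES_ORDER
seq=102 2024-03-02T09:13:10Z user=asmith tcode=TABLE_EXPORT object=EMPLOYEE_SALARY
seq=103 2024-03-02T09:14:05Z user=jdoe tcode=TABLE_EXPORT object=EMPLOYEE_SALARY
seq=104 2024-03-02T09:15:00Z user=jdoe tcode=ORDER_VIEW object=SALES_ORDER
"""

# The same log as found on the application server afterwards: record 103 was deleted.
LOCAL_APP_LOG = "".join(
    line + "\n" for line in ARCHIVED_APP_LOG.splitlines() if not line.startswith("seq=103 "))

# Database-layer audit trail of reads on the salary table, written by a different component.
DB_AUDIT_LOG = """\
2024-03-02T09:13:11Z layer=db user=asmith action=READ object=EMPLOYEE_SALARY
2024-03-02T09:14:06Z layer=db user=jdoe action=READ object=EMPLOYEE_SALARY
"""


def parse(text, regex):
    """Parse matching lines into dicts with a datetime ts (and an int seq where present)."""
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if "seq" in ev:
            ev["seq"] = int(ev["seq"])
        events.append(ev)
    return events


def sequence_gaps(app_events):
    """Sequence numbers missing between the first and last record seen."""
    seen = {e["seq"] for e in app_events}
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def unmatched_audit_reads(audit_events, app_events, window=timedelta(seconds=5)):
    """Database reads with no application transaction by the same user on the same object nearby."""
    unmatched = []
    for a in audit_events:
        if not any(e["user"] == a["user"] and e["obj"] == a["obj"]
                   and abs(e["ts"] - a["ts"]) <= window for e in app_events):
            unmatched.append(a)
    return unmatched


def missing_from_local(local_text, archived_text):
    """Records the forwarded archive holds that the local log no longer contains."""
    return sorted(set(archived_text.splitlines()) - set(local_text.splitlines()))


def tamper_report(local_text, archived_text, audit_text):
    """Run all three checks against the local application log."""
    local = parse(local_text, APP_RE)
    audit = parse(audit_text, AUDIT_RE)
    return {
        "sequence_gaps": sequence_gaps(local),
        "unmatched_db_reads": [(a["user"], a["obj"], a["ts"].isoformat())
                               for a in unmatched_audit_reads(audit, local)],
        "missing_from_local": missing_from_local(local_text, archived_text),
    }


if __name__ == "__main__":
    for check, finding in tamper_report(LOCAL_APP_LOG, ARCHIVED_APP_LOG, DB_AUDIT_LOG).items():
        print(f"{check}: {finding}")
```

Each check has a different blind spot. The sequence-gap check only works if the application numbers records monotonically and the attacker cannot renumber or truncate the tail. The cross-layer correlation does not depend on that, but it needs a join key that both layers record (here user, object and a five-second time window, an assumed tolerance). The archive comparison is the strongest of the three, provided forwarding happens as each record is written, before the attacker reaches the file; a copy forwarded after the cleanup would faithfully reproduce the tampered log.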
Greenlight Application Security Monitoring securely aggregates logs from diverse business systems and extracts key intelligence from application logs to improve the detection and remediation of breaches. For routine monitoring, Greenlight gives security teams insight into the typical activities and behaviors of the business application. In a breach scenario, Greenlight spares the hours, days or even weeks of arduous manual sifting through logs and raw data, delivering a more rapid understanding of the extent and impact of the breach.
Contact us to learn how Greenlight Application Security Monitoring can make you more secure.