Sunday, July 26, 2015

Why You Might Want To Encrypt Your Syslogs Now

Why You Might Want To Encrypt Your Syslogs Now
Corrected: June 19, 2015
by Alex Woodie
Every day millions of IBM i server events are packaged up in the syslog standard and sent offsite for safekeeping and analysis. In many cases, the syslog files are sent in plain text across the wire because, hey, they're just boring old log files, and what could anybody ever do with those, right? Wrong, says IBM i security software company Raz-Lee Security.
Syslogs are a bread-and-butter data format for IT professionals around the world. Just about every device in the data center uses the syslog format to transmit data about what it's done. All sorts of IT activities are documented in syslog, from debugging applications and general systems management to real-time network alerts and security auditing.
In the security space, syslogs are the de-facto standard for sending system events to the all-important security information and event management (SIEM) products that do the hard work of analyzing and correlating activity occurring across different servers, networks, databases, switches, and various other systems. No platform is an island these days--not even the venerable IBM i server--and SIEM products like IBM's QRadar, Hewlett-Packard's ArcSight, LogRhythm's Security Intelligence, RSA Security's enVision, and Splunk's Enterprise Security are critical assets in the ongoing war against cyber criminals.
Security software companies plying the IBM i waters are no stranger to these SIEM products, and most of them are equipped to convert IBM i events--such as QAUDJRN system journal events, message queues, and user-related information--from the native IBM i format into syslog and send them across the wire to a central SIEM server.
Eli Spitz, Raz-Lee's vice president of business development, says the company decided to use TLS to encrypt syslog files at the request of customers.
"We've been asked by a number of customers, not a large number but some very large and important customers," to encrypt the syslogs, Spitz tells IT Jungle in an interview. "One of the customers is a pharmaceutical company based in Eastern Europe. They said 'We have to have encryption in syslog to be compliant with FDA regulations.' That was after we received a number of requests."
Helping customers comply with Food and Drug Administration regulations--in this case, rules that require tamper-proof lot tracking at pharmaceutical manufacturers--is certainly a good enough reason. But would companies in other industries have a reason to encrypt their syslogs?
Yes, says Raz-Lee CTO Schmuel Zailer. While you're not going to find personally identifiable information (PII) in the server logs, there are other pieces of data contained in the log files sent from production IBM i servers to SIEM and servers that could be of value to cybercriminals.
"The SIEM server collects information that's coming from the IBM i, which means your line is exposed and everybody can understand what is going on on the IBM i if you just listen to that line," Zailer says. "So you must encrypt it. And if you encrypt it, you hide it."
Raz-Lee's iSecurity suite not only sends data from QAUDJRN and other message queues; it can also upload data from the database journal, Zailer says. This is dubbed database activity monitoring (DAM), a relatively new discipline in the IBM i community, and one in which Raz-Lee has a partnership with McAfee.
For customers who choose to replicate contents of the database journal to a SIEM server via syslog--such as one large insurance company that sends thousands of database events per second--that poses an unacceptable security risk. "We send over the net information of the database updates [which] means that the database is exposed," Zailer says.
Encryption is a major theme for Raz-Lee this year. The Israeli company is gearing up to offer PGP encryption in iSecurity. It's also planning to beef up its field-level encryption offering with a major update later this year. "Encryption is emerging to be a major theme," Spitz says.