What are your Event logs telling you about Cyber?

By Jeffrey Lush, Apr 24, 2018
Industry Knowledge

The event logs produced by the hardware and software in our environment provide a wealth of information about the actual health of that environment. The industry has invested billions of dollars developing software that analyzes the information from multiple event logs across the infrastructure in order to find the needle in the haystack.

The use of log aggregators and SIEM products has greatly enhanced our ability to find that needle in the haystack, allowing us to author scripts and algorithms that discover threats to our environment. Over time, industry has recognized great value in these products, although the effort required to operate them often exceeds what a conventional IT administrator can provide.

Let's take an example from cybersecurity. Assume we have 20 different components within our environment, where a component is a piece of hardware or software such as a network firewall, operating system, application, or database. Establishing a cyber strategy requires implementing cyber standards, often referred to as controls. These standards cover access to your system, encryption, insider threat, and a myriad of other areas. For this example, assume there are 100 cyber standards.

With 20 components and 100 standards, what is the probable impact of an event on those controls? Suppose the firewall is breached, which has a direct effect on the access-control standard; using 10 as high risk, let's assign a 9 to this breach. Because of the breached firewall, my LDAP server, which typically carries a risk of 1, now has an elevated risk of 4. We know there are 20 components, but how many potential events does each component generate? Your router alone may have 5,000 possible event codes. And so far we have only discussed the impact of a single event code and the relationship of that single event to the components within our environment.
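To make the scoring above concrete, here is a small risk-propagation model written as an added example; it is not code from the page or from the BAP product. The component names, baseline risk values, dependency weights and the propagation rule (dependents add a weighted share of the upstream risk to their own baseline, capped at 10) are assumptions constructed for illustration. It reproduces the firewall 9 / LDAP 4 figures from the text and then carries the effect one hop further, to an application that authenticates against LDAP.

```python
"""Toy model: how one event on one component elevates the risk of a control
across dependent components. Added example; all values are constructed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

MAX_RISK = 10  # the text's scale: 10 is high risk


@dataclass
class Component:
    """One hardware/software component, its baseline risk per control, and the
    components that depend on it (with a weight for how much risk flows along the edge)."""
    name: str
    baseline: Dict[str, int]                      # control name -> baseline risk (0..10)
    downstream: List[Tuple[str, float]] = field(default_factory=list)


def build_environment() -> Dict[str, Component]:
    """Constructed sample environment: three components, two controls.
    The weight 0.35 is an assumption, not a value from the page."""
    return {
        "firewall": Component("firewall", {"access-control": 2, "encryption": 1},
                              downstream=[("ldap", 0.35)]),
        "ldap": Component("ldap", {"access-control": 1, "encryption": 1},
                          downstream=[("payroll-app", 0.35)]),
        "payroll-app": Component("payroll-app", {"access-control": 2, "encryption": 3}),
    }


def propagate(env: Dict[str, Component], source: str, control: str,
              event_risk: int) -> Dict[str, int]:
    """Return the risk of `control` for every component after an event on `source`.

    Rule (assumed for this example): the affected component takes the event's risk;
    each dependent adds round(upstream_risk * edge_weight) to its own baseline, capped
    at MAX_RISK. Edges are walked breadth-first, each component visited once."""
    risk = {name: c.baseline.get(control, 0) for name, c in env.items()}
    risk[source] = max(risk[source], event_risk)
    queue, seen = deque([source]), {source}
    while queue:
        name = queue.popleft()
        for dep, weight in env[name].downstream:
            elevated = env[dep].baseline.get(control, 0) + round(risk[name] * weight)
            risk[dep] = max(risk[dep], min(MAX_RISK, elevated))
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return risk


def impacted(env: Dict[str, Component], control: str,
             after: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Components whose risk for `control` changed, as name -> (baseline, elevated)."""
    return {name: (c.baseline.get(control, 0), after[name])
            for name, c in env.items() if after[name] != c.baseline.get(control, 0)}


if __name__ == "__main__":
    env = build_environment()
    after = propagate(env, "firewall", "access-control", 9)
    for name, (before, now) in impacted(env, "access-control", after).items():
        print(f"{name:12s} access-control risk {before} -> {now}")
```

Run stand-alone it lists the firewall at 9, LDAP at 4 and the payroll application at 3, while the encryption control is untouched because the event was scored against access control only. Scaling the same walk to 20 components, 100 controls and thousands of event codes per device is exactly the volume problem the following paragraph raises.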

The use of SIEM or log aggregators can undoubtedly reduce the number of events to be processed, but the mathematical models needed to understand the resulting risk level are very complicated, given the staggering number of potential implications and varying levels of impact.

The BAP framework is a simple-to-use artificial general intelligence that maps real-time threats to natural language. When an event occurs, the bapAI searches for impact and within minutes reports how that cyber breach affected every component and standard within your environment. The framework is simple to deploy: install it in minutes, import the desired controls, and you are already more secure. Go to bapsolution.com for additional information.