22. Jan. 2013 by Markus
We are all familiar with the concept of outsourcing, right? You're not the best at dusting furniture and washing the dishes, so you outsource those activities to your significant other, simply put.
In general, companies also decide to outsource to save money, which usually works for them quite well. But this one guy decided to take this idea to another level (micro-outsourcing?) and outsource his very own developer's responsibilities to a whole development team in China for a mere 20% of his salary. Brilliant deal for him, not so much for his employer, who basically paid the guy for sitting in the office doing nothing. I've got to give it to him that he must have had some nerve to pull that off...
Anyway, this arrangement lasted for quite a few months without anyone noticing anything suspicious going on. Now that you think of how the poor guy got busted, it's so obvious that a nine-year-old would figure it out. Ok, maybe not literally a nine-year-old, as it requires some basic understanding of networking services and the ability to access and analyze log files. The first requires some studying; for the latter, you can either use find to search and view the desired log files, or you can make your life easier and use a proper log analysis tool like retrospective.
As telecommuting becomes more and more popular, companies use VPN connections to access their internal networks. You would rarely check VPN servers' logs as long as everything is running smoothly, but by not doing so you are taking quite a risk. So it's only wise to monitor your log files and scan them for certain events, such as connections established from suspicious IPs. Setting up retrospective to do that takes only a few minutes, and that includes the time to define search filters and run the search itself. While there are solutions which allow implementing logic that detects certain patterns, they take time to design and they are only effective until someone finds another security hole to exploit. Once this happens, it's back to the drawing board, designing yet another one of those brilliant pieces of logic. Depending on the situation, it's not very likely that the time invested in nursing that logic will somehow pay off. Thus it makes more sense to prepare and bookmark search definitions which target certain activities. Along with some other features, retrospective lets you react on the spot, quickly detecting and addressing new threats as well as identifying potential risks.
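To make the "connections from suspicious IPs" check concrete, here is an added example (not code from the original post or from the retrospective product) that scans VPN server log lines and flags CONNECT events from addresses outside the networks you expect staff to use, plus accounts seen from more than one source network. The log layout, the sample lines and the expected CIDR ranges are all constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample VPN log lines in an assumed "date time user src_ip event" layout.
SAMPLE_LOG = """\
2013-01-14 08:02:11 bob 203.0.113.7 CONNECT
2013-01-14 08:05:43 alice 198.51.100.20 CONNECT
2013-01-14 09:17:02 bob 192.0.2.55 CONNECT
2013-01-14 17:30:09 bob 192.0.2.55 DISCONNECT
"""

# Source networks the company expects its staff to connect from (assumed values).
EXPECTED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<user>\S+) (?P<ip>\S+) (?P<event>\S+)$")


def parse_line(line):
    """Return (timestamp, user, ip_address, event), or None for lines that don't fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["user"], ipaddress.ip_address(m["ip"]), m["event"]


def find_suspicious_connections(log_text, expected=EXPECTED_NETWORKS):
    """Return (timestamp, user, ip) for every CONNECT whose source lies outside all expected networks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != "CONNECT":
            continue
        ts, user, ip, _ = rec
        if not any(ip in net for net in expected):
            hits.append((ts, user, str(ip)))
    return hits


def users_from_multiple_networks(log_text):
    """Map users to the distinct /24 source networks they connected from, keeping only those with more than one."""
    nets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == "CONNECT":
            nets[rec[1]].add(str(ipaddress.ip_network(f"{rec[2]}/24", strict=False)))
    return {u: sorted(s) for u, s in nets.items() if len(s) > 1}


if __name__ == "__main__":
    for ts, user, ip in find_suspicious_connections(SAMPLE_LOG):
        print(f"{ts}: {user} connected from unexpected address {ip}")
    print(users_from_multiple_networks(SAMPLE_LOG))
```

The same two checks map directly onto saved search definitions in a log tool: one filter for source addresses outside the expected ranges, one for a single account appearing from several networks.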
People usually question the sense of proactive log analysis, but this example should open their eyes at least a tiny little bit...