by Joel Rosenblatt
Director for Network and Computer Security
Columbia University
(Beginning January 28, Joel Rosenblatt will be moderating a group
discussion on CISOs Connect. The discussion will run for two weeks and
is open to all CISOs Connect members. CISOs who want to sign up may
send an email to arhodes@cisosconnect.com)
There’s a familiar sight along a street called Broadway at Columbia
University where I used to study and where I now work. You have an
island in the middle, and on that island there are always lots of
people, in various postures and positions, using their laptops and
reaping the benefits of their hassle-free connection to the network.
At Columbia we offer Free Love – a pain-free method of using our
network. We get so many visitors every day and we don’t really want to
go through the trouble of registering all of them. Free Love allows
all computers to connect directly to the network and thereby the world
without further ado.
And that’s ok with us. We don’t even do sniffing or scanning of what
they may be up to. We have no border firewalls on our network. We
don’t look at content, we have no idea what’s going on, we don’t want
to know. It’s a form of public service.
Columbia is, after all, a large research university, with a
decentralized computer management structure and decentralized computer support.
But even in this loving, free-for-all environment, you would still
have questions about the people who are part of your system. Who is
using a certain IP address, who is using a certain MAC address, or
when was a certain IP address being used?
The questions could be network security issues (How many people used the
machine at 3pm? Was the machine with MAC address xxx connected to the
network yesterday?) or public safety issues (Who used that iPad at
3pm? Did user John Doe log into the network yesterday?).
This is where GULP – Grand Unified Logging Program – comes in. It is a
way of figuring out, without asking in advance, who people are, and
tracking them.
Whether there are network issues or public safety issues, GULP is able
to answer such questions very fast. The system will show you where I
am, what devices I am using, which buildings or offices I went to,
whether I tapped into the network from home. All this information
comes to me in about three seconds, whereas it might take a programmer
a week to figure all this out if he had to go through the logs one by
one.
When logs are correlated, they paint an accurate picture of user
behavior. They say, for instance, where the user logged in, which door
he swiped, how long he stayed, and what he did before and after.
When somebody’s device or credentials are stolen, the logs make it easy
to track them. They also give signs when somebody veers off a pattern
and does something altogether different.
Because there is a single sign-on for everything, behavior can easily
be drawn from the information – and the anomalies therein.
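As an added illustration of the correlation described above (this is not Columbia’s GULP code; the log records are constructed and the field layouts are assumptions), a small Python script chains DHCP leases, network sign-ons and door swipes to answer the question “who was using this IP address at this time?”:

```python
from datetime import datetime

# Constructed sample records (not Columbia data); the field layouts are assumptions.
FMT = "%Y-%m-%d %H:%M"
# DHCP leases: (ip, mac, lease_start, lease_end)
DHCP_LEASES = [
    ("10.0.5.21", "aa:bb:cc:00:00:01", "2013-01-10 14:02", "2013-01-10 15:30"),
    ("10.0.5.21", "aa:bb:cc:00:00:02", "2013-01-10 15:31", "2013-01-10 18:00"),
]
# Network sign-ons: (mac, user, time)
SIGNONS = [
    ("aa:bb:cc:00:00:01", "jdoe", "2013-01-10 14:03"),
    ("aa:bb:cc:00:00:02", "asmith", "2013-01-10 15:32"),
]
# Door swipes: (user, door, time)
DOOR_SWIPES = [
    ("jdoe", "Bldg-A front door", "2013-01-10 13:55"),
    ("jdoe", "Bldg-B lab 201", "2013-01-10 14:00"),
]

def ts(s):
    return datetime.strptime(s, FMT)

def mac_for_ip(ip, at):
    """MAC whose DHCP lease on `ip` covers `at`, or None if nobody held it."""
    for lease_ip, mac, start, end in DHCP_LEASES:
        if lease_ip == ip and ts(start) <= at <= ts(end):
            return mac
    return None

def user_for_mac(mac, at):
    """User of the most recent sign-on from `mac` at or before `at`."""
    hits = [(ts(t), u) for m, u, t in SIGNONS if m == mac and ts(t) <= at]
    return max(hits)[1] if hits else None

def last_swipe(user, at):
    """(door, time) of the user's last badge swipe at or before `at`."""
    hits = [(ts(t), d) for u, d, t in DOOR_SWIPES if u == user and ts(t) <= at]
    if not hits:
        return None
    when, door = max(hits)
    return door, when.strftime(FMT)

def who_used(ip, when):
    """Chain the three sources to answer 'who was on this IP at this time?'."""
    at = ts(when)
    mac = mac_for_ip(ip, at)
    user = user_for_mac(mac, at) if mac else None
    swipe = last_swipe(user, at) if user else None
    return {"ip": ip, "at": when, "mac": mac, "user": user, "last_swipe": swipe}
```

Asking `who_used("10.0.5.21", "2013-01-10 15:00")` resolves to jdoe with the Bldg-B swipe as the last known location; at 16:00 the same IP resolves to asmith, for whom no swipe is on record.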
The GULP system could also answer such questions as: Where might a
student be? It could turn out that he just neglected to tell his
parents that he would be gone for 10 days visiting a girlfriend in
another part of the country. We would know that because he logged into
the system using his computer from this or that location. Tragically,
there was also an instance when the logs led us to clues that the
person had jumped off a bridge.
In another instance, GULP helped us track a part-time employee who was
using the identities of Columbia doctors to activate credit cards,
which she then used to purchase electronic equipment with the
intention of reselling it. The logs told us that all the bank
activity came from a single IP address, and so we tracked down the
person who was opening her email from that IP address.
That person is now in jail.
Indeed, many don’t realize that logs are a treasure trove of
information. Users log into computer systems all the time, but what
most people do with logs is put them on a hard drive and never look at
them again. There is a lot of info in logs that people are missing,
just because they don’t process them. Logs should be regarded as
something that gives you information as opposed to something that you
have to keep because of compliance.
It’s not even very technical. In my experience, security is 90% a
political exercise and only 10% technology. The hardest part was
convincing people to give us their logs. Fortunately, I’m very
persistent.
Logs are great. They tell you a lot of things. I can’t imagine not
using logs. The only question in my mind now is: Why aren’t more
people doing this?