IoT security: logging

Last week SANS published a brand new white paper about the Internet of Things: “Stopping IoT-based Attacks on Enterprise Networks”. IoT devices have been around in the networks of enterprises for many years, just think about network-connected printers. But recently, both the number and variety of these devices skyrocketed and enterprises now have to embrace everything from BYOD phones to smart lamps. In this blog post, I would like to highlight a critical aspect of how you can protect your organization from potential IoT-based attacks: logging.

 

The SANS white paper first describes the security problems introduced by IoT devices on a network. They can become part of a botnet that is targeting websites, and this is still far the best scenario for an organization, as in this case, they are not the actual targets. In most cases, however, IoT devices are used to collect information about a target network including access credentials and also to help to steal sensitive data from the targeted organizations.

The main focus of the white paper is preventing and responding to IoT attacks. It lists the steps that you can take to make your network full of IoT devices more secure. First of all, you need to know what devices are present on your network – make an inventory. You can lessen the risks if you divert traffic from IoT devices to a separate network and check that traffic closely. Access control to devices – both account and physical – is important. IoT devices should be managed centrally as much as possible. Even if proper central management is not possible, configurations and security updates should be tracked centrally.

Last but not least, the white paper has recommendations related to monitoring and reporting. An important part of this is logging:

  • central log management
  • normalizing events
  • presenting events in a ready-to-use structured format

As one of the options for these tasks, the white paper mentions syslog-ng. Thanks to its portability and scalability, the syslog-ng application can be used both on the IoT devices and as a central log collector. It has all the features necessary to support the recommendations in the white paper:

  • designed for central log collection
  • parsers of syslog-ng can normalize a wide variety of log messages
  • templates support several output formats, including JSON

 

You can learn more about syslog-ng and how it is used in IoT and embedded environments from my opensoure.com article Reliable IoT event logging with syslog-ng.

 

If you have questions or comments related to syslog-ng, do not hesitate to contact us. You can reach us by email or you can even chat with us. For a list of possibilities, check our GitHub page under the “Community” section at https://github.com/balabit/syslog-ng. On Twitter, I am available as @PCzanik.

Anonymous