Section A.10.10.1 of the ISO 27001 framework covers “Audit Logging Control.” It reads, “Audit logs recording user activities, exceptions, and information security events shall be produced and kept for an agreed period to assist in future investigations and access control monitoring.”It’s great that the framework requires a control for audit logging. However, audit logs can be immense and extremely difficult to parse. The tersely worded phrasing that logs “should be produced and kept” is deceptively simple. It’s reminiscent of the notorious two-word scene in the script of the 1925 Hollywood classic, “Ben Hur,” which read “Chariot Race.” The race in question took eight weeks to film.
So it goes with security logs. A seemingly simple idea turns out to be fantastically complex. What does it take to have a truly effective implementation of that control? This is the challenge undertaken by Liz Maida and her company, Uplevel Security.
Maida, who has engineering degrees from Princeton and MIT, learned the art of log analysis at Akamai, which handles nearly a third of all US Internet traffic. Now, as Co-Founder and CEO of Uplevel, she is transposing this experience into a meaningful approach to understanding the output of SIEM systems, intrusion detection systems (IDSs), firewalls, routers and so forth.
“What you have at the heart of any serious SecOps center is a tension between human brain cycles and volumes of disaggregated data that would boggle any mind,” Maida said. “Machines are churning out huge amounts of security event data, alerts and on and on. It never stops,” she remarked. “And what’s in it? Log outputs at any moment could be a meaningless dump of non-events or they could be concealing an incipient attack. The answer may actually reside in data from six months ago, if you could think to look at it.”
Uplevel ingests security alert data and threat intelligence from many different sources. It then normalizes the data, analyzes in terms of past events and alights it with what the company refers to as a “proprietary ontology” (which means, for those of us who don’t have a dictionary or an Ivy league engineering degree nearby, “a set of concepts and categories in a subject area or domain that shows their properties and the relations between them.”)
Through normalization and application of the ontology, Uplevel is then able render security threat insights in a graphical form. It can show, using iconography and graphics, the relationships between threats and current activity—highlighting areas of urgency. “Our goal is to help with one of the trickiest challenges that arises in SecOps, namely when do you relegate an alert to an automated workflow and when do you assign it to an actual human being? There are never enough human synapses to go around. Uplevel makes this decision process easier and simpler. And, as our data shows, more effective.”