Strategies for real and virtual honeypots

Few would deny that security has become a huge priority for network administrators over the last few years. Administrators dedicate lots of time to making sure their networks have all of the latest security patches, firewalls, and intruder detection systems designed to log suspicious activity. Unfortunately, firewall and intrusion detection system reports aren't as effective as they used to be because both produce tremendously large log files.

It's not uncommon to accumulate a gigabyte's worth of log data each day. In today's "do more with less" world, companies lack the manpower to sift through such massive logs on a daily basis.

I'm not saying that firewall logs and intruder detection reports are worthless. They do have their place. However, when you consider the massive volume of information that they produce and the fact that intruder detection systems are notorious for generating false positives, you can't help but wonder if there isn't a better way.

For some, that better way might be a honeypot. There are two main varieties of honeypots, real and virtual, and both serve as a decoy. The concept of a honeypot came about a couple of years ago when network administrators needed a way to find out if anyone was sniffing their network. Conventional wisdom said that if someone is sniffing the network, they aren't sending out any packets, so the sniffing is undetectable. Someone had the idea, however, to set up a bait system that would occasionally send out packets related to the Windows networking service. Anyone sniffing the network would have to do a DNS query to find out the identity of this unknown system. When that DNS query was performed, the IP address and computer name of the machine making the query would be logged, along with the date and time of the query.
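The detection side of that bait-system trick, as an added example that is not part of the original article: given resolver query logs, flag any host that asks for the reverse (PTR) record of the bait machine's address. The log format, the bait address and the sample lines are all constructed for this example.

```python
"""Sniffer detection via DNS lookups of a bait host (added example).

The bait host only emits occasional Windows-networking style packets, so no
legitimate system has a reason to look it up. A PTR query for its address
therefore points at a machine that captured those packets and is trying to
identify the source. Log format and sample lines are constructed, not taken
from any real resolver.
"""
from dataclasses import dataclass
import ipaddress
import re

BAIT_IP = "192.0.2.77"  # constructed bait address (TEST-NET-1 range)

# Constructed log format: "<date> <time> client <ip> query[<TYPE>] <name>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>\d+\.\d+\.\d+\.\d+) "
    r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+)$")

@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    qtype: str
    name: str

def ptr_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4 address, e.g. 77.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def find_bait_lookups(log_lines, bait_ip=BAIT_IP):
    """Return every PTR query for the bait address: who asked, and when."""
    target = ptr_name(bait_ip)
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        # Trailing dot and letter case are not significant in DNS names.
        if m["qtype"] == "PTR" and m["name"].rstrip(".").lower() == target:
            hits.append(Hit(m["ts"], m["client"], m["qtype"], m["name"]))
    return hits

SAMPLE_LOG = [  # constructed resolver log lines
    "2024-03-01 09:14:02 client 10.0.0.12 query[A] intranet.example.com",
    "2024-03-01 09:14:05 client 10.0.0.31 query[PTR] 77.2.0.192.in-addr.arpa.",
    "2024-03-01 09:14:06 client 10.0.0.12 query[PTR] 1.0.0.10.in-addr.arpa",
    "2024-03-01 09:15:40 client 10.0.0.31 query[A] fileserver.example.com",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for hit in find_bait_lookups(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.client} looked up the bait host ({hit.name})")
```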

Since this technique was first introduced, bait systems or honeypots have evolved quite a bit. There are now about a dozen companies offering various honeypot solutions. If you're concerned about security, there's little question that you could benefit from having a honeypot system in place. The main decision you need to make is whether your company would see the greatest benefit from a real or virtual honeypot.

When deciding whether to use a real or virtual honeypot, you need to think in terms of risk and reward. Virtual honeypots pose very little, if any, security risk, but they don't do nearly as good a job of catching hackers as a real honeypot. A real honeypot, on the other hand, has infinitely better detection capabilities than a virtual honeypot, but there's a chance that a top-notch hacker could use the honeypot to take over the rest of your network.

Virtual advantages
A virtual honeypot is basically an emulator. For example, virtual honeypots often emulate FTP servers, monitoring all TCP and UDP ports and logging all activity on all ports. A hacker who discovers the fake FTP server will most likely try to initiate an FTP session. If that happens, the virtual FTP server logs everything the hacker attempts to do. For example, the honeypot might log what ports were used, which authentication credentials were used, etc. The server would even respond to a hacker's requests in the same way that a real FTP server would. Best of all, because this is a virtual FTP server, there's no operating system and therefore no way that a hacker could use the honeypot to compromise the rest of your network.

In theory, this method sounds really good. After all, a virtual honeypot is very safe to use and captures lots of useful information. For example, if the honeypot captured the hacker's logon credentials, you might be able to find out which accounts have been compromised so that you can do something about it. The benefits end there, though.
