Regarding Graylog Security

I am writing this to have a better understanding of Graylog Security.

  1. How does Graylog Security gather information? Is it sourced directly from Graylog Operations logs, where user actions are logged, or does Graylog Security utilize other internal sources?

  2. The Graylog Security tab appears similar to the Graylog Operations dashboard. Can you clarify the distinction between these two sections? What unique functionalities and purposes does each serve?

Hi @wilsonshow, in a nutshell:

Graylog Open: This allows you to collect and analyze logs with basic functionality.

Graylog Operations: The same product as Graylog Open, extending it by valuable functionality like dynamic tables to identify failed logins right after a password change.

Graylog Security: The same product as Graylog Operations, extending it by valuable functionality like Anomaly Detection and TI Feed Integration.

All Graylog versions allow you to collect log data and contextual data (lists, tables, 3rd party information) to compare observations to a desired or undesired state. The capabilities increase with the version (Graylog Security can do far more things than Graylog Open).

Hope that helps, Fred

Hi @Friedrich

Thank you for your response.

I’d like clarification: are Graylog Security and Graylog API Security synonymous? Upon reviewing the website, it appears they serve similar functions. Could you provide insight into their differences?

Hi @wilsonshow,

happy to help. As stated above, Graylog Security allows you to process all types of logs and contextual data at scale as well as detecting all types of events with a high level of flexibility.

The challenge with API calls is that by design they are many 🙂 Graylog API Security comes with filters just fishing the interesting ones and bringing them to your attention. A potential overview looks like this:

You obtain the capability to mitigate a significant risk coming with exposing your data via API. However, while Graylog Security addresses all types of risk, API Security does specifically tackle the challenges around APIs. If you have a public-facing API, you should definitely look into it.

Best, Fred

Hey @Friedrich

Once again, thanks for your reply.
So can I say that the API security involves checking all APIs provided to Graylog for vulnerabilities and ensuring their proper functionality?

I have some more questions regarding this API security:

  1. How does Graylog ensure authentication and authorization for API access, and what measures are in place to prevent unauthorized access to sensitive data?
  2. What encryption protocols does Graylog use to secure data transmission via APIs, and how are these protocols implemented to protect against interception and tampering?
  3. Can you describe Graylog’s approach to detecting and mitigating common API security threats, such as injection attacks or DoS attacks, and how does it ensure compliance with relevant security standards and regulations?

Sorry for having so many questions, as I am unable to find more information regarding this.

Best regards,
Wilson

Hi @wilsonshow,

the way you characterize it is not exactly what it does. It catches API calls and then analyzes each one of them for indicators of compromise. It’s not specifically focusing on potential vulnerabilities of the API (there might be vulnerability scanners to do that) but Graylog API Security focuses on the content of the ongoing API communication. From a NIST-Cycle (please review the graphics if required) perspective Graylog API Security must be seen as a “DETECT” tool (as well as Graylog Security) enabling organizations to react to ongoing threats (“RESPOND”).

  1. You are asking for “PROTECT” measures (ensuring authorization, authentication…), while Graylog API Security is focusing on detecting (“DETECT”) rogue API calls (potentially indicating unauthorized access).
    Many organizations don’t protect their APIs appropriately, because they are simply not aware of the gaps in their Security Strategy. Believing they have a secure API infrastructure, their setup comes with a relevant attack surface. Graylog API Security will provide you with required evidence to take appropriate action to protect your APIs.
  2. As stated above, Graylog API Security is designed to detect (“DETECT”) insecure API communications, but doesn’t represent a solution to prevent (“PROTECT”) these. Again, it will help you to create awareness of what’s going on and take action to improve your security posture.
  3. After collecting API communication data (Resurface Docs) we analyze it and apply our detection patterns to detect Response Leaks, Request Threats, Processed Attacks and many more. I am not aware that we map our findings to regulation frameworks as of now.

You are welcome to ask.

Best, Fred
