Windows Logging Services

Used in conjunction with a central log repository and log analysis tool, Windows Logging Services creates a powerful combination that supports not only passive detection, but also active hunting for malicious activity and insider threats.

Syslog messages allows for integration with existing SIEM solutions and the key/value pair formatting is easily parsed without predefining schemas. Used in place of an existing Windows logging tool or as a first step into host-based logging, WLS provides a rich dataset in a highly compatible format to enhance environmental awareness and improve one’s enterprise security posture.

This software has several key cyber security applications for any business:

• Centralized log collection
• Endpoint monitoring
• Meet audit requirements
• Digital forensics and incident response
• Malware hunting
• Insider threat detection

CUSTOMER PROBLEM:
With the continued rise in cyber-attacks, the ability to search for and detect new threats as they occur has become a necessity. Searching an enterprise for indicators of compromise (IOCs) should take seconds not hours, and should not be restricted to vendor-specific tools. Monitoring for changes specific to one’s environment provides opportunities to detect insider threats and previously unknown malicious activity. A rapid response is critical to preventing the spread of threats and persistence in one’s environment.

The Windows Logging Service (WLS) provides enhanced operating system information via standard syslog messages to any syslog format compatible log server. Developed by the cyber security staff at Honeywell Federal Manufacturing & Technologies to aid in the detection of malicious activity, WLS augments traditional logging and forensic analysis with real-time reporting of contextual operating system (OS) information. This enhanced information stream coupled with data analytics provides the ability to quickly search for indicators of compromise (IOCs) and respond with increased accuracy to cyber threats.

POTENTIAL MARKET USES:
WLS reads and sends all Windows event logs and adds extra data relevant to cyber security, such as cryptographic hashes and file metadata. Other information gathered by WLS is typically only available by using interactive on-demand tools to view a snapshot of data at the time it is run. Providing this data in real-time and in context with process information allows for correlation of previously ambiguous data points and gives insight into OS and process interactions.

To date, WLS has been supported, marketed and licensed by Honeywell FM&T staff. Current customers and evaluators include federal and state government agencies and offices, large and small industry, and universities and individuals. Honeywell would like to license WLS to an intermediary, who would handle all downstream commercialization efforts.

COMPETITIVE ADVANTAGES:
Competitors include Splunk, Microsoft’s Sysmon, Snare (Intersect Alliance), and MonitorWare Agent. None of these individual systems protect against all cyber threats. Even the combination of all of these programs fails to offer the full range of cybersecurity protection, monitoring and logging services offered by WLS.