Windows Logging Service

In 2009, faced with the challenge of identifying the introduction of computer malware that had the potential to evade common detection mechanisms, such as antivirus software, Kansas City Plant (KCP) created the Windows Logging Service (WLS). On the surface it is a replacement for other well-known logging tools, but it was created specifically to fill the needs of an incident responder.

WLS provides the chosen cryptographic hashes of each executed process, along with many other user-defined parameters, as well as contextual data to identify related activity. The data added to the log stream initially came about as a product of indicators of compromise (IOC) contained in reports of known threats. As adoption of WLS has spread, further data has been added at the request of other US Government sites, commercial entities, and open source research.

With WLS running on each host, an organization essentially has a network of indicator generators that provide near real-time and historic data. The goal is to detect an initial threat vector and quickly determine the breadth of a compromise, if any. KCP uses this data to greatly decrease the number of hosts being reimaged by comparing network data that indicates potential compromise with host data that confirms or refutes that evidence. Tracking cryptographic hashes also allows KCP to quickly discover new threats that bypass traditional detection mechanisms and remediate them before any further compromise.

The near real-time data WLS provides, and the open format in which it is provided, are unique in both the host logging and host-based intrusion detection system (HIDS) markets. Drawing on a broad knowledge base of IOC types and a standard logging format allows WLS data to be sent directly to almost any commercial off-the-shelf (COTS) log analysis tool for immediate use. The provided IOC types and their metadata can also be highly customized to meet an organization's compliance and incident response needs.

Through contacts of previous DOE/NNSA employees and word of mouth, commercial interest in WLS has been building. In 2013, working with legal and licensing personnel, KCP successfully began commercialization of WLS. Presently, a number of commercial organizations from broad market segments have purchased licenses, and many more have pursued or are pursuing evaluation and end-user licenses.

Licensees of WLS are also provided with a set of queries and a pre-built app for a popular log analysis tool. The app provides everything from basic health monitoring of a WLS deployment to detailed drilldowns about a specific host.

In addition, the app has a pre-built framework that allows new users to immediately begin tracking all new processes, with alerting, which can reduce the time to detect unknown threats to minutes.
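The detection idea described above (log a cryptographic hash for every executed process, compare it with hashes from threat reports, alert on hashes never seen before in the environment, and then scope how many hosts ran a given hash) is illustrated by the following added example. It is not WLS code and does not use WLS's log format: the CSV layout, hash values, IOC list and baseline are all constructed for the example, and a real WLS deployment would feed its own fields into the same logic.

```python
"""Added example (not WLS's own code): new-process and IOC-hash detection
over constructed process-execution log lines, plus scoping of a hit.
"""
import csv
from io import StringIO
from typing import Dict, List, Set

# Constructed hashes. Real SHA-256 digests are 64 hex characters; these are
# filler values of the right length so the matching logic is realistic.
H_NOTEPAD = "11" * 32
H_SVCHOST = "22" * 32
H_DROPPER = "33" * 32   # stands in for a hash taken from a threat report
H_UNKNOWN = "44" * 32   # a binary nobody in the environment has run before

# Constructed sample log (hypothetical CSV layout, NOT WLS's actual format):
# one process execution per line with host, user, image path and image hash.
SAMPLE_LOG = f"""timestamp,host,user,image,sha256
2024-01-10T08:00:01Z,ws01,alice,C:\\Windows\\System32\\notepad.exe,{H_NOTEPAD}
2024-01-10T08:00:05Z,ws01,SYSTEM,C:\\Windows\\System32\\svchost.exe,{H_SVCHOST}
2024-01-10T08:01:10Z,ws02,bob,C:\\Users\\bob\\Downloads\\invoice.exe,{H_DROPPER}
2024-01-10T08:02:30Z,ws03,carol,C:\\Users\\carol\\Downloads\\invoice.exe,{H_DROPPER}
2024-01-10T08:03:00Z,ws02,bob,C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe,{H_UNKNOWN}
"""

# Constructed IOC list (hashes published in threat reports) and the baseline
# of hashes this environment has already observed and accepted.
KNOWN_BAD: Set[str] = {H_DROPPER}
BASELINE: Set[str] = {H_NOTEPAD, H_SVCHOST}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed CSV log into one dict per execution event."""
    return list(csv.DictReader(StringIO(text)))


def _alert(ev: Dict[str, str], sha256: str, reason: str) -> Dict[str, str]:
    return {"host": ev["host"], "image": ev["image"],
            "sha256": sha256, "reason": reason}


def classify(events: List[Dict[str, str]], known_bad: Set[str],
             baseline: Set[str]) -> List[Dict[str, str]]:
    """Return alerts in log order.

    - ioc_match: every execution of a hash on the IOC list is reported, since
      each host that ran it matters for scoping.
    - new_hash: a hash absent from the baseline is reported on its first
      sighting only; later executions of the same hash are treated as known.
    The caller's baseline set is not modified.
    """
    seen = set(baseline)
    alerts: List[Dict[str, str]] = []
    for ev in events:
        h = ev["sha256"].lower()
        if h in known_bad:
            alerts.append(_alert(ev, h, "ioc_match"))
        elif h not in seen:
            alerts.append(_alert(ev, h, "new_hash"))
        seen.add(h)
    return alerts


def hosts_with_hash(events: List[Dict[str, str]], sha256: str) -> List[str]:
    """Scope a finding: sorted list of hosts that executed the given hash.

    This is the breadth-of-compromise question: once one host confirms a bad
    hash, every other host with the same hash in its history needs attention.
    """
    want = sha256.lower()
    return sorted({ev["host"] for ev in events if ev["sha256"].lower() == want})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in classify(evs, KNOWN_BAD, BASELINE):
        print(f"{a['reason']:10} {a['host']:5} {a['image']}")
    print("hosts that ran the IOC hash:", hosts_with_hash(evs, H_DROPPER))
```

The baseline is what turns "every process" into "every new process": seeding it from a known-good period means the alert volume drops to binaries the environment has not run before, and an IOC list layered on top catches the hashes already published in threat reports regardless of whether the baseline has seen them.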