At-Risk Companies are Missing Web Log Data, Key Evidence in an Attack

Stroz Friedberg is a specialized risk management firm built to help clients solve the complex challenges prevalent in today’s digital, connected, and regulated business world

Here at Stroz Friedberg, we’ve spotted a troubling new trend. During many recent incident response investigations, we’ve noticed businesses—including e-commerce vendors, payroll processing organizations, and others in the crosshairs of cyberattacks—are missing critical log data. The common cause: improper implementation of load balancers on custom applications, for example those running .NET, Apache or IIS.

This situation could spell disaster in the event of a data breach, because knowing who visited which pages, and when, is vital information. Without it, correlating requests with the clients that made them becomes an arduous, if not impossible, task, and that correlation is central to tracking anomalous activity. Missing data in the incidents we’ve responded to has included the client’s public IP address, the user agent and other fields.

Organizations must ensure not only that load balancers are serving their custom applications, but also that logging on the load balancer and on the webserver sitting behind it is in sync, so that the fields the webserver records (such as the client’s public IP) are the ones the balancer actually forwards.

Hosted application managers should look into these questions:

  • Is your load balancer forwarding all of the necessary information to your webservers for logging purposes?
  • Are the IP addresses in your web application valid and not misattributed when your load balancer reuses IPs?
  • What VIPs and SNAT IPs do you have? How do underlying applications distinguish between a public IP and a VIP or SNAT IP?
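The first two questions can be checked mechanically against the access logs you already have. The following script is an added example, not code from the original post or from Stroz Friedberg: it assumes a hypothetical inventory of balancer VIP/SNAT addresses, an Apache-style combined log with the X-Forwarded-For header appended as a final quoted field, and a handful of constructed sample lines. It shows how the true client address is recovered only when the immediate peer is a known balancer (taking the right-most hop, which is the one the balancer appended, never the client-supplied hops to its left), and it counts the two failure modes the post warns about: requests that reached the webserver from the balancer with no forwarded address at all, and requests whose recorded client IP is really a VIP or SNAT address.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Hypothetical balancer VIP/SNAT inventory (an assumption for this example;
# populate it from the real load-balancer configuration).
BALANCER_IPS = {ipaddress.ip_address(a) for a in ("10.0.0.5", "10.0.0.6")}

# Combined log format with X-Forwarded-For appended as a final quoted field
# (Apache: %{X-Forwarded-For}i; IIS can log the same header as a custom field).
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<xff>[^"]*)")?$'
)

# Constructed sample lines: two forwarded requests (one carrying a client-supplied
# hop), one that arrived from the balancer with no forwarded address, one direct
# hit that bypassed the balancer, and one with a malformed header value.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.10"',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 128 "-" "curl/8.0" "198.51.100.7, 203.0.113.10"',
    '10.0.0.6 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /x HTTP/1.1" 200 10 "-" "Mozilla/5.0" "not-an-ip"',
]


def real_client_ip(peer: str, xff: Optional[str]):
    """Return (client_ip, how_it_was_determined).

    X-Forwarded-For is honoured only when the TCP peer is a known balancer, and
    only its right-most hop is used: that is the address the balancer appended;
    anything to the left of it was supplied by the client and is untrusted.
    """
    try:
        peer_is_balancer = ipaddress.ip_address(peer) in BALANCER_IPS
    except ValueError:            # hostname or garbage in the peer field
        peer_is_balancer = False
    if not peer_is_balancer:
        return peer, "direct"                  # no trusted proxy in the path
    if not xff:
        return peer, "balancer-without-xff"    # the evidence gap the post describes
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        return str(ipaddress.ip_address(hops[-1])), "forwarded"
    except (ValueError, IndexError):
        return peer, "malformed-xff"


def parse_line(line: str):
    """Parse one access-log line and attach the effective client IP, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["client_ip"], entry["ip_source"] = real_client_ip(entry["peer"], entry["xff"])
    return entry


def audit(lines):
    """Summarise how much client attribution the log actually preserves."""
    parsed = [parse_line(l) for l in lines]
    entries = [e for e in parsed if e is not None]
    misattributed = 0
    for e in entries:
        try:
            misattributed += ipaddress.ip_address(e["client_ip"]) in BALANCER_IPS
        except ValueError:
            pass
    return {
        "total": len(entries),
        "unparsed": len(parsed) - len(entries),
        "lost_client_ip": sum(e["ip_source"] == "balancer-without-xff" for e in entries),
        "misattributed": misattributed,   # recorded client IP is a VIP/SNAT address
        "top_clients": Counter(e["client_ip"] for e in entries).most_common(3),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A non-zero `lost_client_ip` or `misattributed` count on a production log means the balancer is not forwarding the client address (or the webserver is not logging it), which is exactly the gap that will hurt during an investigation; run it across the full retention window rather than a single day, since a balancer pool change can introduce the problem mid-stream.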

Any misconfigurations should be addressed urgently. In the event of an attack, no organization can afford to struggle to answer simple questions about activity on the network—especially when this is one part of the crisis that can be 100% avoided.


Our lawyers don’t want to miss out on the fun and would like you to know that all of the posts are the opinions of the individual authors and don’t necessarily reflect the opinions or positions of Stroz Friedberg. The ideas and strategies discussed herein may not be appropriate for any one reader’s situation and are not meant to be construed as advice.

Risk Areas: Cyber

I am: Super-technical, In the C-Suite or a Director

Tags: cyber attack, log data


