For the business analytics example, we knew something about the protections, both technical and process, that were applied to the host and operating system upon which the core of the business analytics system runs in that environment. Consequently, we discounted the ability of an attacker to listen in on the kernel-level communications, most particularly, the “localhost,” intra-kernel network route. Additionally, if an attacker has already gained sufficiently high privileges on the system to control processes and perhaps even to access process memory, “game over.”
In order to prevent an attacker from obscuring an attack or otherwise spoofing or fooling the security monitoring system, the business analytics activity and event log files should only be readable by the security monitoring systems. And the log files' permissions should be set such that only the event-producing modules of the business analytics system may write to their log file. Although it is true that a superuser on most operating systems can read and write any file, this arrangement forces attackers to gain those high privileges before they can alter the log files that feed into the security monitoring system.