This document discusses log management and security information and event management (SIEM). It defines what logs are and why they are important for tasks like intrusion detection, incident containment, and forensic analysis. It outlines the challenges of managing logs from different sources and formats. It provides best practices for developing logging policies, normalizing log data, and centralizing, securing, and reviewing logs. It also discusses log retention, log rotation, and tools like SIEM that provide real-time analysis and correlation of security events and alerts.
2. Agenda
• What are logs
• Why do we need logs
• Problems & Challenges
• Best Practices
• SIEM
3. What are Logs
• Historical Record of events that happened.
• Records events and status of systems in a time sequential format.
• Record of activity on the system/network.
• Provide an audit trail of who did what, where, when and why (5Ws)
4. Why are Logs Important?
Logs can assist us in
• Determining what happened - Audit Trail
• Intrusion Detection
• Incident Containment
• Forensic Analysis
• Proactive Protection
• Real-Time Alerts
• Providing a Network Baseline
• Determining the Health of the Network
• Troubleshooting issues
• Proactive maintenance
5. Where to find Logs
• Logs are everywhere
• Operating Systems
• Applications
• Devices
• Routers
• Firewalls
• IDS
• Switches
7. The Challenges
• Different vendors, different log formats.
• Regulatory Requirements.
• Logs were written by developers
• Format is not easy to read
• Messages can be obscure
• Logs contain an enormous amount of information.
• Identifying anomalies can be difficult
• Logs can be overwhelming
• Amount
• format
8. Best Practices
• Develop a logging policy
• Determine what information is relevant to you.
• What devices are important?
• What events are important?
• Don’t forget to turn on logging!
• Timing of events, e.g. user logons in the morning.
• What reports do you and the business want/need?
• Group servers into zones based on their function or criticality and prioritize events accordingly.
9. Best Practices
• Baseline your systems & network.
• Determine how your network normally behaves.
• Repeat at regular intervals
• Secure log files on all devices.
• Encrypt logs if possible
• Ensure all devices use same time source.
• If using more than one time zone use UTC.
• Use NTP protocol from a secure source to synchronize time
10. Best Practices
• Centralize log collection
• Dedicated server to collect all logs.
• Be careful of network traffic volumes.
• Be aware of limitations of server to process number of events.
• Configure all devices to send logs to the central log server.
• Make sure central server is secure.
• Secure transmission of logs.
• e.g. Syslog uses UDP by default. Consider using IPSec or next generation Syslog (Syslog-NG)
11. Best Practices
• Normalize the data
• All events, such as Windows, Syslog, SNMP etc., should be normalized into the same format.
• Review the Logs
• Ensure logs are regularly reviewed
• Manually
• Automatically
• Scripts
• Commercial Tools
• Freeware Tools
12. Best Practices
• Log Retention
• Based on disk space.
• May be regulatory requirements.
• Archive onto WORM type devices and store in a secure area.
• Log Rotation
• Determine time schedule
• Based on volume of data
• Develop meaningful naming convention.
• Move data to rotated file
13. SIEM
• Set of Tools, Applications and Correlation searches.
• Built on top of Log Management Solution.
• real-time analysis of security alerts, events and logs
• continuous monitoring of all ongoing events
• Alerts once incident is found
• Helps in showing security posture
• Facilitates discovery of security problems and breaches
• Investigations
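As an added illustration of the normalization step (slide 11) feeding a SIEM correlation search (slide 13), and not code from the original slides, the following Python example maps two different formats, BSD-syslog lines from OpenSSH and Windows logon events, into one schema and then runs a simple rule over the combined set. All log lines and events are constructed samples, the field names `TimeCreated`, `Computer`, `TargetUserName` and `IpAddress` follow the Windows Security log, and the threshold of three failures is an arbitrary assumption.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample input: two sources, two formats (not real log data).
SYSLOG_LINES = [
    "Mar 10 08:01:12 gw01 sshd[2201]: Failed password for root from 203.0.113.7 port 51422 ssh2",
    "Mar 10 08:01:15 gw01 sshd[2201]: Failed password for root from 203.0.113.7 port 51430 ssh2",
    "Mar 10 08:01:19 gw01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51437 ssh2",
    "Mar 10 08:02:01 gw01 sshd[2210]: Accepted publickey for ops from 192.0.2.9 port 40010 ssh2",
]
WINDOWS_EVENTS = [  # constructed; field names modelled on Security log events 4625/4624
    {"TimeCreated": "2024-03-10T08:01:40Z", "Computer": "dc01", "EventID": 4625,
     "TargetUserName": "jsmith", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-03-10T08:03:00Z", "Computer": "dc01", "EventID": 4624,
     "TargetUserName": "jsmith", "IpAddress": "198.51.100.4"},
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)\[\d+\]: (?P<status>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>\S+)"
)

def normalize_syslog(line, year=2024):
    """Map an OpenSSH auth line (BSD syslog has no year, so one is assumed) into the common schema."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unrecognised lines are dropped rather than guessed at
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "source": "syslog",
            "outcome": "failure" if m["status"] == "Failed" else "success",
            "user": m["user"], "src_ip": m["src"]}

def normalize_windows(ev):
    """Map a Windows logon event (4625 = failure, 4624 = success) into the same schema."""
    return {"ts": datetime.fromisoformat(ev["TimeCreated"].replace("Z", "+00:00")),
            "host": ev["Computer"], "source": "windows",
            "outcome": "failure" if ev["EventID"] == 4625 else "success",
            "user": ev["TargetUserName"], "src_ip": ev["IpAddress"]}

def correlate_failures(events, threshold=3):
    """SIEM-style rule: alert on source IPs with >= threshold failed logons across all hosts."""
    counts = Counter(e["src_ip"] for e in events if e["outcome"] == "failure")
    return {ip: n for ip, n in counts.items() if n >= threshold}

def run():
    events = [e for e in map(normalize_syslog, SYSLOG_LINES) if e] + \
             [normalize_windows(ev) for ev in WINDOWS_EVENTS]
    events.sort(key=lambda e: e["ts"])  # one time source (UTC) makes cross-host ordering meaningful
    return events, correlate_failures(events)
```

The rule only fires because the Windows failure and the syslog failures share one timeline and one `src_ip` field; neither source on its own reaches the threshold.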