
Log management presentation


Introduction to Computer Security Log Management

The Basics of Computer Security Logs

Security Software

Operating System

Applications

Usefulness of Logs

The Need for Log Management

The Challenges in Log Management

Log Generation & Storage

Log Protection

Log Analysis

Meeting the Challenges

Log Management

A log is a record of events that occur

Logs are composed of log entries

Each entry contains information related to a specific event that has occurred

Logs have been used primarily for troubleshooting problems

Log management

The process for generating, transmitting, storing, analyzing, and disposing of computer security log data

Security Software

Antimalware software

Intrusion detection systems & Intrusion prevention systems

Remote Access Software

Web Proxies

Vulnerability Management Software

Authentication Servers

Routers

Firewalls

Network Quarantine Servers

Cont..

Antivirus Logs

DNS Logs

Firewall Logs

Firewall Logs

Types of items that should be examined in a firewall log include:

IP addresses that are being rejected and dropped

Probes to ports that have no application services running on them

Source-routed packets

Packets from outside with false internal source addresses

Suspicious outbound connections

Unsuccessful logins
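As an added example (not part of the original slides), the script below runs the checks in the list above over a handful of constructed netfilter-style firewall log lines: sources that are being rejected or dropped, probes against ports with no listening service, source-routed packets (IP option types 0x83 LSRR and 0x89 SSRR), packets arriving on the external interface with an internal source address, and accepted outbound connections to ports on a watchlist. The interface name, internal range, listening ports and watchlist are assumptions for the example; the line layout follows the iptables LOG target, with the ACTION word standing in for whatever --log-prefix the rules set. Unsuccessful logins are not in a firewall log and are left to the authentication-log analysis later in the deck.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed netfilter-style LOG lines, not taken from the slides.  Field layout
# (ACTION IN= OUT= SRC= DST= PROTO= SPT= DPT= ... OPT (hex)) follows the iptables
# LOG target; ACTION is the --log-prefix text of the rule that matched.
FIREWALL_LOG = """\
Mar 10 12:00:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40001 DPT=23 SYN
Mar 10 12:00:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40002 DPT=3389 SYN
Mar 10 12:00:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=40003 DPT=445 SYN
Mar 10 12:00:04 fw kernel: DROP IN=eth0 OUT= SRC=10.0.0.44 DST=198.51.100.7 PROTO=TCP SPT=5555 DPT=80 SYN
Mar 10 12:00:05 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=192.0.2.99 PROTO=TCP SPT=51000 DPT=6667 SYN
Mar 10 12:00:06 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.0.12 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=443 SYN
Mar 10 12:00:07 fw kernel: REJECT IN=eth0 OUT= SRC=198.18.0.9 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=161 OPT (8307040A000001)
"""

EXTERNAL_IF = "eth0"                                   # assumed: Internet-facing interface
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed: addresses that belong inside
LISTENING_PORTS = {80, 443}                            # assumed: services the DST host really runs
OUTBOUND_WATCHLIST = {6667, 4444}                      # assumed: ports clients should never reach
PROBE_THRESHOLD = 3                                    # distinct closed ports from one source

LINE_RE = re.compile(
    r"(?P<action>DROP|REJECT|ACCEPT) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
    r"(?:.*OPT \((?P<opt>[0-9A-Fa-f]+)\))?"
)
# IP option type codes for Loose (0x83) and Strict (0x89) Source and Record Route.
SOURCE_ROUTE_OPTS = ("83", "89")


def parse(line):
    """Return the fields of one firewall log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["dpt"] = int(f["dpt"]) if f["dpt"] else None
    return f


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def triage(lines):
    """Apply the firewall-log checks from the slide to a batch of lines."""
    rejected = Counter()
    closed_ports_hit = defaultdict(set)
    findings = {"spoofed_internal": [], "source_routed": [], "suspicious_outbound": []}
    for line in lines:
        f = parse(line)
        if not f:
            continue
        inbound = f["in"] == EXTERNAL_IF
        if f["action"] in ("DROP", "REJECT"):
            rejected[f["src"]] += 1
            # Probe: an inbound attempt at a port where nothing is listening.
            if inbound and f["dpt"] is not None and f["dpt"] not in LISTENING_PORTS:
                closed_ports_hit[f["src"]].add(f["dpt"])
        # A packet arriving on the outside interface must not claim an inside source.
        if inbound and is_internal(f["src"]):
            findings["spoofed_internal"].append(f["src"])
        # Source-routed packet: the IP options begin with an LSRR or SSRR option.
        if f["opt"] and f["opt"].upper().startswith(SOURCE_ROUTE_OPTS):
            findings["source_routed"].append(f["src"])
        # Allowed outbound connection to a destination port on the watchlist.
        if f["action"] == "ACCEPT" and f["out"] == EXTERNAL_IF and f["dpt"] in OUTBOUND_WATCHLIST:
            findings["suspicious_outbound"].append((f["src"], f["dst"], f["dpt"]))
    findings["rejected_sources"] = rejected
    findings["port_probes"] = sorted(
        src for src, ports in closed_ports_hit.items() if len(ports) >= PROBE_THRESHOLD
    )
    return findings


FINDINGS = triage(FIREWALL_LOG.splitlines())

if __name__ == "__main__":
    for key, value in FINDINGS.items():
        print(f"{key}: {value}")
```

The probe rule keys on distinct closed ports per source rather than on raw drop counts, so a single misconfigured client retrying one port does not look like a scan while a host walking 23, 3389 and 445 does.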

Operating Systems

Most common types of security-related OS data:

System Events

Significant actions performed by the operating system

Shutting down the system

Starting a service

Audit Records

Account activity, such as escalating privileges

Operational information, such as application startup and shutdown

Operating System Logs

Windows 7 Event Logs

Applications

Applications vary significantly in the types of information that they log

Most commonly logged types of information:

Client requests and server responses

Account information

Usage information

Significant operational actions

Web Server Log Entry Example
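As an added example (the slide itself shows a screenshot; this code is not from the original), the parser below reads constructed entries in the Apache/NGINX "combined" log format and pulls out the three kinds of information listed above: the client request and server response, the authenticated account, and usage counts by status class. It also shows the detail a practitioner cares about: the "-" placeholders have to be handled, and the request path must be percent-decoded before it is inspected, because "..%2f" is "../" to the server but not to a naive substring check. The log lines and the example.com referer are constructed.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote

# Constructed entries in the Apache/NGINX "combined" format (not the slide's own screenshot).
WEB_LOG = """\
192.0.2.10 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - alice [10/Mar/2024:12:00:05 +0000] "POST /login HTTP/1.1" 302 - "https://www.example.com/login" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:09 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.0" 404 312 "-" "curl/8.4.0"
203.0.113.7 - - [10/Mar/2024:12:00:10 +0000] "GET /admin HTTP/1.1" 401 0 "-" "curl/8.4.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<protocol>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_entry(line):
    """Split one combined-format line into typed fields; '-' placeholders become None or 0."""
    m = COMBINED_RE.match(line)
    if m is None:
        raise ValueError(f"not a combined-format entry: {line!r}")
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["size"] = 0 if e["size"] == "-" else int(e["size"])      # "-" means no body was sent
    e["user"] = None if e["user"] == "-" else e["user"]         # account information
    e["referer"] = None if e["referer"] == "-" else e["referer"]
    # Percent-decode before inspecting the path: "..%2f" is "../" once the server decodes it.
    e["decoded_path"] = unquote(e["path"])
    return e


def review(entries):
    """Summarise requests/responses, account activity and suspicious paths."""
    report = {"status_classes": Counter(), "users": set(), "auth_failures": [], "traversal": []}
    for e in entries:
        report["status_classes"][f"{e['status'] // 100}xx"] += 1   # usage information
        if e["user"]:
            report["users"].add(e["user"])
        if e["status"] in (401, 403):
            report["auth_failures"].append((e["client"], e["decoded_path"], e["status"]))
        if "../" in e["decoded_path"] or "..\\" in e["decoded_path"]:
            report["traversal"].append((e["client"], e["path"]))   # keep the raw path as evidence
    return report


ENTRIES = [parse_entry(line) for line in WEB_LOG.splitlines()]
REPORT = review(ENTRIES)

if __name__ == "__main__":
    for e in ENTRIES:
        print(e["time"].isoformat(), e["client"], e["user"], e["method"], e["decoded_path"], e["status"])
    print(REPORT)
```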

Usefulness of Logs

Some logs are helpful in a variety of situations, such as detecting attacks, fraud, and inappropriate usage

Other logs typically contain less detailed information, and are often only helpful for correlating events recorded in the primary log types

The Need for Log Management

Routine review and analysis of logs helps identify:

Security incidents

Policy violations

Fraudulent activity

Operational problems

Logs can also help resolve problems

Cont..

Logs also help:

Perform auditing analysis

The organization’s internal investigations

Identify operational trends and long-term problems

Demonstrate compliance with laws and regulatory requirements

Challenges in Log Management

The most common types of challenges, divided into three groups:

Log Generation and Storage

Many Log Sources

Inconsistent Log Content

Inconsistent Timestamps

Inconsistent Log Formats
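Inconsistent timestamps are the challenge that most often breaks correlation, so here is an added example (not from the original slides) of the normalisation step a collector has to perform. Three constructed lines record one sequence of events as three sources would stamp it: a syslog host that writes local time with no year and no zone, an Apache access log with a numeric offset, and an application log in ISO 8601. The year and local zone attributed to the syslog host are assumptions; in practice they come from the source's configuration. Sorting the raw text would put the syslog line last, while converting everything to aware UTC puts it first, where it belongs.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed samples (not from the slides): three sources, three timestamp conventions.
# The syslog source writes local time with no year and no zone; both are assumed below.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=-5))   # assumed local zone of the syslog host

SAMPLES = [
    ("fw_syslog", "Mar 10 07:00:00 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7"),
    ("web_apache", '198.51.100.7 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512'),
    ("app_iso8601", "2024-03-10T13:00:02+01:00 INFO login ok user=alice"),
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
APACHE_RE = re.compile(r"\[(?P<ts>\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
ISO_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2}))")


def to_utc(source, line):
    """Parse the timestamp of one line in its source's own format and return it as aware UTC."""
    if source == "fw_syslog":
        m = SYSLOG_RE.match(line)
        # Prepend the year before parsing: strptime without a year defaults to 1900, which
        # rejects Feb 29, and the result still has no zone until we attach the host's.
        local = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        local = local.replace(tzinfo=SYSLOG_TZ)
    elif source == "web_apache":
        m = APACHE_RE.search(line)
        local = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")   # offset is in the line
    elif source == "app_iso8601":
        m = ISO_RE.match(line)
        local = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))  # "Z" for older Pythons
    else:
        raise ValueError(f"unknown source {source!r}")
    return local.astimezone(timezone.utc)


def normalize(samples):
    """Return (source, utc_timestamp, line) tuples in true chronological order."""
    rows = [(src, to_utc(src, line), line) for src, line in samples]
    return sorted(rows, key=lambda row: row[1])


NORMALIZED = normalize(SAMPLES)

if __name__ == "__main__":
    for src, ts, _ in NORMALIZED:
        print(ts.isoformat(), src)
```

Once every record carries an aware UTC timestamp, the remaining skew is clock drift between hosts, which no parser can fix; that is why time synchronisation (NTP) is part of the log management infrastructure rather than of log analysis.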

Log Protection

Because logs contain records of system and network security, they need to be protected from breaches of their confidentiality and integrity

Organizations also need to protect the availability of their logs

Organizations might need to keep copies of log files for a longer period of time than the original log sources can support

This necessitates establishing log archival processes
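Integrity protection is the part of this slide that has a concrete mechanism behind it, so here is an added example (not from the original slides) of one common approach: the collector wraps each entry in a record whose HMAC covers the entry, its sequence number and the previous record's tag, so that editing, inserting, deleting or reordering any record breaks the chain. The key, the sample sshd and sudo entries, and the record layout are constructed for the example. The example also shows the caveat a hash chain alone has: a chain that is simply cut short still verifies, so the latest tag has to be kept somewhere the log source cannot reach and checked against the archive.

```python
import copy
import hashlib
import hmac
import json

# Constructed entries (not from the slides).  KEY stands in for a secret held only by the
# central collector; a compromised host that never saw it cannot re-seal its own history.
KEY = b"collector-secret-key-assumed"
ENTRIES = [
    "2024-03-10T12:00:01Z sshd[1203]: Failed password for root from 203.0.113.7 port 50322 ssh2",
    "2024-03-10T12:00:02Z sshd[1203]: Failed password for root from 203.0.113.7 port 50323 ssh2",
    "2024-03-10T12:00:03Z sshd[1203]: Accepted publickey for alice from 10.0.0.12 port 51002 ssh2",
    "2024-03-10T12:00:04Z sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/systemctl restart sshd",
]
GENESIS = b"\x00" * 32   # chain anchor for the first record


def _body(seq, entry, prev_hex):
    # Canonical serialization: exactly these fields, in a fixed order, are what gets tagged.
    return json.dumps({"seq": seq, "entry": entry, "prev": prev_hex}, sort_keys=True).encode()


def seal(entries, key=KEY):
    """Wrap each entry in a record whose HMAC covers the entry and the previous record's tag."""
    prev = GENESIS
    sealed = []
    for seq, entry in enumerate(entries):
        tag = hmac.new(key, _body(seq, entry, prev.hex()), hashlib.sha256).digest()
        sealed.append({"seq": seq, "entry": entry, "prev": prev.hex(), "tag": tag.hex()})
        prev = tag
    return sealed


def verify(sealed, key=KEY, expected_last_tag=None):
    """Return (True, None) if the chain is intact, else (False, index of the first bad record).

    Modification, insertion, deletion and reordering all break the chain.  Truncation does
    not: a chain that stops early still verifies, so the collector must also record the
    latest tag out of the source's reach and pass it here as expected_last_tag.
    """
    prev = GENESIS
    for i, rec in enumerate(sealed):
        if rec["seq"] != i or rec["prev"] != prev.hex():
            return False, i
        tag = hmac.new(key, _body(rec["seq"], rec["entry"], rec["prev"]), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, bytes.fromhex(rec["tag"])):
            return False, i
        prev = tag
    if expected_last_tag is not None and prev.hex() != expected_last_tag:
        return False, len(sealed)
    return True, None


def tamper_demo():
    """Seal the sample entries, then show which manipulations verify() catches."""
    sealed = seal(ENTRIES)
    edited = copy.deepcopy(sealed)
    edited[0]["entry"] = edited[0]["entry"].replace("Failed", "Accepted")   # rewrite history
    deleted = sealed[:2] + sealed[3:]                                         # drop one record
    truncated = sealed[:-1]                                                   # cut off the tail
    return {
        "intact": verify(sealed),
        "edited": verify(edited),
        "deleted": verify(deleted),
        "truncated_without_anchor": verify(truncated),
        "truncated_with_anchor": verify(truncated, expected_last_tag=sealed[-1]["tag"]),
    }


DEMO = tamper_demo()

if __name__ == "__main__":
    for case, result in DEMO.items():
        print(f"{case}: {result}")
```

Confidentiality is handled separately (transport encryption to the collector and access control on the archive); the chain only tells you whether what you are reading is what was written.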

Log Analysis

Log analysis is the study of log entries to identify events of interest

Tools that automate much of the analysis process should be used, such as scripts and security software tools (e.g., host-based intrusion detection products, security information and event management software)

Log analysis should be treated as proactive rather than reactive
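The slide calls for scripts that automate analysis and treat it proactively; as an added example (not part of the original slides), the script below applies two rules to constructed sshd authentication lines. The first fires when one source accumulates five failed logins inside a sixty-second sliding window; the second fires when a successful login arrives from a source that triggered the first rule within the previous ten minutes, which is the event worth paging on. The log lines, thresholds and windows are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines (not from the slides): one noisy source that eventually gets in,
# and one ordinary user who mistypes a password twice, ten minutes apart.
AUTH_LOG = """\
2024-03-10T12:00:01Z sshd[1203]: Failed password for root from 203.0.113.7 port 50322 ssh2
2024-03-10T12:00:02Z sshd[1203]: Failed password for admin from 203.0.113.7 port 50323 ssh2
2024-03-10T12:00:03Z sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50324 ssh2
2024-03-10T12:00:04Z sshd[1203]: Failed password for root from 203.0.113.7 port 50325 ssh2
2024-03-10T12:00:05Z sshd[1203]: Failed password for root from 203.0.113.7 port 50326 ssh2
2024-03-10T12:00:09Z sshd[1203]: Accepted password for root from 203.0.113.7 port 50330 ssh2
2024-03-10T12:00:10Z sshd[1203]: Failed password for bob from 10.0.0.55 port 40000 ssh2
2024-03-10T12:10:10Z sshd[1203]: Failed password for bob from 10.0.0.55 port 40001 ssh2
2024-03-10T12:10:12Z sshd[1203]: Accepted publickey for bob from 10.0.0.55 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FAIL_THRESHOLD = 5                        # failures from one source ...
FAIL_WINDOW = timedelta(seconds=60)       # ... within this sliding window
FOLLOWUP_WINDOW = timedelta(minutes=10)   # a success this soon after a burst is the real alarm


def parse_auth(line):
    """Return the fields of one sshd authentication line, or None for other sshd messages."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return e


def analyze(lines):
    """Run both rules over the lines and return the alerts they raise, in order."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    last_burst = {}                 # src -> time the brute-force rule last fired
    alerts = []
    for line in lines:
        e = parse_auth(line)
        if e is None:
            continue
        src, ts = e["src"], e["ts"]
        if e["result"] == "Failed":
            window = failures[src]
            window.append(ts)
            while window and ts - window[0] > FAIL_WINDOW:
                window.popleft()            # forget failures that have aged out
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("brute_force", src, ts, len(window)))
                last_burst[src] = ts
                window.clear()              # one alert per burst, not one per extra failure
        else:
            burst = last_burst.get(src)
            if burst is not None and ts - burst <= FOLLOWUP_WINDOW:
                alerts.append(("success_after_brute_force", src, ts, e["user"]))
    return alerts


ALERTS = analyze(AUTH_LOG.splitlines())

if __name__ == "__main__":
    for alert in ALERTS:
        print(alert)
```

The second rule is what makes the analysis proactive in the sense the slide means: a burst of failures is background noise on any Internet-facing host, but a success from the same source immediately afterwards is an incident to investigate before the attacker moves on.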

Meeting the Challenges

A few key practices an organization can follow to avoid, and even solve, many of the obstacles it confronts:

Prioritize log management appropriately throughout the organization

Establish policies and procedures for log management

Create and maintain a secure log management infrastructure

Provide adequate support for all staff with log management responsibilities.

Summary

Many logs within an organization contain records related to computer security events occurring within systems and networks.

The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management

The fundamental problem with log management is balancing a limited amount of log management resources with a continuous supply of log data

Log management also involves protecting logs from breaches of their confidentiality and integrity, as well as supporting their availability