
Introduction to Computer Security Log Management

The Basics of Computer Security Logs
  Security Software
  Operating Systems
  Applications
Usefulness of Logs
The Need for Log Management
The Challenges in Log Management
  Log Generation and Storage
  Log Protection
  Log Analysis
Meeting the Challenges

Log Management
A log is a record of the events that occur within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred.
Logs have traditionally been used primarily for troubleshooting problems, but they also record security-relevant events.
Log management is the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

Security Software
Antimalware software
Intrusion detection systems and intrusion prevention systems
Remote access software
Web proxies
Vulnerability management software
Authentication servers
Routers
Firewalls
Network quarantine servers

Antivirus Logs

DNS Logs

Firewall Logs
Types of items that should be examined in a firewall log include:
  IP addresses that are being rejected and dropped
  Probes to ports that have no application services running on them
  Source-routed packets
  Packets arriving from outside with false (spoofed) internal source addresses
  Suspicious outbound connections
  Unsuccessful logins
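As an added example (not part of the original slides), the following Python script runs the checklist above over constructed iptables-style firewall log lines: it counts dropped and rejected packets per source address, flags external sources that hit several ports with no listening service, flags packets that arrive on the external interface carrying an internal source address, and flags accepted outbound connections to destination ports that should not be in use. The interface name eth0, the internal range 192.0.2.0/24, the set of served ports and the set of suspicious outbound ports are assumptions for the example. Source-routed packets are not shown because a plain iptables log line does not record IP options.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumptions for this example (not from the slides): the external
# interface is eth0, 192.0.2.0/24 is the only internal range, only these
# inbound ports have a listening service, and outbound connections to
# these destination ports are considered suspicious.
EXTERNAL_IFACE = "eth0"
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SERVED_PORTS = {22, 80, 443}
SUSPICIOUS_OUTBOUND_PORTS = {4444, 6667}
PROBE_THRESHOLD = 3  # distinct unserved ports from one source before it counts as a probe

# Constructed iptables-style log lines for the example.
SAMPLE_FIREWALL_LOG = """\
Mar  3 10:01:12 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4455 DPT=23
Mar  3 10:01:13 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4456 DPT=3389
Mar  3 10:01:14 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4457 DPT=5900
Mar  3 10:02:00 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP SPT=80 DPT=443
Mar  3 10:03:30 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.55 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=4444
Mar  3 10:04:00 fw kernel: ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.55 DST=198.51.100.9 PROTO=TCP SPT=51001 DPT=443
"""

LINE_RE = re.compile(r"kernel: (?P<action>[A-Z]+) (?P<fields>.+)$")


def parse_line(line):
    """Return the action plus the KEY=VALUE fields of one log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = {"action": m.group("action")}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        rec[key] = value
    return rec


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def triage(log_text):
    """Apply the firewall-log checklist to every line and collect the findings."""
    dropped = Counter()        # rejected/dropped packets per source address
    probed = defaultdict(set)  # unserved destination ports hit per external source
    spoofed = []               # internal source address seen on the external interface
    outbound = []              # accepted outbound connections to suspicious ports
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = ipaddress.ip_address(rec["SRC"])
        dport = int(rec.get("DPT", 0))
        from_outside = rec.get("IN") == EXTERNAL_IFACE
        if from_outside and is_internal(src):
            spoofed.append(rec["SRC"])
        if rec["action"] in ("DROP", "REJECT"):
            dropped[rec["SRC"]] += 1
            if from_outside and dport not in SERVED_PORTS:
                probed[rec["SRC"]].add(dport)
        if (rec["action"] == "ACCEPT" and rec.get("OUT") == EXTERNAL_IFACE
                and dport in SUSPICIOUS_OUTBOUND_PORTS):
            outbound.append((rec["SRC"], rec["DST"], dport))
    return {
        "dropped_sources": dropped,
        "closed_port_probes": sorted(s for s, ports in probed.items()
                                     if len(ports) >= PROBE_THRESHOLD),
        "spoofed_internal_source": spoofed,
        "suspicious_outbound": outbound,
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_FIREWALL_LOG).items():
        print(f"{name}: {value}")
```

On the sample, 203.0.113.7 is reported both as a dropped source and as a closed-port probe (three distinct unserved ports), 192.0.2.44 is reported as a spoofed internal source, and the internal host 192.0.2.55 is reported for its accepted connection to port 4444. The thresholds and port sets are the tuning knobs a real deployment would set from its own firewall policy.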

Operating Systems
The most common types of security-related OS data are system events and audit records.
System Events
  Significant operational actions performed by the operating system, such as shutting down the system or starting a service
  Operational information, such as application startup and shutdown
Audit Records
  Security event information, such as account activity (for example, escalating privileges)

Operating System Logs

Windows 7 Event Logs

Applications
Applications vary significantly in the types of information that they log. The most commonly logged types of information are:
  Client requests and server responses
  Account information
  Usage information
  Significant operational actions

Web Server Log Entry Example
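The slide's own example entry did not survive extraction. As an added example (not from the original slides), the following Python script parses constructed Apache/NGINX "combined" log entries, which record exactly the client request and server response pairs listed above, and pulls out account information (the authenticated user) and usage information (bytes served, failed logins per client, and a client that logged in successfully after repeated failures). The client addresses, user names, paths and the three-failure threshold are assumptions for the example.

```python
import re
from collections import Counter

# Constructed combined-log-format entries for the example; the clients,
# users and paths are made up.
SAMPLE_WEB_LOG = """\
203.0.113.7 - - [03/Mar/2024:10:01:12 -0500] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - - [03/Mar/2024:10:01:13 -0500] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - - [03/Mar/2024:10:01:14 -0500] "POST /login HTTP/1.1" 401 512 "-" "curl/8.4.0"
203.0.113.7 - alice [03/Mar/2024:10:01:15 -0500] "POST /login HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.20 - bob [03/Mar/2024:10:05:00 -0500] "GET /reports/q1.pdf HTTP/1.1" 200 48213 "https://intranet.example/" "Mozilla/5.0"
"""

# One combined-log-format entry: client, identd, user, time, request line,
# status, size, plus the optional referer and user-agent fields.
CLF_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)


def parse_entry(line):
    """Split one entry into its fields; returns None for lines that do not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["user"] = None if rec["user"] == "-" else rec["user"]
    return rec


def summarize(log_text, login_path="/login", failure_threshold=3):
    """Derive account and usage information from request/response records."""
    failed_logins = Counter()          # 401 responses to the login endpoint, per client
    bytes_by_user = Counter()          # response bytes served per authenticated user
    succeeded_after_failures = []      # (client, user) that logged in after >= threshold failures
    for line in log_text.splitlines():
        rec = parse_entry(line)
        if rec is None:
            continue
        if rec["user"]:
            bytes_by_user[rec["user"]] += rec["size"]
        if rec["path"] == login_path and rec["method"] == "POST":
            if rec["status"] == 401:
                failed_logins[rec["client"]] += 1
            elif rec["status"] in (200, 302) and failed_logins[rec["client"]] >= failure_threshold:
                succeeded_after_failures.append((rec["client"], rec["user"]))
    return {
        "failed_logins": failed_logins,
        "bytes_by_user": bytes_by_user,
        "succeeded_after_failures": succeeded_after_failures,
    }


if __name__ == "__main__":
    for name, value in summarize(SAMPLE_WEB_LOG).items():
        print(f"{name}: {value}")
```

The parser keeps the raw timestamp string; turning it into a comparable instant is the job of the timestamp normalization that log management has to do across sources, not of the per-format parser.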

Usefulness of Logs
Some logs are helpful in many situations, such as detecting attacks, fraud, and inappropriate usage.

Other logs typically contain less detailed information and are often only helpful for correlating events recorded in the primary log types.

The Need for Log Management


Routine review and analysis of logs helps identify:
  Security incidents
  Policy violations
  Fraudulent activity
  Operational problems

Logs can also help resolve problems.

Logs also help:
  Perform auditing analysis
  Support the organization's internal investigations
  Identify operational trends and long-term problems
  Demonstrate compliance with laws and regulatory requirements

Challenges in Log Management


The most common types of challenges, divided into three groups: log generation and storage, log protection, and log analysis.
Log Generation and Storage
  Many log sources
  Inconsistent log content
  Inconsistent timestamps
  Inconsistent log formats
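As an added example (not from the original slides) of the inconsistent-timestamp and inconsistent-format problems, the following Python function takes one constructed timestamp from each of five common source formats (syslog without year or zone, Apache access log with a numeric offset, ISO 8601 in UTC, a naive ISO-style string, and Unix epoch seconds) and normalizes all of them to a timezone-aware UTC instant. The assumed local zone (UTC-5) and assumed year (2024) for sources that omit them are example settings; a real collector would take them from the configuration of each source.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumptions for the example: sources that omit a zone write local time
# in UTC-5, and syslog lines (which omit the year) are from 2024.
LOCAL_TZ = timezone(timedelta(hours=-5))
DEFAULT_YEAR = 2024

# Constructed timestamps, one per source format, all meant to name the
# same instant (2024-03-03 15:01:12 UTC).
SAMPLE_TIMESTAMPS = [
    "Mar  3 10:01:12",                 # syslog: no year, no zone
    "[03/Mar/2024:10:01:12 -0500]",    # Apache/NGINX access log
    "2024-03-03T15:01:12Z",            # ISO 8601 in UTC (JSON/application logs)
    "2024-03-03 10:01:12",             # naive ISO style (database or Windows exports)
    "1709478072",                      # Unix epoch seconds
]

SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})$")
APACHE_RE = re.compile(r"^\[?(\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]?$")


def normalize(ts, default_year=DEFAULT_YEAR, default_tz=LOCAL_TZ):
    """Parse a timestamp in any of the formats above and return it as aware UTC."""
    ts = ts.strip()
    if ts.isdigit():                                   # epoch seconds are already UTC
        return datetime.fromtimestamp(int(ts), tz=timezone.utc)
    m = SYSLOG_RE.match(ts)
    if m:                                              # syslog: supply year and zone
        naive = datetime.strptime(
            f"{default_year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S")
        return naive.replace(tzinfo=default_tz).astimezone(timezone.utc)
    m = APACHE_RE.match(ts)
    if m:                                              # Apache: zone offset is in the field
        return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    try:                                               # ISO 8601, with or without a zone
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        raise ValueError(f"unrecognised timestamp format: {ts!r}") from None
    if parsed.tzinfo is None:                          # naive: apply the source's assumed zone
        parsed = parsed.replace(tzinfo=default_tz)
    return parsed.astimezone(timezone.utc)


def all_same_instant(timestamps):
    """True when every timestamp in the list normalizes to one UTC instant."""
    return len({normalize(t) for t in timestamps}) == 1


if __name__ == "__main__":
    for t in SAMPLE_TIMESTAMPS:
        print(f"{t!r:34} -> {normalize(t).isoformat()}")
```

Two caveats a collector has to handle that this function leaves to its caller: a syslog line logged in late December but received in early January needs the previous year, and a source whose clock is not synchronized (NTP) cannot be fixed by any parser, which is why clock synchronization is part of the log generation side of the problem.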

Cont..
Log Protection logs contain records of system and network security
need to be protected from breaches of their

confidentiality and integrity

Organizations also need to protect the availability of their logs organizations might need to keep copies of log files for a longer period of time than the original log sources can support

necessitates establishing log archival processes
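One way to make stored logs tamper-evident, as an added example that is not from the original slides: each entry carries an HMAC over its sequence number, the previous entry's tag and its message, so modifying, reordering or deleting an entry breaks the chain at that point. The key, the sample messages and the idea of anchoring the latest tag somewhere the log source cannot write are assumptions for the example. The key must live only on the central log server or in an HSM/KMS: if the log source itself holds it, an attacker who compromises the source can simply rebuild the chain.

```python
import hashlib
import hmac
import json

# Assumptions for the example: the central log server holds this key, the
# log source never sees it, and the tag of the newest entry is periodically
# copied somewhere the source cannot write so that truncation is detectable.
COLLECTOR_KEY = b"example-only-key-keep-the-real-one-in-an-hsm-or-kms"
GENESIS = "0" * 64

# Constructed log messages for the example.
SAMPLE_MESSAGES = [
    "sshd: Accepted publickey for alice from 192.0.2.20",
    "sudo: alice : COMMAND=/bin/systemctl stop auditd",
    "sshd: Accepted password for root from 203.0.113.7",
]


def entry_tag(key, seq, prev_tag, message):
    """HMAC-SHA256 over the canonical JSON of (seq, prev, msg)."""
    payload = json.dumps({"seq": seq, "prev": prev_tag, "msg": message},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain, key, message):
    """Append one entry whose tag binds it to everything before it."""
    seq = len(chain)
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"seq": seq, "prev": prev_tag, "msg": message,
                  "tag": entry_tag(key, seq, prev_tag, message)})
    return chain


def build_chain(messages, key=COLLECTOR_KEY):
    chain = []
    for message in messages:
        append_entry(chain, key, message)
    return chain


def verify_chain(chain, key=COLLECTOR_KEY, expected_tail=None):
    """Return (ok, index): index of the first bad entry, or len(chain) if all are good.

    expected_tail is the last tag recorded out-of-band; without it, silently
    dropping entries from the end of the chain cannot be detected.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        recomputed = entry_tag(key, i, prev_tag, entry["msg"])
        if (entry["seq"] != i or entry["prev"] != prev_tag
                or not hmac.compare_digest(entry["tag"], recomputed)):
            return False, i
        prev_tag = entry["tag"]
    if expected_tail is not None and prev_tag != expected_tail:
        return False, len(chain)   # entries were removed from the end
    return True, len(chain)


if __name__ == "__main__":
    chain = build_chain(SAMPLE_MESSAGES)
    print("intact:", verify_chain(chain))
    chain[1]["msg"] = "sudo: alice : COMMAND=/bin/ls"
    print("after editing entry 1:", verify_chain(chain))
```

This protects integrity, not confidentiality: the messages are stored in the clear, so entries that carry sensitive data still need access control or encryption, and the archival copies the slide mentions need the same chain (or a signed digest of it) so that they can be verified years later.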

Log Analysis
Log analysis is the study of log entries to identify events of interest.

Tools that are effective at automating much of the analysis process should be used, such as scripts and security software tools (e.g., host-based intrusion detection products and security information and event management (SIEM) software).

Log analysis should be treated as proactive rather than reactive.

Meeting the Challenges


A few key practices an organization can follow to avoid, and even solve, many of the obstacles it confronts:
  Prioritize log management appropriately throughout the organization
  Establish policies and procedures for log management
  Create and maintain a secure log management infrastructure
  Provide adequate support for all staff with log management responsibilities

Summary
Many logs within an organization contain records related to computer security events occurring within systems and networks. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management.
The fundamental problem with log management is balancing a limited amount of log management resources with a continuous supply of log data. Log management also involves protecting logs from breaches of their confidentiality and integrity, as well as supporting their availability.
