The Basics of Computer Security Logs
Outline:
- Security Software
- Operating System
- Applications
- Usefulness of Logs
- The Need for Log Management
- The Challenges in Log Management
- Log Generation & Storage
- Log Protection
- Log Analysis
- Meeting the Challenges
Log Management
A log is a record of events that occur. Logs are composed of log entries; each entry contains information related to a specific event that has occurred. Logs have been used primarily for troubleshooting problems.
Log management: the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.
Security Software
- Antimalware software
- Intrusion detection systems & intrusion prevention systems
- Remote access software
- Web proxies
- Vulnerability management software
- Authentication servers
- Routers
- Firewalls
- Network quarantine servers
Antivirus Logs
DNS Logs
Firewall Logs
Types of items that should be examined in a firewall log include:
- IP addresses that are being rejected and dropped
- Probes to ports that have no application services running on them
- Source-routed packets
Operating Systems
Most common types of security-related OS data:
System Events
Significant actions performed by the operating system, such as:
- Shutting down the system
- Starting a service
- Account activity, such as escalating privileges
- Operational information, such as application startup and shutdown
Audit Records
Applications
Applications vary significantly in the types of information that they log. Most commonly logged types of information:
- Client requests and server responses
- Account information
- Usage information
Usefulness of Logs
Some logs are helpful in many situations, such as detecting attacks, fraud, and inappropriate usage.
Other logs typically contain less detailed information and are often only helpful for correlating events recorded in the primary log types.
Logs help:
- Perform auditing analysis
- Support the organization's internal investigations
- Identify operational trends and long-term
The Challenges in Log Management
- Inconsistent timestamps
- Inconsistent log formats
Log Protection
Logs contain records of system and network security, so they need to be protected from breaches of their confidentiality and integrity.
Organizations also need to protect the availability of their logs; organizations might need to keep copies of log files for a longer period of time than the original log sources can support.
Log Analysis
Studying log entries to identify events of interest.
An automated process should be used, such as scripts and security software tools (e.g., host-based intrusion detection products, security information and event management software). Log analysis should be treated as proactive rather than reactive.
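The two challenges named above (inconsistent timestamps and inconsistent log formats) and the firewall-log items listed earlier come together in a small analysis script, added here as an example and not part of the original slides: it normalises entries from two differently formatted sources into UTC, then reports rejected source addresses and probes to ports with no service. The device names, log formats and log lines are constructed for this example.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample entries from two hypothetical devices that record the
# same kind of event in different formats and different time zones:
# fw1 writes syslog-style key=value lines in local time (UTC-5),
# fw2 writes CSV with timestamps in UTC ('Z' suffix).
SAMPLE_LOGS = """\
2024-03-01T08:15:02-05:00 fw1 DROP src=203.0.113.7 dst=192.0.2.10 dport=23
2024-03-01T08:15:03-05:00 fw1 DROP src=203.0.113.7 dst=192.0.2.10 dport=3389
2024-03-01T08:15:04-05:00 fw1 ACCEPT src=198.51.100.4 dst=192.0.2.10 dport=443
2024-03-01T13:15:05Z,fw2,DENY,203.0.113.7,192.0.2.11,445
2024-03-01T13:16:00Z,fw2,ALLOW,198.51.100.9,192.0.2.11,443
"""

SYSLOG_RE = re.compile(r"^(\S+) (\S+) (DROP|ACCEPT) src=(\S+) dst=(\S+) dport=(\d+)$")
REJECT_ACTIONS = {"DROP", "DENY"}   # each vendor names the reject action differently


def parse_line(line):
    """Normalise one entry from either format into a common dict with a UTC timestamp."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, action, src, dst, dport = m.groups()
    else:
        ts, host, action, src, dst, dport = line.split(",")
    # Older Pythons do not accept a bare 'Z'; rewrite it as an explicit offset.
    when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
    return {"time": when, "host": host, "action": action,
            "src": src, "dst": dst, "dport": int(dport)}


def analyse(text, listening_ports=frozenset({443})):
    """Return (rejected sources by count, probes to ports with no service), in UTC order.

    listening_ports is the assumed set of ports on which a service is actually running.
    """
    entries = sorted((parse_line(l) for l in text.splitlines() if l.strip()),
                     key=lambda e: e["time"])
    rejected = Counter(e["src"] for e in entries if e["action"] in REJECT_ACTIONS)
    probes = [(e["time"].isoformat(), e["host"], e["src"], e["dport"])
              for e in entries
              if e["action"] in REJECT_ACTIONS and e["dport"] not in listening_ports]
    return rejected, probes


if __name__ == "__main__":
    rejected, probes = analyse(SAMPLE_LOGS)
    print("rejected sources:", dict(rejected))
    for probe in probes:
        print("probe to closed port:", probe)
```

Once both devices are on one timeline, the three rejected connections from the same source appear as a single sequence across fw1 and fw2 rather than as unrelated events.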
Summary
Many logs within an organization contain records related to computer security events occurring within systems and networks. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management.
The fundamental problem with log management is balancing a limited amount of log management resources with a continuous supply of log data. Log management also involves protecting logs from breaches of their confidentiality and integrity, as well as supporting their availability.