Example blog

Best Practices for Managing Security Logs and Logging

Recording the events that occur in an IT environment is at the heart of any security strategy. The best way to ensure that these events are tracked and stored is to implement a comprehensive security log management framework.

Read on to learn more about managing security logs and about the security logging best practices that make for an effective and efficient program.

What are log files?

Log files are detailed textual records of events within an organization’s computer systems. They are generated by a wide variety of devices and applications, including anti-malware software, system utilities, firewalls, intrusion detection and prevention systems (IDS/IPS), servers, workstations and network equipment.

Log files provide a vitally important audit trail and can be used to monitor activity within the IT infrastructure, identify policy violations, identify fraudulent or unusual activity, and highlight security incidents.

Since the logs contain details about what happened and what is happening, security teams can use them to detect and respond to indicators of compromise, investigate and analyze where an attack is coming from, and establish how an attack affected computer resources.

What is log management and why is it important?

Security log management includes the generation, transmission, storage, analysis, and disposal of security log data, ensuring its confidentiality, integrity and availability.

This process is so important that the Center for Internet Security lists log management as one of its critical security controls. This is critical because organizations that fail to collect, store, and analyze system events are vulnerable to attack. This is also why log management is required for compliance and reporting by various laws and standards, such as the Federal Information Security Modernization Act, ISO 27001, HIPAA, the Sarbanes-Oxley Act, the Gramm-Leach-Bliley Act, the National Industrial Security Program Operating Manual and PCI DSS. Logs are also needed to perform general audits, establish baselines, and identify operational trends and longer-term issues.

Security Log Management Issues

Managing security logs is not easy. Even if it logs only the events that cover the most important metrics, a small organization still generates a large amount of log data. Large companies can produce hundreds of gigabytes of logs. Managing this continuous and voluminous supply of data presents its own challenges.

Because logs come from multiple endpoints and from different sources and formats, they require standardization. Transforming information into a uniform format for ease of search, comparison and readability is essential. The systems and media used to share and store logs must be highly secure with tightly controlled access. In addition, they must be able to process large amounts of data without affecting the overall performance of the system.

What events should be recorded?

The security events that an organization captures depend to some extent on specific industry needs and relevant legal requirements. That said, there are several events that still need to be captured and logged to ensure user accountability and help businesses detect, understand, and recover from an attack. These events include the following:

  • authentication successes and failures;
  • successes and failures of access control;
  • session activity, such as files and applications used, especially system utilities;
  • changes to user privileges;
  • process starts or stops;
  • changes to configuration parameters;
  • software installed or removed;
  • attached or detached devices;
  • system or application errors and alerts; and
  • alerts from security controls, such as firewalls, IDSs, and antimalware.

Recording faults, i.e. faults generated by the system and the applications running on it, is also important because the data can be used to find out what is wrong with a system or application and to identify trends that may indicate faulty equipment.

What is a log entry?

The information that should be recorded in a log entry is as follows:

  • date and time
  • user and/or device ID
  • network address and protocol
  • location if possible
  • event or activity

Compromised or inaccurate logs can hamper investigations of suspicious events, undermine their credibility and invalidate disciplinary and legal actions.

One way to ensure reliable logs is to use synchronized system clocks, giving each log entry an accurate time stamp. This involves obtaining a reference time from an external source, combined with a network time protocol, to synchronize the internal clocks. Always record the time of an event in a consistent format, such as Coordinated Universal Time. For added security, add a checksum.
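The entry fields, UTC time stamp and checksum described above, as an added example that is not part of the original article. The field names, the key and the sample events are assumptions, and the checksum is implemented here as an HMAC-SHA256 chained to the previous entry, which is one possible choice rather than something the article specifies.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Assumption: a secret kept off the logged host (constructed value).
CHECKSUM_KEY = b"example-key-not-for-production"

def _checksum(prev_checksum, entry):
    # Canonical JSON so identical fields always produce identical bytes.
    body = {k: v for k, v in entry.items() if k != "checksum"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":"))
    payload = (prev_checksum + data).encode()
    return hmac.new(CHECKSUM_KEY, payload, hashlib.sha256).hexdigest()

def make_entry(prev_checksum, when, user, device, address, protocol, event, location=None):
    """Build one entry with the fields listed above, in UTC, plus a checksum."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware")
    entry = {
        "time": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "user": user, "device": device,
        "address": address, "protocol": protocol,
        "location": location, "event": event,
    }
    entry["checksum"] = _checksum(prev_checksum, entry)
    return entry

def first_bad_entry(entries):
    """Index of the first entry that fails verification, or None if all pass."""
    prev = ""
    for i, entry in enumerate(entries):
        expected = _checksum(prev, entry)
        if not hmac.compare_digest(entry.get("checksum", ""), expected):
            return i
        prev = entry["checksum"]
    return None

def sample_log():
    """Constructed sample: three events from one workstation, local time UTC+1."""
    start = datetime(2024, 1, 15, 10, 30, 0, tzinfo=timezone(timedelta(hours=1)))
    events = ["authentication failure", "authentication success", "privilege change"]
    log, prev = [], ""
    for n, event in enumerate(events):
        when = start + timedelta(seconds=n)
        log.append(make_entry(prev, when, "alice", "ws-042", "192.0.2.10", "ssh", event))
        prev = log[-1]["checksum"]
    return log
```

Because each checksum covers the previous one, editing or removing an entry in the middle breaks verification from that point on; entries removed from the end of the file are not detected by the chain alone.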

Security log rules and log data integrity

Strict rules must govern how and when logs are deleted, with controls designed to ensure the availability of large log storage media. Otherwise, events may not be recorded or past events will be overwritten.

While capturing as much data as possible and storing it for as long as possible seems like a pragmatic approach, in reality it is not feasible. The recording levels should correspond to the risk level. The table below is an example of conservative logging configuration settings, according to the NIST “Computer Security Log Management Guide”. Note that some laws and standards may require different settings than those in this table.

When defining and configuring security log rules, the level of impact of a system should be considered.

The integrity of the log data is paramount. Controls should protect against unauthorized modifications to the log files. The first step for most hackers is to modify the log files to hide their presence and avoid detection. To protect against this, save the logs both locally and on a remote server outside the control of regular system managers. This arrangement provides redundancy and an additional layer of security, because the two sets of logs can be compared with each other, with differences indicating suspicious activity.
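One way to compare the local and remote copies described above, as an added example that is not part of the original article. The line format with a per-host sequence number, the host name and the sample lines are all constructed assumptions; local entries newer than the last forwarded one are reported separately so that normal forwarding lag is not flagged.

```python
import re

# Assumed line format (constructed): UTC time, host, per-host sequence number, message.
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) seq=(?P<seq>\d+) (?P<msg>.*)$")

REMOTE_COPY = [  # constructed sample: what the remote log server received
    "2024-01-15T09:30:00Z host=web01 seq=101 sshd: failed password for root from 198.51.100.7",
    "2024-01-15T09:30:04Z host=web01 seq=102 sshd: accepted password for root from 198.51.100.7",
    "2024-01-15T09:31:10Z host=web01 seq=103 useradd: new user 'svc-backup'",
    "2024-01-15T09:32:00Z host=web01 seq=104 cron: job started",
]
LOCAL_COPY = [  # constructed sample: the on-host file after tampering
    REMOTE_COPY[0],
    "2024-01-15T09:30:04Z host=web01 seq=102 sshd: accepted publickey for deploy from 192.0.2.20",
    REMOTE_COPY[3],
    "2024-01-15T09:33:00Z host=web01 seq=105 cron: job finished",
]

def index_log(lines):
    """Map (host, seq) -> full line; lines that do not parse are returned separately."""
    records, rejects = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            records[(m["host"], int(m["seq"]))] = line.strip()
        else:
            rejects.append(line)
    return records, rejects

def compare_copies(local_lines, remote_lines):
    """Classify differences between the on-host log and the remote copy."""
    local, local_bad = index_log(local_lines)
    remote, _ = index_log(remote_lines)
    last_remote = {}
    for host, seq in remote:
        last_remote[host] = max(seq, last_remote.get(host, -1))
    report = {"deleted_locally": [], "modified": [], "local_only": [],
              "not_yet_forwarded": [], "unparseable_local": local_bad}
    for key in sorted(remote):
        if key not in local:
            report["deleted_locally"].append(key)
        elif local[key] != remote[key]:
            report["modified"].append(key)
    for key in sorted(set(local) - set(remote)):
        lagging = key[1] > last_remote.get(key[0], -1)
        report["not_yet_forwarded" if lagging else "local_only"].append(key)
    return report
```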

A cheaper alternative to a dedicated log server is to write the logs to write-once media to prevent an attacker from overwriting them. Remember that sensitive and personally identifiable information can be captured in event logs. Accordingly, appropriate privacy controls should also be implemented, using tactics such as anonymization or pseudonymization.

Other security logging best practices

Beyond capturing the appropriate events, including necessary information in a log entry, enforcing log rules, and ensuring log integrity, here are three other best practices to follow.

1. Remember that logging is only the first step

Even if appropriate volumes of correct data are collected, the data is of no value unless it is monitored and analyzed and the results are taken into account. Logging and auditing ensure that users only perform activities for which they are authorized. These processes also play a key role in preventing inappropriate activity, as well as ensuring that hostile activity is detected, located and stopped.

2. Apply additional controls to administrators and system operators

One area of log management that requires further consideration is that of administrator and system operator (sysop) activities. These users have powerful privileges and their actions should be carefully recorded and verified. To this end, such users should not be allowed physical or network access to logs of their own activities. In addition, those responsible for reviewing logs should be independent of the people, activities and logs being reviewed.

3. Use logging tools

Due to the volume of inbound data that organizations face every day, most require a dedicated log management system to facilitate event management, correlation, and analysis. A specialized system also improves the quality of the dashboard data and reports.

Security information and event management (SIEM) is a common approach used to aggregate log data from multiple sources. SIEM systems can analyze data in real time to identify deviations from established baselines. If an anomaly is detected, SIEM systems can generate alerts, possibly activating additional security mechanisms. They can be rule-based, often using a statistical correlation engine to establish relationships between event log entries. Advanced systems also rely on analysis of user and entity behavior, as well as security orchestration, automation and response tools.

