A watchtower is pointless if there’s no watchman inside.
This blog was updated on October 3, 2018
We’ve come quite a ways since then.
Businesses have an electronic sentry inside most their systems called log monitoring. Log monitoring systems oversee network activity, inspect system events, and store user actions (e.g., renaming a file, opening an application) that occur inside your operating system. They are your watchtower lookout and have the ability to provide the data that could alert you to a data breach. The raw log files are also known as audit records, audit trails, or event-logs.
Most systems and software generate logs including operating systems, Internet browsers, point of sale systems, workstations, anti-malware, firewalls, and intrusion detection systems (IDS). Some systems with logging capabilities do not automatically enable logging so it’s important to ensure all systems have logs turned on. Some system logging tools generate logs but don’t provide event log management solutions. You need to be aware of your systems capabilities and potentially install third-party log monitoring and management software.
It’s likely every corporation in the U.S. is fielding malicious attacks on a daily basis. Whether in the tens or in the thousands, it’s crucial businesses are acutely aware of what’s happening against their system through active security log review.
Log reviews show you suspicious system activity
Businesses must review their logs daily to search for errors, anomalies, or suspicious activity that deviates from the norm.
The biggest problem with logs is: nobody looks at them.
Not everyone’s network and system designs are exactly the same, and setting up the rules that will filter the usually vast amount of logs generated is very important and often takes some time to get just right. This part of log monitoring is the “art” phase where you modify the settings to get things just right for your environment.
Here are some event types you will want to consider when setting up your log management system:
- Password changes
- Unauthorized logins
- Login failures
- New login events
- Malware detection
- Malware attacks seen by IDS or other evidence
- Scans on your firewalls open and closed ports
- Denial of service attacks
- Errors on network devices
- File name changes
- File integrity changes
- Data exported
- New processes started or running processes stopped
- Shared access events
- Disconnected events
- New service installation
- File auditing
- New user accounts
- Modified registry values
Take advantage of log management in 7 stepsTo take advantage of log management and quickly nip attacks in the bud, take a look at your security strategy and make sure these steps are taken care of.
- Decide how and when to generate logs
- Secure your stored logs to make sure they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees.
- Assign an employee you trust to review logs daily.
- Set up a team of people ready to review suspicious alerts.
- Set up your rules for alert generation (e.g., failed login attempts per minute, additions of new user accounts, modified registry values, etc.). Spend the time to get this right, don’t just rely on a template provided by a vendor.
- Store logs for at least 1 year, with 3 months available (this is a PCI DSS requirement).
- Frequently check log collection to identify adjustments that would make the process run smoother.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is VP of Assessments at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Trek quoting skills. Live long and prosper as you visit his other blog posts.