Question

The devices designed for the purpose of addressing security in the network generate a number of logs during the continuous monitoring of the network. Discuss in detail the different types of logs created and how the security professional can use this information for analysing security in the network.

Answer 1

Discuss in detail the different types of logs created and how the security professional can use this information for analysing security in the network.

These are the four basic logs that IT teams should be monitoring and managing regularly. Jim goes on to say that if you have a system that has given you problems in the past, it will make sense to turn on logging capabilities for that particular system so that you can keep track of errors and learn from them. Edge cases can always pop up out of nowhere, so having the comfort of knowing you’re tracking that log data will go a long way in helping you and your IT team quickly evaluate and assess any given situation.

1. Failed Login Attempts

Jim says you should be watching and storing these logs for compliance reasons if nothing else. For instance, failed login attempts are red flags that something is wrong. Failed login attempts can be benign most of the time. However, if there are many login attempts that have failed in a short amount of time, this could be an indication that an attacker is trying to break into a system.

2. Firewalls and Intrusion Detection Devices

Logs from security tools, such as intrusion detection devices and firewalls can present a plethora of data on the security and the overall health of security systems within a business. You should always consider that your firewall is the first wall of security from outside threats, so logs here are a basic necessity. Of course, these days most advanced persistent threats can circumvent the firewall entirely, and even antivirus can’t pick up on all malicious activity.

3. Switched and Routers

Basic network devices all provide log data. As much as this types of log data may seem inconsequential, you still need to monitor it. “You need to be able to log a whole chain of data through your organization, from servers, through firewalls, through switches and routers.” There is also the importance of monitoring configuration changes on these types of network devices. Changes in configurations can show with certainty that sysadmins are doing their jobs, or if they aren’t.

4. Application Logs

Application logs can have their own robust log capabilities, while some use the application log section of Windows. Microsoft allows many applications to piggyback on the log infrastructure within Windows. A good example is if protected medical data is going through an application. Very often the app logs will show much of the same things that Windows logs would show. “Let’s just say the system has its own user database and that sort of thing. It’s going to show logins, and lof offs. It’s going to show where [the user] traversed, what screens and that sort of thing. What sort of searches they ran. It’s all very application dependent on how much logging is available.”

How does Log Analysis work ?

Logs are usually created by network devices, applications, operating systems, and programmable or smart devices. They comprise of several messages that are chronologically arranged and stored on a disk, in files, or in an application like a log collector. Analysts need to ensure that the logs consist of a complete range of messages and are interpreted according to context. Log elements should be normalized, using the same terms or terminology, to avoid confusion and provide cohesiveness. For example, one system might use “warning” while another uses “critical.” Making sure terms and data formats are in sync will help ease analysis and reduce error. Normalization also ensures that statistics and reports from different sources are meaningful and accurate.