In: Computer Science
The devices designed for the purpose of addressing security in the network generate a number of logs during the continuous monitoring of the network. Discuss in detail the different types of logs created and how the security professional can use this information for analyzing security in the network.
Every event that takes place within a network generates some amount of data, and that information then makes its way into the logs. Logs can be understood as files that hold records of everything that has happened on a network: records produced by operating systems, applications, security devices and so on. Logs are very important to security visibility. If an organisation fails to collect, store, and analyse its log records, it could leave itself open to many cyber attacks, whereas analysing them can significantly reduce the risk of attacks.
There are numerous activities that generate logs in a network. Some of the major kinds of logs are:
1. System logs: These are the logs related to system activity, such as users logging on/off and authentication failures/successes. Everything that happens on the system, whether caused by a user or by an application, is saved in the system logs. They include the following:
a. System activity logs
b. Application logs
c. Endpoint logs
d. Authentication logs
e. Physical security log
2. Networking logs: These store everything related to the network that takes place on a system. They include activities such as logging on/off or changing the password on your email account. Beyond these, almost all network devices write networking logs: routers, switches, unexpected behaviour of packets, etc. all fall under this category. They include the following:
a. Email logs
b. Firewall logs
c. VPN logs
3. Cyber security monitoring logs: These record everything related to threats, attacks, security warnings, vulnerabilities, intrusions, data losses etc. These are probably among the most important logs to analyse carefully in order to know the weaknesses of an organisation's network that could lead to a possible cyber attack. They include the following types:
a. Data loss protection (DLP) logs
b. Malware protection software logs
c. Network intrusion prevention system logs
d. Network intrusion detection system logs
4. Technical logs: These record changes that occurred due to technical settings changed or accessed either by a user or by an application. Things such as changes of IP address, cloning of IP addresses, proxies, database accesses such as SQL Server logs, or network configuration logs such as DNS/DHCP accesses are stored as technical logs. Here are some of the technical logs:
a. HTTP proxy logs
b. DNS, DHCP and FTP logs
c. Web server logs
d. Database such as SQL server logs
All the above kinds of logs can generate a huge amount of data for an organisation every day. Hence, they must be properly analysed and then clustered. Good log analysis ensures safety and helps detect unidentified accesses to any part of the system or the network. Log analysis has the following benefits:
1. It helps comply with internal security policies and with outside regulations and audits.
2. Most importantly, it helps the organisation understand and respond to data breaches and other security breaches, as it keeps a record of the data/information accessed by anyone at any point in time.
3. It also helps in understanding the network better: it helps identify the behaviour of the network and the problems that arise in it, and thus find better troubleshooting solutions for the organisation.
4. Finally, if a data breach or cyber attack has occurred, it helps the investigation by showing which users logged into the system, who changed anything specific on the network, and other details.
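As an added example (not part of the original answer) of how a security professional turns authentication logs into a detection, the script below parses a few constructed syslog-style sshd lines, counts failed logins per source address, and flags any source that crosses a failure threshold and then succeeds, which is the "unidentified access" pattern the answer says log analysis should surface. The log lines, hostnames and addresses are constructed for illustration; the threshold of 3 is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample lines in a syslog-like sshd auth-log format (not real captures).
SAMPLE_AUTH_LOG = """\
Mar 10 09:01:02 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Mar 10 09:01:04 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51023 ssh2
Mar 10 09:01:06 host1 sshd[1205]: Failed password for root from 203.0.113.5 port 51024 ssh2
Mar 10 09:01:09 host1 sshd[1207]: Accepted password for root from 203.0.113.5 port 51025 ssh2
Mar 10 09:05:40 host1 sshd[1300]: Accepted publickey for alice from 198.51.100.7 port 40210 ssh2
Mar 10 09:07:12 host1 sshd[1310]: Failed password for bob from 198.51.100.9 port 40333 ssh2
"""

# Extract result (Accepted/Failed), the user name and the source IP from each sshd line.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_auth_log(text):
    """Return a list of dicts with keys result, user, src for every parsable line."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_sources(events, threshold=3):
    """Flag sources with >= threshold failures; also report which of them later succeeded.

    The log is processed in order, so a success counts only if it follows the failures.
    """
    failures = Counter()
    success_after_failures = set()
    for ev in events:
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            success_after_failures.add(src)
    flagged = {src: n for src, n in failures.items() if n >= threshold}
    return flagged, success_after_failures


if __name__ == "__main__":
    flagged, escalated = find_suspicious_sources(parse_auth_log(SAMPLE_AUTH_LOG))
    print("sources over failure threshold:", flagged)
    print("sources that then logged in successfully:", escalated)
```

The same approach generalises to firewall or VPN logs by swapping the regular expression and the "failure" condition; the ordering check is what distinguishes a noisy scanner from a source that actually got in.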