The challenge for any security practitioner is the same: how to get adequate security visibility for your organization. Securing your environment requires an understanding of the current and evolving threat landscape as well as knowledge of network technology and system design.
The traditional approach to event log analysis says “collect logs from everything connected to the network and let some back end analysis process figure out what’s important.” So how far do we take this? Should we audit and correlate print jobs? I mean, I guess there could be a use case for identifying gross misuse of printing resources… But is that really a priority? Before you go get fancy on print jobs, let's focus on the essentials - who's gaining access to my network and what are they doing on my critical server and network infrastructure devices?
Use the questions below to keep you focused as you begin your next event log analysis project…
Firewall Logs
We’ll start with the most commonly collected logs: firewall logs. With the amount of logs a correctly configured firewall will generate, keeping a close eye on intrusion attempts and malicious activity can be a daunting task. Remember that firewall deny logs represent an action that has already been taken. To get visibility around what is coming in to the network, we recommend collecting firewall permit logs as well.
If your use case were “I need to know who is attempting (and failing) to gain access to my network”, collecting firewall deny events would help you get there. Start by asking yourself these questions:
- Why do you need Firewall logs?
- I need to see what is getting in to my network
- What logs will you need to get that result?
- Firewall permit logs
- What's your primary focus?
- Anyone who's connecting to my network, especially blacklisted IPs/domains
Operating System Logs
Another type of logs we can talk about is Operating System (OS) Logs. These events are often predetermined by the operating system itself. System log files may contain information about device changes, device drivers, system changes, event, operations and more.
We recommend collecting OS audit logs to get visibility around who is accessing your assets – paying special attention to privileged accounts is critical. Some questions to ask yourself:
- Why do you need OS logs?
- I need to detect unauthorized access attempts and account lockouts
- What logs will you need to get that result?
- OS authentication failure and account lockout logs
- What's your primary focus?
- I’m most significantly concerned with admin level accounts
Switch / Router Logs
Switches and routers generate lots of information. However, only a small percentage is actually security relevant. It’s important to make a conscious effort to identify the relevant information. Use these questions to guide you:
- Why do you need Switch/Router logs?
- I need to see when someone logs in to my network gear and makes config changes
- What logs will you need to get that result?
- Authentication and authorization logs from my TACACS server would do the job
- What's your primary focus?
- Anyone connecting to my network gear
AlienVault Unified Security Management (USM) combines event log analysis and monitoring with all the essential capabilities you need – into a single, easy-to-use solution. In addition to providing the essential security functions like IDS, netflow analysis, and vulnerability assessment, AlienVault USM delivers more than 1500 event correlation rules so that you know which raw events matter - on their own, and within a global context. What's more, AlienVault Labs is tracking millions of malicious URLs, attacker techniques, tools, and profiles and delivering that intelligence directly into your USM platform. Essentially, we're transforming a tedious task of log review into an automated process of actionable intelligence.
To learn more, check out our webcast: Whose Logs, What Logs, Why Logs - Your Quickest Path to Security Visibility. And in the meantime, stay focused on the essentials...
