A watchtower is pointless if there’s no watchman inside.

Gary Glover, CISSP, QSA
In the 18th and 19th centuries, military forts posted sentries on the walls to keep an eye on the surrounding area. If strange activity occurred, they would ring bells, bang gongs, or shout to the fort residents to alert them of impending danger.

We’ve come quite a way since then.

Businesses have an electronic sentry inside most of their systems called log monitoring. Log monitoring systems oversee network activity, inspect system events, and store user actions (e.g., renaming a file, opening an application) that occur inside your operating system. They are your watchtower lookout and can provide the data that alerts you to a data breach. The raw log files are also known as audit records, audit trails, or event logs.

Most systems and software generate logs, including operating systems, Internet browsers, point of sale systems, workstations, anti-malware, firewalls, and intrusion detection systems (IDS). Some systems with logging capabilities do not enable logging by default, so it’s important to ensure all systems have logging turned on. Some systems generate logs but don’t provide any event log management. You need to be aware of your systems’ capabilities and potentially install third-party log monitoring and management software.

It’s likely every corporation in the U.S. is fielding malicious attacks on a daily basis. Whether in the tens or in the thousands, it’s crucial that businesses are acutely aware of what’s happening against their systems through active security log review.

Log reviews can show you suspicious system activity

The biggest problem with logs is – nobody looks at them!
Businesses must review their logs daily to search for errors, anomalies, or suspicious activity that deviates from the norm.

From a security point of view, the purpose of a log is to act as a red flag when something bad is happening. Reviewing logs regularly could help identify malicious attacks on your system. Given the large amount of log data generated by systems, it is impractical to review all of these logs manually each day. Log monitoring software takes care of that task by using rules to automate the review of these logs and point out only the events that might represent problems or threats. Often this is done using real-time reporting systems that alert you via email or text when something suspicious is detected.


Not everyone’s network and system designs are exactly the same, and setting up the rules that will filter the usually vast amount of logs generated is very important and often takes some time to get just right. This part of log monitoring is the “art” phase where you modify the settings to get things just right for your environment.

Often, log monitoring software will come with some alerting templates to get you started, based on experience with PCI or HIPAA security requirements. This is just a good starting point for you to begin optimizing the monitoring and alerting functions. It is critical to take the time necessary to get this part right at the beginning in order to save you many headaches later on.

Here are some event types you will want to consider when setting up your log management system:
  • Password changes
  • Unauthorized logins
  • Login failures
  • New login events
  • Malware detection
  • Malware attacks seen by IDS or other evidence
  • Scans of your firewall’s open and closed ports
  • Denial of service attacks
  • Errors on network devices
  • File name changes
  • File integrity changes
  • Data exported
  • New processes started or running processes stopped
  • Shared access events
  • Disconnected events
  • New service installation
  • File auditing
  • New user accounts
  • Modified registry values
  • Etc.

Take advantage of log management in 7 steps

To take advantage of log management and quickly nip attacks in the bud, take a look at your security strategy and make sure these steps are taken care of.

  1. Decide how and when to generate logs.
  2. Secure your stored logs to make sure they aren’t maliciously altered by cybercriminals or accidentally altered by well-intentioned employees.
  3. Assign an employee you trust to review logs daily.
  4. Set up a team of people ready to review suspicious alerts.
  5. Set up your rules for alert generation (e.g., failed login attempts per minute, additions of new user accounts, modified registry values, etc.). Spend the time to get this right; don’t just rely on a template provided by a vendor.
  6. Store logs for at least 1 year, with 3 months available (this is a PCI DSS requirement).
  7. Frequently check log collection to identify adjustments that would make the process run smoother.
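As an added illustration of the rule-based review described above and of the alert rules suggested in step 5 (this is example code written for this page, not a SecurityMetrics tool), the following Python applies two rules to constructed log lines in an assumed, simplified "timestamp host program: message" format: a burst of failed logins from one source address within a sliding window, and the creation of a new user account.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not real logs) in a simplified "timestamp host program: message" format.
SAMPLE_LOGS = """\
2024-03-01T09:00:01 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:05 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:09 web01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:12 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:20 web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:03:40 web01 sshd: Failed password for bob from 198.51.100.9
2024-03-01T09:04:02 web01 sshd: Accepted password for bob from 198.51.100.9
2024-03-01T09:10:15 web01 useradd: new user: name=svc_backup, UID=1007
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")
FAILED_RE = re.compile(r"Failed password for \S+ from (\S+)")
NEWUSER_RE = re.compile(r"new user: name=([^,\s]+)")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # lines that don't fit the assumed format are skipped
    ts, host, prog, msg = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog, "msg": msg}

def review_logs(text, fail_threshold=5, window_seconds=60):
    """Apply two alert rules to log text; returns a list of (rule, detail) alerts."""
    alerts = []
    recent = defaultdict(deque)  # source address -> timestamps of recent failed logins
    for raw in text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        fm = FAILED_RE.search(ev["msg"])
        if fm:
            src = fm.group(1)
            q = recent[src]
            q.append(ev["ts"])
            # Discard failures that fell outside the sliding window
            while (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= fail_threshold:
                alerts.append(("failed_login_burst", f"{len(q)} failures from {src} within {window_seconds}s"))
                q.clear()  # reset so the same burst is not reported again
        nm = NEWUSER_RE.search(ev["msg"])
        if nm:
            alerts.append(("new_user_account", f"{nm.group(1)} created on {ev['host']}"))
    return alerts
```

The threshold and window are the knobs the post calls the "art" phase: the single failure from 198.51.100.9 followed by a successful login is left alone, while five failures in 19 seconds from 203.0.113.7 and the new account both raise alerts.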

Being on top of logs means a quicker response time to security events and better security program effectiveness. Not only will log analysis and daily monitoring demonstrate your willingness to comply with PCI DSS and HIPAA requirements, it will also help you defend against insider and outsider threats.

Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.
