A red plaid flannel shirt or an axe are not required to be a lumberjack in our digital age. However, a passion for logs is essential. These are not logs from Larch, Pine, Giant Redwood, or Sequoia trees. Instead they are event logs from switches, routers, firewalls, servers, intrusion detection devices, etc. Logs data contains the "who, what, when, where, why and how" about information technology infrastructure and business applications. The ability to gather, process, report on, alert on and retain these logs is a foundational piece of information technology.
Why be a logger
Logs serve the same purpose as security cameras. Cameras record everything to use as proof that something happened or didn't happen. Logs provide key evidence, whether in cases of internal fraud or external breaches. Additionally, logs provide useful data for troubleshooting technical issues. Finally, further business benefit may be gained when logs are used for insight into business and staffing trends.
What to log
Don't be limited to one "species" of logs. Start with network routers, switches and firewalls. Next, add intrusion detection and prevention systems. Then, gather logs from web filtering devices or web proxies. The next items to log are workstation and server operating systems, file transfer servers and webservers. And finally be sure to gather logs from applications. Applications such as the bank "core", document imaging, teller software, ATM machines and item capture systems. Keep in mind that log data containing private information or commercially sensitive information should be masked, sanitized, or encrypted.
Storing logs
Now that these logs have been collected, it is time to decide where and how to keep all this data. The goal is to aggregate all logs into one system in order to correlate the data. This correlation of data enables one to step back and see the whole forest rather than focusing on one tree. Looking at the whole forest, activity patterns take shape and norms are established making it possible to quickly identify abnormalities in the log data.
Systems collecting log data are called by many names and buzzwords. Some of them are: syslog server, log server, centralized log management, security information and event management (SIEM), operational intelligence, business intelligence and "big data". Basics of a log management system consists of receiving log data forwarded from other systems, storing the data and analyzing the data. Reports can be generated manually or automatically and alerts are triggered based on events detected in log contents. Archiving data is an important piece of a log management system. It is good to retain log data for at least twelve months or longer if possible. Fortunately, storage is inexpensive and additional storage can be added.
Getting Down to the Nitty-Gritty
Here are some specific log events to include in an effective log management system. (A more inclusive list is available at: https://conetrix.com/logging.) Be sure to record Account Management and Logon events from all devices. This includes account logon success and failure, and activity such as account creation, deletion and password changes. This applies to local system and domain level accounts.
In addition to account management, also consider logging the following events:
- Switches and Routers
- Configuration changes
- Environmental and hardware data (temperature, fan failure, etc.)
- Interface utilization and NetFlow data
- Firewalls
- All traffic allowed and denied
- Configuration changes
- Intrusion Detection and Prevention devices
- Configuration changes
- Events detected and/or blocked
- Web Traffic Filters or Web Proxies
- All traffic allowed including source IP address and destination URL.
- All traffic denied including source IP address and destination URL.
- Configuration changes
- Workstations
- Creation of a service
- Installation of software
- Domain Member Servers
- Service management (creation, starting, stopping, restarting)
- Installation of software
- Active Directory Domain Controllers
- Directory Service Access and Changes (success and failure)
- Group, Audit and Authentication Policy Changes (success and failure)
- Security Group creation, deletion and modification
Preventing a Log Jam
Comprehensive event logging will constantly generate significant volumes of log data. It may seem overwhelming and will require hands-on management. Regular data review and fine-tuning reports and alerts is essential. Log management systems are critical in today's business whether that business is large or small. Be a lumberjack. It's okay.
Ty Purcell is a Security and Compliance Consultant for CoNetrix. CoNetrix is a provider of information security consulting, IT/GLBA audits and security testing, and Tandem – a security and compliance software suite designed to help financial institutions create and maintain their Information Security Program. Visit our website at www.conetrix.com to learn how CoNetrix can improve your Cybersecurity maturity.