CybersecFill
Managing Logs in your Organization

by Simbiat Sadiq
January 8, 2020
in Blog

What is Log Management?

Log management is the collective processes and policies used to administer and facilitate the generation, transmission, analysis, storage, archiving and ultimate disposal of the large volumes of log data created within an information system.

Why Log Management?

It is critical for every organization to define how and what will be logged and how these logs are maintained. Effective log management is essential for both monitoring and compliance.

Organizations primarily store logs for security purposes. Reviewing these logs, whether before or after a security breach, is important in showing whether an actor is an internal employee or an outside threat. After all, network and system administrators can look like hackers if you look solely at the actions they regularly perform.

Sources of Logs

Switches

Switches provide valuable information about network traffic, both accepted and denied connections. You can also monitor switch traffic by protocol, which gives details about TCP, UDP and ICMP traffic. A switch can aid an incident investigation by facilitating network traffic capture.

Application Servers

Organizations use a wide range of applications, from email to web applications. Your application logs should include:

  • Requests: Each request to any service within the application. These logs consist of information such as date and time, IP address, requester identity (user ID), endpoint URL and context headers, among others.
  • Events: These are activities that take place in your application. There is no fixed definition of what exactly to record; which events to log is limited only by the imagination and requirements of the business.
  • Audit Trail: These are records of the changes made to your data. Any change to data, including creating new data, updating or deleting data, and in some cases exporting data, must be recorded.
  • Threats: Threat logs track suspicious activities or attempts to undermine the security of an application. Some common threat logs include unauthorized access to restricted processes or data, invalid parameters or input, failed authentication, failed security verification such as an invalid API key, and other warnings triggered by the application’s security mechanisms.
  • Availability: Availability logs consist of faults and exceptions that can impact the availability and stability of the system. These include exceeded capacity limits or resource usage, system errors or bugs, connectivity issues, and slow response times.

Routers

Router logs contain information on the traffic that has passed through your network. So, when something goes wrong, they and other network device logs play a crucial role in conducting a forensic investigation. Event Log Analyzer lets you backtrack security incidents with its powerful log search engine to find out exactly what happened.

Firewalls

A firewall monitors traffic into and out of the organization where it is deployed. Some firewalls also offer visibility into the source and type of traffic coming into an organization. A firewall is configured using rules, and its rule set must be paired with a working logging feature. The success of any firewall therefore typically relies on the rules used to configure it. Firewall logs help you see whether new firewall rules work as intended, debug them if they do not, and discover whether any malicious activity is occurring within your network, among other uses.

Domain Controllers/ Authentication Servers

Serving the entire network domain, authentication servers are the primary location that incident responders can leverage for details on successful or unsuccessful logins, credential manipulation, or other credential use.

Network Intrusion Detection/Prevention Systems (NIDS/NIPS)

These systems were purposefully designed to provide security personnel and incident responders with information concerning potential malicious activity on the network infrastructure. They use a combination of network monitoring and rulesets to determine whether malicious activity is present. Intrusion Detection Systems (IDSes) are often configured to alert on specific malicious activity, while Intrusion Prevention Systems (IPSes) can both detect and block potentially malicious activity. In either case, the logs of both types of platform are an excellent place for incident responders to locate specific evidence of malicious activity.

DHCP Servers

DHCP servers often contain logs of the assignment of IP addresses mapped to the MAC address of the host’s NIC. This becomes important when an incident responder has to track down the specific workstation or laptop that was connected to the network at a specific date and time.
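As an added example (not code from the original post), this reconstructs lease intervals from DHCP ACK/RELEASE lines so a responder can answer "which host held this IP at this time?". The log lines are constructed in an ISC dhcpd syslog style; the year and default lease length are assumed, since syslog timestamps carry no year.

```python
from datetime import datetime, timedelta
import re

# Constructed sample lines in ISC dhcpd syslog style (illustrative; not from a real server).
DHCP_LOG = """\
Jan 08 09:00:01 dhcp1 dhcpd: DHCPACK on 10.0.5.20 to aa:bb:cc:00:00:01 (alice-laptop) via eth0
Jan 08 09:30:12 dhcp1 dhcpd: DHCPRELEASE of 10.0.5.20 from aa:bb:cc:00:00:01 (alice-laptop) via eth0
Jan 08 09:31:40 dhcp1 dhcpd: DHCPACK on 10.0.5.20 to aa:bb:cc:00:00:02 (bob-desktop) via eth0
Jan 08 10:15:00 dhcp1 dhcpd: DHCPACK on 10.0.5.21 to aa:bb:cc:00:00:03 via eth0
"""

YEAR = 2020                        # assumed: syslog timestamps have no year field
LEASE_TIME = timedelta(hours=8)    # assumed default lease length if no release/renewal is seen

ACK = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on (\S+) to (\S+)(?: \((\S+)\))?")
REL = re.compile(r"^(\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPRELEASE of (\S+) from (\S+)")

def _ts(s):
    return datetime.strptime(f"{YEAR} {s}", "%Y %b %d %H:%M:%S")

def build_leases(log):
    """Turn ACK/RELEASE lines into lease intervals: ip, mac, host, start, end."""
    leases = []
    active = {}   # ip -> index of the lease currently holding that ip
    for line in log.splitlines():
        m = ACK.match(line)
        if m:
            t, ip, mac, host = m.groups()
            start = _ts(t)
            if ip in active:   # a new ACK for the same ip ends the previous holder's lease
                prev = leases[active[ip]]
                prev["end"] = min(prev["end"], start)
            leases.append({"ip": ip, "mac": mac, "host": host,
                           "start": start, "end": start + LEASE_TIME})
            active[ip] = len(leases) - 1
            continue
        m = REL.match(line)
        if m:
            t, ip, mac = m.groups()
            idx = active.get(ip)
            if idx is not None and leases[idx]["mac"] == mac:
                leases[idx]["end"] = _ts(t)   # explicit release closes the interval early
    return leases

def who_had_ip(log, ip, at):
    """Return (mac, hostname) of the host holding `ip` at datetime `at`, or None."""
    for lease in build_leases(log):
        if lease["ip"] == ip and lease["start"] <= at < lease["end"]:
            return lease["mac"], lease["host"]
    return None
```

Note that the gap between a release and the next ACK correctly attributes to nobody, which is exactly the kind of detail a timeline must get right.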

Web Proxy Servers

Proxy server logs contain the requests made by users and applications on your network. This includes not only the most obvious part, web site requests by users, but also application or service requests made to the internet.

A review of web proxy logs in conjunction with a possible compromised host may identify a source of malicious traffic or a C2 server exerting control over the host.

Event Types to Consider when Setting Up a Log Management System

Here are some event types you will want to consider when setting up your log management system:

  • Password changes
  • Unauthorized logins
  • Login failures
  • New login events
  • Malware detection
  • Malware attacks seen by IDS or other evidence
  • Scans on your firewalls open and closed ports

Security Information and Event Management (SIEM)

A SIEM is a software solution that collects data (logs) from every source you can plug into it (security devices, network devices, and endpoints such as workstations and servers), correlates that data, and surfaces the results on a dashboard for analysts to attend to.

The number of alerts on the SIEM depends on how fast the logs arrive at the SIEM and how fast the SIEM is able to correlate them into events or incidents.

Without the right set of analysts, a good SIEM product with built-in threat intelligence capability, and a proper definition of use cases, it becomes very difficult to get value out of your SIEM.

At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEMs have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR).
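As an added example (not from the original post or any SIEM vendor), this is a minimal rules-based correlation engine of the kind described above, run over the event types listed earlier: login failures, new login events and password changes. The events, field names and thresholds are all constructed/assumed; the second rule chains on the first, which is what turns isolated log entries into an incident.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in a simplified key=value form (illustrative, not real logs).
EVENTS = """\
2020-01-08T09:00:00 src=203.0.113.9 user=alice action=login_failure
2020-01-08T09:00:05 src=203.0.113.9 user=alice action=login_failure
2020-01-08T09:00:09 src=203.0.113.9 user=alice action=login_failure
2020-01-08T09:00:14 src=203.0.113.9 user=alice action=login_success
2020-01-08T09:03:00 src=203.0.113.9 user=alice action=password_change
2020-01-08T09:10:00 src=10.0.5.20 user=bob action=login_success
"""

FAIL_THRESHOLD = 3                   # assumed tuning values; adjust per environment
FAIL_WINDOW = timedelta(minutes=5)   # failures must fall inside this window before the success
CHANGE_WINDOW = timedelta(minutes=10)  # password change this soon after a flagged login is suspicious

def parse(line):
    ts, *kv = line.split()
    ev = dict(p.split("=", 1) for p in kv)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def correlate(text):
    """Run two chained rules in one time-ordered pass; return a list of alert tuples."""
    alerts = []
    failures = defaultdict(deque)   # (src, user) -> timestamps of recent login failures
    flagged = {}                    # user -> time of a login that followed a burst of failures
    for ev in map(parse, text.splitlines()):
        key, ts = (ev["src"], ev["user"]), ev["ts"]
        q = failures[key]
        while q and ts - q[0] > FAIL_WINDOW:   # drop failures that aged out of the window
            q.popleft()
        if ev["action"] == "login_failure":
            q.append(ts)
        elif ev["action"] == "login_success":
            # Rule 1: success preceded by >= FAIL_THRESHOLD failures from the same source
            if len(q) >= FAIL_THRESHOLD:
                alerts.append(("brute_force_success", ev["user"], ev["src"], ts))
                flagged[ev["user"]] = ts
            q.clear()
        elif ev["action"] == "password_change":
            # Rule 2: password change soon after a rule-1 hit for the same user
            hit = flagged.get(ev["user"])
            if hit is not None and ts - hit <= CHANGE_WINDOW:
                alerts.append(("account_takeover_suspected", ev["user"], ev["src"], ts))
    return alerts
```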

Tags: cybersecurity, Log management, Log monitoring

Simbiat Sadiq

A cybersecurity professional with a passion for social impact. You can find me at the intersection between community and the corporate world.

© 2020 CybersecFill. All Rights Reserved.