Top 6 Log Reports v3 Final Draft

DRAFT of a SANS Top Log Reports Candidate
Published by: Anton Chuvakin on Apr 10, 2013
Copyright: Attribution Non-commercial

Top 6 SANS Essential Log Reports 2013
 Version 3.0
Contents

- Introduction
- Authentication and Authorization Reports
  - Why They Are Important
  - Specific Reports
  - Who Can Use These Reports
  - Example
- Change Reports
  - Why They Are Important
  - Specific Reports
  - Who Can Use These Reports
  - Example
- Network Activity Reports
  - Why They Are Important
  - Specific Reports
  - Who Can Use These Reports
  - Example
- Resource Access Reports
  - Why They Are Important
  - Specific Reports
  - Who Can Use These Reports
  - Example
- Malware Activity Reports
  - Why They Are Important
  - Specific Reports
  - Who Can Use These Reports
  - Example
- Critical Errors and Failures Reports
  - Why They Are Important
  - Specific Reports
 
Introduction

SANS Institute published the original “Top 5 Essential Log Reports” at the SANS Log Management Summit in 2006. Even now, after more than 7 years, they deliver valuable insight for organizations dealing with logs – which today, in the age of compliance, really means everybody. However, the times are changing and new requirements for log data are emerging for security, compliance and operational reasons. Thus, an update is needed.

In the introduction to version 1.0, the authors stated: “In the spirit of this original consensus, the SANS community has again banded together in order to create the "Top 5 Essential Log Reports" consensus. This list is not intended to be a complete review of all the potentially useful log reports. Rather, the focus is on identifying the five most critical log reports for a wide cross-section of the security community. These are the top reports that should be reviewed on a regular basis. The goal is to include reports that have the highest likelihood of identifying suspect activity, while generating the lowest number of false positive report entries. The log reports may not always clearly indicate the extent of an intrusion, but will at least give sufficient information to the appropriate administrator that suspect activity has been detected and requires further investigation.”
The original Essential Log Reports included:

- Attempts to Gain Access through Existing Accounts
- Failed File or Resource Access Attempts
- Unauthorized Changes to Users, Groups and Services
- Suspicious or Unauthorized Network Traffic Patterns
This spirit and these goals are even more alive today. Many organizations struggle with multiple regulatory compliance frameworks (PCI DSS, HIPAA/HITECH, FISMA, and many others) as well as with advanced threats (malware, criminal hackers, mobile threats, cloud security challenges, etc.). Also, malicious insiders now get additional opportunities to harm or defraud a business. At the same time, the importance of information technology for businesses and government organizations has grown tremendously and will grow even more.

This document presents an updated 2013 version of the Top 5 Reports, expanded to “Top 6 Essential Log Reports.”

The new reports are organized into six broad categories or report types with specific examples applicable to most organizations. They are designed to be technology agnostic and can be produced with commercial, open source or homegrown log management and analysis tools. More advanced Security Information and Event Management (SIEM) tools can be used as well.

While the focus of this document is log reports, the importance of log management also needs to be mentioned, as these reports are only as good as the data collected from network devices and applications. To ensure the integrity of log messages, logs should be transferred via an encrypted channel and stored in an encrypted format.

The new top report categories are:

1. Authentication and Authorization Reports
2. Systems and Data Change Reports
3. Network Activity Reports
4. Resource Access Reports
5. Malware Activity Reports
6. Failure and Critical Error Reports

In the rest of the document, we will cover each category with specific examples.
Authentication and Authorization Reports
These reports identify successful and failed attempts to access various systems at various user privilege levels (authentication) as well as specific privileged user activities and attempts to use privileged capabilities (authorization).

Why They Are Important

Authentication is the main barrier and means of controlling access to today’s systems. From simple passwords to tokens and cryptographic mechanisms, reviewing authentication activity across the organization is one of the key security activities.

Specific Reports

Key reports in this category are:

- All login failures and successes by user, system, business unit: this may be one report or multiple reports showing login successes and login failures across various systems, access methods (local, remote) and users. Note that, to be valuable, this report requires that you also log login successes and not just failures.
- Login attempts (successes, failures) to disabled/service/non-existing/default/suspended accounts: this report group covers attempted access to accounts and services that should not be accessed, ever. Both failures and successes are of interest to security professionals.
- All logins after office hours / “off” hours: similar to the above report, such activity is commonly of interest, especially if the access attempt is successful. However, such events have to be investigated especially in environments where system administrators work 24/7.
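The three reports above, worked over a constructed Linux sshd auth.log sample as an added example (not code from the SANS document): report 1 counts successes and failures by user and system, report 2 flags every attempt against non-existent, disabled, service and default accounts (the account lists are hypothetical), and report 3 lists off-hours logins with successes first so they are reviewed first.

```python
import re
from collections import Counter

# Constructed sample lines in Linux sshd/auth.log format; not taken from the paper.
SAMPLE_AUTH_LOG = """\
Mar 12 08:15:01 web01 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar 12 08:17:44 web01 sshd[2107]: Failed password for bob from 10.0.0.9 port 50130 ssh2
Mar 12 02:03:11 db01 sshd[990]: Accepted password for root from 10.0.0.23 port 40011 ssh2
Mar 12 23:40:02 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 61002 ssh2
Mar 12 09:05:19 db01 sshd[1003]: Failed password for svc_backup from 10.0.0.12 port 40020 ssh2
Mar 12 14:10:00 web01 sshd[2300]: Accepted password for carol from 10.0.0.12 port 40033 ssh2
"""

# Hypothetical account classes an organization would maintain for report 2.
ACCOUNT_CLASSES = {
    "disabled": {"carol"},
    "service": {"svc_backup"},
    "default": {"root", "admin", "administrator", "guest"},
}
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_auth_log(text):
    """Turn sshd login lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"hour": int(m["hour"]), "host": m["host"], "user": m["user"],
                           "src": m["src"], "success": m["outcome"] == "Accepted",
                           "nonexistent": m["invalid"] is not None})
    return events
def report_logins_by_user_system(events):
    """Report 1: success and failure counts keyed by (user, host)."""
    return Counter((e["user"], e["host"], "success" if e["success"] else "failure") for e in events)
def report_sensitive_accounts(events):
    """Report 2: every attempt, successful or not, against accounts that should never be used."""
    flagged = []
    for e in events:
        reasons = ["non-existent"] if e["nonexistent"] else []
        reasons += [name for name, users in ACCOUNT_CLASSES.items() if e["user"] in users]
        if reasons:
            flagged.append((e["user"], e["host"], e["success"], reasons))
    return flagged
def report_off_hours(events, start_hour=8, end_hour=18):
    """Report 3: logins outside business hours, successful ones first for review priority."""
    off_hours = [e for e in events if not start_hour <= e["hour"] < end_hour]
    return sorted(off_hours, key=lambda e: not e["success"])
```

The business-hours window and account classes are the parameters a site would tune; the parser only understands the sshd "Accepted"/"Failed" line shape, so other authentication sources need their own pattern.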
