Logging: WTH?

Dr. Anton Chuvakin

WRITTEN: 2008

DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such an ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.
The what?
System logs, audit trails, network logs, IDS and IPS alerts – and all other data that information systems are spewing at us at an ever-increasing rate. Soon more log sources will be added to today's mix of servers, applications, firewalls and security appliances – all the way to mobile devices that log, and then possibly internet-connected appliances. A typical large company already has gigabytes of logs produced each week.
Why is it important?
System logs are the source of three types of insight:
1. Security – logs are used to detect attacks; they are also indispensable for incident investigations and forensics
2. Regulatory compliance – many regulations in the USA, UK and other countries mandate the collection and review of logs; auditors may ask organizations for proof of log collection and review
3. IT operational efficiency – sysadmins reach for logs when troubleshooting system problems; logs are also used to measure network and application performance.
How does it work?
Many pieces of IT infrastructure produce heaps of logs by default (e.g. Unix servers create syslog records and Windows systems log to the Event Log); others need to be configured to produce larger volumes of logs to make them useful for security, compliance and operations. However, some technologies, such as databases, come with almost no logging configured by default, and those who deploy them need to change configurations and enable logging settings so that logs are created and can be used for the above purposes.
Who needs it?
IT administrators, IT managers, security analysts, incident responders, IT directors and even CIOs and compliance officers will either look at logs or at reports based on them. Given the diverse range of uses, it is not surprising that both system admins and CIOs will use logs to accomplish their goals. Here are recent poll results on log use that show it:
How do they get it?
The best way to take control of the logs is to deploy a log management system. More advanced organizations use a log data warehouse approach. Such a system centralizes the collection, storage and access of log data across the enterprise, freeing organizations from a device-by-device approach to log management, which is inefficient and relies heavily on manual tasks. By providing a central repository for all log data, a log data warehouse enables you to easily query and report on this data with unparalleled speed and to efficiently manage the massive amounts of log data generated by network devices, security gear, operating systems, network servers, databases, and more. It also goes beyond simple storage, allowing users to discover and act on relationships between data from these heterogeneous data sources.
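To make the "central repository of heterogeneous sources" idea concrete, here is an added example (not part of Chuvakin's document and not any vendor's product) of the core of a log warehouse in miniature: records from three different source types are parsed into one common schema, stored together, and then queried across sources. The syslog lines, firewall lines and IDS alert are constructed sample data; the firewall key=value format, the IDS record shape and the year used for the year-less syslog timestamps are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog lines carry no year; the sample is assumed to be from 2008.
ASSUMED_YEAR = 2008

# Constructed sample records from three heterogeneous sources (not real data).
SYSLOG_LINES = [
    "Mar 12 10:01:07 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51422 ssh2",
    "Mar 12 10:01:09 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51423 ssh2",
    "Mar 12 10:03:44 web01 sshd[2240]: Accepted password for alice from 198.51.100.4 port 40010 ssh2",
    "this line is deliberately malformed and must be skipped, not crash the loader",
]
# Assumed key=value firewall format (constructed).
FIREWALL_LINES = [
    "2008-03-12T10:00:58Z fw1 action=deny src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2008-03-12T10:00:59Z fw1 action=allow src=203.0.113.7 dst=10.0.0.5 dport=22",
    "2008-03-12T10:03:40Z fw1 action=allow src=198.51.100.4 dst=10.0.0.5 dport=22",
]
# Assumed structured IDS alert shape (constructed).
IDS_ALERTS = [
    {"ts": "2008-03-12 10:01:10", "sensor": "ids1",
     "sig": "SSH brute force attempt", "src": "203.0.113.7", "dst": "10.0.0.5"},
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_syslog(line):
    """Normalize a BSD-style syslog line; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    ip = IPV4_RE.search(m["msg"])
    return {"ts": ts, "source": "syslog:" + m["host"],
            "src_ip": ip.group(0) if ip else None,
            "msg": m["prog"] + ": " + m["msg"]}


def parse_firewall(line):
    """Normalize an (assumed) 'ts device key=value ...' firewall line."""
    parts = line.split()
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    f = dict(p.split("=", 1) for p in parts[2:])
    return {"ts": ts, "source": "firewall:" + parts[1], "src_ip": f.get("src"),
            "msg": f"{f.get('action')} {f.get('src')}->{f.get('dst')}:{f.get('dport')}"}


def parse_ids(alert):
    """Normalize an (assumed) structured IDS alert record."""
    return {"ts": datetime.strptime(alert["ts"], "%Y-%m-%d %H:%M:%S"),
            "source": "ids:" + alert["sensor"], "src_ip": alert["src"],
            "msg": alert["sig"]}


def build_store():
    """The 'warehouse': one time-ordered list of events in the common schema."""
    store = [ev for ev in map(parse_syslog, SYSLOG_LINES) if ev]  # drops malformed lines
    store += [parse_firewall(l) for l in FIREWALL_LINES]
    store += [parse_ids(a) for a in IDS_ALERTS]
    store.sort(key=lambda e: e["ts"])
    return store


def events_for_ip(store, ip):
    """Cross-source query: every event, from any device type, with this source IP."""
    return [e for e in store if e["src_ip"] == ip]


def cross_source_ips(store, min_sources=2):
    """IPs seen by at least min_sources distinct source types (syslog/firewall/ids).
    This is the kind of relationship a device-by-device view cannot reveal."""
    seen = defaultdict(set)
    for e in store:
        if e["src_ip"]:
            seen[e["src_ip"]].add(e["source"].split(":")[0])
    return {ip: sorted(kinds) for ip, kinds in seen.items() if len(kinds) >= min_sources}


def timeline(store, ip):
    """Human-readable, time-ordered view of one IP across all sources."""
    return [f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['source']:<14} {e['msg']}"
            for e in events_for_ip(store, ip)]


if __name__ == "__main__":
    s = build_store()
    for ip, kinds in cross_source_ips(s, min_sources=3).items():
        print(f"{ip} seen by {', '.join(kinds)}:")
        print("\n".join(timeline(s, ip)))
```

Run as a script, it prints the one address that the firewall, the server's syslog and the IDS all saw, with the events interleaved in time order regardless of which team "owns" each device. A real deployment would replace the in-memory list with a database and the three hand-written parsers with per-source normalizers, but the shape is the same: parse into one schema, store centrally, query across sources.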
Additional: What’s wrong with what they have now?
Today many organizations employ an ad hoc approach to logs: a situation where you have a security team "owning" network IDS logs, the network team having firewall and router logs (as well as all SNMP traps) and the system admins possessing the logs from servers and desktops is not only sad, counterproductive, inefficient and wasteful, but also dangerous. Where does such an approach to logs (when they are divided by both technical and political chasms!) break down most painfully? In case of an incident response,