Transcript Document

Security Guidelines and Management
Security Management

- Log Management
- Malware incident handling
- Forensic Techniques
- Vulnerability Management Program

Log Management


A log is a record of events that occur in an organization's computer systems and networks. Three types of logs are of interest in security:
- Security software logs
- Operating system logs
- Application logs

Log Management

Operational processes in log management:
- Configuring log sources
- Log analysis
- Initiating responses
- Long-term storage
- Monitoring logging status
- Monitoring log archival
- Upgrades of logging software
- Clock synchronization
- Reconfiguration
- Documenting log process anomalies

Security Software Logs

Anti-malware software logs
- detected malware
- file and system disinfection attempts
- quarantines
- previous scans
- updates of virus databases

IDS/IPS logs
- suspicious behavior and detected attacks
- IPS actions taken to prevent ongoing malicious activity

Remote access software logs
- successful and failed login attempts
- dates and times the user connected and disconnected
- amount of data the user sent and received per session
- use of resources may be logged by more refined software

Security Software Logs

Web proxies
- log all URLs requested

Vulnerability management software
- log patch installation history
- vulnerability status of each host

Firewalls and routers
- log most recently blocked traffic
- store results of analysis of suspicious activities

Authentication servers
- log all login attempts

Network quarantine servers
- status of quarantined hosts
- reason for quarantines

Operating System Logs

System events
- shutting down
- restarting services
- failed events

Audit records
- failed/successful authentication events
- file accesses
- security policy changes
- account changes
- use of privileges

Application Logs

Applications provide their own custom logging mechanisms, and the granularity can be very high. Typical logs:
- Client requests and server responses (email servers, web servers, financial records)
- Account information (authentication, account changes, password-cracking attempts, use of privileges)
- Usage information (number of transactions in a given time period, unusual activity such as bulk mail)
- Significant operational actions (application startup, shutdown, failures, configuration changes)

Need for Log Management

- Logs are often in proprietary, vendor-specific formats and are difficult to manage at scale
- Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems
- Logs are also useful for auditing and forensic analysis, supporting the organization's internal investigations, establishing baselines, and identifying operational trends
- Legal compliance: for critical applications such as health records, public financial records, and bank accounts, governments require organizations to maintain logs
- The trustworthiness of the log sources must be protected, and the logs themselves must be protected from malicious activity (e.g., tampering or deletion)

Challenges in Log Management

- Multiple log sources
- Inconsistent log content (e.g., recording only some of the relevant fields)
- Inconsistent timestamps (especially when logging across multiple hosts)
- Inconsistent formats (XML, plain text, binary)

Log Management Infrastructure

A three-tier architecture:
- Log generation: hosts with synchronized clocks generate log data
- Log analysis and storage: one or more log servers receive the logged data, either in real time or periodically. Such servers are called collectors or aggregators
- Log monitoring: the logged data is analyzed and monitored using application consoles

Features of the Infrastructure

General
- Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process
- Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest
- Event aggregation: similar entries are consolidated into a single entry containing a count of the number of occurrences of the event
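The three general features above (parsing, filtering, aggregation) applied in sequence to a handful of syslog-style lines. This is an added example, not code from the original slides; the log lines, hostnames, addresses and the noise rule are constructed for illustration.

```python
"""Parse, filter and aggregate syslog-style log lines.

Added example; it is not part of the original slides. The log lines below
are constructed to resemble RFC 3164 syslog output, and the hostnames,
addresses and programs in them are made up.
"""
import re
from collections import Counter

# Parsing: split the RFC 3164 header into named fields.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "  # e.g. 'Mar  3 09:14:07'
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Constructed sample input (not real log data).
SAMPLE_LINES = [
    "Mar  3 09:14:01 web01 CRON[4110]: pam_unix(cron:session): session opened for user root by (uid=0)",
    "Mar  3 09:14:01 web01 CRON[4110]: pam_unix(cron:session): session closed for user root",
    "Mar  3 09:14:07 web01 sshd[4122]: Failed password for root from 203.0.113.7 port 51022 ssh2",
    "Mar  3 09:14:09 web01 sshd[4124]: Failed password for root from 203.0.113.7 port 51024 ssh2",
    "Mar  3 09:14:12 web01 sshd[4126]: Failed password for root from 203.0.113.7 port 51027 ssh2",
    "Mar  3 09:14:30 web01 sshd[4130]: Accepted publickey for deploy from 192.0.2.10 port 40010 ssh2: ED25519 SHA256:abc",
    "Mar  3 09:15:00 db01 kernel: [12345.678] usb 1-1: new high-speed USB device number 4",
    "this line is not syslog",
]

# Filtering: (program regex, message regex). Matching entries are routine
# and unlikely to be of interest, so they are suppressed from analysis.
NOISE_RULES = [
    (re.compile(r"^CRON$"),
     re.compile(r"^pam_unix\(cron:session\): session (opened|closed)")),
]

# Aggregation: fields that vary per occurrence without changing the meaning
# of the event. Masking them lets otherwise identical entries be combined.
VARIABLE_FIELDS = [
    (re.compile(r"\bport \d+\b"), "port <N>"),
    (re.compile(r"\[\s*\d+\.\d+\]"), "[<uptime>]"),  # kernel uptime prefix
]


def parse(line):
    """Return a dict of header fields for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def is_noise(event):
    return any(p.match(event["prog"]) and m.match(event["msg"]) for p, m in NOISE_RULES)


def template(msg):
    """Replace per-occurrence values so similar messages compare equal."""
    for pattern, placeholder in VARIABLE_FIELDS:
        msg = pattern.sub(placeholder, msg)
    return msg


def aggregate(events):
    """Consolidate similar entries into one entry carrying an occurrence count."""
    counts = Counter((e["host"], e["prog"], template(e["msg"])) for e in events)
    return [{"host": h, "prog": p, "msg": m, "count": c}
            for (h, p, m), c in counts.most_common()]


def process(lines):
    parsed, unparsed = [], []
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed.append(line)   # keep, do not silently drop: unparseable lines need a look
        else:
            parsed.append(ev)
    kept = [e for e in parsed if not is_noise(e)]
    return {"parsed": parsed, "unparsed": unparsed, "kept": kept,
            "aggregated": aggregate(kept)}


if __name__ == "__main__":
    for row in process(SAMPLE_LINES)["aggregated"]:
        print(f'{row["count"]:>3}  {row["host"]}  {row["prog"]}  {row["msg"]}')
```

Two practitioner notes: lines that fail to parse are returned rather than discarded, because a parser gap is exactly where an attacker's odd input or a new log format hides; and filtering here only removes entries from analysis, not from what is stored, so the suppressed CRON entries remain available if an investigation later needs them.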
Features of the Infrastructure

Storage
- Log rotation is closing a log file and opening a new log file when the first file is considered complete. The closed file can then be compressed and analyzed without interfering with ongoing logging
- Log archival is retaining logs for an extended period of time, typically on removable media, a storage area network (SAN), or a server. Two forms of archival:
  - Retention: archiving logs on a regular basis as part of standard operational activities
  - Preservation: keeping logs that would normally be discarded, because they contain records of activity of particular interest
- Log compression is storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents

Features of the Infrastructure

- Log reduction is removing unneeded entries from a log to create a new, smaller log
- Log conversion is parsing a log in one format and storing its entries in a second format (e.g., text to XML)
- Log normalization: each log data field is converted to a particular data representation and categorized consistently, for example converting all dates/times into a common format
- Log file integrity checking involves calculating a message digest for each file and storing the message digest securely, so that changes to archived logs are detected
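A worked example of the last two items: normalizing timestamps from several source formats into one representation (ISO 8601, UTC), and recording a SHA-256 digest per archived file so that later alteration is detected. This is an added example, not code from the original slides; the timestamp formats handled, the reference year for syslog timestamps and the archive file contents are constructed assumptions.

```python
"""Timestamp normalization and archived-log integrity checking.

Added example; it is not part of the original slides. The set of input
formats, the reference year used for year-less syslog timestamps and the
archive contents below are constructed for illustration.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# --- Normalization ---------------------------------------------------------
# (strptime format, lacks_year). RFC 3164 syslog timestamps carry neither a
# year nor a time zone, so both must be assumed; here the caller supplies
# the year and UTC is assumed for the zone. A wrong assumption here silently
# shifts every event, so record the assumption alongside the normalized data.
TIMESTAMP_FORMATS = [
    ("%Y-%m-%dT%H:%M:%S.%f%z", False),  # ISO 8601 with fraction and offset
    ("%Y-%m-%dT%H:%M:%S%z", False),     # ISO 8601 without fraction
    ("%d/%b/%Y:%H:%M:%S %z", False),    # Apache/nginx common log format
    ("%b %d %H:%M:%S", True),           # RFC 3164 syslog header
]


def normalize_timestamp(raw, ref_year, assumed_tz=timezone.utc):
    """Return the timestamp as 'YYYY-MM-DDTHH:MM:SSZ' (UTC)."""
    raw = raw.strip()
    if raw.endswith("Z"):               # strptime's %z wants +0000, not 'Z'
        raw = raw[:-1] + "+0000"
    for fmt, lacks_year in TIMESTAMP_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if lacks_year:
            dt = dt.replace(year=ref_year, tzinfo=assumed_tz)
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    raise ValueError(f"unrecognised timestamp format: {raw!r}")


# --- Integrity checking ----------------------------------------------------
def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths):
    """Digest every archived file. The manifest must be kept where someone
    able to rewrite the archive cannot also rewrite the digests (another
    host, write-once media, or at minimum a different permission set)."""
    return {Path(p).name: sha256_file(p) for p in paths}


def verify_manifest(paths, manifest):
    """Return names whose digest no longer matches the manifest, plus names
    recorded in the manifest but no longer present on disk."""
    bad, seen = [], set()
    for p in paths:
        name = Path(p).name
        seen.add(name)
        if manifest.get(name) != sha256_file(p):
            bad.append(name)
    bad.extend(sorted(set(manifest) - seen))
    return bad


def demo_integrity():
    """Archive two constructed logs, record digests, then remove an entry
    from one file in place and confirm the change is detected."""
    with tempfile.TemporaryDirectory() as d:
        auth, kern = Path(d, "auth.log.1"), Path(d, "kern.log.1")
        auth.write_text("Mar  3 09:14:07 web01 sshd[4122]: Failed password for root\n")
        kern.write_text("Mar  3 09:15:00 db01 kernel: usb 1-1: new device\n")
        manifest = build_manifest([auth, kern])
        clean = verify_manifest([auth, kern], manifest)
        auth.write_text("")                     # attacker erases the evidence
        tampered = verify_manifest([auth, kern], manifest)
        return clean, tampered


if __name__ == "__main__":
    print(normalize_timestamp("10/Oct/2000:13:55:36 -0700", ref_year=2000))
    print(demo_integrity())
```

The digest is taken once, at rotation time, when the file is complete; digesting a live file is pointless because it changes legitimately. A plain hash only detects change; if the adversary can reach the manifest as well, replace it with an HMAC under a key the log server does not hold, or sign it.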
Features of the Infrastructure

Analysis
- Event correlation is finding relationships between two or more log entries. E.g., rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values such as timestamps, IP addresses, and event types
- Log viewing is displaying log entries in a human-readable format
- Log reporting is displaying the results of log analysis

Disposal
- Log clearing is removing all entries from a log that precede a certain date and time

Some popular implementations are syslog, SIEM software, and host-based intrusion detection systems.
Roles/Responsibilities in Log Management

- System and network administrators: responsible for configuring logging on individual systems and network devices, analyzing logs periodically, reporting results of log management activities, and performing regular maintenance of logs and logging software
- Security administrators: responsible for managing and monitoring the log management infrastructures, configuring logging on security devices (e.g., firewalls, network-based intrusion detection systems, antivirus servers), reporting on the results of log management activities, and assisting others with configuring logging and performing log analysis
- Computer security incident response teams: use log data when handling incidents
- Application developers: need to design or customize applications so that they perform logging in accordance with the logging requirements
- Information security officers: oversee the log management infrastructures
- Auditors: may use log data when performing audits
- Individuals involved in the procurement of software that generates computer security log data