Under any framework, cybersecurity regulation, or security program an organization adheres to, there will be a requirement for logging, alerting and/or monitoring. This is to be expected: the third logical link in the security cycle is detection, and how do we detect? For the most part, we detect using logs. (There are other methods, but today logs are the primary means of detection while those other methods mature.)
This leads to important questions, given the many log files your devices will produce and the fact that you only have so many hours in a day. Which logs are being monitored, either by systems or by humans? Which SHOULD be included?
Here is a quick rundown. First, make sure any security devices or systems are at the top of the list. Firewalls, IDS/IPS, proxies, FIM (file integrity monitoring), and others are there to help secure our networks. One area that is often neglected but shouldn’t be is endpoint protection systems. Endpoint logs provide information on traffic and actions that the endpoint protection may not stop, but that could be indicators of compromise, or a precursor to compromise.
Next, we need to log and monitor methods of identification and authentication: Windows Active Directory, Linux directory systems, and local systems classified as sensitive or critical in your asset classification. Methods of access control should also be logged and monitored. If you have file shares holding regulated or sensitive data, object-level auditing is necessary. Databases and other systems that contain this type of data also generate logs that should be examined.
Logs can be audited by a system like a SIEM or a log management system (LMS). These types of tools usually allow for automated methods of correlating events across these systems, and can be tuned to alert on certain combinations of events that are more likely to indicate compromise or attempted compromise. Some of these systems can learn normal behavior and detect anomalous behavior. Humans can (and should) perform reviews, because automation can miss things a human can reason about and question. The caveat to this is that the human doing the review, or better yet threat hunting, needs to be trained to understand the meaning of these logs and the correlations. The process loses its effectiveness if it is treated as a chore done by an already overworked IT professional in order to fill a checkbox.
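As an added illustration of the cross-system correlation described above (example code written for this page, not the original post's and not any product's rule logic), the rule below joins directory-service logon events with file-share object audit events: a success that follows a burst of failed logons from the same address, followed shortly by sensitive share access, raises one alert. The event format, field names, thresholds and sample log lines are all constructed assumptions.

```python
# Added example: minimal SIEM-style correlation across two log sources.
# Event layout, thresholds and sample data are constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, event, host, user, src_ip)
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:01", "ad",        "logon_failed",  "dc01", "jdoe",   "10.9.8.7"),
    ("2024-05-01 09:00:03", "ad",        "logon_failed",  "dc01", "jdoe",   "10.9.8.7"),
    ("2024-05-01 09:00:05", "ad",        "logon_failed",  "dc01", "jdoe",   "10.9.8.7"),
    ("2024-05-01 09:00:08", "ad",        "logon_failed",  "dc01", "jdoe",   "10.9.8.7"),
    ("2024-05-01 09:00:10", "ad",        "logon_success", "dc01", "jdoe",   "10.9.8.7"),
    ("2024-05-01 09:01:30", "fileshare", "object_read",   "fs01", "jdoe",   "10.9.8.7"),
    # A normal user: one typo, then success, then routine share access -> no alert
    ("2024-05-01 10:15:00", "ad",        "logon_failed",  "dc01", "asmith", "10.1.1.5"),
    ("2024-05-01 10:15:04", "ad",        "logon_success", "dc01", "asmith", "10.1.1.5"),
    ("2024-05-01 10:20:00", "fileshare", "object_read",   "fs01", "asmith", "10.1.1.5"),
]

FAIL_THRESHOLD = 3             # failed logons before a success becomes suspicious
WINDOW = timedelta(minutes=5)  # how far back to look when correlating events

def parse(ev):
    """Turn one raw tuple into a dict with a real datetime for ordering."""
    ts, source, event, host, user, src_ip = ev
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": source,
            "event": event, "host": host, "user": user, "src_ip": src_ip}

def correlate(events):
    """Return alerts for sensitive-share reads that follow a logon success
    which itself followed FAIL_THRESHOLD+ failures from the same (user, IP)
    inside WINDOW. Events may arrive out of order; they are sorted first."""
    events = sorted((parse(e) for e in events), key=lambda e: e["ts"])
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of failed logons
    suspect_logons = {}           # (user, src_ip) -> time of the suspicious success
    alerts = []
    for e in events:
        key = (e["user"], e["src_ip"])
        if e["source"] == "ad" and e["event"] == "logon_failed":
            failures[key].append(e["ts"])
        elif e["source"] == "ad" and e["event"] == "logon_success":
            recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                suspect_logons[key] = e["ts"]
            failures[key].clear()  # a success closes the failure streak
        elif e["source"] == "fileshare" and e["event"] == "object_read":
            t = suspect_logons.get(key)
            if t is not None and e["ts"] - t <= WINDOW:
                alerts.append({"user": e["user"], "src_ip": e["src_ip"],
                               "host": e["host"], "at": e["ts"]})
    return alerts
```

Neither source alone would fire here: a handful of failed logons is routine in the directory log, and one share read is routine in the object audit log; only the join across systems makes the sequence worth an analyst's attention.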
Foresite offers a solution (ProVision) that can gather and correlate these logs. It uses rules that have been tuned to look for indicators of compromise across systems automatically. In addition, ProVision includes trained security analysts to review and hunt for things our systems may miss. This combination of automated tool and human intelligence provides otherwise unrecognized value from your security investments.