what type of system should you be sending your security logs to
Best practices for audit, log review for IT security investigations
Device logs can be one of the most helpful tools infosec pros have, or they can be a huge waste of space.
At the heart of most devices that provide protection for IT networks is an ability to log events and take actions based on those events. This application and system monitoring provides details both on what has happened to the device and what is happening. It provides security against lapses in perimeter and application defences by alerting you to issues so that defensive measures can be taken before any real damage is done. Without monitoring, you have little chance of discovering whether a live application is being attacked or has been compromised.
Critical applications, processes handling valuable or sensitive data, previously compromised or abused systems, and systems connected to third parties or the Internet all require active monitoring. Any seriously suspicious behaviour or critical event must generate an alert that is assessed and acted on. Although you will need to carry out a risk assessment for each application or system to determine what level of audit, log review and monitoring is necessary, you will need to log at least the following:
- User IDs
- Date and time of log on and log off, and other key events
- Terminal identity
- Successful and failed attempts to access systems, data or applications
- Files and networks accessed
- Changes to system configurations
- Use of system utilities
- Exceptions and other security-related events, such as alarms triggered
- Activation of protection systems, such as intrusion detection systems and antimalware
Collecting this data will assist in access control monitoring and can provide audit trails when investigating an incident. While most logs are covered by some form of regulation these days and should be kept as long as the requirements call for, any that are not should be kept for a minimum period of one year, in case they are needed for an investigation. However, monitoring must be carried out in line with relevant legislation, which in the UK is the Regulation of Investigatory Powers and Human Rights Acts. Employees should be made aware of your monitoring activities in the network acceptable use policy.
Log files are a great source of information, but only if you review them. Simply purchasing and deploying a log management product won't provide any additional security. You have to use the information collected and analyse it on a regular basis; for a high-risk application, this could mean automated reviews on an hourly basis. ISO/IEC 27001 control A.10.10.2 not only requires procedures for monitoring the use of information processing facilities, but demands the results are reviewed regularly to identify possible security threats and incidents.
However, even small networks can generate too much information to be analysed manually. This is where log analysers come in, as they automate the auditing and analysis of logs, telling you what has happened or is happening, and revealing unauthorised activity or abnormal behaviour. This feedback can be used to improve IDS signatures or firewall rule sets. Such improvements are an iterative process, as regularly tuning your devices to maximise their accuracy in recognising true threats will help reduce the number of false positives. Completely eliminating false positives, while still maintaining strict controls, is next to impossible, particularly as new threats and changes in the network structure will affect the effectiveness of existing rule sets. Log analysis can also provide a basis for focused security awareness training, reduced network misuse and stronger policy enforcement.
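The kind of automated review described above, reduced to its simplest form, is a rule run over log lines with a tunable threshold. The following is an added example, not code from the article: it parses a handful of constructed syslog-style authentication lines (placeholder host name and documentation-range addresses) and flags any source that fails to log on at least `threshold` times within a sliding window. The `threshold` and `window_seconds` parameters are the knobs the article says must be tuned: too loose and every mistyped password becomes an alert, too tight and a slow, patient failure pattern is never seen.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout. The host name and the
# addresses are placeholders from documentation ranges, not real systems.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:03Z host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:04Z host1 sshd: Failed password for alice from 198.51.100.7
2024-03-01T09:00:06Z host1 sshd: Failed password for root from 198.51.100.7
2024-03-01T09:00:08Z host1 sshd: Failed password for admin from 198.51.100.7
2024-03-01T09:00:09Z host1 sshd: Accepted password for bob from 203.0.113.9
2024-03-01T09:05:00Z host1 sshd: Failed password for carol from 203.0.113.9
2024-03-01T09:20:00Z host1 sshd: Failed password for carol from 203.0.113.9
2024-03-01T09:20:30Z host1 sshd: Accepted password for carol from 203.0.113.9
"""

# One line format is assumed here; real analysers carry a parser per source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_lines(text):
    """Return a list of event dicts for lines that match LINE_RE.

    Lines that do not match are skipped rather than failing the whole run,
    so one malformed record cannot stop the review of the rest.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # Timestamps are recorded in UTC ('Z' suffix), so naive datetimes compare safely.
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_bursts(events, threshold=5, window_seconds=60):
    """Flag each source with >= threshold failed logons inside a sliding window.

    Returns one alert dict per offending source: {"src", "first", "count"}.
    Raising `threshold` or shrinking `window_seconds` trades fewer false
    positives for a higher chance of missing slow attempts.
    """
    window = timedelta(seconds=window_seconds)
    failures_by_src = defaultdict(list)
    for ev in events:
        if ev["outcome"] == "Failed":
            failures_by_src[ev["src"]].append(ev["ts"])

    alerts = []
    for src, times in failures_by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts.append({"src": src, "first": times[start].isoformat(), "count": count})
                break  # one alert per source is enough for a reviewer to act on
    return alerts


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for rule in ({"threshold": 5, "window_seconds": 60}, {"threshold": 2, "window_seconds": 3600}):
        print(rule, "->", find_bursts(evs, **rule))
```

With the default rule only the rapid five-failure run from 198.51.100.7 is reported; loosening the rule to two failures per hour also reports carol's two mistyped passwords fifteen minutes apart, which is exactly the false positive the article warns tuning must balance against.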
ISO/IEC 27001 controls A.10.10.4 and A.10.10.5 cover two specific areas of logging whose importance is often not fully appreciated: administrator activity and fault logging. Administrators have powerful rights, and their actions need to be carefully recorded and checked. As events, such as system restarts to correct serious errors, may not get recorded electronically, administrators should maintain a written log of their activities, recording event start and stop times, who was involved and what actions were taken. The name of the person making the log entry should also be recorded, along with the date and time. The internal audit team should keep these logs.
There are two types of faults to be logged: faults generated by the system and the applications running on it, and faults or errors reported by the system's users. Fault logging and analysis is often the only way of finding out what is wrong with a system or application. The analysis of fault logs can be used to identify trends that may indicate more deep-rooted problems, such as faulty equipment or a lack of competence or training in either users or system administrators.
All operating systems and many applications, such as database server software, provide basic logging and alerting facilities. This logging functionality should be configured to log all faults and send an alert if the fault is above an acceptable threshold, such as a write failure or connection time-out. The logs should be reviewed on a regular basis, and any error-related entries should be investigated and resolved. While analysing all logs daily is likely an unrealistic goal, high-volume and high-risk applications, such as an e-commerce Web server, will need almost daily checking to prevent high-profile break-ins, while for most others a weekly check will suffice.
There should be a documented work instruction covering how faults are recorded or reported, who can investigate them, and an expected resolution time, similar to a service contract if you use an outside contractor to support your systems. Help desk software can log details of all user reports, and track actions taken to deal with them and close them out.
No matter how extensive your logging, log files are worthless if you cannot trust their integrity. The first thing most hackers will do is attempt to change log files to hide their presence. To protect against this, you should record logs both locally and to a remote log server. This provides redundancy and an extra layer of security as you can compare the two sets of logs against one another -- any differences will indicate suspicious activity.
If you can't stretch to a dedicated log server, logs should be written to a write-once medium, such as a CD-R or DVD-R, or to rewritable media such as magnetic tape data storage or hard disk drives that automatically make the newly written portion read-only to prevent an attacker from overwriting them. It's important also to prevent administrators from having physical and network access to logs of their own activities. Those tasked with reviewing logs should obviously be independent of the people, activities and logs being reviewed.
The protection of log information is critical. Compromised logs can hamper IT security investigations into suspicious events, invalidate disciplinary action and undermine court actions.
Another point to bear in mind is that system clocks need to be synchronised so log entries have accurate timestamps. Check computer clocks and correct any significant time variations on a weekly basis, or more often, depending on the error margin for time accuracy.
Clocks can drift on mobile devices and should be updated whenever they attach to the network or desktop. Always record the time of an event in a consistent format, such as Universal Coordinated Time (UTC), across all files. For additional security, add a checksum to each log entry so you can detect if any entries have been tampered with. Controls also need to be in place to ensure there is ample log storage. If your logs can be trusted, they can help you reconstruct the events of security incidents and provide legally admissible evidence.
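Two of the integrity measures above, a per-entry checksum and a local copy compared against the remote log server's copy, fit together naturally, and the following added example (not code from the article) shows both. It goes one step further than a plain checksum: each entry carries a keyed HMAC over its own content and the previous entry's HMAC, so editing, deleting or reordering an entry breaks every later link, and only a holder of the key (assumed to be the log server or reviewer, never the administrators being logged) can forge a valid link. Entries record the fields the article lists (user ID, UTC timestamp, terminal identity, event, outcome). The key, field names and line layout are this example's own assumptions. One limitation is deliberately shown: cutting entries off the end of the chain leaves a chain that still verifies, which is why the comparison against the remote copy is still needed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for the example. In practice it is held by the log server
# or the independent reviewer, not on the host whose activity is logged.
LOG_KEY = b"example-log-key-not-for-production"
CHAIN_START = "0" * 64  # MAC "before" the first entry


def utc_now_iso():
    """Timestamp in one consistent format (UTC), as the article recommends."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def make_entry(prev_mac, user_id, terminal, event, outcome, ts=None):
    """Build one line '<json>|<hmac>' whose MAC also covers the previous MAC."""
    body = {
        "ts": ts or utc_now_iso(),
        "user": user_id,
        "terminal": terminal,
        "event": event,
        "outcome": outcome,
    }
    # Canonical JSON so the verifier recomputes exactly the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(LOG_KEY, (prev_mac + payload).encode(), hashlib.sha256).hexdigest()
    return payload + "|" + mac


def append_entry(log_lines, **fields):
    """Append a chained entry to an in-memory list of log lines."""
    prev = log_lines[-1].rsplit("|", 1)[1] if log_lines else CHAIN_START
    log_lines.append(make_entry(prev, **fields))
    return log_lines


def verify_chain(log_lines):
    """Return (True, -1) if every link verifies, else (False, index_of_first_bad_line).

    Detects edited, deleted and reordered entries anywhere in the chain.
    It cannot detect entries removed from the end: the remaining prefix is
    still a valid chain, so pair it with first_divergence() against the
    remote copy.
    """
    prev = CHAIN_START
    for i, line in enumerate(log_lines):
        parts = line.rsplit("|", 1)
        if len(parts) != 2:
            return False, i
        payload, mac = parts
        expected = hmac.new(LOG_KEY, (prev + payload).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False, i
        prev = mac
    return True, -1


def first_divergence(local_lines, remote_lines):
    """Index of the first position where the local and remote copies differ.

    Returns -1 when the copies are identical; when one copy is a strict prefix
    of the other (e.g. entries trimmed from the host's local log), returns the
    first index that exists in only one copy.
    """
    for i, (a, b) in enumerate(zip(local_lines, remote_lines)):
        if a != b:
            return i
    if len(local_lines) != len(remote_lines):
        return min(len(local_lines), len(remote_lines))
    return -1


if __name__ == "__main__":
    log = []
    append_entry(log, user_id="alice", terminal="tty1", event="logon", outcome="success")
    append_entry(log, user_id="alice", terminal="tty1", event="config_change", outcome="success")
    append_entry(log, user_id="alice", terminal="tty1", event="logoff", outcome="success")
    print("intact:", verify_chain(log))
    edited = list(log)
    edited[1] = edited[1].replace("config_change", "read")
    print("edited entry:", verify_chain(edited))
    print("trimmed tail:", verify_chain(log[:2]), "divergence vs remote:", first_divergence(log[:2], log))
```

The local host keeps the chained lines and forwards each one to the remote server as it is written; the reviewer verifies the chain on the remote copy and then compares it with the local copy, so a rewritten entry fails verification and a trimmed local log shows up as a divergence.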
Logging and auditing work together to ensure users are only performing the activities they are authorised to perform, and they play a key part in preventing, as well as in spotting, tracking and stopping unwanted or inappropriate activities.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides information security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.
Source: https://www.computerweekly.com/tip/Best-practices-for-audit-log-review-for-IT-security-investigations