Doug Picotte | December 02, 2011
The amount of log volume produced by security devices, servers, network devices, applications, and databases can be staggering. In the past, our monthly log volume processing statistics were in the millions. Fast forward to today and beyond, and we are talking about processing billions of log messages in a given month for a single organization. Just imagine the size of the log file that a Fortune 500 organization creates during the course of normal operations. Now multiply that in times of heavy load, such as retail or travel operations over the holidays. Or try to imagine what those logs look like in a crisis, such as during an active cyber attack or a DoS attack.
The key, of course, is to find the proverbial “needle in a haystack” that we can translate into an actionable alert for our client base. Recently there has been much discussion about log volume, and what type of logs we should be looking at for clients. As you can imagine, many log messages produced by devices are not security-specific messages. Fortunately, we have created over 80,000 rules within our ActiveGuard platform to help discern between log messages of interest and those without a direct security implication.
To log, or not to log - that is the question
I would like to mention a few security logging best practices that we have found to be the most effective when searching for that “needle” in the haystack. We welcome any additional comments you may have regarding this subject.
Server OS Logging:
In the case of Windows server OS event logging, we recommend enabling the Security, System, and Application event logs. (Solutionary provides comprehensive device logging configuration guides as part of the service delivery.) If the server is subject to PCI compliance, for example, then the following Audit Policy settings and the associated security settings would be recommended:
• Account Logon Events – Success, Failure
• Account Management – Success
• Directory Service Access – Success, Failure
• Logon Events – Success, Failure
• Object Access – Success, Failure
• Policy Change – Failure
• Privilege Use – Success, Failure
• Process Tracking – Failure
• System Events – Failure
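As an added example (not from the original post or Solutionary's configuration guides), the following PowerShell script applies the audit settings listed above with auditpol.exe and then verifies that each subcategory matches. The category names are auditpol's own; the mapping from the legacy Local Security Policy names in the list to those categories is an assumption documented in the comments.

```powershell
# Added example: apply and verify the recommended audit policy with auditpol.exe.
# Run in an elevated PowerShell session on the server being configured.
# Assumption: the desired state is exactly the list in the post; adjust per client.
# If a domain GPO defines audit policy, it will override these local settings.

$DesiredPolicy = @(
    # auditpol category                                    (legacy name in the list above)
    @{ Category = 'Account Logon';      Success = $true;  Failure = $true  }  # Account Logon Events
    @{ Category = 'Account Management'; Success = $true;  Failure = $false }  # Account Management
    @{ Category = 'DS Access';          Success = $true;  Failure = $true  }  # Directory Service Access
    @{ Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }  # Logon Events
    @{ Category = 'Object Access';      Success = $true;  Failure = $true  }  # Object Access
    @{ Category = 'Policy Change';      Success = $false; Failure = $true  }  # Policy Change
    @{ Category = 'Privilege Use';      Success = $true;  Failure = $true  }  # Privilege Use
    @{ Category = 'Detailed Tracking';  Success = $false; Failure = $true  }  # Process Tracking
    @{ Category = 'System';             Success = $false; Failure = $true  }  # System Events
)

function Set-DesiredAuditPolicy {
    foreach ($p in $DesiredPolicy) {
        $s = if ($p.Success) { 'enable' } else { 'disable' }
        $f = if ($p.Failure) { 'enable' } else { 'disable' }
        # Both flags are set explicitly so a previously enabled state is not left behind.
        & auditpol.exe /set /category:"$($p.Category)" /success:$s /failure:$f | Out-Null
    }
}

function Test-DesiredAuditPolicy {
    # auditpol /get ... /r emits CSV with one row per subcategory; the 'Inclusion Setting'
    # column reads "No Auditing", "Success", "Failure" or "Success and Failure".
    $drift = @()
    foreach ($p in $DesiredPolicy) {
        $rows = & auditpol.exe /get /category:"$($p.Category)" /r | ConvertFrom-Csv
        foreach ($r in $rows) {
            $hasS = [bool]($r.'Inclusion Setting' -match 'Success')
            $hasF = [bool]($r.'Inclusion Setting' -match 'Failure')
            if ($hasS -ne $p.Success -or $hasF -ne $p.Failure) {
                $drift += "$($p.Category) / $($r.Subcategory): is '$($r.'Inclusion Setting')'"
            }
        }
    }
    return $drift
}

Set-DesiredAuditPolicy
$drift = Test-DesiredAuditPolicy
if ($drift.Count -eq 0) { 'Audit policy matches the recommended settings.' } else { $drift }
```

Test-DesiredAuditPolicy can also be run on its own as a periodic drift check, since it only reads the current policy.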
Keep in mind that server logging requirements may be different for each client depending on their environment and compliance requirements. Solutionary works with each client to understand their specific logging requirements, and make the appropriate logging configuration recommendations.
In the world of firewall logging, we are looking at a number of security-specific messages, including, for example, attempts to gain privileged access to the firewall. We are also looking at outbound connections to known bad IPs, as these may be an indication of a potential malware outbreak. There is, however, little to no value from a security perspective in logging the following messages:
• Successful connection creations and deletions
• UDP connection slot between two hosts created and deleted
• Address translation slots created and deleted
• ICMP Echo Reply
• ICMP Host Unreachable
• ICMP Echo Request
The bottom line is that it is imperative that the correct logging be configured for each device being monitored. Solutionary has extensive experience in providing the correct logging configurations to effectively find “the needle in a haystack”, meeting organizational goals while also meeting any compliance objectives the client may have. I will continue to expand upon this topic in future blogs. I also welcome any additional comments you may have on this subject.
Until Next Time
Thanks very much for reading my friends. Until next time, and as always, ride safe, crank up the holiday tunes, and stay secure!