Insufficient Logging and Monitoring

00:00

Hey, everyone is Canada Hill Master Instructor a cyber. In this video, we're gonna talk about Web defense.

00:06

So just a quick free assessment question here.

00:08

Ways to prevent against the exploitation of insufficient logging and monitoring include all the following except which one.

00:16

All right, if you guessed Answer. See, you are correct. So ensuring logs are only stored locally. That's not what we want to do. We actually want to store them more than just on the local machine itself.

00:27

So insufficient logging monitoring. This is where if we get someone doing like if we get failed, log in attempts or, you know Attackers doing like failed Logan's or there's some other type of suspicious activity.

00:39

This is where we want to get those alerts. You know, we want a low grade information. We also want to get an alert saying, Hey, somebody's trying to log into the server multiple times. It doesn't seem right. Can you go take a look, right? And, of course, anyone working in the industry right now that's watching this. You probably already know that there's a lot of these logs and we get in. We have to make sense of all of those.

00:57

But we do want to make sure we're logging stuff in monitoring it as well.

01:02

So prevalent, you know, alas, did a survey. It's very common thing that people are not logging as much as they should. Some of that is related to the aspect of ah, log er now the Now the terminology escapes me, but basically, I just call it death by logs.

01:19

Um, but, you know, we're basically burnt out on looking at all these love, so a lot of times

01:23

people will ignore the alert and stuff coming through.

01:26

So how do we check for this? You know, way mentioned loves being stored locally. If we see that, we know that that's a new indicator that we're not efficiently doing logging or sufficiently Excuse me not doing our logging because we need to be able to log and store those logs in kind of a centralized database and not

01:45

just on a local machine.

01:48

Also, if we notice we're not monitoring any applications or certain applications or AP eyes where if we're also not ah, getting alerts on auditable events and we're also not looking or looking at logs in real time, right? We're just kind of like collecting data, but where nobody's actually going and looking through it.

02:06

So the impact here, if we're not monitoring stuff and saying, Hey, that doesn't look right then that gives you an attacker out Potential of successfully exploiting our network and taking stuff like our data or corrupting our data or taking our I P, which is part of our data and intellectual property, could also lead to identity theft

02:24

also allows the attacker to get access to like my computer, for example,

02:28

and then from there, pivot to other machines on the network and as part of that, maintaining their persistence across our network.

02:37

So how do we prevent against this? Will monitor any type of log and failure. So we want to make sure that that's, you know, just a regular Indians were being, you know, fat *** stuff and not an attacker doing stuff. The logs themselves need to be digestible, so we need to pull them into our seem and be able to actually digest those logs and all that data and sift through it all

02:54

and be able to say, OK, this is an attack

02:57

or Nah, that's not really something I need to worry about right now

03:01

that kind of ties into effective monitoring as well as alerts. And then all this kind of loops into the incident response aspect, right where we're able to identify that. Yes, something did occur here in Attacker did try to get in or they were successful in getting in. And now we move into our incident response process.

03:21

So just a quick post assessment question here. Tunisia is working as a network engineer. She's tasked with maintaining security for the network. She's already implemented a patching process, which is a good thing, right to keep the software firm where up to date on the systems. Now she wants to prevent exploitation of insufficient logging and monitoring. So what should she not do from this list that's here?