Log Reviews


Time
15 hours 43 minutes
Difficulty
Advanced
CEU/CPE
16
Video Transcription
>> Now, in addition to the vulnerability assessments and pen tests that we'll do on a periodic basis, hopefully it goes without saying that we should be mindful of our logs, and we should have a process where we review those logs on a regular basis. Sometimes we review those logs as a reactive measure, meaning we have these logs, we don't really go through them until something happens, then we go back and we review those logs and we can see, "Oh, looks like there's where the indication of the attack started." Now, we want to make sure we have an active policy to review logs. We also want to make sure that those logs are not tampered with and, if they were tampered with, how we could detect that and make any corrections. Then one of the best tools that we have, if we're reviewing logs from multiple sources, is a SIEM system. It's a security information and event management system; you may hear slightly different definitions for that acronym, it really depends on what the latest book you've read is. But that SIEM system is going to help us aggregate the information.

When we talk about the importance of log reviews, if it's important enough to log, it's important enough to review. Now, I'm not going to say that's 100 percent, because a lot of things are just logged by default. They create records, and many times we monitor or we log much more information than is necessary. But I have to have a way of sifting through what's extraneous and being able to focus on the more meaningful indications, and organizations that can't do that get buried in a mound of events while not being able to detect significant security incidents. We need to make sure that we have log reduction or audit reduction tools, we need logs that we can filter through, we need alerts configured so that we can be notified in the event of some breach or compromise. We have to review our logs, and we have to do it proactively. It's much easier to deal with an attack in the very early stages than it is after the attack has already carried out the payload and we've already seen losses.

Now, to prevent these logs from being tampered with, there are several steps we need to take, because certainly an attacker would want to go in after they've carried out whatever their target is and they've compromised that target; they want to go back and modify our logs so that we don't see any history of what they've done. They might go back and erase events from a certain time period. Sometimes you review your audit logs and you see all these entries, and all of a sudden between the hours of 8:00 PM and 10:00 PM there are no entries. Just the absence should indicate something's going on there. But at any rate, we want to make sure these logs are not able to be tampered with. Remote logging: we can send our logs to a separate location, particularly one that has one-directional communication. We can make multiple copies of the log so that we can compare them if we expect or suspect that there's been some modification. We can send our logs to write-once media so that they can't be modified after being written to. Then also we can use hashing. Back in the cryptography chapter, back in Chapter 3, we talked about how hashing guarantees a file's integrity and gives us a clear indication that the file has not been modified. It's just really important that we review those logs and we make sure they haven't been tampered with.

Now of course the problem is, we log so many events across so many systems, and not even just systems in our local environment, but we may be monitoring systems throughout the globe, who knows? That becomes incredibly cumbersome. We use the tools that we have at our disposal. There are systems called SIEM systems, security information and event managers, and these systems essentially pull log information from across the various servers that I set up and configure and bring all that information into a single location. That's called aggregation: gathering up and collecting this information so that we can view it from a single location. But then the SIEM system also helps us correlate these events and eventually forecast or conduct trend analysis, so that we can determine, based on what's happening now, what we expect to happen in the future. Correlation and aggregation are the primary goals of a SIEM system, but they're just indispensable in our large environments so that we can look for activity not just on a single system, but across many systems. By the way, if you've used Splunk or have heard of Splunk, Splunk is a good SIEM system. There are millions of them out there, but that's just one that's probably one of the better known.

In this section, we talked about the importance of conducting log reviews, talked about making sure our logs aren't modified, and then using SIEM systems to aggregate and correlate information across the network.
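The three controls the lecture names, a tamper-evident log, spotting the suspicious "nothing between 8:00 PM and 10:00 PM" silence, and a SIEM's aggregate-then-correlate step, as an added Python example. This is not code from the course or from any SIEM product. The log records, hostnames, IP addresses and the collector key are constructed for the example; the keyed hash chain assumes the verifying key lives on a separate log collector that the logging host cannot reach, which is what makes a deletion or edit on the host detectable.

```python
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (host, ISO timestamp, message); not from any real system.
SAMPLE_EVENTS = [
    ("web01", "2024-03-01T19:30:00", "sshd: Failed password for root from 198.51.100.7"),
    ("web01", "2024-03-01T19:45:00", "sshd: Accepted password for deploy from 203.0.113.5"),
    ("vpn01", "2024-03-01T19:50:00", "openvpn: AUTH_FAILED user=admin src=198.51.100.7"),
    ("web01", "2024-03-01T19:58:00", "sshd: Failed password for root from 198.51.100.7"),
    # deliberately nothing between 20:00 and 22:00 on either host
    ("web01", "2024-03-01T22:05:00", "cron: job backup finished"),
    ("vpn01", "2024-03-01T22:10:00", "openvpn: AUTH_FAILED user=admin src=198.51.100.7"),
]

# Assumed secret held only by the remote collector (placeholder value for the example).
COLLECTOR_KEY = b"example-collector-key"


def chain_events(events, key):
    """Return [(record_line, mac_hex)]; each MAC also covers the previous MAC,
    so editing or deleting an earlier record invalidates every later one."""
    chain, prev = [], b"\x00" * 32
    for host, ts, msg in events:
        line = f"{ts} {host} {msg}"
        mac = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chain.append((line, mac.hex()))
        prev = mac
    return chain


def verify_chain(chain, key):
    """Index of the first record whose MAC does not verify, or None if intact."""
    prev = b"\x00" * 32
    for i, (line, mac_hex) in enumerate(chain):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), mac_hex):
            return i
        prev = expected
    return None


def tamper_demo():
    """An attacker deletes the VPN failure (record 2); the chain breaks at the
    record that followed it, because its MAC was computed over the deleted one."""
    chain = chain_events(SAMPLE_EVENTS, COLLECTOR_KEY)
    deleted = chain[:2] + chain[3:]
    return verify_chain(deleted, COLLECTOR_KEY)  # -> 2


def find_gaps(events, host, max_gap=timedelta(hours=1)):
    """Windows in which a host that normally logs went silent (the lecture's
    8 PM to 10 PM case): consecutive records further apart than max_gap."""
    times = sorted(datetime.fromisoformat(ts) for h, ts, _ in events if h == host)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(times, times[1:]) if b - a > max_gap]


# Two different log formats reduced to one normalised fact: "auth failure from <src>".
FAIL_PATTERNS = [
    re.compile(r"Failed password for \S+ from (\S+)"),
    re.compile(r"AUTH_FAILED user=\S+ src=(\S+)"),
]


def correlate_failures(events, threshold=3):
    """Aggregate failures from every host, then correlate by source address.
    A source seen on one host looks like noise; across hosts it is a pattern."""
    counts, hosts = defaultdict(int), defaultdict(set)
    for host, _ts, msg in events:
        for pat in FAIL_PATTERNS:
            m = pat.search(msg)
            if m:
                counts[m.group(1)] += 1
                hosts[m.group(1)].add(host)
    return {src: sorted(hosts[src]) for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("chain breaks at record:", tamper_demo())
    print("silent windows on web01:", find_gaps(SAMPLE_EVENTS, "web01"))
    print("correlated sources:", correlate_failures(SAMPLE_EVENTS))
```

The chain uses an HMAC rather than a bare hash on purpose: a plain SHA-256 chain can be recomputed by anyone who can edit the file, so it only proves integrity if the digests are also shipped somewhere the attacker cannot write, which is the same "separate location with one-directional communication" the lecture describes for remote logging.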