
Type of Log Files Reviewed in a Risk Assessment

Best practices for audit, log review for IT security investigations

Device logs can be one of the most helpful tools infosec pros have, or they can be a huge waste of space.

At the heart of most devices that provide protection for IT networks is an ability to log events and take actions based on those events. This application and system monitoring provides details both on what has happened to the device and what is happening. It provides security against lapses in perimeter and application defences by alerting you to problems so that defensive measures can be taken before any real damage is done. Without monitoring, you have little chance of discovering whether a live application is being attacked or has been compromised.

Critical applications, processes handling valuable or sensitive information, previously compromised or abused systems, and systems connected to third parties or the Internet all require active monitoring. Any seriously suspicious behaviour or critical events must generate an alert that is assessed and acted on. Although you will need to carry out a risk assessment for each application or system to determine what level of audit, log review and monitoring is necessary, you will need to log at least the following:

  • User IDs
  • Date and time of log on and log off, and other key events
  • Terminal identity
  • Successful and failed attempts to access systems, data or applications
  • Files and networks accessed
  • Changes to system configurations
  • Use of system utilities
  • Exceptions and other security-related events, such as alarms triggered
  • Activation of protection systems, such as intrusion detection systems and antimalware

Collecting this data will help in access control monitoring and can provide audit trails when investigating an incident. While most logs are covered by some form of regulation these days and should be kept as long as the requirements call for, any that are not should be kept for a minimum period of one year, in case they are needed for an investigation. However, monitoring must be carried out in line with relevant legislation, which in the UK is the Regulation of Investigatory Powers and Human Rights Acts. Employees should be made aware of your monitoring activities in the network acceptable use policy.


Log files are a great source of information only if you review them. Merely purchasing and deploying a log management product won't provide any additional security. You have to use the information collected and analyse it on a regular basis; for a high-risk application, this could mean automated reviews on an hourly basis. ISO/IEC 27001 control A.10.10.2 not only requires procedures for monitoring the use of information processing facilities, but demands that the results are reviewed regularly to identify possible security threats and incidents.

However, even small networks can generate too much information to be analysed manually. This is where log analysers come in, as they automate the auditing and analysis of logs, telling you what has happened or is happening, and revealing unauthorised activity or abnormal behaviour. This feedback can be used to improve IDS signatures or firewall rule sets. Such improvements are an iterative process, as regularly tuning your devices to maximise their accuracy in recognising true threats will help reduce the number of false positives. Completely eliminating false positives, while still maintaining strict controls, is next to impossible, particularly as new threats and changes in the network structure will affect the effectiveness of existing rule sets. Log analysis can also provide a basis for focused security awareness training, reduced network misuse and stronger policy enforcement.
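The kind of automated review described above, over the minimum fields listed earlier (user ID, date and time, terminal, success or failure of access attempts, configuration changes, use of system utilities), as an added example that is not code from the original article. The key=value log format, the sample entries, the admin account list and the five-failures-in-five-minutes threshold are all constructed for this illustration; a real deployment would read from its own log source and tune the rules to its risk assessment.

```python
"""Automated review of an audit log: parse entries, then surface only the events a
reviewer needs to look at instead of reading every line.  Format and data are
constructed for this example, not taken from any product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail (assumed key=value format, one event per line).
SAMPLE_LOG = """\
ts=2024-03-01T08:00:01Z user=alice terminal=ws-12 event=logon outcome=success
ts=2024-03-01T08:05:10Z user=bob terminal=ws-07 event=logon outcome=failure
ts=2024-03-01T08:05:14Z user=bob terminal=ws-07 event=logon outcome=failure
ts=2024-03-01T08:05:19Z user=bob terminal=ws-07 event=logon outcome=failure
ts=2024-03-01T08:05:25Z user=bob terminal=ws-07 event=logon outcome=failure
ts=2024-03-01T08:05:31Z user=bob terminal=ws-07 event=logon outcome=failure
ts=2024-03-01T08:05:40Z user=bob terminal=ws-07 event=logon outcome=success
ts=2024-03-01T09:12:00Z user=carol terminal=ws-03 event=config_change outcome=success target=/etc/ssh/sshd_config
ts=2024-03-01T09:30:00Z user=root terminal=console event=utility_use outcome=success target=fdisk
ts=2024-03-01T10:00:00Z user=alice terminal=ws-12 event=file_access outcome=failure target=/finance/payroll.xlsx
ts=2024-03-01T17:00:00Z user=alice terminal=ws-12 event=logoff outcome=success
"""

ADMIN_USERS = {"root"}           # assumed: accounts allowed to change config / run utilities
FAILURE_THRESHOLD = 5            # assumed: failed logons inside WINDOW that raise an alert
WINDOW = timedelta(minutes=5)    # assumed sliding window for the failure-burst rule


def parse_entry(line):
    """Split one 'k=v k=v ...' line into a dict and parse the UTC timestamp."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text):
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def review(entries):
    """Return the list of alerts a reviewer should act on, in log order."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    flagged_burst = set()          # users already alerted on, to avoid repeats

    def alert(rule, e):
        alerts.append({"ts": e["ts"], "rule": rule, "user": e["user"],
                       "terminal": e["terminal"], "target": e.get("target")})

    for e in entries:
        if e["event"] == "logon" and e["outcome"] == "failure":
            # keep only failures inside the sliding window, then add this one
            recent = [t for t in failures[e["user"]] if e["ts"] - t <= WINDOW]
            recent.append(e["ts"])
            failures[e["user"]] = recent
            if len(recent) >= FAILURE_THRESHOLD and e["user"] not in flagged_burst:
                flagged_burst.add(e["user"])
                alert("logon_failure_burst", e)
        elif e["event"] == "logon" and e["outcome"] == "success":
            # a success right after a burst of failures is the interesting case
            if e["user"] in flagged_burst:
                alert("success_after_failure_burst", e)
        elif e["event"] in ("config_change", "utility_use") and e["user"] not in ADMIN_USERS:
            alert("privileged_action_by_non_admin", e)
        elif e["event"] == "file_access" and e["outcome"] == "failure":
            alert("failed_file_access", e)
    return alerts


if __name__ == "__main__":
    for a in review(parse_log(SAMPLE_LOG)):
        print(a["ts"].isoformat(), a["rule"], a["user"], a["terminal"], a["target"] or "")
```

Run against the sample it raises four alerts: the burst of failed logons by bob, bob's subsequent successful logon, a configuration change by a non-admin account, and a failed file access. The root utility use produces nothing because root is on the admin list, which is exactly the sort of tuning decision the article describes as iterative: the rule set is only as good as the allow list and thresholds behind it.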

ISO/IEC 27001 controls A.10.10.4 and A.10.10.5 cover two specific areas of logging whose importance is often not fully appreciated: administrator activity and fault logging. Administrators have powerful rights, and their actions need to be carefully recorded and checked. As events such as system restarts to correct serious errors may not get recorded electronically, administrators should maintain a written log of their activities, recording event start and stop times, who was involved and what actions were taken. The name of the person making the log entry should also be recorded, along with the date and time. The internal audit team should keep these logs.

There are two types of faults to be logged: faults generated by the system and the applications running on it, and faults or errors reported by the system's users. Fault logging and analysis is often the only way of finding out what is wrong with a system or application. The analysis of fault logs can be used to identify trends that may indicate more deep-rooted problems, such as faulty equipment or a lack of competence or training in either users or system administrators.

All operating systems and many applications, such as database server software, provide basic logging and alerting facilities. This logging functionality should be configured to log all faults and send an alert if the error is above an acceptable threshold, such as a write failure or connection time-out. The logs should be reviewed on a regular basis, and any fault-related entries should be investigated and resolved. While analysing all logs daily is likely an unrealistic goal, high-volume and high-risk applications, such as an e-commerce Web server, will need almost daily checking to prevent high-profile break-ins, while for most others a weekly check will suffice.

There should be a documented work instruction covering how faults are recorded or reported, who can investigate them, and an expected resolution time, similar to a service contract if you use an outside contractor to support your systems. Help desk software can log details of all user reports, and track actions taken to deal with them and close them out.
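Fault logging with threshold-based alerting and a per-host trend summary, as the two preceding paragraphs describe, written here as an added example rather than taken from the article or any vendor's tooling. The syslog-like line format, the sample faults, the fault categories and their regular expressions, and the thresholds (write failures and connection time-outs alert on first occurrence, everything else after three occurrences on one host) are all assumptions constructed for the illustration.

```python
"""Fault log review: classify faults, alert above a per-category threshold, and
summarise counts per host so that equipment-level trends stand out.
All formats, categories and sample data are constructed for this example."""
import re
from collections import Counter

# Constructed sample fault log: "<utc timestamp> <host> <process>: <message>"
SAMPLE_FAULTS = """\
2024-03-01T08:00:00Z db01 postgres: ERROR could not write to file "base/16384/2611": No space left on device
2024-03-01T08:00:05Z web01 nginx: upstream timed out (110: Connection timed out) while reading response header
2024-03-01T08:01:00Z web01 app: WARN cache miss ratio high
2024-03-01T08:02:00Z web02 app: WARN cache miss ratio high
2024-03-01T08:03:00Z web02 app: WARN cache miss ratio high
2024-03-01T08:04:00Z web02 app: WARN cache miss ratio high
2024-03-01T08:05:00Z db02 disk: I/O error, dev sdb, sector 12345
2024-03-01T08:06:00Z db02 disk: I/O error, dev sdb, sector 12346
2024-03-01T08:07:00Z db02 disk: I/O error, dev sdb, sector 12347
2024-03-01T08:08:00Z web01 app: something odd happened
"""

# Assumed classification rules, checked in order; first match wins.
CATEGORIES = [
    ("write_failure",       re.compile(r"could not write|no space left on device", re.I)),
    ("disk_io_error",       re.compile(r"I/O error", re.I)),
    ("connection_timeout",  re.compile(r"timed out|time-?out", re.I)),
    ("performance_warning", re.compile(r"\bWARN\b")),
]
CRITICAL = {"write_failure", "connection_timeout"}  # assumed: alert on the first occurrence
DEFAULT_THRESHOLD = 3                                # assumed: per host, per review period


def parse_fault(line):
    ts, host, rest = line.split(" ", 2)
    proc, msg = rest.split(": ", 1)
    return {"ts": ts, "host": host, "proc": proc, "msg": msg}


def classify(msg):
    for name, pattern in CATEGORIES:
        if pattern.search(msg):
            return name
    return "unclassified"   # never drop a fault silently; count it so it can be reviewed


def review_faults(text):
    """Return (alerts, counts).  alerts: list of (host, category, ts) raised in log order.
    counts: Counter of (host, category) for the whole review period (the trend view)."""
    counts = Counter()
    alerts = []
    alerted = set()
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_fault(line)
        cat = classify(f["msg"])
        key = (f["host"], cat)
        counts[key] += 1
        threshold = 1 if cat in CRITICAL else DEFAULT_THRESHOLD
        # alert exactly once per host/category when the count first reaches the threshold
        if counts[key] >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((f["host"], cat, f["ts"]))
    return alerts, counts


def hosts_over(counts, category, minimum):
    """Hosts whose count for one category reached `minimum`: the trend question
    'is this one box failing?' from the article."""
    return sorted(h for (h, c), n in counts.items() if c == category and n >= minimum)


if __name__ == "__main__":
    alerts, counts = review_faults(SAMPLE_FAULTS)
    for host, cat, ts in alerts:
        print(f"ALERT {ts} {host} {cat}")
    print("disk_io_error hosts at >=3:", hosts_over(counts, "disk_io_error", 3))
```

The write failure and the connection time-out raise alerts immediately, as the article's examples of errors above an acceptable threshold; web02's repeated cache warnings and db02's repeated I/O errors only alert once they recur, and the per-host count for db02 is the kind of trend that points at faulty equipment rather than a one-off. The single unclassified line is counted but not alerted on, so it will still show up in the periodic review.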

No matter how extensive your logging, log files are worthless if you cannot trust their integrity. The first thing most hackers will do is try to change log files to hide their presence. To protect against this, you should record logs both locally and to a remote log server. This provides redundancy and an extra layer of security, as you can compare the two sets of logs against one another -- any differences will indicate suspicious activity.

If you can't stretch to a dedicated log server, logs should be written to a write-once medium, such as a CD-R or DVD-R, or to rewritable media such as magnetic tape data storage or hard disk drives that automatically make the newly written portion read-only to prevent an attacker from overwriting them. It's important also to prevent administrators from having physical and network access to logs of their own activities. Those tasked with reviewing logs should obviously be independent of the people, activities and logs being reviewed.

The protection of log information is critical. Compromised logs can hamper IT security investigations into suspicious events, invalidate disciplinary action and undermine court actions.

Another point to bear in mind is that system clocks need to be synchronised so log entries have accurate timestamps. Check computer clocks and correct any significant time variations on a weekly basis, or more often, depending on the error margin for time accuracy.

Clocks can drift on mobile devices and should be updated whenever they attach to the network or desktop. Always record the time of an event in a consistent format, such as Coordinated Universal Time (UTC), across all files. For additional security, add a checksum to each log entry so you can detect if any entries have been tampered with. Controls also need to be in place to ensure there is ample log storage. If your logs can be trusted, they can help you reconstruct the events of security incidents and provide legally admissible evidence.
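The two integrity measures the article recommends, a checksum on every entry (this paragraph) and comparison of a local log against a remote copy (the paragraph on remote log servers above), as one added example that is not code from the original article. It uses a keyed HMAC-SHA256 rather than a plain checksum and chains each entry to the previous one, so that editing, reordering or deleting an entry in the middle breaks every later check; timestamps are written in UTC as the article advises. The entry layout, the demo key and the sample messages are constructed for this illustration; in practice the key must be held by the independent reviewer or the remote collector, not on the host whose log it protects.

```python
"""Tamper-evident log entries: each line carries an HMAC over its own fields and the
previous line's HMAC, so the whole file forms a chain.  A second function compares a
local copy with a remote copy.  Layout, key and data are constructed for this example."""
import hmac
import hashlib
from datetime import datetime, timezone

SEP = "|"
GENESIS = "0" * 64   # stands in for the "previous MAC" of the very first entry


def utc_now():
    """Consistent UTC timestamp format for every entry, as the article recommends."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _mac(key, prev_mac, ts, seq, message):
    data = SEP.join([prev_mac, ts, str(seq), message]).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def append_entry(log, key, message, ts=None):
    """Append one line 'ts|seq|message|mac' to the in-memory log (a list of strings)."""
    if SEP in message:
        raise ValueError("message may not contain the field separator")
    ts = ts or utc_now()
    seq = len(log)
    prev = log[-1].rsplit(SEP, 1)[1] if log else GENESIS
    log.append(SEP.join([ts, str(seq), message, _mac(key, prev, ts, seq, message)]))
    return log


def verify_chain(log, key):
    """Return (True, None) if every entry checks out, else (False, index_of_first_bad_entry)."""
    prev = GENESIS
    for i, line in enumerate(log):
        parts = line.split(SEP)
        if len(parts) != 4:
            return False, i                      # malformed line
        ts, seq, message, mac = parts
        if seq != str(i):
            return False, i                      # gap or reordering
        if not hmac.compare_digest(_mac(key, prev, ts, i, message), mac):
            return False, i                      # content or MAC altered, or wrong key
        prev = mac
    return True, None


def compare_copies(local, remote):
    """Lines present in one copy but not the other; any difference is worth investigating."""
    local_set, remote_set = set(local), set(remote)
    return {"missing_locally": [l for l in remote if l not in local_set],
            "missing_remotely": [l for l in local if l not in remote_set]}


if __name__ == "__main__":
    key = b"constructed-demo-key"   # constructed for the example; keep a real key off the logged host
    log = []
    append_entry(log, key, "user=alice event=logon outcome=success", ts="2024-03-01T08:00:01Z")
    append_entry(log, key, "user=bob event=logon outcome=failure", ts="2024-03-01T08:05:10Z")
    append_entry(log, key, "user=bob event=logon outcome=success", ts="2024-03-01T08:05:40Z")
    remote = list(log)                           # the copy held by the remote log server
    print("intact:", verify_chain(log, key))
    # an attempt to rewrite the middle entry
    ts, seq, _, mac = log[1].split(SEP)
    edited = log[:1] + [SEP.join([ts, seq, "user=bob event=logon outcome=success", mac])] + log[2:]
    print("edited entry 1:", verify_chain(edited, key))
    # an attempt to drop the last entry: the chain alone cannot see this
    truncated = log[:2]
    print("truncated:", verify_chain(truncated, key), compare_copies(truncated, remote))
```

The chain catches edits, reordering and deletions in the middle, and a verifier without the right key fails at entry 0. It does not catch removal of the most recent entries, because a shortened chain is still a valid chain; that gap is exactly what the comparison against the remote copy closes, which is why the article asks for both controls rather than either one alone.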

Logging and auditing work together to ensure users are only performing the activities they are authorised to perform, and they play a key role in preventing, as well as in spotting, tracking and stopping, unwanted or inappropriate activities.

About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Cobb serves as SearchSecurity.com's contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com's Security School lessons.


Source: https://www.computerweekly.com/tip/Best-practices-for-audit-log-review-for-IT-security-investigations