Join Lisa Bock for an in-depth discussion in this video Saving and securing audit files, part of IT Security Foundations: Operating System Security.
- Auditing and logging is done for a variety of reasons. An organization's requirements and due diligence will dictate the logging schedule. However, there may be compliance and regulatory requirements for maintaining log events, such as Sarbanes-Oxley, Gramm-Leach-Bliley, and HIPAA, which can place an increased burden of proof that they are protecting their information systems. Reviewing log files many times is reactive, not proactive.
That means someone might check a log file after an event, as log files are often the only record of suspicious behavior. Many automated tools are available; however, log file analysis should be a part of a daily routine, even if it is a spot check of essential events, or when suspicious or unusual activity has been identified. Logging can take up considerable space, so administrators should closely monitor the size of the log files so that the files do not fill up assigned space and possibly overwrite data.
If the log files are filling up too quickly or are too large, adjusting settings may be necessary, such as archiving the logs more often or decreasing the level of logging detail. Centralized logging is often performed using Syslog, a standard logging protocol, or security information and event management software that uses centralized servers to perform log analysis and detect relevant data from a single point of view, which makes it easier to spot trends and see patterns that are out of the ordinary.
Automated log analysis tools can identify suspicious and unusual activity and should be set to notify the system administrator of any suspicious events as quickly as possible for follow-up investigation. Even with automated log analysis, a trained eye is often required to recognize an attack. Have security personnel and/or system administrators run weekly log reports to spot inconsistencies. Backing up and archiving log files is important for several reasons, including support for possible legal actions.
An attack can involve multiple unique requests over time. Therefore, reviewing logs and identifying the trends over a great period of time such as over weeks or even months can possibly help recognize an attack signature. Logging helps reconstruct a security event and sometimes is the only evidence of an attack. How long log files are kept depends on a number of factors including the value of the data and an organization's individual policy.
Log files should be protected so that they cannot be altered to cover an attack. To protect log files, encrypt them, and store them on a centralized logging server. Deficiencies in security logging and improper analysis allow attackers to cover their tracks. An attack may go unnoticed for months or even years without anyone knowing, and the damage may be irreversible. Log to a central log management system, or to write-only devices.
Log events should include a date, a timestamp, source and destination address, and other details. Log systems should use a synchronized time approach such as Network Time Protocol, and run logs through a log analysis system. Mechanisms should be used to alert the administrator if a system fails to log properly.
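Two of the controls described above, tamper-evident log storage and alerting when a system stops logging, can be implemented on the central log server. The following is an added Python example, not code from the course or from any logging product; the syslog lines, host names, addresses and the `silent_hosts`, `chain_log` and `verify_chain` helpers are constructed for illustration. It keys an HMAC chain over each received line so that editing or deleting an entry is detectable, and it reports hosts that have not sent an event within an expected interval.

```python
import hmac
import hashlib
from datetime import datetime, timedelta

# Constructed sample syslog lines (ISO 8601 UTC timestamp, host, message); not real data.
SAMPLE_LOG = [
    "2024-03-01T10:00:05Z web01 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "2024-03-01T10:00:40Z db01 kernel: audit: type=1400 apparmor=DENIED profile=mysqld",
    "2024-03-01T10:15:12Z web01 sudo: bob : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "2024-03-01T10:30:03Z web01 sshd[990]: Failed password for root from 203.0.113.7 port 4010",
]

# Hypothetical server-side secret; in practice it lives only on the central log server,
# so a host that is compromised cannot recompute tags for its own entries.
SERVER_KEY = b"example-log-server-key-do-not-reuse"


def parse_line(line):
    """Split one line into (timestamp, host, message). Assumes synchronized UTC clocks (NTP)."""
    ts, host, msg = line.split(" ", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, msg


def silent_hosts(lines, now, max_gap_minutes, expected_hosts):
    """Return expected hosts with no event within max_gap_minutes of `now`.

    A silent host may mean its logging agent failed, was disabled, or the host is down;
    each case warrants an alert to the administrator.
    """
    last_seen = {}
    for line in lines:
        ts, host, _ = parse_line(line)
        last_seen[host] = max(last_seen.get(host, ts), ts)
    gap = timedelta(minutes=max_gap_minutes)
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > gap)


def chain_log(lines, key):
    """Compute an HMAC-SHA256 tag per line, each covering the previous tag plus the line.

    The chain makes in-place edits, deletions and reordering detectable during verification.
    """
    tags = []
    prev = b"\x00" * 32  # fixed starting value for the first entry
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        tags.append(tag.hex())
        prev = tag
    return tags


def verify_chain(lines, tags, key):
    """Return the index of the first entry that fails verification, or -1 if intact.

    A length mismatch (an entry appended or truncated without a tag) is reported at the
    first index where lines and tags diverge.
    """
    prev = b"\x00" * 32
    for i, (line, tag) in enumerate(zip(lines, tags)):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag):
            return i
        prev = expected
    return -1 if len(lines) == len(tags) else min(len(lines), len(tags))


if __name__ == "__main__":
    now = datetime(2024, 3, 1, 10, 45, 0)
    print("silent hosts:", silent_hosts(SAMPLE_LOG, now, 30, ["web01", "db01", "app01"]))
    tags = chain_log(SAMPLE_LOG, SERVER_KEY)
    print("intact chain:", verify_chain(SAMPLE_LOG, tags, SERVER_KEY))
    edited = list(SAMPLE_LOG)
    edited[2] = edited[2].replace("bob", "alice")  # attacker rewrites who ran the command
    print("first bad entry after edit:", verify_chain(edited, tags, SERVER_KEY))
```

The tags should be stored alongside the archived log (or on a separate write-only medium) so that a verifier with the server key can check an archive before it is used as evidence; the silent-host check is meant to run on a schedule against the expected inventory of log sources.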
Note: This training maps to a number of the exam topics on the Microsoft Technology Associate (MTA) Security Fundamentals exam (98-367). See https://www.microsoft.com/learning/en-us/exam-98-367.aspx for more information.
- Creating strong passwords
- Understanding biometric security
- Adjusting permission behavior
- Enabling auditing
- OS hardening
- Using the Microsoft Baseline Security Analyzer
- Protecting email