SlideShare a Scribd company logo

Log management & SIEM

B
BarakatAbweh

This document discusses log management and security incident and event management (SIEM). It defines what logs are, why they are important for tasks like intrusion detection, incident containment, and forensic analysis. It outlines the challenges of managing logs from different sources and formats. It provides best practices for developing logging policies, normalizing log data, centralizing, securing, and reviewing logs. It also discusses log retention, rotation, and tools like SIEM that provide real-time analysis and correlation of security events and alerts.

Technology
Related topics:
Information Security Cyber-Security
1 of 14
1
2
3
4
Most read
5
Most read
6
7
8
Most read
9
10
11
12
13
14
Log Management Security Incidents & Events Management (SEIM)
Agenda • What are logs • Why do we need logs • Problems & Challenges • Best Practices • SIEM
What are Logs • Historical Record of events that happened. • Records events and status of systems in a time sequential format. • Record of activity on the system/network. • Provide an Audit trail of who done what, where, when and why (5Ws)
Why are Logs Important? Logs can assist us in • Determining what happened - AuditTrail • Intrusion Detection • Incident Containment • Forensic Analysis • Proactive Protection • RealTime Alerts • Providing a Network Baseline • Determining the Health of the Network • Troubleshooting issues • Proactive maintenance
Where to find Logs • Logs are everywhere • Operating Systems • Applications • Devices • Routers • Firewalls • IDS • Switches
Log management & SIEM
The Challenges • Different vendors different log formats. • Regulatory Requirements. • Logs were written by developers • Format is not easy to read • Messages can be obscure • Logs contain enormous amount of information. • Identifying anomalies can be difficult • Logs can be overwhelming • Amount • format
Best Practices • Develop logging Policy • Determine what information is relevant to you. • What devices are important? • What events are important? • Don’t forget to turn on logging! • Timing of events, e.g. user logons in morning. • What reports you and the business want/need? • Group servers into zones based on their function or criticality and priorities events accordingly.
Best Practices • Baseline your systems & network. • Determine how your network normally behaves. • Repeat at regular intervals • Secure log files on all devices. • Encrypt logs if possible • Ensure all devices use same time source. • If using more than one time zone use UTC. • Use NTP protocol from a secure source to synchronize time
Best Practices • Centralize log collection • Dedicated server to collect all logs. • Be careful of network traffic volumes. • Be aware of limitations of server to process number of events. • Configure all devices send logs to central log server. • Make sure central server is secure. • Secure transmission of logs. • e.g. Syslog uses UDP by default. Consider using IPSec or next generation Syslog (Syslog-NG)
Best Practices • Normalize the data • All events such asWindows, Syslog, SNMP etc. should be normalized into same format. • Review the Logs • Ensure logs are regularly reviewed • Manually • Automatically • Scripts • CommercialTools • FreewareTools
Best Practices • Log Retention • Based on disk space. • May be regulatory requirements. • Archive ontoWORM type devices and store in secure area. • Log Rotation • Determine time schedule • Based on volume of data • Develop meaningful naming convention. • Move data to rotated file
SIEM • Set ofTools,Applications and Correlation searches. • Built on top of Log Management Solution. • real-time analysis of security alerts, events and logs • continuous monitoring of all ongoing events • Alerts once incident is found • Helps in showing security posture • Facilitates discovery of security problems and breaches • Investigations
• Inbound/outbound suspicious activities • Event correlation for advanced threats • DDOS attacks • Unauthorized remote access • Critical service monitoring • Malware monitoring • IP Reputations • Risk & Compliance • SecurityThreats analysis

More Related Content

PDF
The Microsoft Well Architected Framework For Data Analytics
Stephanie Locke
 
PPTX
Splunk Overview
Splunk
 
PPTX
Observability
Enes Altınok
 
PPTX
Observability
Maganathin Veeraragaloo
 
PDF
Observability
Martin Gross
 
PPTX
Observability vs APM vs Monitoring Comparison
jeetendra mandal
 
PDF
DevSecOps and the CI/CD Pipeline
James Wickett
 
PDF
Modern vs. Traditional SIEM
Alert Logic
 
The Microsoft Well Architected Framework For Data Analytics
Stephanie Locke
 
Splunk Overview
Splunk
 
Observability
Enes Altınok
 
Observability
Maganathin Veeraragaloo
 
Observability
Martin Gross
 
Observability vs APM vs Monitoring Comparison
jeetendra mandal
 
DevSecOps and the CI/CD Pipeline
James Wickett
 
Modern vs. Traditional SIEM
Alert Logic
 

What's hot (20)

PPTX
Monitoring & Observability
Lumban Sopian
 
PPTX
Microservices Part 3 Service Mesh and Kafka
Araf Karsh Hamid
 
PDF
Observability; a gentle introduction
Bram Vogelaar
 
PDF
MITRE ATT&CK Framework
n|u - The Open Security Community
 
PPTX
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
PDF
Cloud-Native Observability
Tyler Treat
 
PDF
CNIT 121: 9 Network Evidence
Sam Bowne
 
PPTX
Vulnerability Management: What You Need to Know to Prioritize Risk
AlienVault
 
PPTX
Hypercare Support Model.pptx
UrielUgalde2
 
PPTX
Monitoring and observability
Danylenko Max
 
PPTX
Kafka Retry and DLQ
George Teo
 
PDF
CQRS + Event Sourcing
Mike Bild
 
PDF
Observability at Scale
Knoldus Inc.
 
PPSX
Microservices Architecture - Cloud Native Apps
Araf Karsh Hamid
 
PDF
2019 DevSecOps Reference Architectures
Sonatype
 
PPTX
Practical service level objectives with error budgeting
Fred Moyer
 
PPTX
Introduction to Distributed Tracing
petabridge
 
PPTX
Continuous Delivery
Mike McGarr
 
PDF
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
Apigee | Google Cloud
 
PPTX
Azure fundamental -Introduction
ManishK55
 
Monitoring & Observability
Lumban Sopian
 
Microservices Part 3 Service Mesh and Kafka
Araf Karsh Hamid
 
Observability; a gentle introduction
Bram Vogelaar
 
MITRE ATT&CK Framework
n|u - The Open Security Community
 
DevSecops: Defined, tools, characteristics, tools, frameworks, benefits and c...
Mohamed Nizzad
 
Cloud-Native Observability
Tyler Treat
 
CNIT 121: 9 Network Evidence
Sam Bowne
 
Vulnerability Management: What You Need to Know to Prioritize Risk
AlienVault
 
Hypercare Support Model.pptx
UrielUgalde2
 
Monitoring and observability
Danylenko Max
 
Kafka Retry and DLQ
George Teo
 
CQRS + Event Sourcing
Mike Bild
 
Observability at Scale
Knoldus Inc.
 
Microservices Architecture - Cloud Native Apps
Araf Karsh Hamid
 
2019 DevSecOps Reference Architectures
Sonatype
 
Practical service level objectives with error budgeting
Fred Moyer
 
Introduction to Distributed Tracing
petabridge
 
Continuous Delivery
Mike McGarr
 
I Love APIs 2015 : Zero to Thousands TPS Private Cloud Operations Workshop
Apigee | Google Cloud
 
Azure fundamental -Introduction
ManishK55
 
Ad

Similar to Log management & SIEM (20)

PPTX
Security Information and Event Management (SIEM)
k33a
 
PDF
UNIT -III SIEM aur baato kaise hai aap log.pdf
hefagi6193
 
PPTX
Security Information Event Management Security Information Event Management
karthikvcyber
 
PPTX
Introduction to SIEM.pptx
neoalt
 
PDF
Siem & log management
Rafel Ivgi
 
PDF
Wc4
Said Wali
 
PPTX
SIEM Primer:
Anton Chuvakin
 
PPTX
Beginner's Guide to SIEM
AlienVault
 
PPT
Best practises for log management
Brian Honan
 
PPTX
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
Anton Chuvakin
 
PDF
InfoSecurity.be 2011
Xavier Mertens
 
PDF
.The Complete Guide to Log and Event Management
Enterprise Technology Management (ETM)
 
PPT
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
PPTX
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
PPTX
SIEM (Security Information and Event Management)
Osama Ellahi
 
PPTX
Making Log Data Useful: SIEM and Log Management Together
Anton Chuvakin
 
PPTX
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
PDF
Maceo Wattley Contributor Infosec
Dr. Maceo D. Wattley
 
Security Information and Event Management (SIEM)
k33a
 
UNIT -III SIEM aur baato kaise hai aap log.pdf
hefagi6193
 
Security Information Event Management Security Information Event Management
karthikvcyber
 
Introduction to SIEM.pptx
neoalt
 
Siem & log management
Rafel Ivgi
 
Wc4
Said Wali
 
SIEM Primer:
Anton Chuvakin
 
Beginner's Guide to SIEM
AlienVault
 
Best practises for log management
Brian Honan
 
So You Got That SIEM. NOW What Do You Do?  by Dr. Anton Chuvakin
Anton Chuvakin
 
InfoSecurity.be 2011
Xavier Mertens
 
.The Complete Guide to Log and Event Management
Enterprise Technology Management (ETM)
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
SIEM - Your Complete IT Security Arsenal
ManageEngine EventLog Analyzer
 
SIEM (Security Information and Event Management)
Osama Ellahi
 
Making Log Data Useful: SIEM and Log Management Together
Anton Chuvakin
 
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Maceo Wattley Contributor Infosec
Dr. Maceo D. Wattley
 
Ad

Recently uploaded (20)

PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
PPTX
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
PPTX
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
PDF
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
PDF
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
PPTX
A Presentation on Touch Screen Technology
memembruh336
 
PPTX
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
PDF
August Patch Tuesday
Ivanti
 
PPTX
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
PDF
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPTX
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
PDF
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
PDF
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
PDF
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
From MVP to Full-Scale Product A Startup’s Software Journey.pdf
KodekX
 
SOPHOS-XG Firewall Administrator PPT.pptx
AgnesMunisi
 
Group 1 Presentation -Planning and Decision Making .pptx
MatthewLewis227954
 
Transform Your ITIL® 4 & ITSM Strategy with AI in 2025.pdf
PDCA Consulting
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
A comparative study of natural language inference in Swahili using monolingua...
IAESIJAI
 
A novel scalable deep ensemble learning framework for big data classification...
IAESIJAI
 
A Presentation on Touch Screen Technology
memembruh336
 
OMC Textile Division Presentation 2021.pptx
JahangirAlam816069
 
August Patch Tuesday
Ivanti
 
Tartificialntelligence_presentation.pptx
ry7r52mzb4
 
DP Operators-handbook-extract for the Mautical Institute
LeonelMejiaLarios
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
1. Introduction to Computer Programming.pptx
bonakiduza1024
 
DASA ADMISSION 2024_FirstRound_FirstRank_LastRank.pdf
rameswartudu05
 
Accuracy of neural networks in brain wave diagnosis of schizophrenia
IAESIJAI
 
Enhancing emotion recognition model for a student engagement use case through...
IAESIJAI
 

Log management & SIEM

  • 1. Log Management Security Incidents & Events Management (SEIM)
  • 2. Agenda • What are logs • Why do we need logs • Problems & Challenges • Best Practices • SIEM
  • 3. What are Logs • Historical Record of events that happened. • Records events and status of systems in a time sequential format. • Record of activity on the system/network. • Provide an Audit trail of who done what, where, when and why (5Ws)
  • 4. Why are Logs Important? Logs can assist us in • Determining what happened - AuditTrail • Intrusion Detection • Incident Containment • Forensic Analysis • Proactive Protection • RealTime Alerts • Providing a Network Baseline • Determining the Health of the Network • Troubleshooting issues • Proactive maintenance
  • 5. Where to find Logs • Logs are everywhere • Operating Systems • Applications • Devices • Routers • Firewalls • IDS • Switches
  • 7. The Challenges • Different vendors different log formats. • Regulatory Requirements. • Logs were written by developers • Format is not easy to read • Messages can be obscure • Logs contain enormous amount of information. • Identifying anomalies can be difficult • Logs can be overwhelming • Amount • format
  • 8. Best Practices • Develop logging Policy • Determine what information is relevant to you. • What devices are important? • What events are important? • Don’t forget to turn on logging! • Timing of events, e.g. user logons in morning. • What reports you and the business want/need? • Group servers into zones based on their function or criticality and priorities events accordingly.
  • 9. Best Practices • Baseline your systems & network. • Determine how your network normally behaves. • Repeat at regular intervals • Secure log files on all devices. • Encrypt logs if possible • Ensure all devices use same time source. • If using more than one time zone use UTC. • Use NTP protocol from a secure source to synchronize time
  • 10. Best Practices • Centralize log collection • Dedicated server to collect all logs. • Be careful of network traffic volumes. • Be aware of limitations of server to process number of events. • Configure all devices send logs to central log server. • Make sure central server is secure. • Secure transmission of logs. • e.g. Syslog uses UDP by default. Consider using IPSec or next generation Syslog (Syslog-NG)
  • 11. Best Practices • Normalize the data • All events such asWindows, Syslog, SNMP etc. should be normalized into same format. • Review the Logs • Ensure logs are regularly reviewed • Manually • Automatically • Scripts • CommercialTools • FreewareTools
  • 12. Best Practices • Log Retention • Based on disk space. • May be regulatory requirements. • Archive ontoWORM type devices and store in secure area. • Log Rotation • Determine time schedule • Based on volume of data • Develop meaningful naming convention. • Move data to rotated file
  • 13. SIEM • Set ofTools,Applications and Correlation searches. • Built on top of Log Management Solution. • real-time analysis of security alerts, events and logs • continuous monitoring of all ongoing events • Alerts once incident is found • Helps in showing security posture • Facilitates discovery of security problems and breaches • Investigations
  • 14. • Inbound/outbound suspicious activities • Event correlation for advanced threats • DDOS attacks • Unauthorized remote access • Critical service monitoring • Malware monitoring • IP Reputations • Risk & Compliance • SecurityThreats analysis