SlideShare a Scribd company logo

What Every Organization Should Log And Monitor

Anton Chuvakin, profile picture
Anton Chuvakin

The document outlines essential logging and monitoring practices for organizations, emphasizing the importance of log management strategies, incident response, and compliance with regulations. It covers types of logs to collect, the process of centralizing logs, and the need for a phased approach in setting up a log monitoring program. Additionally, it highlights challenges in deployment, the significance of real-time analysis, and the importance of logs in forensic investigations and regulatory compliance.

Technology
1 of 29
1
2
3
4
5
Most read
6
Most read
7
8
9
10
11
12
Most read
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
What Every Organization Should Log and Monitor: A Checklist? Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist November 15, 2004
WARNING! This presentation is from 2004. Now in 2008, I might not share all the view expressed in the presentation. It is posted the way it was originally presented in the hopes of being useful for somebody.
Highlights Monitoring and logging overview Log consolidation strategy: which log sources to include first Monitoring and event response strategy Log correlation to automate the monitoring Using logs for forensics and incident response Management and compliance reporting
Definitions Logging Auditing Monitoring Event reporting Log analysis Alerting
Security Data Overview Audit logs Transaction logs Intrusion logs Connection logs System performance records User activity logs Various alerts Firewalls/intrusion prevention Routers/switches Intrusion detection Hosts Business applications Anti-virus VPNs What data? From Where?
Value of Logging and Monitoring Monitoring Incident detection Loss prevention Compliance Logging Audit Forensics Incident response Compliance Analysis Deeper insight Internal attacks Fault prediction
Log Management Process Collect the data Convert to a common format Reduce in size, if possible Transport securely to a central location Process in real-time Eliminate false positives Alert on threats Store securely Report on trends
Log Process Overview
Centralize the Logs! Accessibility All audit records in one place Cross-device searchability and analysis Categorization Correlation De-duplication / volume reduction Reduced response time Increase in the efficiency of existing security point solutions
Retention Time Question I have the answer!  No, not really. Regulations? Unambiguous: PCI – keep’em for 1 year Tiered retention strategy Online Nearline Offline/tape
Monitoring or Ignoring Logs? How to plan a response strategy to activate when monitoring? Where to start? How to tune it?
Monitoring Strategy
Setting Up Log Monitoring Program Phased approach Security gear to connect E.g.: DMZ, then core, then other internal systems Log types to integrate E.g.: IDS (with vulnerability data), then firewalls, then hosts, then others Log management components to deploy E.g.: collection, reporting, correlation, incident management, others Growth of user community E.g.: security team, then IT or auditors
Challenges to Deployment Organization political boundaries Inherent in any project involving “integration” Data crossing network and state boundaries Potentially subject to data privacy law Access to remote locations where the data sources are Remote management, but not remote installation Custom applications Unsupported and undocumented log formats Defined and current escalation trees for incidents Who would act on the alert? How is change management handled?
Timing is everything! Timing requirements for analysis Real-time fallacy: “we have to have it when?”  Log review vs alert monitoring: different challenges and different timing
“Real-Time” Tasks Malware outbreaks Convincing and reliable intrusion evidence Serious internal network abuse Loss of service on critical assets
Daily Tasks Unauthorized configuration changes Disruption in other services Intrusion evidence Suspicious login failures Minor malware activity Activity summary
Weekly Tasks Review inside and perimeter log trends and activities Account creation/removal Other host and network device changes Less critical attack and probe summary
Monthly Tasks Review long-term network and perimeter trends Minor policy violation summary Incident team performance measurements Security technology performance measurements
“On Incident” Tasks Use SANS six-step incident workflow Review all relevant logs on a central logging system Collect additional logs, if needed
Reporting Operations Reports for Level 1 personnel Analytic Deep analysis reports Management “ Boss pleasers” 
Logs in Support of Compliance Application and asset risk measurement Data collection and storage to satisfy auditing of controls requirements Support for security metrics Documented incident resolution procedures Industry best-practices for incident management and reporting Proof of security due diligence Example regulation include: HI PAA , SOX, GLBA,…
Logs for Forensics What? You think this is evidence? Bua-ha-ha-ha  “ Computer Records and the Federal Rules of Evidence “ “ First , parties may challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created. Second , parties may question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records. Third , parties may challenge the authenticity of computer-stored records by questioning the identity of their author.”
Logging Device Highlights Usage metrics, violations Application Clean status, update failures Anti-virus Failures, crashes, unauthorized Host Attacks, intrusions, probes, abuse NIDS/NIPS Failures, DoS, outbound Firewall
Example: OS Account/group changes Account logins Changes in permissions for critical files/directories Shutdowns Patches/hotfixes Elevated privileges
Example: NIDS and NIPS Intrusion attempts Probes Admin privilege abuse Miscellaneous network anomalies AUP violations
Exception vs Audit? Should I log “normal stuff”? Firewall deny vs allow Resource access Alert vs log question
Summary Extensive logging is a must ! You now have some hints on what you should log and how to plan Monitoring helps extract more value from logs And its huge! Logging helps with compliance and forensics It might even be mandated and …
Q&A? More information? Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA anton@chuvakin.org Security Strategist Author of “Security Warrior” (O’Reilly 2004) – www.securitywarrior.org My book on logs is coming soon! See www.info-secure.org for my papers, books, reviews and other security resources related to logs

More Related Content

PPT
Application Security
Reggie Niccolo Santos
 
PPTX
Introduction to Incident Response Management
Don Caeiro
 
PPTX
Best cloud security practices with MITRE ATT&CK
Shriya Rai
 
PPTX
Digital forensic tools
Parsons Corporation
 
PPTX
Identity and Access Management (IAM): Benefits and Best Practices 
Veritis Group, Inc
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
PDF
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
PDF
Finding attacks with these 6 events
Michael Gough
 
Application Security
Reggie Niccolo Santos
 
Introduction to Incident Response Management
Don Caeiro
 
Best cloud security practices with MITRE ATT&CK
Shriya Rai
 
Digital forensic tools
Parsons Corporation
 
Identity and Access Management (IAM): Benefits and Best Practices 
Veritis Group, Inc
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
Edureka!
 
ATT&CK Updates- Defensive ATT&CK
MITRE ATT&CK
 
Finding attacks with these 6 events
Michael Gough
 

What's hot (20)

PPTX
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
DOCX
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
PDF
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
PDF
certified-ethical-hacker-cehv12_course_content.pdf
infosec train
 
PPTX
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
PPTX
Database security
MaryamAsghar9
 
PPTX
Introduction to information security
jayashri kolekar
 
PPTX
Azure key vault
Rahul Nath
 
PPTX
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...
APNIC
 
PPTX
Microsoft Active Directory.pptx
masbulosoke
 
PDF
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
PPTX
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
PPTX
Logging, monitoring and auditing
Piyush Jain
 
PPTX
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
FredBrandonAuthorMCP
 
PDF
LinPKI EJBCA : une PKI open source en route vers la certification Critères Co...
LINAGORA
 
PPTX
Crowdstrike .pptx
uthayakumar174828
 
PPTX
Azure Key Vault - Getting Started
Taswar Bhatti
 
PDF
Réussir son projet de sécurisation des Identités en 5 commandements (parce qu...
Identity Days
 
PPTX
SOAR and SIEM.pptx
Ajit Wadhawan
 
PDF
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Introduction to Cybersecurity Fundamentals
Toño Herrera
 
Zero-Day Vulnerability and Heuristic Analysis
Ahmed Banafa
 
Microsoft-CISO-Workshop-Security-Strategy-and-Program (1).pdf
ParishSummer
 
certified-ethical-hacker-cehv12_course_content.pdf
infosec train
 
CLOUD NATIVE SECURITY
Maganathin Veeraragaloo
 
Database security
MaryamAsghar9
 
Introduction to information security
jayashri kolekar
 
Azure key vault
Rahul Nath
 
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...
APNIC
 
Microsoft Active Directory.pptx
masbulosoke
 
OWASP Mobile Top 10 Deep-Dive
Prathan Phongthiproek
 
A Practical Example to Using SABSA Extended Security-in-Depth Strategy
Allen Baranov
 
Logging, monitoring and auditing
Piyush Jain
 
SC-900 Capabilities of Microsoft Identity and Access Management Solutions
FredBrandonAuthorMCP
 
LinPKI EJBCA : une PKI open source en route vers la certification Critères Co...
LINAGORA
 
Crowdstrike .pptx
uthayakumar174828
 
Azure Key Vault - Getting Started
Taswar Bhatti
 
Réussir son projet de sécurisation des Identités en 5 commandements (parce qu...
Identity Days
 
SOAR and SIEM.pptx
Ajit Wadhawan
 
Threat Modeling Using STRIDE
Girindro Pringgo Digdo
 
Ad

Similar to What Every Organization Should Log And Monitor (20)

PPT
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
PPT
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
PPT
NIST 800-92 Log Management Guide in the Real World
Anton Chuvakin
 
DOC
Audit logs for Security and Compliance
Anton Chuvakin
 
PDF
Wc4
Said Wali
 
PPT
Log Forensics from CEIC 2007
Anton Chuvakin
 
PPTX
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
Anton Chuvakin
 
PPTX
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Anton Chuvakin
 
PPT
O'Reilly Webinar Five Mistakes Log Analysis
Anton Chuvakin
 
PPTX
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Anton Chuvakin
 
PDF
Events Classification in Log Audit
IJNSA Journal
 
PDF
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
 
PDF
UNIT -III SIEM aur baato kaise hai aap log.pdf
hefagi6193
 
DOC
Logging "BrainBox" Short Article
Anton Chuvakin
 
PPT
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
guestc0c304
 
PPT
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Anton Chuvakin
 
DOC
Log Management in the Age of Compliance
Anton Chuvakin
 
PPT
Six Mistakes of Log Management 2008
Anton Chuvakin
 
PDF
Understanding the Event Log
chuckbt
 
Logs for Information Assurance and Forensics @ USMA
Anton Chuvakin
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
NIST 800-92 Log Management Guide in the Real World
Anton Chuvakin
 
Audit logs for Security and Compliance
Anton Chuvakin
 
Wc4
Said Wali
 
Log Forensics from CEIC 2007
Anton Chuvakin
 
How to Gain Visibility and Control: Compliance Mandates, Security Threats and...
Anton Chuvakin
 
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Anton Chuvakin
 
O'Reilly Webinar Five Mistakes Log Analysis
Anton Chuvakin
 
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
Anton Chuvakin
 
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Anton Chuvakin
 
Events Classification in Log Audit
IJNSA Journal
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
 
UNIT -III SIEM aur baato kaise hai aap log.pdf
hefagi6193
 
Logging "BrainBox" Short Article
Anton Chuvakin
 
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
guestc0c304
 
Logs for Incident Response and Forensics: Key Issues for GOVCERT.NL 2008
Anton Chuvakin
 
Log Management in the Age of Compliance
Anton Chuvakin
 
Six Mistakes of Log Management 2008
Anton Chuvakin
 
Understanding the Event Log
chuckbt
 
Ad

More from Anton Chuvakin (20)

PPTX
SecureWorld 2025 Keynote Déjà Vu All Over Again_ Learning from Cloud's Early...
Anton Chuvakin
 
PPTX
Detection Engineering Maturity - Helping SIEMs Find Their Adulting Skills
Anton Chuvakin
 
PPTX
Future of SOC: More Security, Less Operations
Anton Chuvakin
 
PPTX
SOC Meets Cloud: What Breaks, What Changes, What to Do?
Anton Chuvakin
 
PPTX
Meet the Ghost of SecOps Future by Anton Chuvakin
Anton Chuvakin
 
PPTX
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
Anton Chuvakin
 
PPTX
SOC Lessons from DevOps and SRE by Anton Chuvakin
Anton Chuvakin
 
PPTX
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Anton Chuvakin
 
PPTX
20 Years of SIEM - SANS Webinar 2022
Anton Chuvakin
 
PPTX
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
Anton Chuvakin
 
PPTX
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin
 
PPTX
SOCstock 2021 The Cloud-native SOC
Anton Chuvakin
 
PPTX
Modern SOC Trends 2020
Anton Chuvakin
 
PPTX
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin
 
PPTX
Generic siem how_2017
Anton Chuvakin
 
PPTX
Tips on SIEM Ops 2015
Anton Chuvakin
 
PPTX
Five SIEM Futures (2012)
Anton Chuvakin
 
PPTX
RSA 2016 Security Analytics Presentation
Anton Chuvakin
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
PPTX
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
SecureWorld 2025 Keynote Déjà Vu All Over Again_ Learning from Cloud's Early...
Anton Chuvakin
 
Detection Engineering Maturity - Helping SIEMs Find Their Adulting Skills
Anton Chuvakin
 
Future of SOC: More Security, Less Operations
Anton Chuvakin
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
Anton Chuvakin
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Anton Chuvakin
 
20 Years of SIEM - SANS Webinar 2022
Anton Chuvakin
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin
 
SOCstock 2021 The Cloud-native SOC
Anton Chuvakin
 
Modern SOC Trends 2020
Anton Chuvakin
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin
 
Generic siem how_2017
Anton Chuvakin
 
Tips on SIEM Ops 2015
Anton Chuvakin
 
Five SIEM Futures (2012)
Anton Chuvakin
 
RSA 2016 Security Analytics Presentation
Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin
 

Recently uploaded (20)

PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
KodekX | Application Modernization Development
KodekX
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
ReZa AdineH
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
23bcla24
 
Per capita expenditure prediction using model stacking based on satellite ima...
IAESIJAI
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
KodekX | Application Modernization Development
KodekX
 
Approach and Philosophy of On baking technology
30anthuong17
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Profit Center Accounting in SAP S/4HANA, S4F28 Col11
Libreria ERP
 
“AI and Expert System Decision Support & Business Intelligence Systems”
ZubinRadhakrishnan
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 

What Every Organization Should Log And Monitor

  • 1. What Every Organization Should Log and Monitor: A Checklist? Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist November 15, 2004
  • 2. WARNING! This presentation is from 2004. Now in 2008, I might not share all the view expressed in the presentation. It is posted the way it was originally presented in the hopes of being useful for somebody.
  • 3. Highlights Monitoring and logging overview Log consolidation strategy: which log sources to include first Monitoring and event response strategy Log correlation to automate the monitoring Using logs for forensics and incident response Management and compliance reporting
  • 4. Definitions Logging Auditing Monitoring Event reporting Log analysis Alerting
  • 5. Security Data Overview Audit logs Transaction logs Intrusion logs Connection logs System performance records User activity logs Various alerts Firewalls/intrusion prevention Routers/switches Intrusion detection Hosts Business applications Anti-virus VPNs What data? From Where?
  • 6. Value of Logging and Monitoring Monitoring Incident detection Loss prevention Compliance Logging Audit Forensics Incident response Compliance Analysis Deeper insight Internal attacks Fault prediction
  • 7. Log Management Process Collect the data Convert to a common format Reduce in size, if possible Transport securely to a central location Process in real-time Eliminate false positives Alert on threats Store securely Report on trends
  • 9. Centralize the Logs! Accessibility All audit records in one place Cross-device searchability and analysis Categorization Correlation De-duplication / volume reduction Reduced response time Increase in the efficiency of existing security point solutions
  • 10. Retention Time Question I have the answer!  No, not really. Regulations? Unambiguous: PCI – keep’em for 1 year Tiered retention strategy Online Nearline Offline/tape
  • 11. Monitoring or Ignoring Logs? How to plan a response strategy to activate when monitoring? Where to start? How to tune it?
  • 13. Setting Up Log Monitoring Program Phased approach Security gear to connect E.g.: DMZ, then core, then other internal systems Log types to integrate E.g.: IDS (with vulnerability data), then firewalls, then hosts, then others Log management components to deploy E.g.: collection, reporting, correlation, incident management, others Growth of user community E.g.: security team, then IT or auditors
  • 14. Challenges to Deployment Organization political boundaries Inherent in any project involving “integration” Data crossing network and state boundaries Potentially subject to data privacy law Access to remote locations where the data sources are Remote management, but not remote installation Custom applications Unsupported and undocumented log formats Defined and current escalation trees for incidents Who would act on the alert? How is change management handled?
  • 15. Timing is everything! Timing requirements for analysis Real-time fallacy: “we have to have it when?”  Log review vs alert monitoring: different challenges and different timing
  • 16. “Real-Time” Tasks Malware outbreaks Convincing and reliable intrusion evidence Serious internal network abuse Loss of service on critical assets
  • 17. Daily Tasks Unauthorized configuration changes Disruption in other services Intrusion evidence Suspicious login failures Minor malware activity Activity summary
  • 18. Weekly Tasks Review inside and perimeter log trends and activities Account creation/removal Other host and network device changes Less critical attack and probe summary
  • 19. Monthly Tasks Review long-term network and perimeter trends Minor policy violation summary Incident team performance measurements Security technology performance measurements
  • 20. “On Incident” Tasks Use SANS six-step incident workflow Review all relevant logs on a central logging system Collect additional logs, if needed
  • 21. Reporting Operations Reports for Level 1 personnel Analytic Deep analysis reports Management “ Boss pleasers” 
  • 22. Logs in Support of Compliance Application and asset risk measurement Data collection and storage to satisfy auditing of controls requirements Support for security metrics Documented incident resolution procedures Industry best-practices for incident management and reporting Proof of security due diligence Example regulation include: HI PAA , SOX, GLBA,…
  • 23. Logs for Forensics What? You think this is evidence? Bua-ha-ha-ha  “ Computer Records and the Federal Rules of Evidence “ “ First , parties may challenge the authenticity of both computer-generated and computer-stored records by questioning whether the records were altered, manipulated, or damaged after they were created. Second , parties may question the authenticity of computer-generated records by challenging the reliability of the computer program that generated the records. Third , parties may challenge the authenticity of computer-stored records by questioning the identity of their author.”
  • 24. Logging Device Highlights Usage metrics, violations Application Clean status, update failures Anti-virus Failures, crashes, unauthorized Host Attacks, intrusions, probes, abuse NIDS/NIPS Failures, DoS, outbound Firewall
  • 25. Example: OS Account/group changes Account logins Changes in permissions for critical files/directories Shutdowns Patches/hotfixes Elevated privileges
  • 26. Example: NIDS and NIPS Intrusion attempts Probes Admin privilege abuse Miscellaneous network anomalies AUP violations
  • 27. Exception vs Audit? Should I log “normal stuff”? Firewall deny vs allow Resource access Alert vs log question
  • 28. Summary Extensive logging is a must ! You now have some hints on what you should log and how to plan Monitoring helps extract more value from logs And its huge! Logging helps with compliance and forensics It might even be mandated and …
  • 29. Q&A? More information? Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA anton@chuvakin.org Security Strategist Author of “Security Warrior” (O’Reilly 2004) – www.securitywarrior.org My book on logs is coming soon! See www.info-secure.org for my papers, books, reviews and other security resources related to logs

Editor's Notes

  • #2: Note the switch; you log first and monitor second! I am not an auditor – value the security prospective.