Security Guidelines and Management

Security Management Log Management Malware incident handling Forensic Techniques Vulnerability Management Program

Log Management A Log is a record of events that happen in computer systems and networks of an organization Three types of logs are of interest in security Security software logs Operating system logs Application logs

Log Management Configuring log sources Log analysis Initiating responses Long term storage Monitoring logging status Monitoring log archival Upgrades of logging software Clock synchronization Reconfiguration Documenting log process anomalies

Security Software Logs Anti-malware software logs detected malware file and system disinfection attempts quarantines previous scans updates of virus databases IDS/IPS log suspicious behavior and detected attacks IPS actions to prevent ongoing malicious activities Remote Access software successful and failed login attempts dates and times user connected and disconnected amount of data user sent and received per session use of resources may be logged with more refined software

Security Software Logs Web proxies log all urls requested Vulnerability management software log patch installation history vulnerability status of each host Authentication servers log all login attempts Routers log most recently blocked traffic Firewalls store results of analysis of suspicious activities Network quarantine servers status of quarantined hosts reason for quarantines

Operating System Logs System events Audit records Shutting down Restarting services Failed events Audit records Failed/successful authentication events File accesses Security policy changes Account changes Use of privileges

Application Logs Applications provide their own custom logging mechanisms. Granularity can be very high. Typical logs: Client requests and server responses (email servers, web servers, financial records) Account information (authentication, change of accounts, password cracking, use of privileges) Usage information (number of transactions in a given time period, unusual activity like bulk mails) Significant operational actions (application startup, shutdown, failures, configuration changes

Need for Log Management Logs are usually in proprietary format and difficult to manage Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems Logs can also be useful for performing auditing and forensic analysis, supporting the organization’s internal investigations, establishing baselines, and identifying operational trends Legal compliance. For critical applications like, health, public financial records, bank accounts, Government requires the organizations to maintain logs Protecting the trustworthiness of the log sources and also, the logs themselves need to be protected from malicious activities

Challenges in Log Management Multiple Log Sources Inconsistent log content (like recording only pieces of information) Inconsistent timestamps (especially when logging across multiple hosts) Inconsistent formats ( XML, plain text, binary)

Log Management Infrastructure A three-tier Architecture Log generation : Synchronized hosts generate Logs analysis and storage : One or more log servers that receive the logged data. This transfer is either real-time or periodic. Such servers are called collectors or aggregators Log monitoring : analyze and monitor the logged data using application consoles

Features of the Infrastructure General Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest Event aggregation, similar entries are consolidated into a single entry containing a count of the number of occurrences of the event

Features of the Infrastructure Storage Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Benefits are: compression of logs and analysis Log archival is retaining logs for an extended period of time, typically on removable media, a storage area network (SAN) or a server. Two forms of archival Retention : is archiving logs on a regular basis as part of standard operational activities Preservation : is keeping logs that normally would be discarded, because they contain records of activity of particular interest Log compression is storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents

Features of the Infrastructure Log reduction is removing unneeded entries from a log to create a new log that is smaller Log conversion is parsing a log in one format and storing its entries in a second format. Text to XML etc Log normalization, each log data field is converted to a particular data representation and categorized consistently. Example converting all date/times into a common format Log file integrity checking involves calculating a message digest for each file and storing the message digest securely to ensure that changes to archived logs are detected

Features of the Infrastructure Analysis Event correlation is finding relationships between two or more log entries E.g., rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types Log viewing is displaying log entries in a human-readable format Log reporting is displaying the results of log analysis Disposal Log clearing is removing all entries from a log that precede a certain date and time Some popular implementations are syslog, SIEM software, Host-based intrusion detection systems,

Roles/Responsibilities in Log Management System and network administrators, responsible for configuring logging on individual systems and network devices, analyzing logs periodically, reporting results of log management activities, and performing regular maintenance of logs and logging software Security administrators, responsible for managing and monitoring the log management infrastructures, configuring logging on security devices (e.g., firewalls, network-based intrusion detection systems, antivirus servers), reporting on the results of log management activities, and assisting others with configuring logging and performing log analysis Computer security incident response teams, use log data when handling incidents Application developers, need to design or customize applications so that they perform logging in accordance with the logging requirements Information security officers, who oversee the log management infrastructures Auditors, who may use log data when performing audits Individuals involved in the procurement of software to generate computer security log data.