Log | Event | Information Management
Ayman Saeed, Sr. Network Security Engineer, PS DEP, Raya IT
Log Management
• Collection
• Retention
Example: Kiwi Syslog Server
Information | Event Management
• Collection
• Normalization
• Retention
• Correlation
• Alerting
• Reporting
Log Types and Log Sources
Log types:
• Audit Logs
• Transaction Logs
• Intrusion Logs
• Connection Logs
• Performance Records
• User Activity Logs
Log sources:
• Firewall
• IPS
• Router/Switch
• Servers
• Databases
• Business Applications
• Antivirus
Log Chaos: the same event is named differently by different products, e.g. Login | Logon | Log in
Log Chaos: the same firewall verdict is named differently, e.g. Accept | Permit | Allow
Log Chaos: the same data arrives over different channels and stores, e.g. Syslog | Windows Event Log | Database table | Flat file
[Diagram: log sources (Firewalls/VPN, Intrusion Detection Systems, Vulnerability Assessment, Network Equipment, Server and Desktop OS, Anti-Virus, Applications, Databases) feeding the use cases User Activity Monitoring, Critical File Modifications, Policy Changes, Malicious IP Traffic and Web Traffic]
Log Chaos, in brief:
• There is no single format for writing logs that every product uses (syslog, CEF, LEEF, JSON and Windows Event Log all coexist, and free-text messages are common)
• There is no single transport method for moving logs (UDP/TCP syslog, Windows event forwarding, agents, database polling, file collection)
SIEM, the product
• SIEM: Security Information and Event Management
• Again:
– Collection
– Normalization
– Retention
– Correlation
– Alerting
– Reporting
Event Collection
– SIEM vendors publish a set of documents (collector or connector guides) describing how to collect logs from each supported product, and which fields the collector extracts.
Normalization
Different source field names are mapped to one canonical field:
– UserID → Username
– LoginName → Username
– ID → Username
– Username → Username
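Normalization in practice covers both the field names above and the value spellings from the "Log Chaos" slides (Login | Logon | Log in, Accept | Permit | Allow). The following is an added example, not code from the presentation or from any SIEM product: it parses a few constructed sample lines (a syslog sshd message, a Windows-style key=value record, a firewall line and a database audit line) into one common record. The field names, alias tables and sample lines are assumptions chosen for illustration.

```python
import re

# Alias tables: the many spellings the slides call "log chaos", each mapped
# to one canonical field name or value. (Constructed for this example.)
USERNAME_KEYS = {"userid", "loginname", "id", "username", "user"}
SRC_KEYS = {"src", "srcip", "sourceip", "src_ip"}
DST_KEYS = {"dst", "dstip", "destip", "dst_ip"}
VERDICT_KEYS = {"action", "event", "type", "status"}

ACTION_ALIASES = {
    "accept": "allow", "accepted": "allow", "permit": "allow",
    "permitted": "allow", "allow": "allow", "allowed": "allow",
    "deny": "deny", "denied": "deny", "drop": "deny",
    "dropped": "deny", "reject": "deny", "block": "deny",
}
EVENT_ALIASES = {
    "login": "logon", "logon": "logon", "log in": "logon",
    "signin": "logon", "sign in": "logon",
    "logoff": "logoff", "logout": "logoff", "log out": "logoff", "log off": "logoff",
}

# key=value pairs, quoted or bare
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Free-text OpenSSH message as it appears in syslog
SSHD_RE = re.compile(r"(Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")


def canonical_action(value):
    """Accept/Permit/Allow -> allow, Deny/Drop/Reject -> deny, else None."""
    return ACTION_ALIASES.get(value.lower())


def canonical_event(value):
    """Login/Logon/Log in/Log_in -> logon, Logout variants -> logoff, else None."""
    key = value.lower().replace("_", " ").replace("-", " ")
    return EVENT_ALIASES.get(key)


def parse_kv(line):
    """Return lower-cased key -> value for every key=value token in the line."""
    return {k.lower(): v.strip('"') for k, v in KV_RE.findall(line)}


def normalize(line):
    """Map one raw log line, whatever its source, onto a common record."""
    rec = {"username": None, "event": None, "action": None,
           "src_ip": None, "dst_ip": None, "raw": line}
    m = SSHD_RE.search(line)
    if m:  # free-text syslog: regex, not key=value
        outcome, user, src = m.groups()
        rec.update(username=user, event="logon", src_ip=src,
                   action="allow" if outcome == "Accepted" else "deny")
        return rec
    for key, value in parse_kv(line).items():
        if key in USERNAME_KEYS and rec["username"] is None:
            rec["username"] = value
        elif key in VERDICT_KEYS:
            # A single field may carry a firewall verdict or an auth event name.
            act, ev = canonical_action(value), canonical_event(value)
            if act:
                rec["action"] = act
            if ev:
                rec["event"] = ev
        elif key in SRC_KEYS:
            rec["src_ip"] = value
        elif key in DST_KEYS:
            rec["dst_ip"] = value
    return rec


def normalize_all(lines):
    return [normalize(line) for line in lines]


# Constructed sample lines, one per source type (not real captures).
SAMPLE_LOGS = [
    "Mar 10 08:01:12 web01 sshd[2201]: Accepted password for alice from 10.0.0.5 port 51234 ssh2",
    "EventID=4624 Event=Logon LoginName=bob SourceIP=10.0.0.7",
    "action=Permit src=10.0.0.5 dst=192.168.1.10 dport=443",
    "ID=carol ACTION=Log_in DB=payments",
    "action=Deny src=203.0.113.9 dst=192.168.1.10 dport=22",
]

if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LOGS):
        print({k: v for k, v in rec.items() if k != "raw"})
```

With the records normalized, a single query such as "all logon events by username" or "all allowed connections to 192.168.1.10" works across every source, which is what the later correlation and reporting stages rely on.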
Retention
Example retention periods, keyed by source + zone + storage tier (online vs. archive):
• IDS + DMZ + online = 90 days
• Firewall + DMZ + online = 30 days
• Servers + internal + online = 90 days
• All + DMZ + archive = 3 years
• Critical + internal + archive = 5 years
• Other + internal + archive = 1 year
Correlation
25 events, produced by cross-referencing intrusion alerts against firewall entries and host/asset databases, much more efficiently than when the analyst must scan 10,000 mostly normal log entries.
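The cross-referencing described above, as an added example that is not part of the presentation: each IDS alert is joined with firewall entries for the same source and destination inside a one-minute window, and the destination is looked up in an asset database, so that an alert whose traffic was dropped at the perimeter is demoted and an alert whose traffic was allowed through to a critical internal host is escalated. The alerts, firewall entries, asset inventory and the severity labels are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    signature: str


@dataclass
class FwEntry:
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str  # already normalized to "allow" / "deny"


def t(s):
    return datetime.fromisoformat(s)


# Constructed asset database: destination IP -> what it is and how much it matters.
ASSETS = {
    "192.168.1.10": {"host": "db01", "zone": "internal", "critical": True},
    "10.10.0.5": {"host": "web01", "zone": "dmz", "critical": False},
}

# Constructed IDS alerts and firewall entries (not real captures).
IDS_ALERTS = [
    Alert(t("2024-03-10T08:01:15"), "203.0.113.9", "192.168.1.10", "SQL injection attempt"),
    Alert(t("2024-03-10T08:02:00"), "203.0.113.9", "10.10.0.5", "Web scanner user-agent"),
    Alert(t("2024-03-10T08:03:30"), "198.51.100.4", "192.168.1.10", "Port scan"),
    Alert(t("2024-03-10T08:04:10"), "198.51.100.4", "172.16.9.9", "Port scan"),
]
FW_LOG = [
    FwEntry(t("2024-03-10T08:01:14"), "203.0.113.9", "192.168.1.10", 3306, "allow"),
    FwEntry(t("2024-03-10T08:01:58"), "203.0.113.9", "10.10.0.5", 443, "allow"),
    FwEntry(t("2024-03-10T08:03:29"), "198.51.100.4", "192.168.1.10", 22, "deny"),
    # 172.16.9.9 has no firewall entry at all: a collection gap, not a quiet host.
]

WINDOW = timedelta(seconds=60)
SEVERITY_ORDER = {"critical": 0, "medium": 1, "low": 2, "info": 3}


def matching_fw(alert, fw_log):
    """Firewall entries for the same src/dst within WINDOW of the alert."""
    return [e for e in fw_log
            if e.src == alert.src and e.dst == alert.dst
            and abs(e.ts - alert.ts) <= WINDOW]


def correlate(alerts, fw_log, assets):
    """Turn raw IDS alerts into rated incidents using firewall and asset context."""
    incidents = []
    for a in alerts:
        fw = matching_fw(a, fw_log)
        asset = assets.get(a.dst)
        if not fw:
            verdict, severity = "no firewall record in window, check collection", "low"
        elif all(e.action == "deny" for e in fw):
            verdict, severity = "blocked at perimeter", "info"
        elif asset is None:
            verdict, severity = "reached a host missing from inventory, review", "medium"
        elif asset["critical"]:
            verdict = f"reached critical asset {asset['host']} ({asset['zone']})"
            severity = "critical"
        else:
            verdict, severity = f"reached {asset['host']} ({asset['zone']})", "medium"
        incidents.append({"ts": a.ts, "src": a.src, "dst": a.dst,
                          "signature": a.signature, "fw_entries": len(fw),
                          "verdict": verdict, "severity": severity})
    return incidents


def prioritized(incidents):
    """Most severe first, so the analyst reads the critical items before the noise."""
    return sorted(incidents, key=lambda i: (SEVERITY_ORDER[i["severity"]], i["ts"]))


if __name__ == "__main__":
    for inc in prioritized(correlate(IDS_ALERTS, FW_LOG, ASSETS)):
        print(inc["severity"].upper(), inc["signature"], inc["src"], "->", inc["dst"], ":", inc["verdict"])
```

The window and the allow/deny decision are the point of the join: the same "Port scan" signature lands as informational when the firewall dropped it and as a collection problem when no firewall record exists, while the injection attempt that a rule permitted through to the critical database is the one item that reaches the top of the list.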
Alerting
Alerting on incidents can take various forms:
• Email
• SMS
• SNMP Trap
Reporting
– Compliance Reports (PCI, ISO, ...)
– Security Reports (Critical Attacks, Failed Logins, ...)
– Audit Reports (Configuration Changes, VPN Access, ...)
– Operational Reports (Link Utilization, Top Destination IP, ...)