Friday, July 15, 2016

Essential log sources

13 Essential log collection sources and alerts that can help support the infrastructure security of an automated log management system
 
ANTI-MALWARE SOFTWARE
These logs can indicate malware detection, disinfection attempt results, file quarantines, when file-system scans were last performed, when anti-virus signature files were last updated, and when software upgrades have taken place.
 

AUTHENTICATION SERVERS

Servers typically log each and every authentication attempt and show the originating user ID, destination system or application, date and time, and success/failure details.
 

FIREWALLS

These very detailed and informative logs can show what activity was blocked according to security policies.
 

NETWORK ACCESS CONTROL SERVERS

These logs can provide useful information about both successful (permitted) and unsuccessful (quarantined) network connections.
 

OPERATING SYSTEMS

Beyond typical log entries, operating system logs can contain information from security software and system applications that can help identify suspicious activity involving a particular host.
 

VULNERABILITY MANAGEMENT SOFTWARE

Scanning and patch-management software produces log entries covering scan configuration, missing software updates, identified vulnerabilities, and downloads of patch and scan-currency updates.
 

WEB PROXIES

Web proxy logs record user activity and URLs accessed by specified users.
 

APPLICATIONS

Logs can include account changes, user authentication attempts, client and server activity, and configuration changes.
 

INTRUSION DETECTION & PROTECTION

These systems record detailed information about suspicious behavior and detected attacks as well as actions taken to halt malicious activity in progress.
 

NETWORK DEVICES

Logs from network devices such as routers and switches can provide information on network communication activity and on what types of traffic were blocked.
 

VIRTUAL PRIVATE NETWORKS (VPNs)

VPN logs record both successful and failed connection attempts, date and time of connects and disconnects, and the types and amount of data sent and received during a session.
 

WEB APPLICATION FIREWALLS

WAFs generate "deny logs" that identify blocked application requests; these are useful for spotting attempted attacks that used an application as the attack vector.
 

CLOUD-SPECIFIC SOURCES

New sources of log data from specific public cloud environments such as Amazon Web Services (AWS), Microsoft Azure, and Rackspace Public Cloud must be considered for collection. (Example: CloudTrail logs in AWS)
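The authentication-server entry above names the fields such logs carry (timestamp, originating user ID, destination system, success/failure). As an added example that is not from the original post, the script below parses constructed sample lines in an assumed key=value format and raises an alert when a user accumulates repeated failures against one destination and then succeeds, one of the simplest alerts worth building on this source.

```python
"""Detection logic over constructed authentication-server log lines.

Each line carries the fields the post lists for authentication servers:
timestamp, originating user ID, destination system, and success/failure.
The line format is an assumption for this example; real servers differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines (not taken from any real system).
SAMPLE_LOG = """\
2016-07-15T09:00:01 user=alice dest=vpn-gw result=FAILURE
2016-07-15T09:00:07 user=alice dest=vpn-gw result=FAILURE
2016-07-15T09:00:12 user=alice dest=vpn-gw result=FAILURE
2016-07-15T09:00:20 user=alice dest=vpn-gw result=SUCCESS
2016-07-15T09:05:00 user=bob dest=mail result=SUCCESS
2016-07-15T09:06:00 user=carol dest=mail result=FAILURE
2016-07-15T09:06:30 user=carol dest=mail result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dest=(?P<dest>\S+) "
    r"result=(?P<result>SUCCESS|FAILURE)$"
)

def parse(lines):
    """Yield (timestamp, user, dest, result) tuples; skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["user"], m["dest"], m["result"])

def detect_auth_alerts(text, threshold=3, window=timedelta(minutes=5)):
    """Alert when a user reaches `threshold` failures within `window` and then
    succeeds against the same destination (a guessing attempt that worked)."""
    failures = defaultdict(list)  # (user, dest) -> recent failure timestamps
    alerts = []
    for ts, user, dest, result in parse(text.splitlines()):
        key = (user, dest)
        # keep only failures inside the sliding window ending at this event
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if result == "FAILURE":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append({"user": user, "dest": dest,
                           "failures": len(failures[key]), "at": ts.isoformat()})
            failures[key].clear()
    return alerts

if __name__ == "__main__":
    for alert in detect_auth_alerts(SAMPLE_LOG):
        print(alert)
```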
