When something goes sideways in our technical world, some of the first questions we get asked, right after “when is XXXX going to be back up?”, are “what happened?” and “why did it happen?” If the event in question is a security or data breach, the urgency to answer these questions ratchets up even faster. You may have legal, time-bound reporting requirements that include the answers to those two questions. And you not only need to explain the event, you also need to quickly make sure that whatever hole was exploited can’t easily be exploited again.
One tool that has been around for a long time, good old logging, has lately been gaining traction and importance in the security world. Long known as a go-to function for tech staff maintaining system and application uptime, the ability to analyze a set of interrelated log files from different parts of the network can be invaluable as forensic evidence in determining what happened on the network and how.
But, to take advantage of all this great value in your log files you need to be doing at least two things:
- Have the logging functions turned on for all your most critical servers, devices and even your critical applications
- Have those logs shipped real-time off their originating devices to a secure central repository
It’s even better if that secure repository is an intelligent repository that is doing real-time analysis of the data it is receiving and then generating alerts back to you when required. In that case, it is quite possible that you might just catch evidence of an attack in its early stages so that you can shut it down before any real damage has occurred.
In the worst case, if your network is compromised, all the log data will be securely air-gapped from the rest of the network, and available to be used to help to determine what happened, why it happened and what needs to be fixed to make sure it won’t happen the same way again.
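As an added illustration of the real-time analysis and alerting described above (example code written for this post, not from the original post or any vendor product): a small Python detector that reads sshd-style auth log lines as they arrive, raises an alert when one source exceeds a failure threshold inside a sliding time window, and raises a higher-severity alert if that same source then logs in successfully. The sample lines, the threshold of 5 and the 60-second window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the standard sshd syslog format (not real data).
SAMPLE_LOG = """\
Mar 12 08:01:02 fs01 sshd[2231]: Failed password for admin from 203.0.113.7 port 50122 ssh2
Mar 12 08:01:04 fs01 sshd[2231]: Failed password for admin from 203.0.113.7 port 50123 ssh2
Mar 12 08:01:05 fs01 sshd[2231]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar 12 08:01:07 fs01 sshd[2231]: Failed password for admin from 203.0.113.7 port 50125 ssh2
Mar 12 08:01:09 fs01 sshd[2231]: Failed password for admin from 203.0.113.7 port 50126 ssh2
Mar 12 08:01:11 fs01 sshd[2231]: Accepted password for admin from 203.0.113.7 port 50127 ssh2
Mar 12 08:03:30 fs01 sshd[2290]: Failed password for jsmith from 198.51.100.4 port 41000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_line(line, year=2024):
    """Parse one sshd line into a dict; return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"], "user": m["user"], "src": m["src"]}

def detect(lines, threshold=5, window_seconds=60):
    """Return alerts: repeated failures from one source inside the window, and a success from a flagged source."""
    failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()                 # sources that have already tripped the threshold
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Age out failures that fell outside the window before counting.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(f"BRUTE_FORCE host={ev['host']} src={ev['src']} failures={len(q)} window={window_seconds}s")
        elif ev["src"] in flagged:
            # A success from a source that was hammering passwords is the higher-severity signal.
            alerts.append(f"SUCCESS_AFTER_FAILURES host={ev['host']} src={ev['src']} user={ev['user']}")
    return alerts
```

Running `detect(SAMPLE_LOG.splitlines())` on the sample yields two alerts, the brute-force alert on the fifth failure and the success-after-failures alert on the login that follows; the single failure from the second source stays below threshold.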
The increasing importance of logging as a network security tool is one reason we are seeing state auditors place growing emphasis on what is being logged, where the logs are kept, for how long, and who is looking at them. To date those questions have been asked about perimeter devices like firewalls and IDS/IPS appliances. Expect the universe of devices and applications with required logging to grow as awareness of their security value increases.
Please don’t assume none of this matters to you just because your organization is not a bank or retail store and therefore your network is not a target. Your network still holds access to banking and other finance-related information, as well as a wealth of priceless demographic data on students, teachers, staff or other constituents of your organization. Your systems may also have access, directly or indirectly, to credit card information. No network today is safe from, or uninteresting to, the bad actors out on the Internet.
For those inclined, here are a couple of recent blog posts from our friends at Cisco Talos on the logging topic:
- The Importance of Logs:
- The Significance of Log Sources to Building Effective Intelligence-Driven Incident Response:
If you want to talk about increasing your capability to capture and/or correlate log sources in your organization, let us know. We can help guide you through the various options to find the solution that best fits your objectives.