Everyone knows about the importance of log management in IT security. Yet, organizations struggle with implementing effective log management techniques in their networks. This blog series aims to revisit the fundamentals of log management and discuss the different security events you need to keep track of in each of the different systems in your environment.
Compliance regulations such as PCI DSS require organizations to review security events occurring in their networks on a daily basis, which highlights the importance of automating log management. Reviewing security events allows security teams to analyze trends and flag anomalies, which can be used for investigation and to help prevent breaches. For example, a sudden spike in the number of generated security events could mean that a system has been compromised. This is where specialized auditing tools for security information and event management (SIEM) come into the picture. A SIEM solution can generate crucial reports for reviewing security events of interest and also trigger alerts upon detecting security threats.
When it comes to servers, it’s important to track events based on severity, meaning you should check events like failure, warning, and error first. Next, you can turn your attention to other critical events, such as system or application failures, and check if any of them need further investigation.
Here are a few other basic security events of interest that you should keep an eye on:
- Startups, shutdowns, restarts, and other system events. Suspicious system events such as repeated shutdowns or restarts could indicate a compromised host.
- Installation of software or services. This is a good example of a scenario where you need an alert. Ask yourself: Do you constantly install new software and services on your important servers?
- Application errors, including applications that are hanging or crashing. This is important not only from a security aspect, but also to maintain availability.
- Logging processes that are being disrupted or discontinued. Attackers know the importance of audit trails in security investigations and try to disable logging before carrying out an attack to hide their tracks.
Ensure you’re tracking these events by running reports on a daily basis for hassle-free security operations. If you want to take it one step further, you can integrate your SIEM solution with a ticketing tool so that security alerts automatically get assigned as tickets to the designated administrator. This ensures that critical security events get immediate attention and there is an accountable resolution process.
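As an added illustration (not part of the original post or any product), the following Python sketch builds such a daily report: it orders events by severity first and raises alerts for the event types listed above. It assumes Windows servers and a handful of well-known Windows event IDs; the hosts, timestamps, and the restart threshold are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: well-known Windows event IDs mapped to the categories listed above.
CATEGORIES = {
    1074: "system", 6008: "system",        # restart/shutdown initiated, unexpected shutdown
    7045: "install", 11707: "install",     # service installed, MSI installation completed
    1000: "app_error", 1002: "app_error",  # application crash, application hang
    1102: "logging", 6006: "logging",      # audit log cleared, event log service stopped
}
SEVERITY_RANK = {"error": 0, "failure": 0, "warning": 1}  # anything else sorts last
ALERT_CATEGORIES = {"install", "logging"}  # rare on servers, so alert on every one
RESTART_THRESHOLD = 3                      # assumed: 3 system events ...
RESTART_WINDOW = timedelta(hours=1)        # ... on one host within an hour

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events: (timestamp, host, event_id, severity)
SAMPLE = [
    (_t("2024-05-01T02:10:00"), "web01", 1074, "information"),
    (_t("2024-05-01T02:25:00"), "web01", 6008, "error"),
    (_t("2024-05-01T02:40:00"), "web01", 1074, "information"),
    (_t("2024-05-01T03:05:00"), "db01", 7045, "information"),
    (_t("2024-05-01T03:06:00"), "db01", 1102, "information"),
    (_t("2024-05-01T09:00:00"), "app01", 1000, "error"),
    (_t("2024-05-01T09:30:00"), "app01", 4624, "information"),  # logon: outside this report
]

def daily_report(events):
    """Return (review queue ordered by severity then time, list of (host, reason) alerts)."""
    relevant = sorted(e for e in events if e[2] in CATEGORIES)
    queue = sorted(relevant, key=lambda e: (SEVERITY_RANK.get(e[3], 2), e[0]))
    alerts = [(e[1], CATEGORIES[e[2]]) for e in relevant
              if CATEGORIES[e[2]] in ALERT_CATEGORIES]
    system_times = defaultdict(list)
    for ts, host, eid, _ in relevant:
        if CATEGORIES[eid] == "system":
            system_times[host].append(ts)
    for host, times in system_times.items():
        # Sliding window over this host's time-sorted shutdown/restart events
        for i in range(len(times) - RESTART_THRESHOLD + 1):
            if times[i + RESTART_THRESHOLD - 1] - times[i] <= RESTART_WINDOW:
                alerts.append((host, "repeated_restarts"))
                break
    return queue, alerts

if __name__ == "__main__":
    queue, alerts = daily_report(SAMPLE)
    for ts, host, eid, sev in queue:
        print(ts.isoformat(), host, eid, sev)
    print(alerts)
```

The alert tuples are the natural hand-off point to a ticketing integration, while the ordered queue is what a reviewer would read each day.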
Stay tuned for part two of the blog series, where we’ll talk about auditing systems that store sensitive data.