Anyone trying to access resources in your network needs to interact with your network devices: firewalls, routers, switches, and IDS/IPSs. Each of these devices generates syslogs that contain important security information and must be audited to gain complete visibility into the activity occurring in your network. Most SIEM solutions, including our own Log360, can collect and analyze syslogs in real time and instantly alert security teams when a security event of interest occurs.
Event correlation plays a crucial role in auditing network device logs. For example, a user who logs in via VPN could then go on to do something malicious, such as installing and running a service on a server. To track this kind of activity, you need to be able to correlate VPN logs with server logs. Most new-age SIEM solutions also offer integrated threat feeds, which help detect known malicious IPs that try to interact with your network before they can cause any damage.
So now that you know how to audit your logs, the real question is which logs should you audit? We’ve taken care of the guesswork for you. Here are four specific types of network activity that you need to track:
1. Allowed and denied firewall traffic: It’s important to know the details about the traffic passing through your network. Make sure you are running (or scheduling) daily reports to track network traffic based on source, destination, protocol, and port, and analyze trends in firewall traffic. Then investigate any connections that were denied repeatedly by your firewall.
2. Configuration changes: Changes to network device configurations, like a change to your firewall, can create potentially dangerous deviations from your security policy. Real-time alerts are a must for detecting and reverting such changes before it’s too late.
3. Attack patterns: A lot of network attacks such as spoofing, IP fragment attacks, and SYN floods follow a particular pattern that can be detected by analyzing firewall and IDS/IPS logs.
4. Malicious traffic: At any given point, you need to ensure that all the traffic passing through your network is secure and from trusted sources. This is where integration with threat feeds (for example, feeds delivered over STIX/TAXII) ensures you can instantly detect malicious traffic entering your network, as well as outbound connections to malicious domains and callback servers.
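As an added illustration of two of the checks described above (the repeatedly denied connections from item 1, and the VPN-login-then-service-install correlation from the event correlation paragraph), here is a small detection script. It is not code from this post or from Log360; the key=value log format, hostnames, usernames and addresses are constructed and hypothetical.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "<timestamp> <host> k=v ..." syslog style.
# Hosts, users and addresses are hypothetical; real devices use vendor-specific formats.
FIREWALL_LOGS = [
    "2024-03-01T10:00:01 fw01 action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=22",
    "2024-03-01T10:00:04 fw01 action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=22",
    "2024-03-01T10:00:09 fw01 action=deny src=203.0.113.7 dst=10.0.0.5 proto=tcp dport=22",
    "2024-03-01T10:01:00 fw01 action=deny src=198.51.100.9 dst=10.0.0.8 proto=udp dport=53",
    "2024-03-01T10:02:00 fw01 action=allow src=10.0.1.2 dst=10.0.0.5 proto=tcp dport=443",
]
VPN_LOGS = [
    "2024-03-01T08:00:00 vpn01 event=login user=bob src=198.51.100.4",
    "2024-03-01T10:05:00 vpn01 event=login user=alice src=198.51.100.4",
]
SERVER_LOGS = [
    "2024-03-01T10:20:00 srv01 event=service_installed user=alice name=updater",
    "2024-03-01T10:30:00 srv02 event=service_installed user=bob name=agent",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split '<timestamp> <host> k=v k=v ...' into a dict with a parsed timestamp."""
    ts, host, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    fields["host"] = host
    return fields

def repeated_denies(lines, threshold=3):
    """Return {(src, dst, dport): count} for flows denied at least `threshold` times."""
    counts = Counter()
    for f in map(parse, lines):
        if f.get("action") == "deny":
            counts[(f["src"], f["dst"], f["dport"])] += 1
    return {flow: n for flow, n in counts.items() if n >= threshold}

def vpn_then_service_install(vpn_lines, server_lines, window=timedelta(hours=1)):
    """Correlate a VPN login with a service install by the same user within `window`."""
    logins = defaultdict(list)
    for f in map(parse, vpn_lines):
        if f.get("event") == "login":
            logins[f["user"]].append(f["ts"])
    hits = []
    for f in map(parse, server_lines):
        if f.get("event") != "service_installed":
            continue
        # Flag only if one of this user's logins precedes the install by at most `window`.
        if any(t <= f["ts"] <= t + window for t in logins.get(f["user"], [])):
            hits.append((f["user"], f["host"], f["name"]))
    return hits
```

With the sample data, the SSH flow denied three times is reported, and only alice's install is correlated, because bob's login falls outside the one-hour window.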
Download our free network device auditing handbook to learn more about auditing and securing your network perimeter with a SIEM solution.