The first stage is preparation, which involves setting up logging, getting the tools in place, verifying logs are being collected, and making a decision about how long the logs should be retained.
The second stage is identification, which is where log analysis begins to flex its muscle. Once a call comes in that one of your systems is attacking another company's network, it's time to start analyzing the logs collected from the firewalls, routers, IDS, etc., to determine whether the call is indicative of an actual compromise and outbound attack, or is a false positive due to backscatter.
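The identification step above hinges on telling a host that is genuinely initiating connections apart from one that is merely receiving backscatter (SYN-ACKs and RSTs sent back by a victim because someone spoofed your address in a flood). The following script is an added example, not code from the original article; it assumes a hypothetical key=value firewall export and uses a constructed log sample. It keeps every outbound SYN our hosts sent, then treats any inbound reply that matches no such SYN as backscatter, while a host that opened connections to many distinct targets is flagged as a likely compromise.

```python
"""Classify firewall log lines as likely outbound attack vs. backscatter."""
import re
from collections import defaultdict

# Hypothetical key=value firewall export; the regex pulls out each field.
KV_RE = re.compile(r"(\w+)=(\S+)")
REPLY_FLAGS = {"SA", "R", "RA"}   # flags a victim sends back to a spoofed source
SCAN_THRESHOLD = 5                # distinct targets from one internal host before we flag it

# Constructed sample log (not from any real network). 10.0.0.5 sweeps SMB on an
# external range; 10.0.0.7 makes one normal HTTPS connection; 10.0.0.9 only
# receives SYN-ACKs/RSTs it never asked for, i.e. it was spoofed in a SYN flood.
SAMPLE_LOG = """\
2024-05-01T10:00:01 action=allow dir=out proto=tcp src=10.0.0.5 sport=51001 dst=203.0.113.10 dport=445 flags=S
2024-05-01T10:00:01 action=allow dir=out proto=tcp src=10.0.0.5 sport=51002 dst=203.0.113.11 dport=445 flags=S
2024-05-01T10:00:01 action=allow dir=out proto=tcp src=10.0.0.5 sport=51003 dst=203.0.113.12 dport=445 flags=S
2024-05-01T10:00:01 action=allow dir=out proto=tcp src=10.0.0.5 sport=51004 dst=203.0.113.13 dport=445 flags=S
2024-05-01T10:00:01 action=allow dir=out proto=tcp src=10.0.0.5 sport=51005 dst=203.0.113.14 dport=445 flags=S
2024-05-01T10:00:01 action=allow dir=out proto=tcp src=10.0.0.5 sport=51006 dst=203.0.113.15 dport=445 flags=S
2024-05-01T10:00:02 action=allow dir=out proto=tcp src=10.0.0.7 sport=52000 dst=192.0.2.20 dport=443 flags=S
2024-05-01T10:00:02 action=allow dir=in proto=tcp src=192.0.2.20 sport=443 dst=10.0.0.7 dport=52000 flags=SA
2024-05-01T10:00:03 action=deny dir=in proto=tcp src=198.51.100.7 sport=80 dst=10.0.0.9 dport=40001 flags=SA
2024-05-01T10:00:03 action=deny dir=in proto=tcp src=198.51.100.7 sport=80 dst=10.0.0.9 dport=40002 flags=SA
2024-05-01T10:00:03 action=deny dir=in proto=tcp src=198.51.100.8 sport=80 dst=10.0.0.9 dport=40003 flags=R
"""


def parse_line(line):
    """Return a dict of the key=value fields, or None for lines we cannot parse."""
    fields = dict(KV_RE.findall(line))
    required = {"dir", "src", "sport", "dst", "dport", "flags"}
    if not required.issubset(fields):
        return None
    fields["ts"] = line.split(" ", 1)[0]
    return fields


def analyze(log_text, scan_threshold=SCAN_THRESHOLD):
    """Separate internal hosts that initiate scans from hosts that only receive backscatter."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    initiated = set()            # 4-tuples of SYNs our hosts really sent
    targets = defaultdict(set)   # internal src -> distinct (dst, dport) it tried to reach
    for e in events:
        if e["dir"] == "out" and e["flags"] == "S":
            initiated.add((e["src"], e["sport"], e["dst"], e["dport"]))
            targets[e["src"]].add((e["dst"], e["dport"]))
    backscatter = defaultdict(int)  # internal host -> unsolicited replies received
    for e in events:
        if e["dir"] == "in" and e["flags"] in REPLY_FLAGS:
            # A genuine reply matches a SYN we sent, with the tuple mirrored.
            if (e["dst"], e["dport"], e["src"], e["sport"]) not in initiated:
                backscatter[e["dst"]] += 1
    scanners = {h: len(t) for h, t in targets.items() if len(t) >= scan_threshold}
    return {"likely_compromised": scanners, "backscatter_only": dict(backscatter)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

On the sample, 10.0.0.5 is reported as likely compromised (six distinct targets on port 445) while 10.0.0.9 shows up only under backscatter, which is the distinction that decides whether the abuse report is a real incident or a false positive. In production you would feed it the firewall's actual export format and tune the threshold to your baseline.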
Containment is the third stage; it calls for triage to prevent additional systems from being compromised and data from being exfiltrated from your company. Real-time alerting is important here to confirm that containment actions, such as new firewall rules and disabled accounts, actually took effect.
In the fourth stage, eradication, the clean-up takes place and protections are put in place to prevent the issue from recurring. For example, if a rootkit was installed or an account was compromised, logs from the antivirus management server can show you which systems need to be rebuilt. Similarly, you can query which hosts that account logged into so that a deeper investigation of those hosts can be conducted.
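The two eradication queries just described, pivoting on a compromised account to list the hosts it reached and pulling rebuild candidates from antivirus management logs, are worked through below as an added example; this is not code from the original article. It assumes a hypothetical JSON-lines export from a SIEM and uses constructed events for an account named jdoe.

```python
"""Eradication-stage log queries: account pivot plus AV-driven rebuild list."""
import json

# Constructed JSON-lines exports (hypothetical SIEM format, not real data).
AUTH_EVENTS = """\
{"ts":"2024-05-01T08:01:00","event":"logon","user":"jdoe","host":"WS-042","src_ip":"10.0.0.42","type":"interactive"}
{"ts":"2024-05-01T08:15:00","event":"logon","user":"jdoe","host":"FS-01","src_ip":"10.0.0.42","type":"network"}
{"ts":"2024-05-01T23:40:00","event":"logon","user":"jdoe","host":"DC-01","src_ip":"10.0.0.42","type":"remote_interactive"}
{"ts":"2024-05-01T23:42:00","event":"logon","user":"jdoe","host":"SQL-02","src_ip":"10.0.0.1","type":"network"}
{"ts":"2024-05-01T23:45:00","event":"logon_failed","user":"jdoe","host":"HR-01","src_ip":"10.0.0.1","type":"network"}
{"ts":"2024-05-01T09:00:00","event":"logon","user":"asmith","host":"WS-017","src_ip":"10.0.0.17","type":"interactive"}
"""

AV_EVENTS = """\
{"ts":"2024-05-01T23:50:00","host":"DC-01","threat":"Rootkit.Generic","action":"detected"}
{"ts":"2024-05-01T23:51:00","host":"WS-017","threat":"Adware.Generic","action":"quarantined"}
{"ts":"2024-05-02T00:05:00","host":"SQL-02","threat":"Rootkit.Generic","action":"quarantine_failed"}
"""

# AV actions that mean the threat was actually removed; anything else, or any
# rootkit regardless of action, is treated as "rebuild the box".
REMEDIATED_ACTIONS = {"quarantined", "cleaned", "deleted"}


def load(jsonl_text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]


def account_pivot(account, auth_events):
    """Summarise every host the account reached: first/last seen, logon types, source IPs."""
    hosts, failed = {}, {}
    for e in sorted(auth_events, key=lambda e: e["ts"]):
        if e.get("user") != account:
            continue
        if e["event"] == "logon_failed":
            failed[e["host"]] = failed.get(e["host"], 0) + 1
            continue
        h = hosts.setdefault(e["host"], {"first": e["ts"], "last": e["ts"],
                                         "types": set(), "src_ips": set()})
        h["last"] = e["ts"]
        h["types"].add(e["type"])
        h["src_ips"].add(e["src_ip"])
    return {"hosts": hosts, "failed": failed}


def rebuild_candidates(av_events):
    """Hosts the AV console shows as rootkit-infected or with a failed remediation."""
    out = set()
    for e in av_events:
        if e["threat"].startswith("Rootkit") or e["action"] not in REMEDIATED_ACTIONS:
            out.add(e["host"])
    return sorted(out)


def needs_investigation(pivot, rebuild):
    """Hosts the account reached that are not already slated for rebuild."""
    return sorted(h for h in pivot["hosts"] if h not in rebuild)


if __name__ == "__main__":
    pivot = account_pivot("jdoe", load(AUTH_EVENTS))
    rebuild = rebuild_candidates(load(AV_EVENTS))
    print("rebuild:", rebuild)
    print("investigate:", needs_investigation(pivot, rebuild))
    print("failed logons:", pivot["failed"])
```

The pivot keeps source IPs and logon types per host because a late-night remote-interactive logon to a domain controller from a workstation, as in the sample, tells the investigator far more than the bare host list, and the failed attempts show where the attacker tried and did not get in.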
Stage five, recovery, is another area where real-time alerting can help. Once an incident has been cleaned up, the affected hosts need to be monitored to be sure they are operating normally before placing them back into production. Configuring alerts to look for anomalies can help the sysadmins and security team be sure they addressed everything properly during the eradication phase.
The final stage, lessons learned, provides the different teams involved with a chance to look back and see where things failed, what could be improved, and what needs to be done to prevent similar incidents. This is a good time to confirm the logs you needed during the incident response process were available and easy to access. If not, come up with a plan to improve your log management and analysis process, and then present it to management during the debriefing.
Managing and analyzing logs in an enterprise is not an easy task, but it is an important one that is easily overlooked and left by the wayside. When done right, however, it is a process that can improve response time for both operational and security staff.