12/11/2009
02:13 PM

Tech Insight: Learn To Love Log Analysis

Log analysis and log management can help breach detection and investigations

The issues and solutions discussed on the previous page map directly onto several of the stages of the incident response process. To be successful at incident handling, you need to have the logs available and be able to query them quickly for the information you need.

The first stage is preparation, which involves setting up logging, getting the tools in place, verifying logs are being collected, and making a decision about how long the logs should be retained.

The second stage is identification, which is where log analysis begins to flex its muscle. Once a call comes in that one of your systems is attacking another company's network, it's time to start analyzing the logs collected from the firewalls, routers, IDS, and so on, to determine whether the call indicates an actual compromise and outbound attack, or is a false positive caused by backscatter.

Containment is the third stage, which calls for triage to prevent any additional systems from being compromised and data from being exfiltrated from your company. Real-time alerting is important here to help confirm that the firewall rule changes and account disablements actually took effect.

In the fourth stage, eradication, the clean-up takes place and protections are put in place to prevent the issue from happening again. For example, if a rootkit was installed or an account was compromised, logs from the antivirus management server can show you which systems need to be rebuilt. Similarly, queries can be run to see which hosts that account logged into, so that a deeper investigation of those hosts can be conducted.
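The two log queries described above, the identification-stage check of whether a reported outbound attack is a real compromise or backscatter, and the eradication-stage list of hosts a compromised account logged into, as an added example that is not part of the original article. The firewall and sshd log lines are constructed sample data, and the log formats, function names and the flag-based backscatter heuristic are assumptions for illustration.

```python
import re
import ipaddress

# Constructed firewall log lines (not from the article): ts dir proto src:port -> dst:port flags
FW_LOGS = """\
2009-12-11T13:02:11 out tcp 10.1.2.3:51234 -> 203.0.113.7:445 S
2009-12-11T13:02:12 out tcp 10.1.2.3:51235 -> 203.0.113.8:445 S
2009-12-11T13:05:40 in tcp 198.51.100.9:80 -> 10.1.2.44:40211 SA
2009-12-11T13:05:41 in tcp 198.51.100.10:80 -> 10.1.2.44:40212 R
"""
FW_RE = re.compile(r"^\S+ (?P<dir>in|out) tcp (?P<src>[\d.]+):\d+ -> "
                   r"(?P<dst>[\d.]+):\d+ (?P<flags>\S+)$")

def classify_report(log_text, reported_host, complainant_net):
    """Identification: a third party reports that reported_host attacked their
    range. Outbound SYNs from the host into that range mean it really initiated
    connections (compromise); only unsolicited inbound SYN/ACK or RST from the
    range means our address was spoofed elsewhere (backscatter)."""
    net = ipaddress.ip_network(complainant_net)
    outbound_syn = inbound_replies = 0
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if (m["dir"] == "out" and str(src) == reported_host
                and dst in net and m["flags"] == "S"):
            outbound_syn += 1
        elif (m["dir"] == "in" and src in net and str(dst) == reported_host
                and m["flags"] in ("SA", "R", "RA")):
            inbound_replies += 1
    if outbound_syn:
        return "compromise"
    return "backscatter" if inbound_replies else "no-evidence"

# Constructed sshd auth log lines (sample data, not from the article).
AUTH_LOGS = """\
Dec 11 13:10:01 srv01 sshd[2211]: Accepted password for jdoe from 10.1.2.3 port 51300 ssh2
Dec 11 13:12:44 srv02 sshd[3310]: Accepted publickey for jdoe from 10.1.2.3 port 51311 ssh2
Dec 11 13:13:02 srv03 sshd[4410]: Accepted password for alice from 10.1.2.50 port 52000 ssh2
Dec 11 13:15:19 srv02 sshd[3322]: Failed password for jdoe from 10.1.2.3 port 51330 ssh2
"""
AUTH_RE = re.compile(r"^\w{3} +\d+ \S+ (?P<host>\S+) sshd\[\d+\]: "
                     r"Accepted \w+ for (?P<user>\S+) from")

def hosts_logged_into(log_text, account):
    """Eradication: hosts that accepted a login for the compromised account,
    i.e. the ones that need a deeper investigation or a rebuild."""
    return sorted({m["host"] for m in map(AUTH_RE.match, log_text.splitlines())
                   if m and m["user"] == account})
```

With the sample data, `classify_report(FW_LOGS, "10.1.2.3", "203.0.113.0/24")` returns `"compromise"`, the report against `10.1.2.44` from `198.51.100.0/24` classifies as `"backscatter"`, and `hosts_logged_into(AUTH_LOGS, "jdoe")` lists only the hosts where the login was accepted.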

Stage five, recovery, is another area where real-time alerting can help. Once an incident has been cleaned up, the affected hosts need to be monitored to be sure they are operating normally before they are placed back into production. Configuring alerts that look for anomalies can help the sysadmins and security team confirm they addressed everything properly during the eradication phase.

The final stage, lessons learned, gives the different teams involved a chance to look back and see where things failed, what could be improved, and what needs to be done to prevent similar incidents. This is a good time to confirm that the logs you needed during the incident response process were available and easy to access. If not, come up with a plan to improve your log management and analysis process, and then present it to management during the debriefing.

Managing and analyzing logs in an enterprise is not an easy task, but it is an important one that can easily be overlooked and left by the wayside. When done right, however, it is a process that improves response time for both operational and security staff.

2 of 2