Saturday, June 14, 2008

SEC520: 10 More

Here are 10 more notes on Security Log Management at both the Infrastructure and System Levels.

Log parsing: extracting data from a log so that the parsed values can be used as input to another part of the logging process (filtering, aggregation, analysis).

Event filtering: suppressing log entries that are not needed, such as duplicate records.

Event aggregation: consolidating similar entries into a single entry that records the number of occurrences.

Log rotation: closing the current log file and opening a new one on a schedule or size limit so that logs stay manageable, ex: the rotated (archived) file can then be compressed or filtered.

Log archival: keeping logs for an extended period of time on a storage area network (SAN). Two types: log retention, archiving logs on a regular basis as part of normal operations, and log preservation, keeping logs that would otherwise be discarded because they contain records of activity of particular interest.
--------------------------
Log compression: reducing the amount of storage space a log file needs without changing its content.

Log reduction: removing entries of no importance from a log to make it smaller.

Log conversion: parsing a log in one format and storing its entries in another, ex: XML or a database.

Log normalization: each log data field is converted to a particular data representation and categorized consistently, ex: dates and times stored in a single format.
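As an added example (not from the course notes), here is a Python script that normalizes timestamps from three constructed sources into one representation (ISO 8601, UTC) and then performs log conversion by loading the normalized records into an in-memory SQLite table. The three input styles (BSD syslog, Apache common log, and a key=value line with an ISO timestamp) and their contents are constructed; the year and local time zone supplied for the syslog entry are assumptions, since that format carries neither.

```python
import re
import sqlite3
from datetime import datetime, timezone, timedelta

# Constructed sample entries in three different timestamp styles.
SAMPLES = [
    ("syslog", "Mar  1 06:25:43 server1 sshd[23170]: Accepted publickey for server2"),
    ("apache", '10.20.30.108 - - [01/Mar/2008:06:25:45 -0500] "GET /login HTTP/1.1" 200 512'),
    ("iso",    "2008-03-01T11:25:50Z host=server1 event=policy_change user=admin"),
]

SYSLOG_RE = re.compile(r"^(\w{3}) +(\d{1,2}) (\d{2}:\d{2}:\d{2}) (\S+) (.*)$")
APACHE_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\] (.*)$")
ISO_RE = re.compile(r"^(\S+) host=(\S+) (.*)$")

# BSD syslog timestamps have no year and no zone: both are assumptions here.
ASSUMED_YEAR = 2008
ASSUMED_LOCAL_TZ = timezone(timedelta(hours=-5))


def normalize_timestamp(kind, raw, year=ASSUMED_YEAR, local_tz=ASSUMED_LOCAL_TZ):
    """Convert a timestamp in one of the supported styles to an ISO 8601 UTC string."""
    if kind == "syslog":
        dt = datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S").replace(tzinfo=local_tz)
    elif kind == "apache":
        dt = datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")
    elif kind == "iso":
        dt = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    else:
        raise ValueError(f"unknown timestamp style: {kind}")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(kind, line):
    """Return a record with the same three fields whatever the input style."""
    if kind == "syslog":
        mon, day, t, host, msg = SYSLOG_RE.match(line).groups()
        return {"ts": normalize_timestamp("syslog", f"{mon} {day} {t}"), "source": host, "message": msg}
    if kind == "apache":
        client, raw_ts, rest = APACHE_RE.match(line).groups()
        return {"ts": normalize_timestamp("apache", raw_ts), "source": client, "message": rest}
    if kind == "iso":
        raw_ts, host, rest = ISO_RE.match(line).groups()
        return {"ts": normalize_timestamp("iso", raw_ts), "source": host, "message": rest}
    raise ValueError(f"unknown line style: {kind}")


def load_into_db(samples):
    """Log conversion: store the normalized records in a SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE log (ts TEXT, source TEXT, message TEXT)")
    conn.executemany("INSERT INTO log VALUES (:ts, :source, :message)",
                     [normalize(kind, line) for kind, line in samples])
    conn.commit()
    return conn


def entries_in_order(conn):
    """Because every ts is now the same UTC string format, ORDER BY sorts chronologically."""
    return list(conn.execute("SELECT ts, source FROM log ORDER BY ts"))


if __name__ == "__main__":
    for ts, source in entries_in_order(load_into_db(SAMPLES)):
        print(ts, source)
```

Once the timestamps share one format and zone, cross-source ordering and time-window queries become plain SQL instead of per-format special cases.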

Log file integrity checking - computing a message digest (MD5 or SHA-1) for each file so that any later change to the file can be detected.
-------------------------------------
Event correlation: finding relationships between two or more log entries.

Log viewing: displaying log entries in a human-readable format.

Log reporting: displaying the results of log analysis.
-------------------------------------
Log clearing: removing all entries from the log that precede a certain date and time, typically because the old data is no longer needed or has already been archived.
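As an added example (mine, not the course's), the following Python code shows event correlation, log reporting and log clearing over a set of constructed, already-parsed sshd authentication events. The correlation rule relates several failed logins from one source to a later successful login from the same source within a time window; the clearing step removes entries older than a cutoff but hands them back to the caller so they can be archived rather than silently lost. The event records, threshold and window are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed, already-parsed sshd events, as a log parser would produce them.
EVENTS = [
    {"ts": datetime(2008, 3, 1, 7, 10, 5),  "src": "10.20.30.108",   "user": "murugiah", "outcome": "failed"},
    {"ts": datetime(2008, 3, 1, 7, 10, 9),  "src": "10.20.30.108",   "user": "murugiah", "outcome": "failed"},
    {"ts": datetime(2008, 3, 1, 7, 10, 14), "src": "10.20.30.108",   "user": "murugiah", "outcome": "failed"},
    {"ts": datetime(2008, 3, 1, 7, 16, 42), "src": "10.20.30.108",   "user": "murugiah", "outcome": "accepted"},
    {"ts": datetime(2008, 3, 1, 7, 20, 0),  "src": "172.30.128.115", "user": "server2",  "outcome": "accepted"},
    {"ts": datetime(2008, 2, 20, 3, 0, 0),  "src": "192.0.2.44",     "user": "root",     "outcome": "failed"},
]


def correlate_failures_then_success(events, threshold=3, window=timedelta(minutes=10)):
    """Event correlation: relate >= threshold failed logins from a source to an
    accepted login from the same source within `window`. Returns a list of findings."""
    findings = []
    failures = {}  # src -> timestamps of failed logins seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "failed":
            failures.setdefault(src, []).append(ev["ts"])
        elif ev["outcome"] == "accepted":
            recent = [t for t in failures.get(src, []) if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src": src, "user": ev["user"],
                                 "failures": len(recent), "success_at": ev["ts"]})
    return findings


def report(findings):
    """Log reporting: render each correlated finding as one human-readable line."""
    return [f"{f['src']} had {f['failures']} failed logins before a successful login "
            f"as {f['user']} at {f['success_at']:%Y-%m-%d %H:%M:%S}" for f in findings]


def clear_before(events, cutoff):
    """Log clearing: split events into (retained, cleared). The cleared entries are
    returned so the caller can archive them before they are discarded."""
    retained = [e for e in events if e["ts"] >= cutoff]
    cleared = [e for e in events if e["ts"] < cutoff]
    return retained, cleared


if __name__ == "__main__":
    for line in report(correlate_failures_then_success(EVENTS)):
        print(line)
    kept, old = clear_before(EVENTS, datetime(2008, 3, 1))
    print(f"retained {len(kept)} entries, cleared {len(old)} for archival")
```

Sorting by timestamp before correlating matters when events arrive from several hosts or collectors out of order; the rule is deliberately stateful per source address, which is what distinguishes correlation from simple filtering.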
-------------------------------------
Syslog is a central framework for log entry generation, storage and transfer; the syslog format assigns each message a priority based on its importance. Two attributes to consider are the message type, known as the facility (kernel messages, mail system messages, authorization messages, printer messages, and audit messages), and the severity, a value from 0 (emergency) to 7 (debug).
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
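As an added example (not part of the course notes), the Python script below ties together the parsing, event filtering and event aggregation items from the start of this post with the syslog format described just above. It parses BSD-style lines like the three sample entries, decodes an optional leading `<PRI>` field into facility and severity (PRI = facility * 8 + severity, from RFC 3164, not from the notes), drops exact duplicate lines, and collapses repeated messages that differ only in timestamp, PID or client port into one record with a count. The input is the page's three sample entries plus constructed duplicates; the `<38>` prefix on the "POSSIBLE BREAKIN" lines is constructed too.

```python
import re
from collections import Counter

# BSD syslog line: optional "<PRI>", then "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

# Facility numbers from RFC 3164 (only the ones the notes mention are named)
FACILITIES = {0: "kern", 2: "mail", 4: "auth", 6: "lpr", 10: "authpriv", 13: "audit"}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# The page's three sample entries, followed by constructed duplicates
SAMPLE_LINES = [
    "Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2",
    "Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2",
    "Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2",
    "<38>Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!",
    "<38>Mar 1 07:17:01 server1 sshd[22940]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!",
    "<38>Mar 1 07:17:09 server1 sshd[22944]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!",
]


def parse_line(line):
    """Log parsing: return a dict of fields, or None if the line is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:
        pri = int(rec["pri"])
        rec["facility"] = FACILITIES.get(pri // 8, str(pri // 8))  # PRI = facility*8 + severity
        rec["severity"] = SEVERITIES[pri % 8]
    else:
        rec["facility"] = rec["severity"] = None
    return rec


def filter_duplicates(lines):
    """Event filtering: suppress lines that repeat an earlier line exactly."""
    seen = set()
    kept = []
    for line in lines:
        if line not in seen:
            seen.add(line)
            kept.append(line)
    return kept


# Fields that vary between otherwise identical events (the client's ephemeral port)
VOLATILE_RE = re.compile(r"\b(port) \d+\b")


def aggregate(records):
    """Event aggregation: count records that match on host, program and message
    once volatile fields are masked. Returns [(key, count)] in first-seen order."""
    counts = Counter()
    order = []
    for rec in records:
        key = (rec["host"], rec["prog"], VOLATILE_RE.sub(r"\1 *", rec["msg"]))
        if key not in counts:
            order.append(key)
        counts[key] += 1
    return [(key, counts[key]) for key in order]


def process(lines):
    """Run the three stages in order and return (parsed records, aggregated events)."""
    kept = filter_duplicates(lines)
    records = [r for r in (parse_line(l) for l in kept) if r is not None]
    return records, aggregate(records)


if __name__ == "__main__":
    records, events = process(SAMPLE_LINES)
    for (host, prog, msg), count in events:
        print(f"{count:3d}x {host} {prog}: {msg}")
```

Masking only the fields known to vary (here the client port) keeps the aggregation honest: the source address and user stay in the key, so three failures from different addresses are not folded into one count.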
----------------------------
Syslog security: the original syslog protocol does not include the basic security controls that would protect the confidentiality, integrity and availability of logs. Its weaknesses stem from transferring data over UDP: anyone can send messages to the syslog server (enabling DoS attacks by flooding it), messages can be intercepted or altered by a man-in-the-middle (MITM), and anyone who can read the unencrypted traffic can analyze the logs for a possible attack vector.
----------------------------
Reliable log delivery: TCP instead of UDP
Transmission confidentiality protection: SSH or TLS
Transmission integrity protection and authentication: MD5 or SHA-1 message digests
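As an added example covering both the log file integrity checking item earlier in this post and the transmission integrity and authentication item just above (my code, not the course's), the Python below computes a message digest of a log file and later detects that an entry was removed, and separately protects a log message in transit with a keyed HMAC so the receiver can check both that it was not altered and that it came from a holder of the shared key. The notes name MD5 and SHA-1; this example uses SHA-256, since MD5 and SHA-1 are no longer considered collision-resistant, and an unkeyed digest stored next to the log can simply be recomputed by whoever alters the file, which is why the transmission case uses a key. The file contents, temporary path and shared key are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed log content (the two "Accepted" sample lines from this post)
LOG_BODY = (
    "Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2\n"
    "Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2\n"
)


def digest_file(path, algo="sha256"):
    """Message digest of a whole log file, read in chunks so large archives fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, expected_hex, algo="sha256"):
    """Log file integrity checking: does the file still match the digest recorded earlier?"""
    return hmac.compare_digest(digest_file(path, algo), expected_hex)


def sign_message(key, message):
    """Transmission integrity and authentication: keyed HMAC-SHA256 over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_message(key, message, tag_hex):
    """Constant-time comparison, so the check itself leaks nothing about the tag."""
    return hmac.compare_digest(sign_message(key, message), tag_hex)


def demo():
    """Write the constructed log, record its digest, then show that a removed entry
    and a modified or wrongly-keyed message are all detected."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "auth.log")
        with open(path, "w") as f:
            f.write(LOG_BODY)
        recorded = digest_file(path)
        file_ok_before = verify_file(path, recorded)
        # Simulate the second entry being removed after the digest was recorded
        with open(path, "w") as f:
            f.write(LOG_BODY.splitlines(keepends=True)[0])
        file_ok_after = verify_file(path, recorded)

    key = b"shared-secret-for-example-only"   # constructed; a real deployment provisions this per sender
    msg = LOG_BODY.encode()
    tag = sign_message(key, msg)
    return {
        "file_ok_before": file_ok_before,
        "file_ok_after": file_ok_after,
        "msg_ok": verify_message(key, msg, tag),
        "msg_tampered_ok": verify_message(key, msg.replace(b"murugiah", b"someone"), tag),
        "wrong_key_ok": verify_message(b"other-key", msg, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The `algo` parameter still accepts `"md5"` or `"sha1"` if an existing archive was indexed that way, but new digests should be SHA-256 or stronger, and the recorded digests belong on a different host or write-once medium than the logs they cover.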
----------------------------
Robust filtering – handling messages based on the program or host that generated them, or on regular-expression (RE) matching of the message body.

Log analysis – using separate add-on programs to analyze the data.

Event response – alerting administrators through pages or e-mails.

Other features: database storage of logs, log file encryption.
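As an added example of the robust filtering and event response features (my code, not any particular syslog implementation's), the Python below applies an ordered list of rules that match on program, host, or a regular expression over the message body, routes each message to a destination, discards unwanted noise, and invokes an alert callback for rules flagged as alert-worthy. The messages, rules and destinations are constructed; first-match-wins ordering is a simplification of how real syslog daemons chain their filters, and the callback records alerts in a list where a production system would page or e-mail an administrator.

```python
import re

# Constructed, already-parsed messages (host, program, body)
MESSAGES = [
    {"host": "server1",  "prog": "sshd",          "body": "Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2"},
    {"host": "server1",  "prog": "sshd",          "body": "reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!"},
    {"host": "server1",  "prog": "cron",          "body": "(root) CMD (run-parts /etc/cron.hourly)"},
    {"host": "mailhost", "prog": "postfix/smtpd", "body": "connect from unknown[198.51.100.7]"},
]

# Each rule carries optional matchers (prog, host, body_re), a destination
# (None means discard, i.e. event filtering) and an optional alert flag.
RULES = [
    {"name": "sshd-suspicious", "prog": "sshd", "body_re": r"POSSIBLE BREAK-?IN", "dest": "security", "alert": True},
    {"name": "sshd-all",        "prog": "sshd", "dest": "auth"},
    {"name": "mail-hosts",      "host": "mailhost", "dest": "mail"},
    {"name": "cron-noise",      "prog": "cron", "dest": None},
]


def rule_matches(rule, msg):
    """Every matcher present on the rule must hold; absent matchers match anything."""
    if "prog" in rule and rule["prog"] != msg["prog"]:
        return False
    if "host" in rule and rule["host"] != msg["host"]:
        return False
    if "body_re" in rule and not re.search(rule["body_re"], msg["body"]):
        return False
    return True


def route(messages, rules, alert):
    """Robust filtering: first matching rule decides where a message goes and
    whether an alert fires. Returns a mapping of destination -> messages."""
    routed = {}
    for msg in messages:
        for rule in rules:
            if rule_matches(rule, msg):
                if rule.get("dest") is not None:
                    routed.setdefault(rule["dest"], []).append(msg)
                if rule.get("alert"):
                    alert(rule["name"], msg)
                break
        else:
            routed.setdefault("catchall", []).append(msg)
    return routed


def collect_alerts():
    """Event response stand-in: returns (list, callback); the callback appends to the list."""
    sent = []

    def alert(rule_name, msg):
        # In production this is where a page or e-mail to the on-call admin is sent
        sent.append(f"[{rule_name}] {msg['host']} {msg['prog']}: {msg['body']}")

    return sent, alert


if __name__ == "__main__":
    sent, alert = collect_alerts()
    for dest, msgs in route(MESSAGES, RULES, alert).items():
        print(f"{dest}: {len(msgs)} message(s)")
    for line in sent:
        print("ALERT", line)
```

Putting the most specific rule (program plus body pattern) before the broad per-program rule is what lets the suspicious sshd line reach the security destination and raise an alert while ordinary sshd traffic goes to the auth log unnoticed.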

----------------------------
Security Information and Event Management (SIEM) software is centralized logging software. SIEM does its job in one of two ways:

Agentless: the SIEM server pulls logs from the hosts by authenticating to each host and retrieving its logs, or the hosts push their log files to the server; the server then performs event filtering, aggregation, log normalization and analysis on the collected logs.

Advantage – no installation on the hosts. Disadvantage – large amounts of data are transferred over the network, and some hosts require credentials or an agent anyway before their logs can be collected.

Agent-based: all filtering, aggregation and log normalization are done on the host, and only the results are transmitted to the server.

Advantage – all filtering and aggregation are done on the host, so only a small load goes over the network. Disadvantage – an agent must be installed on every host.

Thursday, June 12, 2008

SEC520: Whizzing About - Senecan

Since I've been too busy \n I haven't been posting ANYTHING OH NO! \t Well I decided I'm just going to go on a snippet| \ spree->(enjoy) since this semester has taught me well...these condensed courses have put me in the mind_frame of shaving the bits off everything and putting it to light,_\ I'm going to share my mini definitions.

10 - Question Answers SEC520:

Services such as firewalls, routers, authentication servers, and intrusion detection and intrusion prevention systems provide logs containing information useful for security purposes.

System events – ex: LDAP/Kerberos authentication responses for services, error codes; the user and system accounts associated with an event are logged and checked for any suspicious activity.

Audit records – pertain to administrative tasks that are generated and logged, ex: security policy changes, folder/file access, account changes.

Client requests and server responses are logged in order to review a person's transactions between systems when accessing or using certain local or networked resources, ex: e-mail, web browsers, business applications.

Account information: records failed authentication attempts, account changes, and use of privileges. This also helps identify attacks against the account and which applications the client used.

Usage information: records the number of transactions that occurred; an abnormal number or size of transactions might indicate suspicious activity such as malware or the transfer of company-internal information.

Significant operational actions: records application startups and shutdowns, application failures and major application configuration changes.

Log management is necessary to retain sufficient detail about processes for an appropriate period of time. This enables review of the logs to identify any security incidents, policy violations, fraudulent activity, and operational problems shortly after they occur.

Log generation: hosts generate log data; it is retrieved by logging client applications or services, either through automated retrieval processes that authenticate to the host or through networked log servers.

Log analysis and storage: servers receive log data from the hosts in real time, near real time, or in batches; these servers are often called collectors or aggregators. (There may be multiple servers: one for analysis, one for storage.)

Log monitoring: analysis of the data and generation of automated reports.