If the theory says that Offense will always find a way into your environment (somehow) with a mistake or just better attacks then we must get better at developing Logs and react to attacks as fast as we can.
This interesting and well thought out guide from Crest-approved.org¹ discusses what should be done in the process of starting to take more information in a well thought out manner.
Every environment is different. You need to decide very carefully on how to set up this log analysis method, as every action can be used against you. And don’t forget that not every attack is a dangerous cyber attack.
There should be automated methods of log identification and how lon
The key is to be prepared for an attack and set up the proper resources for what is needed at every step.
If you have a cloud application then getting system logs may not be feasible, but maybe you can work out a way to get them from the vendor.
There really are too many potential configurations for us to say “Here is how to cover all log analysis”.
Set up a filter of important system access for example.
The document has a lot of good points on page 28, but I want to add a few and thus improve upon it.
First Emphasize that Log Analysis purpose is to find attacks from criminals outside and from inside the network.
Collect data and send to a log server.
- Set up a secured device inside the network with limited access (at most 3 people in org) to store logs.
- Set up Filtering scripts to sift through the logs and find server or application access
- Set up Firewall Rules using firewall vendor that claim they are attacks
- Set up a weekly event analysis meeting – to review alerts that are flagged by the current system and scripts.
- Improve alerts using the alert review – to reduce noise and improve actual attack notification. Improve the scripts to reduce noise
- Repeat steps 4 and 5.
- Set up a yearly review of the whole system to see if any major changes should be done.
Obviously this is not a small project – and there are ways to connect to Splunk or vendors that perform log analysis. even though every environment and situation is different the general idea is to have a system of:
- Set up an automated method with scripting or other method
- review the alerts on a weekly basis
- Improve alert review to reduce the noise and find the real attacks.
repeat steps 1-3 logging and alerting automation and review by testing.
If attack found start incident process (if no incident process set one up now.
Remember that even with Compliance it does not mean one is secure. And don’t forget to test the best alerting you have and when you think you can find anything … Hire somebody who will prove you wrong.
Contact Us for help with any of these steps.
1 thought on “If Offense Has Advantage We Must Analyze Logs Better”