4.9 Log data Flashcards

(12 cards)

1
Q

Security log files

A
  • Detailed security-related information
    –Blocked and allowed traffic flows
    –Exploit attempts
    –Blocked URL categories
    –DNS sinkhole traffic
  • Critical security information
    –Documentation of every traffic flow
    –Summary of attack info
    –Correlate with other logs
2
Q

Firewall logs

A
  • Traffic flows through the firewall
    –Source/destination IP, port numbers, disposition
  • Next Generation Firewalls (NGFW)
    –Logs the application used, URL filtering categories, anomalies and suspicious data
3
Q

Application logs

A
  • Specific to the application
    –Information varies widely
  • Windows
    –Event Viewer / Application Log
  • Linux / macOS
    –/var/log
  • Parse the log details on the SIEM
    –Filter out unneeded information
4
Q

Endpoint logs

A
  • Attackers often gain access to endpoints
    –Phones, laptops, tablets, desktops, servers, etc.
  • There’s a lot of data on the endpoint
    –Logon events, policy changes, system events, processes, account management, directory services, etc.
  • Everything rolls up to the SIEM
    –Security Information and Event Manager
  • Use with correlation of security events
    –Combine IPS events with endpoint status
5
Q

OS-specific security logs

A
  • OS security events
    –Monitoring apps
    –Brute force, file changes
    –Authentication details
  • Find problems before they happen
    –Brute force attacks
    –Disabled services
  • May require filtering
    –Don’t forward everything
6
Q

IPS/IDS logs

A
  • Intrusion prevention system/Intrusion detection system
    –Usually integrated into an NGFW
  • Logs contain information about predefined vulnerabilities
    –Known OS vulnerabilities, generic security events
  • Common data points
    –Timestamp
    –Type or class of attack
    –Source and destination IP
    –Source and destination port
7
Q

Network logs

A
  • Switches, routers, access points, VPN concentrators
    –And other infrastructure devices
  • Network changes
    –Routing updates
    –Authentication issues
    –Network security issues
8
Q

Metadata

A
  • Metadata
    –Data that describes other data sources
  • Email
    –Header details, sending servers, destination address
  • Mobile
    –Type of phone, GPS location
  • Web
    –Operating system, browser type, IP address
  • Files
    –Name, address, phone number, title
9
Q

Vulnerability scans

A
  • Lack of security controls
    –No firewall
    –No anti-virus
    –No anti-spyware
  • Misconfigurations
    –Open shares
    –Guest access
  • Real vulnerabilities
    –Especially newer ones
    –Occasionally the old ones
10
Q

Automated reports

A
  • Most SIEMs include a report generator
    –Automate common security reports
  • May be easy or complex to create
    –The SIEM may have its own report generator
    –Third-party report generators may be able to access the database
  • Requires human intervention
    –Someone has to read the reports
  • These can be involved to create
    –Huge data storage and extensive processing time
11
Q

Dashboards

A
  • Real-time status information
    –Get summaries on a single screen
  • Add or remove information
    –Most SIEMs and reporting systems allow for customization
  • Shows the most important data
    –Not designed for long-term analysis
12
Q

Packet captures

A
  • Solve complex application issues
    –Get into the details
  • Gathers packets on the network
    –Or in the air
    –Sometimes built into the device
  • View detailed traffic information
    –Identify unknown traffic
    –Verify packet filtering and security controls
    –View a plain-language description of the application data