SANS 20 Critical IT Security Controls #6: Maintaining and Monitoring Audit Logs

All network components log their activity, but most companies don’t have a formal policy of reviewing the logs on a daily basis. Network logs contain evidence of successful penetration of your system by attackers. Catching an intrusion early will alert you to a vulnerable system and prevent catastrophic damage. If you don’t examine log files religiously, you may be allowing an attacker to control parts of your network for a long period of time.

The first thing you must do to make system logs useful is to configure appropriate audit log settings for all hardware devices as well as software – thus, you must configure logging for network firewalls, routers and the UNIX/Linux and Windows servers, for example. You must ensure that the logging follows standardized formats such as syslog or the standards outlined in the Common Event Expression (CEE) format. You can use a log normalization tool to standardize logs. You should also configure verbose logging for all network boundary devices such as firewalls, intrusion prevention systems and inbound and outbound proxies. Make sure that the logs capture any blocked access attempts as well. You must also log all unauthorized and failed attempts to log into a server or database.

Your system and network administrators must scan the logs daily to see if there’s any unusual activity in the system that may indicate a malicious attack. You must record verbose logs of all remote access to your internal network through VPN and dial-up as well as other mechanisms. Since logging can take up a lot of space, ensure that you have adequate disk space to store all logs, and automate the archiving and compression of older logs on a regular basis.

It’s important to dedicate a server for logging purposes, thus making it harder for an attacker to tamper with the logs. Use write-only devices to protect the logs. A Security Event/Information Management (SIEM) tool helps to aggregate and consolidate logs from different machines for log correlation and analysis. Your administrators must correlate attack detection events with stored vulnerability scanning results to see if the attacker gained access through a known vulnerability.
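As an added illustration of the failed-login logging and daily review this control calls for (example code written for this page, not from the original post), the script below parses a few constructed OpenSSH syslog lines and flags any source address that fails repeatedly within a short window. The BSD syslog layout, host name, user names and IP addresses are all assumptions made for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the traditional BSD syslog layout written by
# OpenSSH on Linux (an assumption; these are not from the original post).
SAMPLE_LOG = """\
Mar  4 08:01:12 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  4 08:01:14 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  4 08:01:15 bastion sshd[2101]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  4 08:01:17 bastion sshd[2101]: Failed password for root from 203.0.113.45 port 51025 ssh2
Mar  4 08:01:19 bastion sshd[2101]: Failed password for root from 203.0.113.45 port 51026 ssh2
Mar  4 08:02:03 bastion sshd[2107]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2
Mar  4 09:15:40 bastion sshd[2140]: Failed password for alice from 198.51.100.7 port 40220 ssh2
Mar  4 09:15:52 bastion sshd[2140]: Accepted password for alice from 198.51.100.7 port 40220 ssh2
"""

# Matches only failed sshd password attempts; every other line is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

def parse_failed_logins(text, year=2024):
    """Return (timestamp, host, user, source_ip) per failed-login line.
    BSD syslog omits the year, so the caller supplies it."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["user"], m["ip"]))
    return events

def find_bursts(events, threshold=5, window_seconds=60):
    """Return {source_ip: total_failures} for sources with at least
    `threshold` failures inside any `window_seconds` span. A single
    mistyped password (alice above) is not reported."""
    by_ip = defaultdict(list)
    for ts, _host, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged
```

Running `find_bursts(parse_failed_logins(SAMPLE_LOG))` reports only 203.0.113.45, which is the kind of entry a daily review should hand to the administrators for correlation with the vulnerability scan results.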
