Wednesday, September 28, 2011

Which Logs are Security Logs?

This was originally posted on my RSA Conference Blog


Many of the security logging discussions center about the following topics:
1-      Log Collection
2-      Log Transport
3-      Log Storage
4-      Log Taxonomy
5-      Log Analysis / Correlation
6-      Log Protection / Security

These are all good topics but a very important topic is rarely discussed, and it is usually the most important one:

What are the security logs?


It is easy to work with security devices (Firewall, IDP, DLP, AV etc), their logs/alerts are classified as security logs, but what about regular applications or infrastructure components that are not build as a “security device” or security in mind? Do we need to process all logs from these devices? Which logs are more important?  Which logs go to “security” queue?

Let’s go with example, if you are the security architect, what would you recommend to a system owner who came up with a new application that writes the logs to a flat file or a database? Even if the logs are shipped to a syslog collector or an OS log queue; does it change the question?
The question is same “Which” logs? What do you want?

Here is a quick check list of activities to ask for the logs:

1-      Logs for all access (User, Admin, Service, Application etc)
2-      Logs for all changes (changes in monitored files, configurations, hardware,software – MACD logs)
3-      Logs for critical transactions in the applications
4-      Logs from user repository (e.g if AD, LDAP, RADIUS is used) access, change and transaction logs from user repository
5-      Logs for anomalies (changes in baseline activity, failed attempts, unexpected connections etc)

Since a security architect cannot know all applications, this is a good start to communicate with 3rd party developers and application/system owners for security log generation.


For a structured approach here are a few good reads to start with:
NIST 800-92, Guide to Computer Security Log Management

Common Event Expression White Paper (also has a history on other initiatives)

Watch Your Logs! Quick intro

No comments: