BankInfoSecurity.com - Information Security News, Regulations, & Education


Reviewing Equipment System Logs - Do I have to?

December 20, 2005 - Pete Boergermann

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

Pete Boergermann - BankInfoSecurity.com Contributor

Gone are the days when we could just throw a hub on a closet shelf, run a few network cables, connect some PCs and a server to it and have a network. Logs? What logs? Why would we want to look at them? Times have changed, and most devices connected to your network have logging capabilities. These devices can produce large amounts of valuable data, but it can be overwhelming to manage. A new industry that creates technology to manage security event logs is just starting up. As this technology matures, we may end up with products that can correlate the data between devices and alert us to events on a global, multi-device level. Maybe these new products will be able to learn and adapt to new event information, possibly make assessments based on trends, and then send only the alerts that need to be acted upon. Now that securing our networks is so important, we should be asking questions like: "What do we log, and why?" and "How often do we need to look at it, and who should review it?" Then reality hits and these comments come to mind: "I really have other things I need to do." "Reviewing them is boring and time-consuming." "I will get to them tomorrow."

Let us start by defining what system log data is. Most network-capable equipment has the ability to record, based on predetermined settings, events or a history of activity. These events, called system logs, can be as simple as a port on a switch getting disconnected or as specific as a table on a database running out of room. The information is typically classified into the following categories: Critical, Warning and Informational. Some devices also add a minor or major rating. The information contained in the events can be easy to read or very cryptic, and each manufacturer seems to follow a different standard. So, some equipment system logs can be a great source of information and others are completely useless. To get to these logs, you will need to connect and log into each device individually to view the information. Be warned: unless you have a centralized repository to collect the data, a considerable amount of time can be spent getting to and reviewing it.

So where do you start? First, define a risk profile for your network equipment. Which devices are critical to your network infrastructure? A switch with PCs and printers connected to it would be low risk. A switch with servers attached to it would be high risk. The reasoning behind this is that if a couple of PCs get disconnected it would only affect a few users; if a server gets disconnected it could affect all your users. Firewalls, routers, and servers are network devices that should have logging enabled without question. Next, review your logging options against the vendor-provided documentation. What are the recommended settings? Debug mode logging can cripple your device, rendering it useless; verbose mode may only need to be used when you are experiencing problems. If you are experiencing unusual or unexplained problems, these system logs will prove very valuable. Spend some time reviewing them. The SANS Institute teaches a very valuable concept, "Know Thy Network": if you know what typical behavior is, then non-typical behavior is easier to detect. This is best learned when there is not an emergency.

Now for the question that makes most network professionals squirm before answering: how often should you look at this information? First we need to discuss regulations. What industry are you in? If you are a member of the financial or health care industry, then you need to know what is expected with reference to equipment logging before your next audit or examination. There are a number of regulations covering the financial industry, such as the Gramm-Leach-Bliley Act, designed to safeguard customer information. Other regulations, such as Sarbanes-Oxley and the FTC Information Safeguards, also require monitoring of your logs.

Here is what some of the regulations say:

  • "Review security procedures for daily and periodic report monitoring to identify unauthorized or unusual activities."
  • "Determine whether logs are sufficient to affix accountability for host activities and to support intrusion forensics and IDS and are appropriately secured for a sufficient time period."
  • "Appropriate logging and monitoring takes place."
  • "...remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors..."
  • "Host Systems - Secure configuration (hardening) - Operating system access - Application access and configuration - Malicious code prevention - Logging - Monitoring and updating"
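The two practical points above, a risk profile per device that decides how much attention its events get, and daily review of remote access logs for activity at unusual times, can be turned into a small triage script once the logs land in one central repository. The following is an added example, not code from the article or from any vendor. It assumes a constructed, syslog-style line format ("timestamp host severity message"), a hand-maintained DEVICE_RISK table of the kind the article suggests you build, and a hypothetical "business hours" window of 08:00 to 17:59 standing in for whatever "typical behavior" your own network baseline shows. The sample log lines, hostnames and addresses are all constructed for the example (the addresses are from the reserved documentation ranges).

```python
"""Risk-weighted triage of centrally collected device system logs.

Added example for illustration; not the article's or any product's code.
Assumptions (all constructed): the line format below, the DEVICE_RISK
table, and the BUSINESS_HOURS baseline for remote (VPN) access.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample of lines as a central collector might store them.
SAMPLE_LOGS = """\
2005-12-19T02:14:07 fw-edge-01 critical VPN login for user jdoe from 203.0.113.45
2005-12-19T09:03:11 sw-floor3-01 informational port Gi0/12 link down
2005-12-19T09:05:42 db-core-01 warning tablespace CUSTDATA at 95% capacity
2005-12-19T11:20:05 fw-edge-01 informational VPN login for user asmith from 198.51.100.7
2005-12-19T22:47:30 rtr-core-01 critical BGP neighbor 192.0.2.1 down
2005-12-19T23:59:59 sw-floor3-01 informational port Gi0/07 link up
"""

# Risk profile as the article describes: what hangs off the device decides its weight.
DEVICE_RISK = {
    "fw-edge-01": "high",    # firewall: log without question
    "rtr-core-01": "high",   # router
    "db-core-01": "high",    # server
    "sw-floor3-01": "low",   # access switch with PCs and printers
}

SEVERITY_RANK = {"critical": 3, "warning": 2, "informational": 1}
RISK_RANK = {"high": 3, "medium": 2, "low": 1}

# Assumed baseline: remote access during 08:00-17:59 is typical for this site.
BUSINESS_HOURS = range(8, 18)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<sev>\w+)\s+(?P<msg>.*)$")


def parse_line(line):
    """Return a dict for one log line, or None if it does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sev = m.group("sev").lower()
    if sev not in SEVERITY_RANK:
        return None  # unknown severity word: treat as unparseable, not as "low"
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    return {"ts": ts, "host": m.group("host"), "severity": sev, "msg": m.group("msg")}


def parse_logs(text):
    """Parse every line, silently dropping lines that do not fit the format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def priority(event):
    """Severity weighted by the device's risk; unknown devices count as medium."""
    risk = DEVICE_RISK.get(event["host"], "medium")
    return SEVERITY_RANK[event["severity"]] * RISK_RANK[risk]


def is_unusual_remote_access(event):
    """Remote access (VPN login) outside the assumed business-hours baseline."""
    return "VPN login" in event["msg"] and event["ts"].hour not in BUSINESS_HOURS


def triage(text, min_priority=4):
    """Events worth a human's daily review, highest priority first.

    An event is kept if its risk-weighted priority reaches min_priority or if
    it is remote access at an unusual time, regardless of its severity label.
    """
    flagged = [e for e in parse_logs(text)
               if priority(e) >= min_priority or is_unusual_remote_access(e)]
    return sorted(flagged, key=priority, reverse=True)


def volume_by_host(text):
    """Line count per device: a quick check for a device left in debug mode."""
    return Counter(e["host"] for e in parse_logs(text))


if __name__ == "__main__":
    for e in triage(SAMPLE_LOGS):
        print(f'{priority(e):2d} {e["ts"]:%Y-%m-%d %H:%M} {e["host"]:13} '
              f'{e["severity"]:13} {e["msg"]}')
    print(dict(volume_by_host(SAMPLE_LOGS)))
```

On the constructed sample, the two critical events on high-risk devices and the database warning surface first, the low-risk access switch's port flaps are filtered out, and the 02:14 VPN login would be kept even if it had been logged as informational, which is the behaviour the "access during unusual times" guidance asks for. The per-host volume count is the cheap check for a device accidentally left in debug mode.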
