Log|Event|Information ManagementAyman SaeedSr.Network Security Engineer, PS DEPRaya IT

Log Management

• Collection• Retention

Ex. Kiwi Syslog Server

Information|Event Management

• Collection• Normalization• Retention• Correlation• Alerting• Reporting

Log Types and Log Sources

• Audit Logs• Transaction Logs• Intrusion Logs• Connection Logs• Performance Records• User Activity Logs

• Firewall• IPS• Router/Switch• Servers• Databases• Business Applications• Antivirus

Log Chaos : Login|Logon|Log in

Log Chaos : Accept|Permit|Allow

Log Chaos: Syslog|WinEV|DB|File

Firewalls/VPN

IntrusionDetectionSystems

VulnerabilityAssessment

NetworkEquipment

Server and Desktop OS Anti-Virus Applications Databases

User Activity Monitoring

Critical file modifications

Policy

Changes

Malicious IP

Traffic

WebTraffic

Log Chaos, in brief.

• There is no standard format for writing logs

• There is no standard Transport method for moving logs

.SIEM, the product

• SIEM , Security Information and Event Management• Again:– Collection– Normalization– Retention– Correlation– Alerting – Reporting

Event Collection

– SIEM vendors create a group of documents for collecting logs from supported products.

Normalization

– UserID > Username– LoginName > Username– ID > Username– Username > Username

Retention

Example:• IDS+DMZ+Online = 90 days• Firewall+DMZ+online = 30 days• Servers+internal+online = 90 days• All+DMZ+archive = 3 years• Critical+internal+archive = 5 years• Other+internal+archive = 1 year

Correlation

25 events based on cross-referencing intrusion alerts against firewall entries and host/asset databases much more efficiently than when he must scan 10,000 mostly normal log entries.

Alerting

Alerting on incidents can take various forms :• Email• SMS• SNMP Trap

Reporting

– Compliance Reports (PCI, ISO..)– Security Reports (Critical Attacks,

Failed Logins..)– Audit Reports (Configuration

Changes, VPN Access..)– Operational Reports (Link

Utilization, Top Destination IP..)