Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security Guidelines and Management

Similar presentations

Presentation on theme: "Security Guidelines and Management"— Presentation transcript:

1 Security Guidelines and Management

2 Security Management Log Management Malware incident handling
Forensic Techniques Vulnerability Management Program

3 Log Management A Log is a record of events that happen in computer systems and networks of an organization Three types of logs are of interest in security Security software logs Operating system logs Application logs

4 Log Management Configuring log sources Log analysis
Initiating responses Long term storage Monitoring logging status Monitoring log archival Upgrades of logging software Clock synchronization Reconfiguration Documenting log process anomalies

5 Security Software Logs
Anti-malware software logs detected malware file and system disinfection attempts quarantines previous scans updates of virus databases IDS/IPS log suspicious behavior and detected attacks IPS actions to prevent ongoing malicious activities Remote Access software successful and failed login attempts dates and times user connected and disconnected amount of data user sent and received per session use of resources may be logged with more refined software

6 Security Software Logs
Web proxies log all urls requested Vulnerability management software log patch installation history vulnerability status of each host Authentication servers log all login attempts Routers log most recently blocked traffic Firewalls store results of analysis of suspicious activities Network quarantine servers status of quarantined hosts reason for quarantines

7 Operating System Logs System events Audit records Shutting down
Restarting services Failed events Audit records Failed/successful authentication events File accesses Security policy changes Account changes Use of privileges

8 Application Logs Applications provide their own custom logging mechanisms. Granularity can be very high. Typical logs: Client requests and server responses ( servers, web servers, financial records) Account information (authentication, change of accounts, password cracking, use of privileges) Usage information (number of transactions in a given time period, unusual activity like bulk mails) Significant operational actions (application startup, shutdown, failures, configuration changes

9 Need for Log Management
Logs are usually in proprietary format and difficult to manage Routine log reviews and analysis are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems Logs can also be useful for performing auditing and forensic analysis, supporting the organization’s internal investigations, establishing baselines, and identifying operational trends Legal compliance. For critical applications like, health, public financial records, bank accounts, Government requires the organizations to maintain logs Protecting the trustworthiness of the log sources and also, the logs themselves need to be protected from malicious activities

10 Challenges in Log Management
Multiple Log Sources Inconsistent log content (like recording only pieces of information) Inconsistent timestamps (especially when logging across multiple hosts) Inconsistent formats ( XML, plain text, binary)

11 Log Management Infrastructure
A three-tier Architecture Log generation : Synchronized hosts generate Logs analysis and storage : One or more log servers that receive the logged data. This transfer is either real-time or periodic. Such servers are called collectors or aggregators Log monitoring : analyze and monitor the logged data using application consoles

12 Features of the Infrastructure
General Log parsing is extracting data from a log so that the parsed values can be used as input for another logging process Event filtering is the suppression of log entries from analysis, reporting, or long-term storage because their characteristics indicate that they are unlikely to contain information of interest Event aggregation, similar entries are consolidated into a single entry containing a count of the number of occurrences of the event

13 Features of the Infrastructure
Storage Log rotation is closing a log file and opening a new log file when the first file is considered to be complete. Benefits are: compression of logs and analysis Log archival is retaining logs for an extended period of time, typically on removable media, a storage area network (SAN) or a server. Two forms of archival Retention : is archiving logs on a regular basis as part of standard operational activities Preservation : is keeping logs that normally would be discarded, because they contain records of activity of particular interest Log compression is storing a log file in a way that reduces the amount of storage space needed for the file without altering the meaning of its contents

14 Features of the Infrastructure
Log reduction is removing unneeded entries from a log to create a new log that is smaller Log conversion is parsing a log in one format and storing its entries in a second format. Text to XML etc Log normalization, each log data field is converted to a particular data representation and categorized consistently. Example converting all date/times into a common format Log file integrity checking involves calculating a message digest for each file and storing the message digest securely to ensure that changes to archived logs are detected

15 Features of the Infrastructure
Analysis Event correlation is finding relationships between two or more log entries E.g., rule-based correlation, which matches multiple log entries from a single source or multiple sources based on logged values, such as timestamps, IP addresses, and event types Log viewing is displaying log entries in a human-readable format Log reporting is displaying the results of log analysis Disposal Log clearing is removing all entries from a log that precede a certain date and time Some popular implementations are syslog, SIEM software, Host-based intrusion detection systems,

16 Roles/Responsibilities in Log Management
System and network administrators, responsible for configuring logging on individual systems and network devices, analyzing logs periodically, reporting results of log management activities, and performing regular maintenance of logs and logging software Security administrators, responsible for managing and monitoring the log management infrastructures, configuring logging on security devices (e.g., firewalls, network-based intrusion detection systems, antivirus servers), reporting on the results of log management activities, and assisting others with configuring logging and performing log analysis Computer security incident response teams, use log data when handling incidents Application developers, need to design or customize applications so that they perform logging in accordance with the logging requirements Information security officers, who oversee the log management infrastructures Auditors, who may use log data when performing audits Individuals involved in the procurement of software to generate computer security log data.

Download ppt "Security Guidelines and Management"

Similar presentations

Ads by Google