The Graylog blog

Centralized Log Management for Incident Response

Centralized log management incident response access monitoring

Today’s reality is that you’ll never be 100% secure. Remote work and digital transformation add more access points, devices, and applications than ever before. At the same time, your team is constantly responding to alerts that could be an incident. Although, most often, it’s not. 

Basically, you need to reduce the mean time to investigate (MTTI) and the mean time to respond (MTTR). Centralized log management with security analytics and anomaly detection can help you get the Security Information and Event Management (SIEM) capabilities you need for faster incident response. 

Faster incident response reduces the incident’s impact

You’re going to be hard-pressed to meet the 1-10-60 framework timing in today’s cloud-connected environment. Detecting an incident within a minute isn’t likely. According to research, security practitioners are struggling:

  • 55% missed a critical alert
  • 22% of those said they missed critical alerts daily
  • 41% said they missed a critical alert weekly

Even if you detect the alert in time, the investigation process can still be slow. Research found the following incident response duration, defined as “effort in hours taken for investigation”:

  • 34.4 hours for attacks that lasted up to a week
  • 48.9 hours for attacks that lasted up to a month
  • 105.6 hours for attacks that lasted more than a month

The longer attackers are in your systems and networks, the more damage they can do. 

Incident Response for Cyber Resiliency

In a world where it’s hard to keep up with threat actors, cyber resiliency is as impactful as cybersecurity. 

The National Institute of Standards and Technology (NIST) notes this in NIST Special Publication (SP) 800-160 Vol. 2 Rev. 1 “Developing Cyber-Resilient Systems”:

Prepare: Maintain a set of realistic courses of action that address predicted or anticipated adversity. 

Discussion: This objective is driven by the recognition that adversity will occur. It specifically relates to an organization’s contingency planning, continuity of operations plan (COOP), training, exercises, and incident response and recovery plans for critical systems and infrastructures.

Transform: Modify mission or business functions and supporting processes to handle adversity and address environmental changes more effectively.

Discussion: This objective specifically applies to workflows for essential functions, supporting processes, and incident response and recovery plans for critical assets and essential functions.

As part of SP 800-160 Vol 2, NIST traces the controls back to SP 800-53 Rev 5’s “Incident Response (IR)” Control Family. Under the Discussion of IR-4 “Incident Handling”, NIST states:

Incident-related information can be obtained from a variety of sources, including audit monitoring, physical access monitoring, and network monitoring; user or administrator reports; and reported supply chain events.

You’re using your logs to both investigate incidents and meet the compliance requirements to prove that you have controls in place.  

In the end, your investigation capabilities both mitigate the damage that the incident causes and document your activities that prove your cyber resilience. 

Using Centralized Log Management for Incident Response

Incident response isn’t easy. In a digital world that moves too fast, you need to investigate and respond faster. When your centralized log management solution incorporates security analytics and anomaly detection, you can investigate with the lightning-fast speed you need. 

Incident investigations are a lot like news articles. You need to know the following:

  • Who
  • What
  • When
  • Where
  • How

You already probably know the “why” – it’s either money, politics, or disrupting business. 

Who and When: User Session

Everything in the cloud starts with access monitoring. According to the 2022 Data Breach Investigations Report, Credentials were part of the path in more than 40% of attacks. Monitoring user sessions gives you visibility into credential-based attacks with information like:

  • User login
  • User logout
  • Failed login
  • Resources accessed
  • Account changes

Centralized log management incident response access monitoring

Additionally, when your centralized log management includes User and Entity Behavior Analytics, you can correlate these events with additional information like:

  • File permission changes
  • File modifications
  • File deletions
  • Rare websites
  • Webmail
  • Email servers
  • Removable media
  • Rare processes
  • DNS

With this data, you can trace a brute force attack more easily, reducing investigation time and making you more cyber resilient.

What and Where: Firewalls 

Firewalls connect and deny user devices and ID to their Source IP Addresses, so collecting

and analyzing this data at the network perimeter tracks end-user behavior.  They also track

outbound and inter-network activity.  If you have this information at your fingertips, you

can conduct your investigation faster and with precision. If you can trace the IP address you can block it as part of your response activities.

centralized log management incident response firewalls

How: Intrusion Detection Systems (IDS)/Intrusion Prevention Systems (IPS)

To contain the incident, you need to know what’s happening, and this is where the IDS/IPS comes to the rescue. 

Your IDS/IPS does the packet inspection and pattern detection that can tell you about potential evasion techniques, like whether a cybercriminal is:

  • Sending fragmented packets
  • Sending traffic to a different port after reconfiguring a protocol
  • Scanning the network
  • Attempting to obscure the source of the attack

Don’t Wait for Detections – Look for Incidents

Part of cyber resilience is assuming that threat actors have already compromised your environment. In other words, you have an incident; you just haven’t detected it yet. Threat actors change their methodologies, but threat intelligence helps you keep up with them. Creating parameterized searches gives you a way to automate investigations so that you can engage in proactive threat hunting and look advanced threat activities like:

  • Abnormal user access to sensitive information
  • Abnormal time of day and location of access
  • High volumes of files accessed
  • Higher than normal CPU, memory, or disk utilization
  • Higher than normal network traffic

centralized log management incident response threat hunting

Graylog Security: Analytics for Incident Response

Graylog Security gives you the advanced anomaly detection and security analytics you need without making extra work for you. Every second counts when you’re responding to an incident. Graylog Security is designed to parse terabytes of data in seconds, allowing you to find important log data in real-time quickly.

With our lightning-fast speed combined and the ability to create dashboards, you can build and combine multiple searches for any type of analysis into one action for reduced MTTI and MTTR. All of this reduces dwell time which, in turn, reduces the incident’s impact.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.