Reporting Up: Recommendations for Log Analysis
What kind of log information should be reported up the chain?
At some point during log review, analysts start to ask, “What information is important enough to share with my supervisor?” This post covers useful categories of information to monitor and report because they indicate potential security issues. And remember: reporting up doesn’t mean going directly to senior management. Most issues can be reported to an immediate supervisor.
Policy Violations
This type of information indicates that someone is doing something they are not supposed to do. To identify policy violations, monitor:
· Non-service accounts being used as service accounts, for example a user or admin account running a service or scheduled task instead of a dedicated service account
· Account sharing, where multiple staff members use a single account (e.g., logins to the same account from different locations or networks at nearly the same time)
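Both signals are easy to check once logon events are parsed into records. The following is an added example, not code from the original post: it assumes a naming convention in which dedicated service accounts carry an `svc_` prefix, uses the Windows 4624 Logon Type numbering (2 = interactive, 5 = service, 10 = remote interactive) for the `logon_type` field, and runs over a handful of constructed logon records rather than real logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful-logon records, as a SIEM might export them
# after parsing (not real log data). "logon_type" mirrors the Windows 4624
# Logon Type field: 2 = interactive, 5 = service, 10 = remote interactive.
AUTH_EVENTS = [
    {"ts": "2024-03-04T09:02:11", "user": "jsmith",     "src_ip": "10.1.20.15",   "site": "HQ",     "logon_type": 2},
    {"ts": "2024-03-04T09:05:40", "user": "jsmith",     "src_ip": "198.51.100.7", "site": "VPN",    "logon_type": 10},
    {"ts": "2024-03-04T09:10:02", "user": "alee",       "src_ip": "10.1.20.44",   "site": "HQ",     "logon_type": 2},
    {"ts": "2024-03-04T13:30:00", "user": "alee",       "src_ip": "10.2.30.9",    "site": "Branch", "logon_type": 2},
    {"ts": "2024-03-04T09:15:19", "user": "svc_backup", "src_ip": "10.1.5.2",     "site": "DC",     "logon_type": 5},
    {"ts": "2024-03-04T09:20:00", "user": "admin_bob",  "src_ip": "10.1.5.3",     "site": "DC",     "logon_type": 5},
]

# Assumed naming convention: dedicated service accounts are prefixed "svc_".
SERVICE_ACCOUNT_PREFIX = "svc_"
SERVICE_LOGON_TYPE = 5


def non_service_accounts_used_as_services(events):
    """Return (user, ts) pairs where a non-service account performed a service
    logon, i.e. a user or admin account is running something that a dedicated
    service account should be running."""
    return [
        (ev["user"], ev["ts"])
        for ev in events
        if ev["logon_type"] == SERVICE_LOGON_TYPE
        and not ev["user"].startswith(SERVICE_ACCOUNT_PREFIX)
    ]


def shared_account_candidates(events, window_minutes=30):
    """Return (user, earlier_event, later_event) for logons to the same account
    from a different site or source address within `window_minutes`.

    One person can legitimately move between sites over a day; the short
    window is what turns two locations into a sharing signal. Tune it to the
    environment (VPN plus office at the same time is the classic case)."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["ts"]))
        for i, first in enumerate(evs):
            t0 = datetime.fromisoformat(first["ts"])
            for second in evs[i + 1:]:
                if datetime.fromisoformat(second["ts"]) - t0 > window:
                    break  # sorted by time, so nothing later is inside the window
                if first["site"] != second["site"] or first["src_ip"] != second["src_ip"]:
                    findings.append((user, first, second))
    return findings


if __name__ == "__main__":
    for user, ts in non_service_accounts_used_as_services(AUTH_EVENTS):
        print(f"policy: {user} performed a service logon at {ts}")
    for user, a, b in shared_account_candidates(AUTH_EVENTS):
        print(f"policy: {user} logged in from {a['site']} ({a['src_ip']}) at {a['ts']} "
              f"and from {b['site']} ({b['src_ip']}) at {b['ts']}")
```

On the constructed data this reports `admin_bob` for the service-logon check and `jsmith` (HQ and VPN three minutes apart) for account sharing, while `alee`, who moved between sites over four hours, is not flagged. Before reporting a sharing finding, confirm the two source addresses really are different locations; a user behind a NAT that rotates egress addresses will otherwise produce false positives.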
Significant Shifts in Statistics
Monitoring for a significant change in statistics means treating the volume of a particular event type as an indicator that something may be wrong. Volume only means something against a baseline of what is normal for that source, so compare like with like (the same hour of day, the same host or user). Examples include:
· Failed logins to critical resources (e.g., failed attempts on the finance server)
· Increased communication with known malware or threat-actor sites, e.g., matching proxy or DNS logs against a list of known malicious domains and reporting which users are communicating with them
· Significant uptick in bytes transferred, which suggests someone may be moving a lot of data in or out of the network
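The three examples above share one mechanism (compare the current count against a baseline) plus one lookup (users against a bad-domain list). The block below is an added example, not from the original post, and generalises the baseline comparison to any counter: it scores the current hour's value as a z-score against the same hour over the previous days and also requires a minimum absolute change, so a quiet metric going from 0 to 2 is not reported. All series, the proxy log lines and the bad-domain list are constructed for the example.

```python
import statistics

# Constructed data (not real measurements). Each baseline lists the same
# metric at the same hour of day over the previous 14 days, so the comparison
# is like-for-like; "current" is this hour's value.
FAILED_LOGINS_FINANCE = {
    "baseline": [3, 5, 2, 4, 6, 3, 4, 2, 5, 3, 4, 3, 5, 4],
    "current": 41,
}
BYTES_OUT_WORKSTATION_MB = {
    "baseline": [120, 95, 130, 110, 100, 115, 125, 105, 118, 122, 98, 112, 127, 109],
    "current": 2400,
}

# Constructed proxy log lines: "<timestamp> <user> <destination host> <bytes>".
PROXY_LOG = """\
2024-03-04T10:01:02 alee intranet.example.com 5120
2024-03-04T10:01:09 jsmith c2-update.example.net 812
2024-03-04T10:02:33 alee cdn.example.org 90210
2024-03-04T10:04:41 rnguyen c2-update.example.net 771
2024-03-04T10:05:00 jsmith dropsite.example.net 4418000
"""
# Assumed threat-intel feed of known-bad domains (constructed, RFC 2606 names).
KNOWN_BAD_DOMAINS = {"c2-update.example.net", "dropsite.example.net"}


def significant_shift(current, baseline, z_threshold=3.0, min_delta=10):
    """Decide whether `current` is a significant shift from `baseline`.

    Uses a z-score against the baseline mean and population standard
    deviation. `min_delta` stops tiny absolute changes on a very quiet
    metric (e.g. 0 -> 2 failed logins) from being reported as significant."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline)
    delta = current - mean
    if sd == 0:  # perfectly flat baseline: any change is infinitely unusual
        z = float("inf") if delta != 0 else 0.0
    else:
        z = delta / sd
    return {
        "mean": round(mean, 2),
        "stdev": round(sd, 2),
        "zscore": round(z, 2),
        "significant": z >= z_threshold and delta >= min_delta,
    }


def users_talking_to_bad_domains(proxy_log, bad_domains):
    """Map each user to the sorted list of known-bad hosts they contacted."""
    hits = {}
    for line in proxy_log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line; count these separately in production
        _ts, user, host, _nbytes = parts
        if host in bad_domains:
            hits.setdefault(user, set()).add(host)
    return {user: sorted(hosts) for user, hosts in hits.items()}


if __name__ == "__main__":
    for name, series in [("failed logins (finance)", FAILED_LOGINS_FINANCE),
                         ("bytes out, MB (workstation)", BYTES_OUT_WORKSTATION_MB)]:
        r = significant_shift(series["current"], series["baseline"])
        print(f"{name}: current={series['current']} mean={r['mean']} "
              f"z={r['zscore']} report={'YES' if r['significant'] else 'no'}")
    for user, hosts in users_talking_to_bad_domains(PROXY_LOG, KNOWN_BAD_DOMAINS).items():
        print(f"{user} contacted known-bad hosts: {', '.join(hosts)}")
```

The z-score threshold of 3 and the minimum delta of 10 are starting points, not rules; pick them per metric from what your own baselines look like. A moderately busy hour (say 140 MB against the workstation baseline above) scores below the threshold and is not reported, which is the point of using a baseline instead of a fixed number.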
Overall Areas to Monitor and Report
There are also many areas you should monitor regularly and report up when unusual activity suggests a problem, such as:
· Account types
Monitoring how account types such as service accounts, privileged accounts (e.g., administrators, users with access to critical resources, executive accounts), dormant accounts and recently terminated accounts are used helps identify whether an account is being misused or accessed by the wrong people.
· Physical security
Information about access control such as badge swipes or RFID data can help identify security issues at facilities and workplaces.
· User logins by department
Report to each department where and when its users log in, so the department can confirm that its personnel are accessing assets appropriately.
· Login monitoring
Login monitoring can include logins outside of business hours and remote vs. local logins, to gauge after-hours and remote activity.
· Privileged account creation
Privileged accounts should be rare, so several being created in a short period may indicate an issue.
· New software installations
If there are policies in place on what software may be installed, tracking installations shows whether employees are following them.
· New processes in an environment
A process that has not been seen before on a host can be an early indication of a malware compromise.
· Bandwidth usage
Tracking bandwidth usage can include examining high usage in general and/or high-bandwidth-using users or resources (which may signal an attempt to exfiltrate data).
· Assets connecting from a new location
If assets that connect to the network from a particular (or assigned) location are connecting from a new location, it might be a warning sign.
· Connection attempts by stolen assets
A lost or stolen laptop or mobile device that attempts to connect to your environment is a security risk and should be reported.
· Unusual patterns in downloads
Unusual download patterns can indicate an issue, especially when they coincide with other unusual activity.
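Two of the checks in the list above, login monitoring (off-hours and remote logins) and new processes in the environment, come down to a policy window and a set difference against a baseline. The following is an added example, not code from the original post. It assumes business hours of 07:00 to 19:00 Monday to Friday, treats `10.0.0.0/8` and `192.168.0.0/16` as the corporate address space (anything else is remote), and runs over constructed logon records and per-host process inventories rather than real data.

```python
import ipaddress
from datetime import datetime, time

# Assumed local policy: business hours 07:00-19:00, Monday to Friday.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
# Assumed corporate address space; anything outside it is treated as remote.
LOCAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed logon records (not real data): (timestamp, user, source IP).
LOGON_RECORDS = [
    ("2024-03-04T08:15:00", "alee",       "10.1.20.44"),     # Monday, in hours, local
    ("2024-03-04T23:40:00", "jsmith",     "203.0.113.9"),    # Monday night, remote
    ("2024-03-05T02:05:00", "svc_backup", "10.1.5.2"),       # Tuesday 02:05, local
    ("2024-03-05T10:00:00", "rnguyen",    "198.51.100.22"),  # Tuesday, in hours, remote
    ("2024-03-09T11:00:00", "alee",       "10.1.20.44"),     # Saturday, local
]

# Constructed per-host process inventories: yesterday's baseline and today's.
BASELINE_PROCESSES = {
    "host-a": {"svchost.exe", "explorer.exe", "outlook.exe"},
    "host-b": {"svchost.exe", "sqlservr.exe"},
}
OBSERVED_PROCESSES = {
    "host-a": {"svchost.exe", "explorer.exe", "outlook.exe", "rundll32.exe"},
    "host-b": {"svchost.exe", "sqlservr.exe"},
    "host-c": {"svchost.exe"},  # host never seen before
}


def classify_logon(ts, src_ip):
    """Return whether a logon is outside business hours and/or from a remote address."""
    when = datetime.fromisoformat(ts)
    weekend = when.weekday() >= 5  # Monday == 0, so 5 and 6 are Sat/Sun
    off_hours = weekend or not (BUSINESS_START <= when.time() < BUSINESS_END)
    addr = ipaddress.ip_address(src_ip)
    remote = not any(addr in net for net in LOCAL_NETWORKS)
    return {"off_hours": off_hours, "remote": remote}


def logons_to_report(logons):
    """Return the logons that are off-hours, remote, or both, with the reason(s)."""
    findings = []
    for ts, user, src_ip in logons:
        c = classify_logon(ts, src_ip)
        if c["off_hours"] or c["remote"]:
            reasons = [k for k, v in c.items() if v]
            findings.append({"ts": ts, "user": user, "src_ip": src_ip, "reasons": reasons})
    return findings


def new_processes(baseline, observed):
    """Processes seen today that were not in the baseline, per host.

    A host absent from the baseline has no history, so everything on it is
    reported as new; that is deliberate, since an unknown host is itself
    worth a look."""
    result = {}
    for host, procs in observed.items():
        fresh = procs - baseline.get(host, set())
        if fresh:
            result[host] = sorted(fresh)
    return result


if __name__ == "__main__":
    for f in logons_to_report(LOGON_RECORDS):
        print(f"{f['ts']} {f['user']} from {f['src_ip']}: {', '.join(f['reasons'])}")
    for host, procs in new_processes(BASELINE_PROCESSES, OBSERVED_PROCESSES).items():
        print(f"{host}: new processes {', '.join(procs)}")
```

Note that the service account `svc_backup` is reported for its 02:05 logon; a backup job running at night is expected, so in practice the report should carry an allow-list of accounts and hours that are known to be legitimate, otherwise the supervisor sees the same finding every morning and stops reading.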
With the volume of log data available, monitoring data related to policy violations, significant shifts in statistics, and general network activity is a good place to start reporting up. Knowing what to share with supervisors increases both the value of log data and your value to the organization.