While cybersecurity professionals agree that log management is integral to robust proactive and reactive security, managing the enormous volume of log data is a challenge. You might be tempted to collect every log generated by your systems, software, network devices, and users, but this "fear of missing out" on an important event ultimately produces so much noise that your security analysts and threat hunters cannot find the information that matters.
Triaging which logs feed your security information and event management (SIEM) technology, and how they are prioritized once there, lets you proactively mitigate risk and perform meaningful forensic analysis after an incident.
HOW ARE LOGS USED IN A SIEM?
SIEM systems collect and aggregate event log data from your organization’s systems, networks, and software so that you can gain real-time visibility into cybersecurity risks, remediate weaknesses that lead to an attack, or investigate how an attack occurred.
At a high level, this seems easy: send all the data through the SIEM and wait for it to produce the information you need. In reality, when you don't choose the log data purposefully, you get more information than you can use. With all that noise, security analysts miss the important alerts because they are bogged down by inconsequential ones.
WHAT COMMON LOGS ENABLE PROACTIVE DETECTION AND REACTIVE INVESTIGATION?
Since nearly every device, user, system, network, and application can send log event data to your SIEM, you need to know the most important types of logs before drilling down to the specific events you want to prioritize.
Security logs record who logged on and off where, tying a user name to a computer and usually to a source IP address. On Windows these come from the Security event log, whose audit categories include:
- Logon events
- Account logon events
- Account management
- Object access
- Privilege use
- Policy change
- Process tracking
- System events
For example, a burst of failed logons (Windows event ID 4625) from a single source address points to a brute-force attack, while failures spread across many different accounts from one source point to password spraying. Either becomes urgent when a successful logon (event ID 4624) from the same source follows the failures.
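The check described above, as an added example for this article (it is not Graylog's code and not from the original page): detection logic run over a constructed set of Windows Security events. The events are modelled on event IDs 4625 (failed logon) and 4624 (successful logon); the field names ts, event_id, user and ip are an assumption, so map them to whatever your SIEM extracts (EventID, TargetUserName, IpAddress).

```python
"""Flag brute-force and password-spray logons from Windows Security events.

Added example for this article; it is not Graylog's code. The events below are
constructed by hand and modelled on Windows Security event IDs 4625 (an account
failed to log on) and 4624 (an account was successfully logged on). The field
names ts/event_id/user/ip are an assumption: map them to whatever your SIEM
extracts (e.g. EventID, TargetUserName, IpAddress).
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # 203.0.113.7 hammers one service account, then gets in: brute force.
    {"ts": "2024-05-01T10:00:00", "event_id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:05", "event_id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:09", "event_id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:14", "event_id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:20", "event_id": 4625, "user": "svc_backup", "ip": "203.0.113.7"},
    {"ts": "2024-05-01T10:00:31", "event_id": 4624, "user": "svc_backup", "ip": "203.0.113.7"},
    # 198.51.100.9 tries one password against many users: password spray.
    {"ts": "2024-05-01T11:00:00", "event_id": 4625, "user": "alice", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T11:00:02", "event_id": 4625, "user": "bob", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T11:00:04", "event_id": 4625, "user": "carol", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T11:00:06", "event_id": 4625, "user": "dave", "ip": "198.51.100.9"},
    {"ts": "2024-05-01T11:00:08", "event_id": 4625, "user": "erin", "ip": "198.51.100.9"},
    # 10.0.0.5: a user mistypes a password twice, then gets in. Benign.
    {"ts": "2024-05-01T12:00:00", "event_id": 4625, "user": "frank", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T12:00:30", "event_id": 4625, "user": "frank", "ip": "10.0.0.5"},
    {"ts": "2024-05-01T12:00:45", "event_id": 4624, "user": "frank", "ip": "10.0.0.5"},
]


def detect_logon_abuse(events, window=timedelta(minutes=5), fail_threshold=5, spray_users=4):
    """Return one finding per source IP that shows logon abuse.

    brute_force:    at least `fail_threshold` failures from one IP inside `window`
    password_spray: failures against at least `spray_users` distinct accounts
                    from one IP inside `window`
    A finding gets succeeded=True when a 4624 from the same IP follows the
    burst within `window`; that is the one to page someone for.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, account), ...] inside the window
    findings = {}                  # ip -> finding

    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts, ip = datetime.fromisoformat(e["ts"]), e["ip"]
        # Forget failures that have aged out of the sliding window.
        failures[ip] = [(t, u) for t, u in failures[ip] if ts - t <= window]

        if e["event_id"] == FAILED_LOGON:
            failures[ip].append((ts, e["user"]))
            accounts = {u for _, u in failures[ip]}
            if len(accounts) >= spray_users:
                kind = "password_spray"
            elif len(failures[ip]) >= fail_threshold:
                kind = "brute_force"
            else:
                continue   # typo-level failures: no finding
            f = findings.setdefault(ip, {"ip": ip, "accounts": set(), "succeeded": False})
            f["kind"] = kind
            f["accounts"] |= accounts
            f["last_failure"] = ts
        elif e["event_id"] == SUCCESSFUL_LOGON:
            f = findings.get(ip)
            # A success shortly after the burst means the guess worked.
            if f and ts - f["last_failure"] <= window:
                f["succeeded"] = True
                f["account"] = e["user"]

    return [findings[ip] for ip in sorted(findings)]


if __name__ == "__main__":
    for f in detect_logon_abuse(SAMPLE_EVENTS):
        print(f"{f['ip']}: {f['kind']} against {sorted(f['accounts'])}, "
              f"succeeded={f['succeeded']}")
```

The sliding window is what keeps the benign case quiet: two typos in a minute never reach the threshold, while the same number of failures repeated for an hour would. Tune the thresholds to your environment, and treat a finding with succeeded=True as an incident rather than an alert.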
Endpoint logs provide data about activity occurring on the devices that connect to your network. This information includes:
- File scans
- Software compatibility
- Disk access
- Kernel drivers
- Live terminal sessions
- File quarantine
- Server message handling
For example, file scan results flag malicious software that has reached a device before it is executed.
HOW TO CHOOSE THE MOST IMPORTANT LOG EVENT DATA
The hardest part of connecting your event logs to your SIEM is choosing the ones that carry the most useful data. To reduce the impact of data security events, organizations need visibility into each stage of the "cyber kill chain." The cyber kill chain model describes the sequence of activities an attacker carries out to infiltrate an IT environment and exfiltrate data.
This article groups the kill chain's seven phases into three stages and picks the logs that give visibility into each:
- Reconnaissance and Probing
- Command and Control (C2)
- Action on targets
By determining the log event data that has the most impact on securing your infrastructure, you can more effectively mitigate new risks and investigate data security events.
WHAT LOGS SHOULD YOU SEND TO A SIEM?
When deciding which log event data matters most, look for the events that give the best visibility into the cyber kill chain, and prefer logs that can be correlated with each other at each step (a shared user name, host name, or source IP), since a single log line rarely tells the whole story.
RECONNAISSANCE AND PROBING
Monitoring for network and system anomalies is the first line of defense. The following logs give visibility into an attacker's reconnaissance:
- Intrusion prevention system/intrusion detection system alarms (IPS/IDS)
- Nmap port scan
- SMB port scan
- Vulnerability scans
- Website filtering
After reconnaissance comes weaponization, in which the attacker pairs an exploit with a payload such as a backdoor or loader inside a deliverable file. This happens on the attacker's side, so you rarely log it directly; the tool most likely to catch the resulting artifact once it arrives is the:
- Endpoint detection and response tool
In the delivery phase the weaponized file reaches the user's machine, typically as an email attachment, a link, or a drive-by download, usually without the user noticing anything wrong. Logs that support detection and forensics here include:
- Email security
- Suspicious download
- Reverse shell
Once the payload is delivered, the exploitation phase abuses a vulnerability in the target application, device, or operating system to execute the attacker's code without the user realizing it. Logs that support detection and investigation include:
- Host delivery
- Software modification
- VPN concentrator
Exploitation leads to the installation phase, in which the attacker establishes persistence (a backdoor into the organization's IT stack) and often escalates privileges or harvests credentials to reach sensitive data. When mitigating or investigating this stage, these logs give insight:
- Software installation
- Hash extraction
COMMAND AND CONTROL (C2)
Once installed, the implant needs a channel back to an attacker-controlled server to receive commands and, later, to carry data out. Because C2 traffic has to cross your network boundary, the network devices that see every outbound connection are the logs to collect:
- Router logs
- Switch connection
- Switch traffic
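One thing router and switch traffic logs can reveal that no single line shows is beaconing: an implant contacting its C2 server on a fixed sleep timer. As an added example for this article (not Graylog's code and not from the original page), here is a detector run over constructed firewall-style connection log lines. The key=value line format, the host name fw01 and the addresses are all assumptions; adapt the regex to the format your devices emit.

```python
"""Beacon detection over router/firewall connection logs.

Added example for this article, not Graylog's code. The log lines below are
constructed here in a generic key=value syslog style (assumed format); adapt
LINE_RE to your device's actual output.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+) bytes=(?P<bytes>\d+)$"
)


def _line(ts, src, dst, dport, nbytes=600):
    """Render one constructed log line (sample data, not real traffic)."""
    return f"{ts} fw01 conn src={src} dst={dst} dport={dport} proto=tcp bytes={nbytes}"


# Implant polling its C2 roughly every 60 s with a few seconds of jitter.
BEACON_TIMES = ["10:00:00", "10:01:00", "10:02:02", "10:02:59", "10:04:01",
                "10:05:00", "10:06:03", "10:06:58", "10:08:00", "10:09:01"]
# A person browsing: bursts and long pauses, nothing periodic.
BROWSING_TIMES = ["10:00:00", "10:00:05", "10:05:05", "10:05:17", "10:20:17",
                  "10:20:20", "10:21:20", "10:51:20", "10:51:27", "10:52:07"]
# Regular, but only three connections: not enough to judge.
SPARSE_TIMES = ["10:00:00", "10:01:00", "10:02:00"]

SAMPLE_LOG = (
    [_line(f"2024-05-01T{t}Z", "10.0.0.12", "203.0.113.50", 443, 412) for t in BEACON_TIMES]
    + [_line(f"2024-05-01T{t}Z", "10.0.0.12", "198.51.100.20", 443, 18000) for t in BROWSING_TIMES]
    + [_line(f"2024-05-01T{t}Z", "10.0.0.30", "203.0.113.50", 443, 412) for t in SPARSE_TIMES]
)


def parse(lines):
    """Yield (timestamp, src, dst, dport) for lines matching LINE_RE; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_connections=8, max_cv=0.2):
    """Score each (src, dst, dport) flow by the regularity of its connection intervals.

    cv = stdev(intervals) / mean(intervals). Human-driven traffic is bursty
    (cv well above 1); an implant on a fixed sleep timer, even with jitter,
    gives a cv close to 0. Returns the flows at or below `max_cv` that have at
    least `min_connections` connections.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse(lines):
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue   # too few samples to judge regularity
        times.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(intervals)
        if mean == 0:
            continue   # all connections share one timestamp: a burst, not a beacon
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "dport": dport,
                             "connections": len(times),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['mean_interval_s']}s "
              f"(cv={f['cv']}, n={f['connections']})")
```

The coefficient of variation is deliberately scale-free, so the same threshold works for a 60-second beacon and a 6-hour one; the min_connections floor is what stops three coincidentally regular connections from paging anyone. Proxy logs, if you have them, give the same timestamps plus the URL and user agent, which is what you want next.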
ACTION ON TARGETS
Once attackers have access to the IT stack and a working C2 channel, they carry out the last stage of the attack, where they change, delete, or steal information. At this point you are most likely investigating a data security event rather than preventing it. Logs that support forensic investigation include:
- Object access
- Data Loss Prevention (DLP) Server
- Privilege escalation/use
- Internal reconnaissance
- Pass-the-hash to web server
- Pass-the-hash to email server
- Network share
- Copy SQL database
- File transfer
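Because this stage is investigated rather than prevented, the useful operation is correlation across these sources rather than a threshold on any one of them. As an added example for this article (not Graylog's code and not from the original page), here is a cross-source correlation that pivots on a user and flags a sensitive file read followed by an outbound transfer. The events are constructed and already normalised to a few shared field names (ts, source, user, object), which is an assumption; the sensitive path prefixes, the file server name fs01 and the upload host files.example.net are likewise made up for the example.

```python
"""Cross-source timeline correlation for an exfiltration investigation.

Added example for this article, not Graylog's code. The events are constructed
by hand and normalised to shared field names; in practice they would come from
the parsed fields of the Windows Security log (4663 object access, 5140 network
share access), the DLP server and the web proxy. Paths and hosts are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch list of locations that hold sensitive data.
SENSITIVE_PREFIXES = ("\\\\fs01\\finance\\", "\\\\fs01\\hr\\")

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"ts": "2024-05-02T09:00:00", "source": "winsec", "event_id": 5140, "user": "mallory",
     "object": "\\\\fs01\\finance"},
    {"ts": "2024-05-02T09:01:10", "source": "winsec", "event_id": 4663, "user": "mallory",
     "object": "\\\\fs01\\finance\\payroll.xlsx", "access": "ReadData"},
    {"ts": "2024-05-02T09:01:12", "source": "winsec", "event_id": 4663, "user": "mallory",
     "object": "\\\\fs01\\finance\\q1-forecast.xlsx", "access": "ReadData"},
    {"ts": "2024-05-02T09:14:30", "source": "dlp", "user": "mallory", "policy": "Financial-Data",
     "action": "allowed", "object": "payroll.xlsx", "dest": "files.example.net"},
    {"ts": "2024-05-02T09:14:31", "source": "proxy", "user": "mallory", "method": "PUT",
     "object": "https://files.example.net/upload", "bytes": 5400000},
    # alice reads payroll as part of her job and uploads something unrelated hours later.
    {"ts": "2024-05-02T09:30:00", "source": "winsec", "event_id": 4663, "user": "alice",
     "object": "\\\\fs01\\finance\\payroll.xlsx", "access": "ReadData"},
    {"ts": "2024-05-02T16:00:00", "source": "proxy", "user": "alice", "method": "PUT",
     "object": "https://files.example.net/upload", "bytes": 90000},
    # bob uploads but never touched a sensitive location.
    {"ts": "2024-05-02T10:05:00", "source": "proxy", "user": "bob", "method": "PUT",
     "object": "https://files.example.net/upload", "bytes": 250000},
]


def is_sensitive_read(e):
    """A 4663 object-access event on a watched path."""
    return (e["source"] == "winsec" and e.get("event_id") == 4663
            and e["object"].startswith(SENSITIVE_PREFIXES))


def is_outbound_transfer(e):
    """A proxy upload, or a DLP event that let the data through."""
    return ((e["source"] == "proxy" and e.get("method") in ("PUT", "POST"))
            or (e["source"] == "dlp" and e.get("action") == "allowed"))


def user_timelines(events):
    """Group events by user and sort each user's events chronologically."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for timeline in by_user.values():
        timeline.sort(key=lambda ev: ev["ts"])
    return by_user


def correlate_exfil(events, window=timedelta(hours=1)):
    """One finding per user whose sensitive read precedes an outbound transfer by <= window."""
    findings = []
    for user, timeline in user_timelines(events).items():
        reads = [e for e in timeline if is_sensitive_read(e)]
        transfers = [e for e in timeline if is_outbound_transfer(e)]
        matched_files, matched_transfers = set(), []
        for t in transfers:
            t_ts = datetime.fromisoformat(t["ts"])
            hits = [r for r in reads
                    if 0 <= (t_ts - datetime.fromisoformat(r["ts"])).total_seconds()
                    <= window.total_seconds()]
            if hits:
                matched_files.update(r["object"] for r in hits)
                matched_transfers.append(t)
        if matched_transfers:
            findings.append({"user": user, "files": sorted(matched_files),
                             "transfers": matched_transfers, "timeline": timeline})
    return findings


def describe(finding):
    """One line per event in the user's full timeline, for the investigator's notes."""
    return [f"{e['ts']} [{e['source']}] "
            f"{e.get('event_id', e.get('method', e.get('action')))} {e['object']}"
            for e in finding["timeline"]]


if __name__ == "__main__":
    for f in correlate_exfil(SAMPLE_EVENTS):
        print(f"{f['user']}: read {f['files']} then transferred out")
        print("\n".join(describe(f)))
```

The window is the judgement call: an hour catches a smash-and-grab, while a patient insider who reads today and uploads next week needs a longer window and more sources (network share and privilege-use events from the same user) in the timeline to stand out.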
USING AUTOMATION FOR SIEM TRIAGE WITH GRAYLOG
Feeding log data into your SIEM removes the manual collection work, but the volume of data can still overwhelm security teams. When planning your log management processes, consider not just what data you collect but how you will use it. With too much data, the team is buried and misses important alerts; with too little, the events behind those alerts never reach the system at all.
With orchestration and automation, you can prioritize certain log events so that they surface risk faster. Creating Event Definitions that use Conditions lets you trigger more meaningful notifications. Graylog ships with default alert conditions and alert notifications that can be extended with plugins.
In Graylog, an Event can group similar fields, change field content, or create a new field, which enables more robust Alerting and Correlation. By leveraging automation, you collect the log data your organization needs most and put it to purposeful use in both proactive and investigative cybersecurity work.