EVERYTHING YOU WANTED TO KNOW ABOUT LOG MANAGEMENT BUT WERE AFRAID TO ASK
What’s in the LOG?
- The information you need to answer
- Who’s attacking us today? and
- How did they get access to all our corporate secrets?
Every time there is some activity in your device, it will create a LOG for you. Now the matter is how to find and analyze these LOGS.
How to find LOGS in windows device?
It depends on type of device you are using, for ex- In Windows system there is an Event Viewer. Below are the steps to view windows logs.
- Press Windows+ S to search and type “Event”
- Click on “View Event Logs”
An event viewer will be open. There you will find your windows logs. Similarly every device or application, either it is windows or cisco router creates logs.
But now the main challenge is to manage and understand these logs. If you go through these logs you will find it bit complex and in unmanaged form so there are some tools which use to create ALERTS, WARNING and REPORT on these logs EX: RSA SA, IBM Q-RADAR etc. You also can investigate through these tools on the basis of some in-built or customized rules.
How these tools work on LOGS?
Here we make some rules for ex: If an attacker tries to use Brute-Force Attack to crack password, we make a rule for multiple login failure followed by same ip / username/ password(for reverse brute-force).
It will generate a warning + alert and then you can easily investigate the case.
Similarly we can create alerts for new user creates or privileges change for non admin user etc.
SIEM A Single View of Your IT Security
SIEM is about looking at what’s happening on your network through a larger lens than can be provided via any one security control or information source.
- Your Intrusion Detection only understands Packets, Protocols & IP Addresses
- Your Endpoint Security sees files, usernames & hosts
- Your Service Logs show user logins, service activity & configuration changes.
- Your Asset Management system sees apps, business processes & owners
None of these by themselves can tell you what is happening to your business in terms of securing the continuity of your business processes… But together, they can.
SIEM is Security Information and Events management, which is nothing more than a management layer above your existing devices and security controls.
In other words SIEM is a technology connects and unifies the information contained in your existing systems, allowing them to be analyzed and cross-referenced from a single interface. The more valid information depicting your network, systems, and behavior the SIEM has the more effective it will be in helping you make effective detections, analyses, and responses in your security operations.
In next article we will discuss about how industry works with SIEM and Security Analytics.
Have something to add ?? share it in comments .
Follow us on Facebook, Google Plus and Twitter.