As a part of our SIEM Best Practices Series, today we look at how you can work towards identifying all available log sources for better monitoring efficiency. For a more holistic outlook on managing your SIEM System, check out this free resource by Advoqt, a White Paper on SIEM Best Practices.
The search party
For the execution of your security monitoring goals, it is vital to identify all the tools in your environment from which you can capture log data. Most companies will have network firewalls, proxies, intrusion detection/prevention systems, web application firewalls, wireless access controllers, network access controllers, domain controllers, Windows security logs, Windows application logs, and antivirus logs, among others.
Create a list of these sources and make sure they are all available in your SIEM. If they are not being collected, then identify what needs to be done to add those missing pieces to your security puzzle.
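A simple way to keep that list honest is to compare it against what the SIEM has actually received. The script below is an added example, not code from the original post or from Advoqt: it assumes a constructed inventory of expected sources and a constructed "last event per source" summary in the form "timestamp source count" (any SIEM can produce an equivalent query result), and reports sources that have never arrived and sources that have gone quiet, which is usually a broken forwarder rather than a quiet device.

```python
from datetime import datetime, timedelta

# Constructed inventory: every log source we expect to reach the SIEM,
# with a short description of what it is.
EXPECTED_SOURCES = {
    "fw-edge-01": "network firewall",
    "proxy-01": "web proxy",
    "ids-01": "intrusion detection/prevention",
    "dc-01": "domain controller (Windows security log)",
    "av-console": "antivirus management console",
}

# Constructed sample: what a SIEM "last event per source" query might return,
# one line per source as "<ISO timestamp> <source name> <event count>".
SAMPLE_FEED = """\
2024-03-01T10:58:00 fw-edge-01 1200
2024-03-01T10:59:30 proxy-01 455
2024-03-01T06:12:00 ids-01 3
2024-03-01T10:57:10 dc-01 88
"""


def parse_last_seen(feed):
    """Map each source name to the timestamp of its most recent event."""
    last_seen = {}
    for line in filter(str.strip, feed.splitlines()):
        ts, source, _count = line.split()
        last_seen[source] = datetime.fromisoformat(ts)
    return last_seen


def coverage_report(expected, last_seen, now, max_silence=timedelta(hours=1)):
    """Return (missing, stale).

    missing: expected sources with no events at all in the SIEM.
    stale:   expected sources whose newest event is older than max_silence,
             which usually means a broken forwarder or a changed log path.
    """
    missing = sorted(s for s in expected if s not in last_seen)
    stale = sorted(
        s for s, ts in last_seen.items()
        if s in expected and now - ts > max_silence
    )
    return missing, stale


def run_report(now_iso="2024-03-01T11:00:00"):
    """Run the check over the constructed sample at a given 'now'."""
    return coverage_report(
        EXPECTED_SOURCES, parse_last_seen(SAMPLE_FEED), datetime.fromisoformat(now_iso)
    )


if __name__ == "__main__":
    missing, stale = run_report()
    for s in missing:
        print(f"MISSING: {s} ({EXPECTED_SOURCES[s]}) has never reported")
    for s in stale:
        print(f"STALE:   {s} ({EXPECTED_SOURCES[s]}) has gone quiet")
```

Scheduling this against the real inventory turns "make sure they are all available" into a daily alert; the one-hour silence window is a placeholder and should be set per source, since a domain controller and a quarterly-audited appliance have very different normal rates.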
Setting your priorities straight
If we need to prioritize which logs are the most useful, it depends on the security goals of the company; however, some of the most critical logs come from the following sources:
- Windows security logs: These systems hold the keys to your kingdom, especially domain controllers. Everything that happens on a domain controller should be monitored. If you have enough resources to collect all access logs, do so; if the volume is too big for your SIEM, you must at the very least monitor the creation and modification of user accounts.
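The "at the very least" case in concrete terms: the detection below is an added example, not code from the original post or from Advoqt. The Windows Security event IDs it keys on (4720 account created, 4738 account changed, 4728/4732 member added to a group, and so on) are real; the log lines are constructed, flattened into key=value form by a hypothetical forwarder, and follow the Windows field names (SubjectUserName is the actor, TargetUserName the affected account, or the group for membership events, where the account is in MemberName). Beyond the single-event alerts the text asks for, it correlates an account creation with a group addition for the same account a few minutes later.

```python
import re
from datetime import datetime, timedelta

# Real Windows Security event IDs for account lifecycle changes. Only the
# constants are real; the log lines further down are constructed.
ACCOUNT_EVENTS = {
    4720: "user account created",
    4722: "user account enabled",
    4724: "password reset attempted",
    4726: "user account deleted",
    4738: "user account changed",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
}
GROUP_EVENTS = {4728, 4732}

# Constructed: events as a hypothetical forwarder might flatten them.
# 4624 (logon) is included to show that non-lifecycle events are ignored.
SAMPLE_EVENTS = """\
2024-03-01T02:13:05 host=dc-01 EventID=4720 SubjectUserName=jdoe TargetUserName=svc_tmp
2024-03-01T02:13:06 host=dc-01 EventID=4728 SubjectUserName=jdoe MemberName="CN=svc_tmp,CN=Users,DC=corp,DC=example" TargetUserName="Domain Admins"
2024-03-01T09:00:00 host=dc-01 EventID=4624 SubjectUserName=- TargetUserName=asmith
2024-03-01T09:05:00 host=dc-01 EventID=4738 SubjectUserName=helpdesk1 TargetUserName=asmith
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split '<timestamp> k=v k="v with spaces" ...' into a dict."""
    ts, _, rest = line.partition(" ")
    ev = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    ev["ts"] = datetime.fromisoformat(ts)
    ev["EventID"] = int(ev["EventID"])
    return ev


def affected_account(ev):
    """The account an event is about; group events carry it as a DN in MemberName."""
    if ev["EventID"] in GROUP_EVENTS:
        m = re.match(r"CN=([^,]+)", ev.get("MemberName", ""))
        return m.group(1) if m else ev.get("MemberName", "?")
    return ev["TargetUserName"]


def account_change_alerts(log):
    """One alert per account lifecycle event, whoever performed it."""
    alerts = []
    for line in filter(str.strip, log.splitlines()):
        ev = parse_event(line)
        desc = ACCOUNT_EVENTS.get(ev["EventID"])
        if desc is None:
            continue
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "event_id": ev["EventID"],
            "description": desc,
            "actor": ev["SubjectUserName"],
            "target": affected_account(ev),
            "group": ev["TargetUserName"] if ev["EventID"] in GROUP_EVENTS else None,
        })
    return alerts


def new_accounts_added_to_groups(alerts, window=timedelta(minutes=10)):
    """Correlate a 4720 with a 4728/4732 for the same account inside `window`.

    Each event is routine on its own; a fresh account landing in a group
    minutes after creation is the pattern that deserves a human look.
    """
    created = {a["target"]: a["ts"] for a in alerts if a["event_id"] == 4720}
    hits = []
    for a in alerts:
        if a["event_id"] in GROUP_EVENTS and a["target"] in created:
            if timedelta(0) <= a["ts"] - created[a["target"]] <= window:
                hits.append(a)
    return hits


if __name__ == "__main__":
    alerts = account_change_alerts(SAMPLE_EVENTS)
    for a in alerts:
        suffix = f" ({a['group']})" if a["group"] else ""
        print(f"{a['ts']} {a['host']} {a['event_id']} {a['description']}: "
              f"{a['actor']} -> {a['target']}{suffix}")
    for h in new_accounts_added_to_groups(alerts):
        print(f"CORRELATED: {h['target']} created and added to {h['group']} by {h['actor']}")
```

The ten-minute window is an assumption; the point is that the correlation only needs the two event types the text already asks you to collect, so it works even under the "volume too big" constraint.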
- Firewall logs: These are one of the most basic kinds of logs that companies collect, and one of the most important as well. Firewall logs show who connects where and when, so visibility over that activity may prove to be your number one priority. From these logs you can build many different use cases, such as detecting policy violations arising from the use of an insecure protocol like telnet (unencrypted administrative access), or correlating with threat intelligence to detect whether any of your endpoints are compromised with malware. NOTE: This whitepaper on Firewall Rules Management has been pivotal to improving our clients' firewall infrastructure.
- Proxy logs: When the goal is to understand user behavior, nothing is better than proxy logs. They are a rich source of information for user behavior analytics, including factors such as:
  - at what time of the day users begin and end their tasks
  - how much time they spend focused on the job versus online for personal use
  - whether they are looking for a new job.
  From a security point of view, proxy logs are an excellent source of information on connections to known malicious websites, obtained by correlating requested URLs with known phishing or malware URLs. Check out PhishIQ.Advoqt.com for a free tool to detect malicious URLs.
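The two correlation use cases named above for firewall logs (insecure protocol in use, destination on a threat-intelligence list) and for proxy logs (requested URL on a malicious-URL list) share one shape, so here is one added example covering both. It is not code from the original post or from Advoqt: the firewall and proxy log formats, the key=value layout, the telnet-only port table and the tiny threat-intel sets are all constructed assumptions standing in for whatever your devices and feed actually produce.

```python
import re
from urllib.parse import urlsplit

# Constructed threat-intel set: one IP and one host we treat as known bad.
# A real deployment loads these from the TI platform, not from constants.
BAD_IPS = {"203.0.113.77"}
BAD_HOSTS = {"login-update.example.net"}

# Destination ports of cleartext administrative protocols that policy forbids.
INSECURE_ADMIN_PORTS = {23: "telnet"}

# Constructed firewall log: "<ts> action=<allow|deny> src= dst= dport= proto=".
FIREWALL_LOG = """\
2024-03-01T10:01:02 action=allow src=10.0.5.12 dst=10.0.9.4 dport=23 proto=tcp
2024-03-01T10:01:09 action=allow src=10.0.5.12 dst=10.0.9.4 dport=22 proto=tcp
2024-03-01T10:02:44 action=allow src=10.0.7.30 dst=203.0.113.77 dport=443 proto=tcp
2024-03-01T10:03:10 action=deny src=10.0.7.31 dst=203.0.113.77 dport=443 proto=tcp
"""

# Constructed proxy log: "<ts> user=<name> status=<http status> url=<url>".
PROXY_LOG = """\
2024-03-01T10:05:00 user=asmith status=200 url=https://www.example.com/news
2024-03-01T10:06:12 user=jdoe status=200 url=http://login-update.example.net/owa/auth
2024-03-01T10:06:40 user=jdoe status=403 url=http://login-update.example.net/owa/auth
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn '<timestamp> k=v k=v ...' into a dict with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    ev = dict(KV_RE.findall(rest))
    ev["ts"] = ts
    return ev


def firewall_findings(log, bad_ips=BAD_IPS):
    """Policy violations (allowed cleartext admin) and threat-intel IP matches."""
    findings = []
    for line in filter(str.strip, log.splitlines()):
        ev = parse_kv(line)
        port = int(ev["dport"])
        if ev["action"] == "allow" and port in INSECURE_ADMIN_PORTS:
            findings.append({"rule": "insecure-protocol", "severity": "medium",
                             "ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                             "detail": f"{INSECURE_ADMIN_PORTS[port]} allowed"})
        if ev["dst"] in bad_ips:
            # An allowed connection to a listed IP suggests an infected host;
            # a denied one still tells you which host tried to reach it.
            findings.append({"rule": "threat-intel-ip",
                             "severity": "high" if ev["action"] == "allow" else "low",
                             "ts": ev["ts"], "src": ev["src"], "dst": ev["dst"],
                             "detail": f"{ev['action']} to listed IP"})
    return findings


def proxy_findings(log, bad_hosts=BAD_HOSTS):
    """Requests whose host is on the malicious-URL list, per user."""
    findings = []
    for line in filter(str.strip, log.splitlines()):
        ev = parse_kv(line)
        host = urlsplit(ev["url"]).hostname
        if host in bad_hosts:
            # A 2xx means the user actually reached the page; a 4xx is the
            # proxy doing its job but still worth attributing to the user.
            findings.append({"rule": "threat-intel-url",
                             "severity": "high" if ev["status"].startswith("2") else "low",
                             "ts": ev["ts"], "user": ev["user"], "host": host,
                             "detail": f"HTTP {ev['status']}"})
    return findings


if __name__ == "__main__":
    for f in firewall_findings(FIREWALL_LOG) + proxy_findings(PROXY_LOG):
        print(f"[{f['severity']:>6}] {f['ts']} {f['rule']}: {f['detail']} "
              f"({f.get('src') or f.get('user')} -> {f.get('dst') or f.get('host')})")
```

Matching proxy traffic on the hostname rather than the full URL is a deliberate choice: phishing pages rotate paths far faster than they rotate hosts, so host-level indicators stay useful longer.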
- DNS logs: These logs are vital when the goal is to detect advanced data exfiltration and/or malware. DNS logs will let you detect the presence of compromised hosts faster than any other logs. And the best part is that in most cases they allow you to react before it is too late.
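One reason DNS logs surface exfiltration quickly is that tunnelling tools have to encode their payload into query names, which produces a stream of long, random-looking labels under one domain. The heuristic below is an added example, not code from the original post or from Advoqt: the DNS log format is a constructed key=value layout, the "last two labels" notion of a base domain is a simplification (a real deployment would use the public suffix list), and the thresholds are assumptions to tune per environment. It scores each (client, domain) pair on the number of unique leftmost labels, their length, and their Shannon entropy.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample: DNS query log as "<ts> src=<ip> qtype=<type> qname=<name>".
# 10.0.5.12 is an ordinary client; 10.0.7.30 issues a run of long hex labels
# under one domain, the shape DNS tunnelling and exfiltration tools produce.
DNS_LOG = """\
2024-03-01T10:00:01 src=10.0.5.12 qtype=A qname=www.example.com
2024-03-01T10:00:02 src=10.0.5.12 qtype=A qname=mail.example.com
2024-03-01T10:00:03 src=10.0.7.30 qtype=A qname=www.example.com
2024-03-01T10:00:04 src=10.0.7.30 qtype=A qname=mail.example.net
2024-03-01T10:00:05 src=10.0.7.30 qtype=TXT qname=3f9a7c1e5b2d8e4f0a6c.x.example.net
2024-03-01T10:00:06 src=10.0.7.30 qtype=TXT qname=b81d4e7a2c9f035e6d1a.x.example.net
2024-03-01T10:00:07 src=10.0.7.30 qtype=TXT qname=9c2e7f4a1b8d3e5c0f6a.x.example.net
2024-03-01T10:00:08 src=10.0.7.30 qtype=TXT qname=e5a19d3c7b2f8e4a6c0d.x.example.net
2024-03-01T10:00:09 src=10.0.7.30 qtype=TXT qname=1d7e9a3b5c2f4e8d6a0b.x.example.net
2024-03-01T10:00:10 src=10.0.7.30 qtype=TXT qname=7a3e1c9f5b2d8e4a6f0c.x.example.net
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def shannon_entropy(s):
    """Bits per character; encoded payloads score well above dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def base_domain(qname):
    # Assumption: the registrable domain is the last two labels. Replace with
    # a public-suffix-list lookup before relying on this for co.uk and friends.
    return ".".join(qname.rstrip(".").split(".")[-2:])


def dns_findings(log, min_unique=5, min_entropy=3.0, min_label_len=12):
    """Flag (client, domain) pairs with many unique, long, random-looking
    leftmost labels. All three thresholds are assumptions to tune locally."""
    groups = defaultdict(list)
    for line in filter(str.strip, log.splitlines()):
        ev = dict(KV_RE.findall(line))
        labels = ev["qname"].rstrip(".").split(".")
        if len(labels) <= 2:
            continue  # bare registrable domain: nothing to score
        groups[(ev["src"], base_domain(ev["qname"]))].append(labels[0])

    findings = []
    for (src, domain), labels in groups.items():
        unique = set(labels)
        if len(unique) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(l) for l in unique) / len(unique)
        mean_len = sum(len(l) for l in unique) / len(unique)
        if mean_entropy >= min_entropy and mean_len >= min_label_len:
            findings.append({"src": src, "domain": domain,
                             "unique_subdomains": len(unique),
                             "mean_entropy": round(mean_entropy, 2),
                             "mean_label_len": round(mean_len, 1)})
    return findings


if __name__ == "__main__":
    for f in dns_findings(DNS_LOG):
        print(f"SUSPECT: {f['src']} -> {f['domain']}: {f['unique_subdomains']} unique "
              f"labels, entropy {f['mean_entropy']}, mean length {f['mean_label_len']}")
```

Counting unique labels per client rather than raw query volume matters: a busy CDN client repeats the same few names thousands of times and never trips the rule, while a tunnel never repeats itself.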
For some companies, the best approach is to implement a network probe that collects a combination of these events, everything except the Windows event logs. By collecting raw data from the network, it's easy to identify multiple kinds of threats. At Advoqt's Security Operations Center, we love to collect raw network traffic for further analysis, using a combination of open-source tools like Bro, Xplico and Suricata, plus some in-house tools built on Python Scapy.
There are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system. Our SIEM Best Practices White Paper gives you a clear roadmap. We invite you to get in touch with us to learn how we can help maximize the return on investment of your security program.