As part of our SIEM Best Practices Series, today we look at how you can identify all available log sources for more efficient monitoring. For a more holistic view of managing your SIEM system, check out this free resource from Advoqt, a white paper on SIEM Best Practices.
The search party
To execute your security monitoring goals, it is vital to identify every tool in your environment from which you can capture log data. Most companies will have network firewalls, proxies, intrusion detection/prevention systems, web application firewalls, wireless access controllers, network access controllers, domain controllers, Windows security logs, Windows application logs, and antivirus logs, among others.
Create a list of these sources and make sure they are all available in your SIEM. If some are not being collected, identify what needs to be done to add those missing pieces to your security puzzle.
Setting your priorities straight
Which logs to prioritize depends on the security goals of the company; however, some of the most critical logs come from the following sources:
- Windows security logs: These logs, especially those from domain controllers, hold the keys to your kingdom. Everything that happens on domain controllers should be monitored. If you have enough resources to collect all access logs, do so; if the volume is too big for your SIEM, you must at the very least monitor the creation of new users and the modification of existing ones. One of the simplest and most important use cases is to detect the creation of new users in your domain or of new domain administrators.
- Firewall logs: These are one of the most basic kinds of logs that companies collect and one of the most important as well. Firewall logs help you detect who connects where and when, so visibility over such activity may prove to be your number one priority. From these logs you can build many different use cases, such as a policy violation arising from the use of an insecure protocol like telnet (unencrypted administrative access), or correlation with threat intelligence to detect whether any of your endpoints are compromised with malware. Also, we found this whitepaper on Firewall Rules Management to be pivotal to improving our client’s firewall infrastructure.
- Proxy logs: When the goal is to understand user behavior, nothing beats proxy logs. They are a rich source of information for user behavior analytics and can determine factors such as:
  - at what time of day users begin and end their tasks
  - how much time they spend focused on the job versus online for personal use
  - whether they are looking for a new job
  From a security point of view, proxy logs are an excellent source of information on connections to known malicious websites, obtained by correlating them with known malicious URLs for phishing or malware.
- DNS logs: These logs are vital when the goal is to detect advanced data exfiltration and/or malware. DNS logs let you detect the presence of compromised hosts faster than any other logs, and the best part is that in most cases they allow you to react before it is too late.
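The first use case above (detecting new users and new domain administrators) as working detection logic, added here as an example that is not part of the original post or Advoqt's tooling. It assumes the SIEM forwards Windows Security events as JSON lines with the field names shown; the event IDs 4720 and 4728 are the real Windows ones, while the hostnames, usernames and sample lines are constructed.

```python
"""Flag new user accounts and new privileged-group members in Windows Security events."""
import json

# Windows Security event IDs: 4720 = user account created,
# 4728 = member added to a security-enabled global group (Domain Admins is one).
USER_CREATED = 4720
GLOBAL_GROUP_MEMBER_ADDED = 4728
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Constructed sample input: one JSON object per line, the shape a SIEM might
# forward after parsing the event XML (field names and hosts are assumptions).
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "DC01.corp.example", "TargetUserName": "jdoe", "SubjectUserName": "jdoe"}
{"EventID": 4720, "Computer": "DC01.corp.example", "TargetUserName": "svc-backup2", "SubjectUserName": "admin.jane"}
{"EventID": 4728, "Computer": "DC01.corp.example", "TargetUserName": "Domain Admins", "MemberName": "CN=svc-backup2,CN=Users,DC=corp,DC=example", "SubjectUserName": "admin.jane"}
{"EventID": 4728, "Computer": "DC01.corp.example", "TargetUserName": "Sales", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example", "SubjectUserName": "admin.jane"}
this line is not JSON and must be skipped rather than crash the detector
"""

def parse_events(text):
    """Parse JSON-lines events, skipping lines the SIEM could not structure."""
    events = []
    for line in text.splitlines():
        try:
            events.append(json.loads(line))
        except ValueError:  # json.JSONDecodeError is a ValueError
            continue
    return events

def member_cn(distinguished_name):
    """Return the CN of an LDAP DN such as 'CN=svc-backup2,CN=Users,DC=corp'."""
    first = distinguished_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first

def detect(events):
    """Return one alert per new user or new member of a privileged group."""
    alerts = []
    for ev in events:
        if ev.get("EventID") == USER_CREATED:
            alerts.append({"rule": "new_user", "user": ev["TargetUserName"],
                           "by": ev["SubjectUserName"], "host": ev["Computer"]})
        elif (ev.get("EventID") == GLOBAL_GROUP_MEMBER_ADDED
              and ev.get("TargetUserName") in PRIVILEGED_GROUPS):
            alerts.append({"rule": "new_privileged_member", "group": ev["TargetUserName"],
                           "user": member_cn(ev["MemberName"]),
                           "by": ev["SubjectUserName"], "host": ev["Computer"]})
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Running it on the sample prints two alerts: the account creation and the same account being added to Domain Admins, both attributed to the administrator who made the change.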
For some companies, the best approach is to deploy a network sensor probe that collects a combination of these events, except for Windows event logs. By collecting raw data from the network, it is easy to identify multiple kinds of threats in your network. At Advoqt’s Security Operations Center, we love to collect raw network traffic for further analysis, using a combination of open-source tools like Bro, Xplico and Suricata and some in-house tools built with Python Scapy.
Such activities are an ongoing process that will reap results in the medium and long term. But we are just scratching the surface here: there are EIGHT more aspects to consider as you work towards implementing a foolproof SIEM system, which is why we recently released our SIEM Best Practices White Paper to help you set up or revise your SIEM system. Click here to access your free copy.
Solutions for a fast-paced, large enterprise may need tailored consultation and improvisation beyond what a white paper can convey. We invite you to get in touch with us to learn how we can help maximize the benefits of your security efforts.