Source: E-generation time
This is the first part of a series of lectures on security log analysis. This first part discusses why log monitoring and analysis matter; the second part will help you understand the log data and use it to protect your network and enhance its security.
Log data can be a treasure trove of information or a data quagmire. When used to protect and improve network security, the log data of your operating systems, applications, devices, and security products can help you discover and avoid disasters in advance, and find the root cause of a security event after it occurs.
Of course, the value of log data for network security depends on two factors. First, your systems and devices must be properly configured to record the data you need. Second, you must have the appropriate tools, training, and available resources to analyze the collected data.
You cannot analyze what you don't have
Before you can analyze log data, you need to collect it. More importantly, the program or device that records the data must be configured to collect the data you need. For example, Microsoft Windows can audit many kinds of activity and record them in the Security log in Event Viewer. However, in Windows 2000 and XP, security auditing is not enabled by default, and the default audit settings of Windows Server 2003 may not meet your needs.
For Windows security audit events, you can choose to record successful attempts, failed attempts, or both. If you audit only failed attempts to access files and folders, the log will not show when a file was actually accessed. If you audit only successful logons to a user account, the log will not show you the account whose password an attacker tried and failed to guess 50 times.
Whether you are using Windows or any other device or program, you must spend some time and effort learning about its security logging capabilities in advance and set the log options appropriately for your needs. Although it seems logical to simply record everything, monitoring and recording security events increases processor load and consumes memory and disk space. You need to understand the available log options and find the best balance between recording everything and recording nothing, so that you capture the data that is valuable to you.
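The following is an added example, not part of the original lecture, showing why the success/failure audit choice above matters to the analyst later. It simulates the "Audit logon events" policy over a constructed set of Windows Security log records (the account names, workstation names and timestamps are made up) and runs the same failed-logon detector against the log each policy would produce. The event IDs 528 and 529 are the Windows 2000/XP/2003 logon success and failure IDs; nothing else here is taken from a real system.

```python
"""Effect of the Windows "Audit logon events" success/failure choice on what an
analyst can detect afterwards. Added example; the event records are constructed
for illustration and are not real log data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon event IDs in the Windows 2000/XP/2003 Security log (pre-Vista numbering;
# Windows Vista and later use 4624 and 4625 for the same events).
LOGON_SUCCESS = 528
LOGON_FAILURE = 529


def make_sample_events():
    """Constructed sample: 50 bad-password attempts against 'jsmith' from one
    workstation over about ten minutes, then one successful logon, plus some
    ordinary daytime activity from another (hypothetical) account."""
    base = datetime(2004, 3, 1, 2, 0, 0)
    events = []
    for i in range(50):
        events.append({"time": base + timedelta(seconds=12 * i),
                       "type": "Failure Audit", "event_id": LOGON_FAILURE,
                       "target_user": "jsmith", "workstation": "WKS-17"})
    events.append({"time": base + timedelta(minutes=11),
                   "type": "Success Audit", "event_id": LOGON_SUCCESS,
                   "target_user": "jsmith", "workstation": "WKS-17"})
    for hour in (8, 12, 17):
        events.append({"time": base.replace(hour=hour),
                       "type": "Success Audit", "event_id": LOGON_SUCCESS,
                       "target_user": "mlee", "workstation": "WKS-03"})
    return events


def apply_audit_policy(events, audit_success, audit_failure):
    """Simulate the audit policy: only the selected outcome types reach the log."""
    keep = set()
    if audit_success:
        keep.add("Success Audit")
    if audit_failure:
        keep.add("Failure Audit")
    return [e for e in events if e["type"] in keep]


def password_guessing_suspects(log, window=timedelta(minutes=15), threshold=10):
    """Return {account: most failed logons seen inside any `window`} for accounts
    that reach `threshold`; a sliding-window count per target account."""
    times_by_user = defaultdict(list)
    for e in log:
        if e["event_id"] == LOGON_FAILURE:
            times_by_user[e["target_user"]].append(e["time"])
    suspects = {}
    for user, times in times_by_user.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            suspects[user] = best
    return suspects


def compare_policies(events=None):
    """Run the same detection over the log each of two audit policies would leave."""
    events = make_sample_events() if events is None else events
    return {
        "success_only": password_guessing_suspects(
            apply_audit_policy(events, audit_success=True, audit_failure=False)),
        "success_and_failure": password_guessing_suspects(
            apply_audit_policy(events, audit_success=True, audit_failure=True)),
    }


if __name__ == "__main__":
    for policy, result in compare_policies().items():
        print(f"{policy:22s} -> {result or 'nothing suspicious'}")
```

With success-only auditing the detector finds nothing, because the 50 failures were never written; with both outcomes audited it reports the account under attack. The sliding window is deliberately simple; a real rule would also key on the source workstation and exclude service accounts whose failures are expected.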
Information Overload
Once you have collected the log data, the challenge is how to use it effectively. Anton Chuvakin, security strategist for netForensics in Edison, New Jersey, pointed out: "Once the technology is appropriate and logs are collected, a monitoring program needs to be implemented to evaluate the traps and possible upgrades in the action."
Network and security administrators often spend time collecting log data but never process it, or have no resources available to monitor and analyze it. Because no one monitors the log data, information about network reconnaissance or a potential attack may go unnoticed until its window of usefulness has passed.
When a security event occurs, the log data can be reviewed to determine when the event happened. In many cases, however, the amount of data to review is overwhelming. If people have not been trained or will not look at the data, there is no point in having it.
Today, tools such as Security Event Management (SEM) applications are used to monitor security events, applying logic or filters to help administrators extract meaningful data. These tools still need to be configured and used properly to be effective, and someone still needs to understand the filtered data and act on it.
Collecting mountains of event log data is useless if no trained personnel or resources monitor and analyze it. In the next lecture of this series, I will provide some tips to help you understand what this log data means and use it to protect your network and enhance its security.
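As an added illustration of the kind of "logic or filter" a SEM applies, and not code from the lecture or from any product, the example below reduces a pile of raw firewall deny lines to one meaningful alert by correlating on the source address. The log lines are constructed (RFC 5737 documentation addresses, a hypothetical host named fw1) in a netfilter-style syslog layout; the threshold and window are arbitrary starting values an administrator would tune.

```python
"""A minimal SEM-style correlation filter: many raw firewall DROP lines in,
one reconnaissance alert out. Added example with constructed log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line layout (netfilter-style syslog); adjust the pattern for your device.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<action>\w+) "
    r"IN=(?P<iface>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def make_sample_lines():
    """Constructed: one source probing 12 different ports in 12 seconds (a scan),
    and a normal client that repeatedly hits port 443 (noise the rule should ignore)."""
    lines = []
    t0 = datetime(2004, 3, 1, 2, 13, 5)
    for i, port in enumerate(range(21, 33)):
        ts = (t0 + timedelta(seconds=i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} fw1 kernel: DROP IN=eth0 SRC=203.0.113.7 "
                     f"DST=192.0.2.10 PROTO=TCP DPT={port}")
    for i in range(5):
        ts = (t0 + timedelta(seconds=3 * i)).strftime("%b %d %H:%M:%S")
        lines.append(f"{ts} fw1 kernel: DROP IN=eth0 SRC=198.51.100.4 "
                     f"DST=192.0.2.10 PROTO=TCP DPT=443")
    lines.append("Mar 01 02:13:30 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.4 "
                 "DST=192.0.2.10 PROTO=TCP DPT=443")
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; strptime defaults it, which is fine for
    # the relative comparisons done here
    rec["ts"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")
    rec["dpt"] = int(rec["dpt"])
    return rec


def detect_port_scans(lines, min_ports=10, window=timedelta(seconds=60)):
    """Flag sources whose dropped connections touch at least `min_ports` distinct
    destination ports within `window`. Returns {src: distinct_port_count}."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP":
            by_src[rec["src"]].append((rec["ts"], rec["dpt"]))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t_start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t_start <= window}
            if len(ports) >= min_ports:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


if __name__ == "__main__":
    sample = make_sample_lines()
    print(f"{len(sample)} raw lines -> alerts: {detect_port_scans(sample)}")
```

The repeated denies from 198.51.100.4 are exactly the sort of noise that buries an analyst; counting distinct ports per source, rather than raw line volume, is what turns 18 lines into the single alert worth a human's attention.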