Log data can help you detect and avoid network security disasters in advance

Source: Internet
Author: User

Log data can be a treasure trove of information or a quagmire of data. To protect and improve your network security, the log data from your operating systems, applications, devices, and security products can help you discover and head off disasters in advance, and find the root cause of a security event after the fact.


Of course, the value of log data for network security depends on two factors: first, your systems and devices must be properly configured to record the data you need; second, you must have the appropriate tools, training, and resources available to analyze the data you collect.


You cannot analyze what you don't have


Before you can analyze log data, you need to collect it. More importantly, the program or device that records the data must be configured to collect the data you need. For example, Microsoft Windows records various activities in the Security log of Event Viewer. However, in Windows 2000 and XP, security auditing is not enabled by default, and the default audit settings of Windows Server 2003 may not meet your needs.


For Windows security audit events, you can choose to record successful attempts, failed attempts, or both. If you only record failed attempts to access files and folders, the log will not show you when a file was eventually accessed successfully. If you only record successful attempts to access a user account, the log will not show you the account against which an attacker made 50 unsuccessful password guesses.


Whatever operating system, device, or program you use, spend some time and effort up front learning how its security logging works and setting the logging options to match your needs. Although it may seem logical to simply record everything, auditing and recording security events adds processor load and consumes memory and disk space. You need to understand the available logging options and find the best balance between recording everything and recording nothing, so that the data you record is the data that is valuable to you.


Information Overload


Once you have collected the log data, the challenge is using it effectively. Anton Chuvakin, security strategist for netForensics in Edison, New Jersey, pointed out: "Once the technology is appropriate and logs are collected, a monitoring program needs to be implemented to evaluate the traps and possible upgrades in the action."


Network and security administrators often spend time collecting log data but never process it, or have no resources available to monitor and analyze it. Because no one monitors the log data, signs of network reconnaissance or an impending attack may go unnoticed until the window for acting on them has closed.


When a security event occurs, you review the log data to determine when the event happened. In many cases, however, the amount of data to review is overwhelming. If the people responsible lack the technical training to review the data, or simply never look at it, having the log data serves no purpose.


Tools such as Security Event Management (SEM) applications are now used to monitor security events and apply logic or filters that help administrators extract meaningful data. However, these tools still need to be configured and used properly to be effective, and people still need to understand the filtered data and act on it.


Collecting mountains of event log data is useless if no trained personnel or resources are available to monitor and analyze it. In the next article of this series, I will provide some tips to help you make sense of log data and use it to protect your network and strengthen its security.

Log data is a valuable and practical tool for managing computers and networks. It is well worth monitoring log data proactively to find signs of suspicious activity, and analyzing it when a security event does occur.


The first step is to ensure that your systems and devices are correctly configured to audit and record events. Once the log data is being captured and stored, you need an effective workflow for reviewing and analyzing it. The following suggestions provide some guidance and help ensure that you use your log data as effectively and fully as possible.


1. Regularly check log data


Although log data is very effective as evidence in court after a security event, such an event might never have happened if the log data had been analyzed regularly.


Establish a workflow that defines how often the collected log data is reviewed and analyzed. Regularly analyzing the massive amounts of log data collected by the various applications and devices throughout the network helps identify and diagnose faults, and may reveal an attack in progress.


2. View log information with an open eye


A common error in log data analysis is to look only for known events or error entries. However, much of the valuable content in log data is found in entries that appear normal or benign on the surface. By reviewing these entries with an open eye, you may find signs of suspicious activity; if you only look at error entries, those signs are likely to be missed.


If log review focuses only on finding known malicious activity, any new threats or attacks against customers will be overlooked.
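The two points above (record both successes and failures, and look at entries that appear normal) can be shown in a few lines of analysis. The following is an added example, not code from the article; the key=value log format, the sample entries, the field names, and the "business hours" window are all constructed for the illustration:

```python
"""Review of constructed logon audit events: why both success and failure
events must be recorded, and why 'normal looking' entries deserve a look.
Added example; the log format and all entries below are made up."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified key=value format (an assumption; real
# Windows Security log entries do not look like this). It contains a run of
# failed logons for 'admin' followed by a success from the same source.
SAMPLE_LOG = """\
2004-03-12T09:02:11 event=logon outcome=success user=alice src=10.0.0.15
2004-03-12T09:05:40 event=logon outcome=success user=bob src=10.0.0.16
2004-03-12T23:41:02 event=logon outcome=failure user=admin src=10.0.0.77
2004-03-12T23:41:05 event=logon outcome=failure user=admin src=10.0.0.77
2004-03-12T23:41:09 event=logon outcome=failure user=admin src=10.0.0.77
2004-03-12T23:41:12 event=logon outcome=failure user=admin src=10.0.0.77
2004-03-12T23:41:16 event=logon outcome=failure user=admin src=10.0.0.77
2004-03-12T23:41:20 event=logon outcome=success user=admin src=10.0.0.77
2004-03-13T08:55:30 event=logon outcome=success user=alice src=10.0.0.15
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    stamp, *fields = line.split()
    event = {"time": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def success_after_failures(events, min_failures=3):
    """Successful logons preceded by at least min_failures consecutive
    failures for the same user from the same source: the pattern of a
    password that was eventually guessed. Invisible if only successes
    are audited, because the failure streak is never recorded."""
    streak = defaultdict(int)
    hits = []
    for event in events:
        key = (event["user"], event["src"])
        if event["outcome"] == "failure":
            streak[key] += 1
            continue
        if streak[key] >= min_failures:
            hits.append((event["user"], event["src"], streak[key], event["time"]))
        streak[key] = 0
    return hits


def off_hours_successes(events, start_hour=22, end_hour=6):
    """Successful logons outside the (assumed) business day. These are not
    errors and look perfectly normal, which is exactly why a review that
    only reads failure entries never sees them."""
    return [
        event for event in events
        if event["outcome"] == "success"
        and (event["time"].hour >= start_hour or event["time"].hour < end_hour)
    ]


def review(text):
    """Run both checks against a full audit trail, then against the trail
    as it would look under a success-only or failure-only audit policy."""
    events = parse_log(text)
    success_only = [e for e in events if e["outcome"] == "success"]
    failure_only = [e for e in events if e["outcome"] == "failure"]
    return {
        "guessed_full_audit": success_after_failures(events),
        "guessed_success_only": success_after_failures(success_only),
        "off_hours_full_audit": off_hours_successes(events),
        "off_hours_failure_only": off_hours_successes(failure_only),
    }


if __name__ == "__main__":
    for name, result in review(SAMPLE_LOG).items():
        print(f"{name}: {len(result)} finding(s)")
```

Against the full trail both checks fire on the admin account; with success-only auditing the guessed password is invisible, and with failure-only auditing the off-hours logon is invisible. The same idea applies to file and folder access events, where a failure-only policy hides the access that eventually succeeded.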


3. View data through a common lens


Devices and applications throughout the network collect log data. Unfortunately, there is no common format or method for recording and displaying event information.


For accurate comparison, some form of conversion is needed; that is, the log data must be "normalized". Once the data has been reduced to a common set of fields, it is easy to analyze the network as a whole rather than as separate log entries. In this way, you can better prioritize how you handle and respond to the problems detected.
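What normalization buys you is easiest to see with a few records from different devices. The following added example (not code from the article, and not the output of any real SEM product) parses three constructed log formats, a syslog-style firewall line, a comma-separated Windows-style audit export, and a web server access line, into one common record, then ranks source addresses by how many different devices reported a negative outcome for them. The formats, host names, addresses, the assumed year for the syslog lines, and the assumption that all clocks are in UTC are all made up for the illustration:

```python
"""Normalizing three constructed log formats into common records so that
events from different devices can be analyzed as a whole and prioritized.
Added example; formats, hosts, addresses and timestamps are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed samples. Each is a simplified stand-in for a real format.
FIREWALL_LOG = """\
Mar 12 23:40:58 fw01 kernel: DROP SRC=10.0.0.77 DST=10.0.0.5 PROTO=TCP DPT=445
Mar 12 23:41:30 fw01 kernel: ACCEPT SRC=10.0.0.15 DST=10.0.0.5 PROTO=TCP DPT=80
"""
WINDOWS_LOG = """\
2004-03-12 23:41:02,SRV01,Security,Failure Audit,529,admin,10.0.0.77
2004-03-12 23:41:20,SRV01,Security,Success Audit,528,admin,10.0.0.77
"""
WEB_LOG = """\
10.0.0.77 - - [12/Mar/2004:23:42:10 +0000] "GET /admin/ HTTP/1.0" 401 512
10.0.0.15 - - [12/Mar/2004:23:42:12 +0000] "GET /index.html HTTP/1.0" 200 2048
"""

SYSLOG_YEAR = 2004          # syslog lines carry no year; assumed for the sample
WEB_HOST = "www01"          # the access log names no host; assumed
NEGATIVE = {"failure", "blocked", "denied"}   # outcomes worth prioritizing


def parse_firewall(line):
    m = re.match(r"(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (\w+) "
                 r"SRC=(\S+) DST=\S+ PROTO=\S+ DPT=(\d+)", line)
    if not m:
        return None
    stamp, host, action, src, dport = m.groups()
    return {"time": datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
            "host": host, "source": "firewall",
            "outcome": "blocked" if action == "DROP" else "allowed",
            "src_ip": src, "user": None, "detail": f"{action} to port {dport}"}


def parse_windows(line):
    parts = line.strip().split(",")
    if len(parts) != 7:
        return None
    stamp, host, log, audit, event_id, user, src = parts
    return {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "host": host, "source": "windows",
            "outcome": "failure" if audit.startswith("Failure") else "success",
            "src_ip": src, "user": user, "detail": f"{log} event {event_id}"}


def parse_web(line):
    m = re.match(r'(\S+) \S+ \S+ \[([^\]]+)\] "([^"]+)" (\d{3}) \d+', line)
    if not m:
        return None
    src, stamp, request, status = m.groups()
    status = int(status)
    # Timezone offset dropped: all sample clocks are assumed to be UTC.
    return {"time": datetime.strptime(stamp.split()[0], "%d/%b/%Y:%H:%M:%S"),
            "host": WEB_HOST, "source": "web",
            "outcome": "denied" if status in (401, 403) else "success",
            "src_ip": src, "user": None, "detail": f"{request} -> {status}"}


DEFAULT_SOURCES = [(parse_firewall, FIREWALL_LOG),
                   (parse_windows, WINDOWS_LOG),
                   (parse_web, WEB_LOG)]


def normalize_all(sources):
    """Parse every (parser, text) pair into common records, time-ordered."""
    records = []
    for parser, text in sources:
        for line in text.splitlines():
            record = parser(line) if line.strip() else None
            if record:
                records.append(record)
    records.sort(key=lambda r: r["time"])
    return records


def prioritize(records):
    """Rank source IPs by the number of distinct devices that reported a
    negative outcome for them, then by total negative events. A source seen
    misbehaving by several devices outranks one noisy on a single device."""
    devices, count = defaultdict(set), defaultdict(int)
    for r in records:
        if r["outcome"] in NEGATIVE:
            devices[r["src_ip"]].add(r["host"])
            count[r["src_ip"]] += 1
    return sorted(((ip, len(devices[ip]), count[ip]) for ip in devices),
                  key=lambda t: (t[1], t[2]), reverse=True)


if __name__ == "__main__":
    timeline = normalize_all(DEFAULT_SOURCES)
    for r in timeline:
        print(r["time"], r["host"], r["outcome"], r["src_ip"], r["detail"])
    print("priority:", prioritize(timeline))
```

Read as three separate logs, each device shows one unremarkable denied event; read as one normalized timeline, 10.0.0.77 is blocked by the firewall, fails and then succeeds a logon on SRV01, and is refused on the web server within two minutes, which is what puts it at the top of the priority list.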


Processing log data is hard work. Logs contain precious diamonds of information, but you have to dig through a lot of dirt to find them. The sheer volume of log data makes effective use of it a seemingly insurmountable challenge. Tools such as a SEM (security event manager) can help you find the data. However, without a defined process for using log data, and without trained personnel able to analyze it effectively and respond to what they find, the log data is useless.
