Many organizations use automated audit reporting tools. Most systems, for example, are capable of producing many different types of audit logs. These logs detail various types of activity throughout the system, including security data. Examples include the following:
Failed authentication attempts
Technical policy changes
Account changes
Privileged use
Traditionally, the challenge is managing the voluminous amount of data these systems generate. The problem is further compounded by the number and variety of systems across an organization. The components within the seven domains of a typical IT infrastructure, for example, are all capable of producing audit trails or log data. Making matters more difficult, an event generated in one domain is likely to contribute to other events being generated in the other domains. Yet when this data is stored and managed in silos, correlating events is difficult and may be impossible.
Fortunately, automated solutions are available and in use by many organizations. These solutions aggregate all of this data centrally and provide mechanisms to correlate, alert, and report on it, distilling meaningful information from otherwise huge amounts of raw log data. From an organizational perspective, automated audit reporting tools or security information and event management (SIEM) solutions help simplify compliance, improve security, and optimize IT operations. Specific examples include the following:
Meeting compliance regulations requiring the retention and review of audit records
Identifying security incidents, such as policy violations and fraudulent activity
Diagnosing and preventing operational problems
Conducting forensic analysis
Establishing operational, security, and performance baselines and being able to identify new trends and problems
Reporting on historical data
Table 6-4 provides a sample taxonomy of the data collected and the events associated with each category. Security operations should regularly review this data, from which meaningful information can be extracted. Additionally, operations should leverage programmatic alerts and correlation rules to help identify suspicious activity.
TABLE 6-4 Types of log data and information the data might reveal.

| Data Category | Common Events | Suspicious Activities Revealed |
|---|---|---|
| Computer performance | Resource usage, errors, availability, shutdowns, and restarts | Unauthorized use, compromised systems, denial of service (DoS) attacks |
| Network performance | Traffic load, errors, network interface status, network scans | DoS and distributed denial of service (DDoS) attacks, information-gathering activities as a precursor to an actual attack |
| Users | Logon and logoff data, privilege use and modifications, failed system access attempts | Brute-force attacks on passwords, compromised accounts, privilege abuse |
| Applications | Application-specific events depending on type, such as web servers, firewalls, databases, remote access servers, and Domain Name System (DNS) servers | Attempts to exploit vulnerabilities, brute-force attacks, information-gathering activities as a precursor to an actual attack, DoS attacks |
| File system | Access to data, changes to access control lists, changes to file properties, file additions, and file deletions | System compromise, privilege abuse |
Audit and logging systems need to be maintained to support efficient analysis of events. Whereas a single failed logon, for example, might not be a cause for concern, many rapid failed logon attempts should be. Maintaining and managing audit logs through these systems also gives the organization an effective mechanism for responding to audit requests. This, of course, provides an auditor with a trove of available data to support the evidence-gathering process. Auditors can take, for example, a representative sample of logs from the various systems across the IT infrastructure to ensure that automatically audited events comply with the stated policies and procedures.
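The kind of correlation rule described above, as an added Python example that is not part of the original text: it counts failed logons per account in a sliding window across centrally aggregated records from several hosts, so that one failure never alerts while a rapid burst does, and the `only_host` parameter shows how the same burst goes unnoticed when each system's logs are examined in isolation. The record format, host names, sample lines, threshold and window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, as if already aggregated centrally from a web
# server, a VPN appliance and a database host. The field format is hypothetical.
SAMPLE_LOGS = [
    "2024-03-01T09:00:01 host=web01 src=10.0.0.5 user=alice event=auth_fail",
    "2024-03-01T09:00:03 host=web01 src=10.0.0.5 user=alice event=auth_fail",
    "2024-03-01T09:00:04 host=vpn01 src=10.0.0.5 user=alice event=auth_fail",
    "2024-03-01T09:00:06 host=web01 src=10.0.0.5 user=alice event=auth_fail",
    "2024-03-01T09:00:08 host=vpn01 src=10.0.0.5 user=alice event=auth_fail",
    "2024-03-01T09:00:09 host=web01 src=10.0.0.5 user=alice event=auth_ok",
    "2024-03-01T10:15:00 host=db01 src=10.0.0.9 user=bob event=auth_fail",
    "2024-03-01T11:15:00 host=db01 src=10.0.0.9 user=bob event=auth_fail",
]

LINE_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) src=(?P<src>\S+) "
                     r"user=(?P<user>\S+) event=(?P<event>\S+)")

def parse(line):
    """Parse one aggregated line into a dict; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec

def correlate_failed_logons(lines, threshold=5, window=timedelta(seconds=60), only_host=None):
    """Alert when one account accumulates >= threshold failed logons within `window`,
    counted across every host (or only `only_host`, to mimic a siloed view)."""
    records = sorted((r for r in map(parse, lines) if r), key=lambda r: r["ts"])
    recent = defaultdict(list)   # user -> failures still inside the sliding window
    alerts = []
    for rec in records:
        if rec["event"] != "auth_fail" or (only_host and rec["host"] != only_host):
            continue
        bucket = recent[rec["user"]]
        bucket.append(rec)
        while rec["ts"] - bucket[0]["ts"] > window:   # expire failures older than the window
            bucket.pop(0)
        if len(bucket) >= threshold:
            alerts.append({"user": rec["user"], "count": len(bucket),
                           "hosts": sorted({r["host"] for r in bucket}),
                           "sources": sorted({r["src"] for r in bucket}),
                           "first": bucket[0]["ts"].isoformat(),
                           "last": rec["ts"].isoformat()})
            bucket.clear()   # one alert per burst, not one per additional failure
    return alerts
```

With the constructed data, the centralised view raises a single alert for `alice` spanning both `web01` and `vpn01`, while a per-host view of either system alone stays silent.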