Your logs are full of information and have a lot to tell you. Log review is often seen as a control that only large organisations attempt to implement, but businesses of all sizes can benefit from looking at their logs in some form. The key is to avoid procrastination and do something rather than nothing.
As documented in this year's Verizon Data Breach Investigations Report, fewer than 15% of breaches were identified by the breached companies themselves, even though they all likely had the evidence within their logs. The majority were informed by other parties, including partners and law enforcement.
Clearly, looking at logs has great value, but where to start? SANS has produced an excellent paper, The 6 Categories of Critical Log Information, which describes 6 categories of reports to look at and explains why and how they can be implemented:
- Authentication and Authorization Reports
- Systems and Data Change Reports
- Network Activity Reports
- Resource Access Reports
- Malware Activity Reports
- Failure and Critical Error Reports
When looking at logs, I use a simple test for whether an entry matters from a security point of view. Does the evidence suggest:
1. Harm being carried out?
2. An attempt to cause harm?
3. A deviation from the norm?
The first two are pretty obvious; an antivirus alert is a good example of both. A deviation from the norm is more of an early warning: for example, are your logs filling up more quickly than normal, which could indicate an attack? Or are network responses slower than usual?
As I said in the introduction, log management should not be the preserve of enterprises; everyone can benefit. The key is to access your logs by whichever means is easiest, e.g. get emails from your AV, spend 5 minutes per day looking at your firewall log, or write a simple parser for your web server logs. The more time you spend looking at your logs, the more you'll see, and not just from a security point of view.
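As an added example (not code from the original post) of the "simple parser for your web server logs" suggested above, this Python script buckets Apache/nginx combined-format lines by minute and applies the third test, a deviation from the norm: it flags a minute whose request volume is well above the median minute (the log filling up faster than usual) or whose share of 4xx/5xx responses is high. The sample log lines, the thresholds and the function names are constructed assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real traffic): three
# quiet minutes, then a minute with a burst of 404s from one client, plus one junk line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 1412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:57:48 +0000] "GET /contact HTTP/1.1" 200 980 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:58:01 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:58:02 +0000] "GET /old-page-1 HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:58:02 +0000] "GET /old-page-2 HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:58:03 +0000] "GET /old-page-3 HTTP/1.1" 404 196 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:13:58:03 +0000] "GET /old-page-4 HTTP/1.1" 404 196 "-" "curl/8.0"
not a log line at all
"""

# Leading fields of a combined-format line: client, identd, user, [timestamp], "request", status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def parse_line(line):
    # Return (minute bucket, status code), or None for a line that does not parse.
    m = LINE_RE.match(line)
    return (m["ts"][:17], int(m["status"])) if m else None  # "10/Oct/2023:13:55" = minute

def minute_stats(log_text):
    # Count total requests and 4xx/5xx responses for each minute, skipping junk lines.
    per_minute = defaultdict(lambda: {"total": 0, "errors": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, status = parsed
        per_minute[minute]["total"] += 1
        per_minute[minute]["errors"] += 1 if status >= 400 else 0
    return dict(sorted(per_minute.items()))

def find_deviations(stats, volume_factor=3.0, error_ratio=0.5):
    # Flag minutes whose request count exceeds volume_factor x the median minute (the
    # log "filling up more quickly than normal") or whose error share reaches error_ratio.
    baseline = statistics.median(s["total"] for s in stats.values())
    alerts = []
    for minute, s in stats.items():
        if s["total"] > volume_factor * baseline:
            alerts.append((minute, "volume", s["total"]))
        if s["total"] and s["errors"] / s["total"] >= error_ratio:
            alerts.append((minute, "error-ratio", s["errors"]))
    return alerts
```

Run `find_deviations(minute_stats(open("access.log").read()))` against a real access log, and tune the two thresholds to your own site's normal traffic before trusting the alerts.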