Learning Objectives
Learners will be able to…
Identify what network devices are used for log ingestion
Differentiate between an event, an alert, and an incident
Identify the software used to centralize network log monitoring
Make Sure You Know
You do not need any prior knowledge before starting this assignment.
Limitations
This is a general overview of logging and monitoring, as well as how security events become security alerts.
Network Security
Enterprise Network Security
A network consists of many devices that aid in providing network logging and monitoring, including routers, switches, firewalls, intrusion detection systems (IDS), intrusion prevention systems (IPS), VPN gateways, and end devices. Those devices can be either hardware or software installed on the network. A log is a record of events or actions that have occurred on a system; for example, a log provides data about user login attempts (both failed and successful), user account activity (account creation, deletion, and modification), software changes, websites visited, etc. Network devices generate logs that can be used for monitoring, troubleshooting, and security analysis. Here are some examples of network devices that typically generate logs that are then sent to a centralized monitoring system in real time:
The image shows a series of circles in a hub-and-spoke
configuration. At the center is SIEM/SOAR. Around the center
circle are smaller ones labeled “Firewalls”, “IDS/IPS”, “WAPs”,
“End Devices”, “Load Balancers”, “VPN Gateways”, “Routers”,
and “Switches”.
Routers: Routers are devices that connect multiple networks and direct
traffic between them. They generate logs that include information
about network traffic, routing decisions, and configuration changes.
Switches: Switches are devices that connect multiple devices on a network and allow them to communicate with each other. They generate logs that include information about network activity, such as port utilization, MAC addresses, and VLAN activity.
Firewalls: Firewalls are devices that control network traffic based on
predefined security rules. They generate logs that include information
about network traffic, security policy violations, and threat
detection.
Intrusion Detection Systems and Intrusion Prevention Systems
(IDS/IPS): IDS/IPS devices monitor network traffic for signs of
suspicious activity and generate alerts or logs when potential threats
are detected. IPSs not only detect but also prevent potential threats
from occurring.
Load Balancers: Load balancers are devices that distribute network
traffic across multiple servers or data centers. They generate logs
that include information about network traffic, server utilization,
and load balancing decisions.
VPN Gateways: VPN gateways are devices that provide secure remote
access to a network. They generate logs that include information about
VPN connections, authentication, and traffic flow.
Wireless Access Points (WAPs): WAPs are devices that provide wireless access to a network. They generate logs that include information about wireless clients, signal strength, and network usage.
End Devices: End devices are the devices that people interact with directly, such as laptops, desktop computers, printers, copiers, and cell phones. They generate logs about user login attempts, user account modifications, software changes, command line executions, and file deletion.
Ingesting Data
SIEM Log Ingested Data
Here is an example showing the different network devices used for log
ingestion into a SIEM, along with the count of events each device has
generated:
The image shows seven different logs being ingested into a SIEM.
In the example shown, Active Directory logs (adidaspsv1), badge logs (badgesv1), router logs (cisco_router1), email server logs (mailsv1), and three web server logs (www1, www2, www3) are being ingested into Splunk Enterprise, a popular SIEM tool. Which logs are ingested depends on the architecture of the network, so each enterprise will differ in which devices send logs to the SIEM and in the naming convention used for those devices.
Overall, the logs generated by network devices can provide valuable insights into network activity, performance, and security, and enterprises can use log data to detect and respond to security incidents, troubleshoot network issues, and optimize network performance.
Logging
Security Event Logging
Security event logging is the process of collecting and storing records of
security-related events that occur on a computer system. Here are some
examples of the types of logs that can be generated by computer systems
and applications.
The image shows four different types of events: System,
Application, Security, and Network. System events could be an
application failing to start or crashing. Application events could
be the number of web requests sent to the server. Security
events could be a failed login attempt. A network event could be
the loss of connectivity to a router.
So how do those logs make it to a centralized system? Log collectors are
tools or systems that collect, store, and analyze log data from various
devices in an organization’s IT environment. They are typically used to
centralize log data from multiple devices and applications, making it easier
to monitor and analyze activity across the organization’s infrastructure.
Log collectors are an important part of an organization’s overall security
and IT operations strategy. They can provide valuable insights into network
activity, performance, and security, allowing organizations to quickly detect
and respond to potential threats or issues.
Monitoring
Security Event Monitoring
Security event monitoring is the process of actively and continuously
monitoring computer systems and networks for security-related events and
anomalies. The goal of security event monitoring is to detect and respond
to security threats in a timely manner, before they can cause significant
damage to the organization.
As enterprise network devices log network activity, that information is sent to a centralized monitoring system, for example a SIEM. Logs are then processed, based on pre-configured rules, to determine whether they represent a security event, an alert, and/or an incident. A security event is any occurrence within an information system that has the potential to impact the security of the system. Examples of security events include failed/successful password attempts, the creation or modification of user accounts, changes to system configurations, and network traffic. An event provides details about everything that is occurring on the network and can be normal activity or unauthorized activity.
Events
SIEM Events
Here is an example of events generated within Splunk Enterprise:
The image shows the Splunk Enterprise tool. In the search bar, a "*" wildcard was entered. The results show all of the events in the system.
A wildcard (*) is used in the search bar to show all events over the last 24 hours. Events may contain data such as the time the event occurred, the end user, IP addresses (both source and destination), system information, and general information about the kind of event.
A security alert is a notification generated by a security system that indicates a potential security issue or threat. Alerts are generated based on predefined rules or thresholds that are set by the organization’s security team. For example, an alert may be generated when a user attempts to log in with incorrect credentials multiple times, indicating a possible brute-force attack.
Alert Creation
SIEM Alert Creation
Here is an example of an alert being created in Splunk Enterprise:
The image shows the Splunk Enterprise tool as it collects details
about an alert. Fields such as title and description contain
information about the alert.
Certain information is required when creating an alert such as a title, a
search query, permissions, the type of alert, triggered conditions, actions to
be taken when it is triggered, along with setting the severity of the alert.
Security events will still be ingested, showing everything happening on the network, and can provide additional information when investigating alerts. Alerts are mainly triggered based on a sequence of events happening. For example, one event detailing a failed login attempt most likely will not trigger an alert, but multiple failed login attempts will trigger an alert.
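The threshold rule described above (single failures stay events, a burst of failures becomes an alert), written out as an added Python example rather than a Splunk alert from the original page. The log format, the user names, the IP addresses and the 5-failures-in-5-minutes threshold are constructed for illustration and are not taken from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# timestamp, outcome, user, source IP. Every line is an "event".
SAMPLE_EVENTS = [
    "2024-01-15T09:00:05 LOGIN_FAILED user=alice src=10.0.0.7",
    "2024-01-15T09:00:20 LOGIN_FAILED user=alice src=10.0.0.7",
    "2024-01-15T09:00:41 LOGIN_FAILED user=alice src=10.0.0.7",
    "2024-01-15T09:01:02 LOGIN_FAILED user=alice src=10.0.0.7",
    "2024-01-15T09:01:15 LOGIN_FAILED user=alice src=10.0.0.7",
    "2024-01-15T09:03:00 LOGIN_SUCCESS user=alice src=10.0.0.7",
    "2024-01-15T09:10:00 LOGIN_FAILED user=bob src=10.0.0.9",      # one failure: event only
    "2024-01-15T09:45:00 LOGIN_SUCCESS user=bob src=10.0.0.9",
    "2024-01-15T10:00:00 LOGIN_FAILED user=carol src=10.0.0.12",   # five failures, but
    "2024-01-15T10:20:00 LOGIN_FAILED user=carol src=10.0.0.12",   # spread 20 min apart
    "2024-01-15T10:40:00 LOGIN_FAILED user=carol src=10.0.0.12",
    "2024-01-15T11:00:00 LOGIN_FAILED user=carol src=10.0.0.12",
    "2024-01-15T11:20:00 LOGIN_FAILED user=carol src=10.0.0.12",
]

def parse_event(line):
    """Turn one raw log line into a structured event dictionary."""
    ts, outcome, user_kv, src_kv = line.split()
    return {"time": datetime.fromisoformat(ts), "outcome": outcome,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}

def failed_login_alerts(lines, threshold=5, window_seconds=300, severity="medium"):
    """Alert rule: at least `threshold` LOGIN_FAILED events for the same user and
    source within a sliding window of `window_seconds`. Returns one alert per
    (user, src) pair, raised the moment the threshold is first crossed."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)   # (user, src) -> timestamps of failures still in the window
    alerts, alerted = [], set()
    for ev in sorted((parse_event(l) for l in lines), key=lambda e: e["time"]):
        if ev["outcome"] != "LOGIN_FAILED":
            continue
        key = (ev["user"], ev["src"])
        # keep only failures that fall inside the window ending at this event
        bucket = [t for t in recent[key] if ev["time"] - t <= window] + [ev["time"]]
        recent[key] = bucket
        if len(bucket) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"title": "Multiple failed login attempts",
                           "user": ev["user"], "src": ev["src"], "count": len(bucket),
                           "first": bucket[0], "last": ev["time"], "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in failed_login_alerts(SAMPLE_EVENTS):
        print(alert)
```

With the default 5-minute window only alice's burst becomes an alert; carol's slow, spread-out failures stay individual events until the window is widened, which is why the window and the threshold are both part of the rule.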
Triggered Alert
SIEM Triggered Alert
Here is an example of a list of triggered alerts in Splunk Enterprise, based on the pre-defined conditions we set in the previous example:
The image shows several alerts for multiple failed login
attempts.
As alerts are triggered, they are then investigated by Tier I SOC Analysts to
determine whether an attempt by a malicious actor is being made to access
the network or if an authorized user just simply forgot their password.
A security incident is a security alert that has been confirmed as a real and
actionable threat to the organization’s information systems or data.
Incidents require further investigation and response by the organization’s
security team. Examples of security incidents include malware infections,
installation of unauthorized software, data breaches, port scans, and
unauthorized access to sensitive information. After a Tier I SOC Analyst determines that an alert is a security incident, they escalate that incident to a Tier II SOC Analyst for further investigation. The Tier II SOC Analyst will either close the alert based on their findings or confirm the Tier I SOC Analyst's findings and provide additional information for further escalation to a Security Engineer or, in a SOCaaS environment, to the customer. The severity of the incident will determine response times for investigation and eventual closure of the incident.
To summarize, a security event is a potential security issue, a security alert
is a notification of a potential issue, and a security incident is a confirmed
and actionable threat. It’s important for organizations to have processes in
place for detecting and responding to security events, alerts, and incidents
to minimize the impact of security threats on their operations and data.