4.4.2 Activities
Log aggregation, alerting, scanning, archiving.
Security monitoring and logging activities encompass the systematic collection, evaluation, and protection of system data to ensure organizational visibility and accountability.
Log Aggregation and SIEM Centralizing data from disparate sources is essential for identifying complex attack patterns that span multiple systems. - Log Aggregation: The process of gathering logs from various hosts (servers, firewalls, endpoints) into a single console. This reduces the burden of manual "per-box" inspections. - SIEM (Security Information and Event Management): A tool that provides real-time analysis of security alerts. SIEMs facilitate Correlation, which links seemingly unrelated events (like a failed login on a workstation followed by a database export) to identify a single incident. - Log Collectors: Specialized agents or services that forward local events to a centralized SIEM or syslog server. - Time Synchronization: Ensuring all devices use NTP (Network Time Protocol) so that log timestamps match, which is critical for incident reconstruction and forensics.
Alerting and Thresholds Automated notifications ensure that security personnel can respond to anomalies without constant manual monitoring. - Alerting: The proactive notification triggered by specific events. Alerts should be tuned to avoid False Positives (benign activity flagged as malicious) and Alert Fatigue. - Thresholds: Defined limits that trigger actions. For example, a "5 failed logins in 1 minute" threshold might trigger a lockout or an administrator alert. - Reporting: The scheduled summary of activities used for compliance, trend analysis, and executive overviews.
Scanning and Discovery Continuous assessment identifies vulnerabilities and unauthorized changes within the environment. - Vulnerability Scanning: Automated probes used to find missing patches, misconfigurations, or known weaknesses. - Network Reconnaissance: Using utilities (like Nmap or IP scanners) to discover active hosts and open ports on a subnet. - Log Analysis: The activity of parsing logs to find "indicators of compromise" (IoCs) that automated tools might miss.
Archiving and Log Integrity Logs must be preserved and protected to maintain their value as evidence and for regulatory compliance. - Retention Policy: Defining how long logs are kept based on legal or business requirements. - WORM (Write Once, Read Many): Storage media used to prevent the alteration or deletion of log data. - Separation of Duties: A critical administrative control where the person who manages the system (Administrator) is not the same person who reviews the logs (Auditor). This prevents an admin from performing unauthorized actions and سپس deleting the digital trail. - Hiding the Evidence: Attackers often attempt to clear logs to stay persistent; archiving logs to a remote, read-only server prevents this.
Quick recall - SIEM: Centralized tool for log aggregation, correlation, and alerting. - NTP: Essential for maintaining a consistent timeline across logs. - Separation of Duties: Prevents an admin from erasing their own tracks in a log file. - Correlation: The SIEM logic that links multiple events into one security incident. - False Positive: A legitimate action mistakenly identified as a threat.