Cyber Defense eMagazine May 2019
Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
• Wherever possible, send all logs to a centralized log aggregator – make it the known sense of<br />
truth. If you can, try to have your logs on a dedicated resource. That is to say, don’t use your SIEM as a<br />
log aggregator, rather send all logs to the aggregator and have them forward to the SIEM (and whatever<br />
other resources you need logs from).<br />
• Ensure everything is logging. Applications, operating systems, and network/appliance traffic. Log<br />
successes as well as failures. Be careful not to over log though. I’ve seen ambitious logging projects<br />
collapse miserably because they simply became overwhelmed with amounts of data they had not<br />
projected for. By throttling back from verbose logging to a more targeted approach they were able to get<br />
back on track.<br />
• Ensure all sensitive logs are encrypted in transmission. If an attacker can sit on the wire and read<br />
your logs, they will be able to pick your bones clean.<br />
• Be sure to spec your log storage devices (and budgets) properly – and plan for expansion. Logs<br />
can be large, even with little activity. Anyone who has ever sat watching a Wireshark capture on a<br />
Windows network will tell you that operating system is extremely chatty. It’s surprising how much disk<br />
space you can chew up at a fast clip. Don’t size your log storage for current consumption, but also for<br />
projected growth.<br />
• At a minimum grab authentication events, security related events, device errors, database or file<br />
actions, and other critical pieces of information required to grab a minimal picture of what is happening<br />
on all machines.<br />
• Pick a log format and stick with it. If you can, try to have all logs recorded in a common format.<br />
This makes parsing and searching much easier for all concerned.<br />
• Make sure your logs are redundant, backed up, and recoverable. By this I mean:<br />
<br />
<br />
<br />
make sure your logs are able to fail over to another system if your main aggregator fails<br />
make sure you make frequent backups, with copies being stored off site<br />
make sure you can recover your logs; finding out you can’t during a legal discovery<br />
process isn’t a place you want to find yourself in<br />
• Pick a strategy that will best suit your needs. How frequently do you need to access logs, and<br />
how far back are your average searches going? Your budget and operational requirements will drive your<br />
decision making process.<br />
• Ensure all devices are syncing their time to the same common source. Timestamp disparities are<br />
an analyst’s nightmare, and render logs as potentially useless for investigative or legal use.<br />
• IT/networking teams can very often be helpful in selling costs to the management, or even sharing<br />
budget, as effective logs are also very effective troubleshooting tools. When something breaks, it usually<br />
shows up in the logs pretty quickly. Wherever possible, make logging a shared vision between teams.<br />
82