Event Log, Audit Log and Syslog messages have always been a good source of troubleshooting and diagnostic information, but the need to back up audit trail files to a centralized log server is now a mandatory component of many governance standards. Contemporary SIEM solutions need to be:

- flexible enough to cater for all devices, operating systems, platforms, databases and applications
- sufficiently scalable to cope with thousands of devices generating millions of events
- intelligent, correlating events and identifying true security incidents only, so resources can focus on genuine threats and attacks.

This is an introductory 'Top Ten of Audit Trail and Event Log Monitoring'.

1. Security Standards and Corporate Governance Compliance Policies such as PCI DSS and GCSx CoCo require logging mechanisms and the ability to track user activities, as they are critical in preventing, detecting, or minimizing the impact of a data compromise. Other policies such as FISMA, Sarbanes Oxley, NERC CIP, ISO 27000 and HIPAA all benefit from a means of centralizing audit log events to identify security incidents.

2. The state of the art in Audit Log Correlation technology provides automated configuration assessment, proactively testing and assessing a server environment against preconfigured, out-of-the-box policies, helping to enable a minimal deployment window. The best solutions leverage industry standards, specifically benchmarks from the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and the Defense Information Systems Agency (DISA). These benchmarks include thousands of configuration assessments, enabling automatic, sustainable policy compliance testing for FISMA.

3. Security standards such as PCI DSS and GCSx CoCo mandate the need to track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong. Determining the cause of a compromise is very difficult without system activity logs. A central event log analyzer is the best option to use.

4. It is vital that your system for centralizing audit log trails is robust and comprehensive. PCI DSS requires that your audit trail history is retained for at least one year, with at least 3 months of history available for immediate access. The best audit-log tracking software solutions provide real-time indexing of logs with instant keyword search and correlation facilities.

5. While Unix and Linux hosts can forward audit trail and system events using syslog, Windows servers do not have an in-built mechanism for forwarding Windows Events, and it is necessary to use an agent to convert Windows Event Logs to syslog. The Windows Events can then be collected centrally using your audit log server. Similarly, applications using Oracle or SQL Server, or bespoke or non-standard applications, do not use syslog to forward events, and it is necessary to use an agent to forward events from these applications. Finally, if you are using an IBM z/OS mainframe or AS/400 system you will need further agent technology to centralize event and audit log messages.

6. Audit trail history must be securely stored in order to prevent retrospective editing or any tampering. The PCI DSS requires that audit trails are promptly backed up to a centralized log server or media that is difficult to alter. The best centralized log server solutions employ file-integrity monitoring for the log backup files so that any modifications can be detected and alerted.

7. Firewalls (Checkpoint, McAfee Sidewinder, Juniper, Netscreen, Cisco ASA, Nokia), Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), routers, RADIUS accounting and authorization services, vulnerability scanning solutions such as Retina eEye, Nessus and other Pen Testing solutions, wireless routers and switches all natively generate syslog messages to report a range of events, from low-level informational logs through to critical events.

8. Syslog messages are defined in RFC 3164, which is officially known as the BSD Syslog Protocol. Syslog messages are sent using UDP on port 514 by default, although different ports can be used. Syslog messages use a range of Facility Codes and Severity Codes. The Facility Codes range from 0 to 23 and determine the message type. The Severity Codes range from 0 to 7 as follows:

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

9. The Security Incident and Event Management or SIEM market, as defined by Gartner, covers the advanced generation of solutions that not only harvest audit logs and provide centralized log server functions but also parse event log messages and analyze event logs as they are stored. This allows event logs to be correlated to identify hacker activity and attack patterns and to notify IT security teams. The best SIEM systems employ a range of artificial intelligence capabilities to recognize threat signatures by cross-referencing events from IPS, IDS and RADIUS systems, Anti-Virus, Host Integrity Monitoring systems, File Integrity Monitoring software, Firewalls and Active Directory, and by watching for classic hacker activity such as deletion of log files and "brute force" hacks, where repeated or sequential logon failures or bad password events will be generated.

10. The goal for any SIEM solution is to provide comprehensive log harvesting, automatically filtering out all 'information only' or 'normal operation' events while placing a spotlight on a manageable list of genuine, serious attack patterns or security incidents. Even a medium-sized enterprise can have thousands or hundreds of thousands of events generated by devices in its infrastructure, so a properly implemented SIEM system is invaluable.
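The file-integrity monitoring described in item 6 can be reduced to a hash manifest of the archived log files that is re-checked on a schedule. The following Python is an added example written for this page, not code from the original article or from any product it names: it builds a SHA-256 manifest of a directory of log backups, then re-verifies the directory and reports files that were modified, deleted or added since the manifest was taken. The log files and their contents are constructed inside a temporary directory for the demo.

```python
"""File-integrity monitoring for archived log files (added example)."""
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # stream files in 64 KiB chunks so large archives need not fit in memory


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its digest.

    In a real deployment the manifest itself must live somewhere the log host
    cannot write to (a separate host or write-once media), otherwise an intruder
    who edits a log can simply recompute the manifest.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current directory state with a stored manifest.

    Returns {'modified': [...], 'deleted': [...], 'added': [...]}; all three
    lists empty means the archive is unchanged.
    """
    current = build_manifest(root)
    report = {"modified": [], "deleted": [], "added": []}
    for name, digest in manifest.items():
        if name not in current:
            report["deleted"].append(name)
        elif current[name] != digest:
            report["modified"].append(name)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo() -> dict:
    """Construct a small archive, snapshot it, tamper with it, and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample log backups (content is made up for the demo).
        (root / "2009-01-01.log").write_text("Jan  1 00:00:01 fw1 kernel: link up\n")
        (root / "2009-01-02.log").write_text("Jan  2 03:14:15 fw1 sshd: accepted login\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        assert clean == {"modified": [], "deleted": [], "added": []}

        # Simulate retrospective editing, deletion of a day's log, and a planted file.
        (root / "2009-01-02.log").write_text("Jan  2 03:14:15 fw1 sshd: nothing happened\n")
        (root / "2009-01-01.log").unlink()
        (root / "2009-01-03.log").write_text("planted\n")
        return verify_manifest(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Each finding maps to an alert the log server should raise: a modified digest is the "retrospective editing" PCI DSS warns about, a deletion matches the log-wiping activity described in item 9, and an unexpected addition is worth a look because nothing but the collector should be writing into the archive.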
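Item 8 gives the severity table but not how a collector recovers facility and severity from a message on the wire. In RFC 3164 the message starts with a PRI field, `<N>`, where N = facility * 8 + severity, followed by a TIMESTAMP, a HOSTNAME and a TAG. The Python below is an added example written for this page, not the article's own code or any vendor's parser: it decodes the PRI, extracts the header fields when present, rejects out-of-range or zero-padded PRI values, and falls back gracefully on messages that carry no header, which RFC 3164 explicitly allows. The two sample messages are the ones given in RFC 3164 section 5.4; the abbreviated facility names are this example's own.

```python
"""Decoding RFC 3164 (BSD syslog) messages (added example)."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Severity names as listed in RFC 3164 and in item 8 above.
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]

# Abbreviated names for facility codes 0..23 (RFC 3164 Table 1).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# RFC 3164 forbids leading zeros in PRI: "<0>" is valid, "<034>" is not.
PRI_RE = re.compile(r"^<(0|[1-9]\d{0,2})>(.*)$", re.DOTALL)
# TIMESTAMP is "Mmm dd hh:mm:ss" with a space-padded day, then HOSTNAME.
HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.DOTALL)
# TAG is up to 32 alphanumerics, optionally "[pid]", terminated by ':'.
TAG_RE = re.compile(r"^([A-Za-z0-9_./-]{1,32})(?:\[(\d+)\])?:\s?(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    timestamp: Optional[str]
    hostname: Optional[str]
    tag: Optional[str]
    pid: Optional[int]
    content: str

    @property
    def facility_name(self) -> str:
        return FACILITIES[self.facility]

    @property
    def severity_name(self) -> str:
        return SEVERITIES[self.severity]


def decode_pri(pri: int) -> Tuple[int, int]:
    """Split PRI into (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return divmod(pri, 8)


def parse(raw: str) -> SyslogMessage:
    """Parse one RFC 3164 message; header fields are None when absent."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing or malformed <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    rest = m.group(2)

    timestamp = hostname = None
    h = HEADER_RE.match(rest)
    if h:  # a relay would normally insert these if missing; we just report None
        timestamp, hostname, rest = h.groups()

    tag = pid = None
    t = TAG_RE.match(rest)
    if t:
        tag, pid_text, rest = t.groups()
        pid = int(pid_text) if pid_text else None

    return SyslogMessage(facility, severity, timestamp, hostname, tag, pid, rest.rstrip("\r\n"))


if __name__ == "__main__":
    for sample in ("<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
                   "<13>Feb  5 17:32:18 10.0.0.99 Use the BFG!"):
        msg = parse(sample)
        print(msg.facility_name, msg.severity_name, msg.hostname, msg.tag, msg.content)
```

The strict PRI check matters more than it looks: a collector that silently accepts `<034>` or `<999>` will file messages under the wrong facility or severity, and a rule keyed on "Critical" events would then miss them. Note also that nothing in RFC 3164 authenticates the HOSTNAME field, so the source address recorded by the UDP receiver should be stored alongside it.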
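Item 9 names repeated or sequential logon failures as a classic pattern a SIEM should correlate, and item 10 says normal-operation events should be filtered out rather than shown. The Python below is an added example written for this page, not the article's own code or any SIEM product's rule engine: it applies a sliding-window rule to constructed sample events, raising one alert when a source address accumulates THRESHOLD failed logons within WINDOW, suppressing duplicate alerts for the same burst, and flagging a successful logon that follows such a burst, since that is the case an analyst most needs to see. The event line format, hostnames and addresses are invented for the demo.

```python
"""Correlating repeated logon failures into a single alert (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

THRESHOLD = 5                   # failed logons from one source ...
WINDOW = timedelta(seconds=60)  # ... inside this window raise one alert

# Made-up normalised event format (not any vendor's): ISO timestamp, host,
# result, user and source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<result>FAILED_LOGON|LOGON) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample events: a burst from 203.0.113.7, a normal logon by alice,
# two isolated failures hours apart from 198.51.100.5, and one unparsable line.
SAMPLE_LOG = """\
2009-03-01T10:00:01 srv1 FAILED_LOGON user=admin src=203.0.113.7
2009-03-01T10:00:02 srv1 FAILED_LOGON user=admin src=203.0.113.7
2009-03-01T10:00:02 srv1 LOGON user=alice src=198.51.100.5
2009-03-01T10:00:03 srv1 FAILED_LOGON user=root src=203.0.113.7
2009-03-01T10:00:05 srv1 FAILED_LOGON user=admin src=203.0.113.7
2009-03-01T10:00:09 srv1 FAILED_LOGON user=oracle src=203.0.113.7
2009-03-01T10:00:12 srv1 FAILED_LOGON user=admin src=203.0.113.7
2009-03-01T10:00:20 srv1 LOGON user=admin src=203.0.113.7
2009-03-01T11:30:00 srv1 FAILED_LOGON user=bob src=198.51.100.5
2009-03-01T12:45:00 srv1 FAILED_LOGON user=bob src=198.51.100.5
this line is not in the expected format
"""


def correlate(lines: Iterable[str], threshold: int = THRESHOLD,
              window: timedelta = WINDOW) -> Tuple[List[dict], int]:
    """Return (alerts, unparsed_line_count) for a stream of event lines.

    Events are assumed to arrive in time order, as they do from a collector
    that timestamps on receipt.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()              # sources that already produced a brute-force alert
    alerts: List[dict] = []
    unparsed = 0

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1  # count, never silently drop: parser gaps hide attacks
            continue
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        q = recent[src]
        while q and ts - q[0] > window:  # expire failures older than the window
            q.popleft()

        if m["result"] == "FAILED_LOGON":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "brute_force", "src": src,
                               "failures": len(q), "at": m["ts"]})
        elif src in flagged and q:
            # A success while failures are still inside the window: possible
            # guessed password, the event that most needs a human's attention.
            alerts.append({"rule": "success_after_brute_force", "src": src,
                           "user": m["user"], "at": m["ts"]})
        # Any other successful logon is 'normal operation' and is not surfaced.

    return alerts, unparsed


if __name__ == "__main__":
    found, skipped = correlate(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print(f"{skipped} line(s) could not be parsed")
```

Eleven input lines produce two alerts and one parse failure. The threshold and window are the tuning knobs: too low and service accounts with expired passwords generate noise, too high and a slow guessing campaign stays under the radar, which is why the same rule is often run with a second, longer window.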