The Importance of Logging and Monitoring in CISSP Domain 6
To Download the FREE PDF of MindMaps
Your information will remain 100% private. Unsubscribe with 1 click.
Hey I’m Rob Witcher, and I’m here to help YOU pass the CISSP exam. I am going to walk you through a review of the major topics in Domain 6, specifically focusing on logging and monitoring.
This is the third of three mind map videos for domain 6. I have included links to the other MindMap videos in the description below.
Log Review & Analysis
In a penetration test we identify potential vulnerabilities, and then we attempt to exploit them. To verify if the vulnerability truly exists and can be exploited, and thus eliminating false positives. Vulnerability assessments tend to be faster and more automated but generate far more false positives. Penetration tests are slower and more manual, and have a much higher likelihood of negatively impacting a system, but they provide a much clearer picture of the security of a system.
Errors. If we see for example that our webserver is generating many Error 404 – file not found messages, this is a clear indication that something is broken and needs to be fixed on the web-server.
Modifications – more specifically, unauthorized modifications. It is not uncommon for attackers to exploit a vulnerability to break into a system, and then patch that vulnerability behind themselves – after they have installed something like a backdoor. Therefore, looking for unauthorized patching of a system may be an indication of a breach.
And of course from a security perspective, one of the main things we are monitoring for is if any of our systems have been breached: being used for crypto currency mining, or data exfiltration is occurring or if we are about to have a bad time with ransomware.
As I mentioned, one of the major challenges is the plethora of devices and systems that can generate log data across an organization, and the volume of event data that they can produce. It is very much the challenge of looking for a needle in a haystack. Accordingly, we need to use systems that automate many of the tasks and analysis required for logging and monitoring.
If we are performing a vulnerability assessment, then we skip execution and go straight to reporting. In a pen test however, the execution step is where we attempt to exploit any vulnerabilities we have identified. Actually break-in to a system.
Security Information and Event Management (SIEM)
These systems are commonly referred to a SIMs - Security Information and Event Management systems.
Before we can begin feeding data into a SIM system, we first need to enable logging on devices across the environment so that we are generating log data.
Limiting log file size
Something we have to be careful about though is limiting log file sizes on these endpoint devices – such as firewalls, routers, switches, etc. Many of these devices can generate a lot of data but have very limited onboard storage to store this log data. We therefore need a couple of methods to limit log files sizes.
Circular overwrite is the idea that you set a maximum log file size, say 10mb of 10,000 lines and then begin writing log event data. When the system reaches that maximum, then it will circle back to the top of the log file and begin overwriting until it reaches for max file size again, and circles back yet again. Rinse & repeat.
Clipping levels are about setting a threshold. Below the threshold, log nothing, above the threshold, begin logging. For example, we typically don’t care about one or two failed login events – we all mistype our password occasionally. But 10 failed login attempts in quick succession, or 50, or 10,000. We definitely care about that. Someone is trying to brute force a password. So, we could set the threshold at say 3 failed login attempts. Below 3, nothing is logged. 3 or more, we log it.
Another important consideration when generating log data is the timestamps for each log event
We need consistent timestamps. We need timestamps in the same format: say year, month, day, and 24 hour clock. This way we can more easily correlate events from different system because they have consistent timestamps
Network Time Protocol (NTP)
We also need the clocks in all our systems across the environment to by synchronized. It is very difficult to trace how and attacker traversed a network if one system’s clock is 3 seconds slower, another is 5 seconds fast, another’s date is sent to 1979. There is a protocol we can use to synchronize all our system clocks: NTP – network time protocol.
When a log event is generated on any device in the environment, we want to transmit that event data in Realtime to our SIM system
Collection / Aggregation
Our SIM system collects and aggregates all this event data from across the environment in one central system
Next the SIM system will normalize the data. Clean up the event data from disparate devices so that all the data, the variables, are comparable.
So that the SIM system can now analyze all the event data that is pouring in to look for that proverbial needle in the haystack. The SIM system will apply various analysis techniques such as event correlation, statistical models, rules, etc. to look for errors and anomalies.
SIM systems will also retain log event data for long-term storage to enable longitudinal analysis and tracking, and to meet contractual or regulatory requirement for log retention.
And finally, when event data no longer needs to be retained, it can be securely and defensibly destroyed.
Continuous Monitoring or sometimes referred to as Continuous Security Monitoring (CSM) is the process where an organization identifies all their systems, identifies the risks associated with each system, applies the appropriate controls to mitigate the risks, and then continuously monitors the controls to assess their effectiveness against the ever changing threats landscape.
And that is an overview of logging and monitoring from a security perspective.
If you found this video helpful you can hit the thumbs up button and if you want to be notified when we release additional videos in this MindMap series, then please subscribe and hit the bell icon to get notifications.
I will provide links to the other MindMap videos in the description below.
Thanks very much for watching! And all the best in your studies!