In cybersecurity monitoring and detection there is a vast number of possible log sources, and knowing which ones matter and which to collect can be a daunting task.
Rather than covering all of them, this article details a few critical log sources you should monitor.
Before we dive into it, we’ll cover the basics of log management.
What is Log Management?
Logs are records generated by the systems and devices in your organization's network. They document events that happen on servers, firewalls, workstations, and so on, and supply information on a wide range of activity across the environment. A log source is any device, system, application, or network that produces them.
Log management is a fundamental IT and security practice. It centralizes data into one location and supports several governance, risk, and compliance requirements that include log collection, monitoring, analysis, and reporting.
Having a log management software solution, like a SIEM, to centralize data makes it easier for cybersecurity teams to access the information they need to make decisions.
Let’s take a look at a few log sources.
Firewall Logs
Firewalls monitor and control the traffic entering and leaving the environment they protect, and every firewall can log how each connection was handled. From these logs you can obtain the source and destination IP addresses, ports, and protocol of traffic crossing your network boundary, and whether the firewall allowed or denied it.
Firewall logging is valuable because it reveals incoming threats, such as scans and blocked connection attempts against exposed services. Just as important, it records outbound connections from internal assets, so a workstation that suddenly connects to an unknown external host on a fixed schedule, or is repeatedly blocked from reaching unusual ports, stands out as potentially compromised.
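The outbound-connection checks described above, as an added example that is not code from the original article: it parses a constructed, generic key=value firewall export (not any vendor's real format), flags internal hosts that connect to the same external host and port at near-constant intervals (beaconing), and lists internal hosts whose outbound connections were denied. The sample log lines, the `is_internal` prefix rule, and the thresholds are all assumptions for illustration.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a generic key=value layout (not a real vendor
# format): timestamp action src dst dport proto. Two hosts talk to the
# internet; one of them does so every 60 seconds like clockwork.
SAMPLE_FW_LOG = """\
2024-05-01T10:00:00Z action=allow src=10.0.0.15 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T10:00:02Z action=allow src=10.0.0.22 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T10:01:00Z action=allow src=10.0.0.15 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T10:01:30Z action=deny src=10.0.0.22 dst=198.51.100.7 dport=445 proto=tcp
2024-05-01T10:02:00Z action=allow src=10.0.0.15 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T10:03:00Z action=allow src=10.0.0.15 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T10:04:00Z action=allow src=10.0.0.15 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T10:04:10Z action=allow src=10.0.0.22 dst=198.51.100.7 dport=443 proto=tcp
2024-05-01T10:05:00Z action=allow src=10.0.0.15 dst=203.0.113.9 dport=443 proto=tcp
2024-05-01T10:09:45Z action=allow src=10.0.0.22 dst=198.51.100.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_fw_log(text):
    """Turn the constructed export into a list of dicts with typed fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not a connection record
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def is_internal(ip):
    """Assumed address plan for the example: two RFC 1918 prefixes."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def find_beacons(events, min_hits=5, max_jitter=0.2):
    """Return ((src, dst, dport), mean_gap_seconds) for allowed outbound flows
    that recur at near-constant intervals. Jitter is stdev/mean of the gaps
    between successive connections; real implants add jitter, so the threshold
    is a tuning knob, not a constant."""
    flows = defaultdict(list)
    for e in events:
        if e["action"] == "allow" and is_internal(e["src"]) and not is_internal(e["dst"]):
            flows[(e["src"], e["dst"], e["dport"])].append(e["ts"])
    beacons = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            beacons.append((key, round(mean)))
    return beacons


def denied_outbound(events):
    """Map internal host -> set of destination ports the firewall blocked it
    from reaching. A workstation blocked on SMB or Telnet to the internet is a
    classic early sign of compromise."""
    hits = defaultdict(set)
    for e in events:
        if e["action"] == "deny" and is_internal(e["src"]) and not is_internal(e["dst"]):
            hits[e["src"]].add(e["dport"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_fw_log(SAMPLE_FW_LOG)
    print("beacons:", find_beacons(evs))
    print("denied outbound:", denied_outbound(evs))
```

On the constructed data, 10.0.0.15 is reported as beaconing to 203.0.113.9:443 every 60 seconds, while 10.0.0.22 is reported for a blocked outbound SMB attempt; the second host's three irregular HTTPS connections fall below the minimum hit count and are not flagged.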
Proxy Server Logs
Proxy server logs record the web requests made by users and applications on your network, including automated traffic such as software updates.
Proxy logs contain a wealth of information for detecting suspicious activity.
Examples of data you can extract from proxy logs are the domain or URL being accessed, the client and destination IP addresses, the network port, the user agent, and the file name requested from a website. One straightforward way to use this information for threat detection is to match the IPs, domains, and URLs against known malicious indicators and patterns.
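The indicator-matching approach described above, as an added example that is not code from the original article: it parses a constructed proxy access log (a simple space-separated layout, not a particular proxy vendor's format) and checks each request against a small set of constructed indicators: a blocked domain (matched including subdomains), a blocked IP, URL patterns, a scripted user agent, and executable file downloads. The sample lines, the indicator lists, and the reason labels are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy access log: timestamp client_ip method url status bytes "user_agent"
SAMPLE_PROXY_LOG = """\
2024-05-01T09:12:01Z 10.0.0.15 GET http://example.com/index.html 200 5120 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
2024-05-01T09:12:05Z 10.0.0.15 GET http://cdn.evil-updates.example/pkg/loader.exe 200 884213 "Mozilla/5.0 (Windows NT 10.0) Firefox/125.0"
2024-05-01T09:12:09Z 10.0.0.22 POST http://203.0.113.9/gate.php 200 312 "python-requests/2.31"
2024-05-01T09:12:30Z 10.0.0.31 GET https://updates.vendor.example/patch.msi 200 10240 "Windows-Update-Agent"
2024-05-01T09:13:00Z 10.0.0.22 GET http://203.0.113.9/gate.php?cmd=whoami 200 120 "python-requests/2.31"
"""

PROXY_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d+) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed indicators for the example; in practice these come from a threat
# intelligence feed and are refreshed continuously.
IOC_DOMAINS = {"evil-updates.example"}          # matches the host and any subdomain
IOC_IPS = {"203.0.113.9"}
IOC_URL_PATTERNS = [re.compile(r"/gate\.php"), re.compile(r"[?&]cmd=")]
SUSPICIOUS_UA = re.compile(r"^(python-requests|curl|wget)/", re.I)
EXEC_EXT = (".exe", ".dll", ".ps1", ".hta", ".scr")


def domain_matches(host, blocklist):
    """True if host equals a blocked domain or is a subdomain of one.
    Plain substring matching would wrongly hit 'notevil-updates.example'."""
    return any(host == d or host.endswith("." + d) for d in blocklist)


def scan_proxy_log(text):
    """Return one alert per request that matches at least one indicator, with
    the list of reasons so an analyst can see what tripped."""
    alerts = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        r = m.groupdict()
        parts = urlsplit(r["url"])
        host = parts.hostname or ""            # lower-cased by urlsplit
        filename = parts.path.rsplit("/", 1)[-1]
        reasons = []
        if domain_matches(host, IOC_DOMAINS):
            reasons.append("ioc-domain")
        if host in IOC_IPS:
            reasons.append("ioc-ip")
        if any(p.search(r["url"]) for p in IOC_URL_PATTERNS):
            reasons.append("ioc-url-pattern")
        if SUSPICIOUS_UA.search(r["ua"]):
            reasons.append("scripted-user-agent")
        if filename.lower().endswith(EXEC_EXT):
            reasons.append("executable-download")
        if reasons:
            alerts.append({"ts": r["ts"], "client": r["client"],
                           "host": host, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(a)
```

On the constructed log the legitimate update traffic from 10.0.0.31 produces nothing, the executable pulled from a subdomain of the blocked domain is flagged on two counts, and both requests from 10.0.0.22 to the blocked IP are flagged for the IP, the URL pattern, and the scripted user agent.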
DNS Logs
The Domain Name System (DNS) translates domain names into IP addresses. It is vital for the internet to function and provides a hierarchy of names for computers, networks, and services.
Attackers use DNS for data theft and other malicious activity, which is why DNS logs deserve close monitoring. They record the client IP, the records requested, and DNSSEC signing status, and this detail is what lets you identify an attack in progress.
Common DNS attacks include tunneling (smuggling data out in the query names themselves), hijacking, and cache poisoning.
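A detection for the tunneling case named above, as an added example that is not code from the original article: it parses a constructed DNS query log (a simple timestamp/client/type/name layout, not the BIND or Windows DNS format) and, per registered domain, measures how long, how random, and how unique the subdomain labels are. Tunneling tools encode data into query names, which makes those labels long, high-entropy, and almost never repeated, often over record types such as TXT. The sample lines, thresholds, and the two-label `registered_domain` shortcut are assumptions for illustration.

```python
import math
import re
from collections import defaultdict

# Constructed DNS query log: timestamp client_ip query_type query_name
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:00Z 10.0.0.15 A www.example.com
2024-05-01T10:00:01Z 10.0.0.15 AAAA www.example.com
2024-05-01T10:00:02Z 10.0.0.22 TXT 3a8f1e9c4b2d7a6e5f0c9b8a7d6e5f4c.tun.example.net
2024-05-01T10:00:03Z 10.0.0.22 TXT 9b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e.tun.example.net
2024-05-01T10:00:04Z 10.0.0.22 TXT c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6.tun.example.net
2024-05-01T10:00:05Z 10.0.0.22 TXT 0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c.tun.example.net
2024-05-01T10:00:06Z 10.0.0.22 TXT 5a4b3c2d1e0f9a8b7c6d5e4f3a2b1c0d.tun.example.net
2024-05-01T10:00:07Z 10.0.0.15 A mail.example.com
2024-05-01T10:00:08Z 10.0.0.31 A cdn.example.org
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def registered_domain(qname):
    """Last two labels of the name. This is a simplification: a production
    version should use the Public Suffix List so 'example.co.uk' is one domain."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; hex-encoded data scores near 4, words well below 3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dns_tunnel_suspects(text, min_queries=5, min_avg_len=30, min_avg_entropy=3.0):
    """Group queries by registered domain and flag domains whose subdomain
    labels are long and high-entropy across many queries. The returned stats
    (unique subdomains, share of uncommon record types) support triage."""
    per_domain = defaultdict(list)
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        q = m.groupdict()
        dom = registered_domain(q["qname"])
        sub = q["qname"].rstrip(".").lower()[: -len(dom)].rstrip(".")
        per_domain[dom].append((sub, q["qtype"]))
    suspects = []
    for dom, entries in per_domain.items():
        if len(entries) < min_queries:
            continue
        subs = [s.replace(".", "") for s, _ in entries]
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        rare = sum(1 for _, t in entries if t in ("TXT", "NULL", "CNAME", "MX"))
        if avg_len >= min_avg_len and avg_entropy >= min_avg_entropy:
            suspects.append({
                "domain": dom,
                "queries": len(entries),
                "unique_subdomains": len(set(subs)),
                "avg_subdomain_len": round(avg_len, 1),
                "avg_entropy": round(avg_entropy, 2),
                "rare_type_ratio": round(rare / len(entries), 2),
            })
    return suspects


if __name__ == "__main__":
    for s in dns_tunnel_suspects(SAMPLE_DNS_LOG):
        print(s)
```

On the constructed log only example.net is reported: five queries, five distinct 35-character hex-looking labels, all over TXT. Ordinary names such as www and mail are short and low-entropy and never cross the thresholds, so a legitimate CDN with many hosts would be separated from a tunnel mainly by the entropy and uniqueness measures rather than by volume alone.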
Log Management and SIEM
As mentioned above, log management tools collect and centralize data. Security Information and Event Management (SIEM) tools build on that foundation: they correlate events across sources to identify threats and shorten response time in the event of a security incident.
Log management tools and SIEMs differ. A SIEM includes automated security event correlation and threat detection, whereas log management only centralizes and stores log files.
It’s crucial to understand the features and capabilities of both types of tools prior to choosing one over the other, or deciding to use both.
A log management tool makes sense if you only need an IT tool to manage resources and troubleshoot network or application outages. A SIEM makes sense for security monitoring and compliance.
If you’re unsure of where to start, contact Sedara today.