Pass your certification exam. Faster. Guaranteed.

Log Management Transcription

Welcome to our log management module. It is important to review log files and audit them for accountability. They can provide you with a historical record of all the events that have occurred on your systems and on your network. It is very important to manage your logs appropriately. Even administrators should only have read only access to your log files.

There is no reason that an administrator would need to modify a log, because that would be tampering with your audit trail. They should also not be permitted to delete logs because commonly attackers will delete log files to hide their tracks. So no one in the organization should be permitted to modify or delete logs.

It is important that you have a process in place for creating, storing, transmitting, analyzing and disposing of your computer security log data. Syslog is a standard for central log file storage and allows you to take logs from several different systems and store them in one location. We can see at the bottom here based on our scale that managing log files can be difficult.

Your log management resources need to be balanced against your continuous supply of log data. You will most likely have limited resources but you will constantly increase the amount of logs that you maintain. So you will have to come up with a process of managing this properly. For the CISSP examination you should remember that administrators should have read only access to log files.

And you should also remember that Syslog is a standard for centrally restoring log files from several different systems. You can increase your efficiency by centrally restoring logs in order to make it easier to analyze them. You can combine logs from your security software and devices such as web proxies, routers and firewalls, your intrusion detection systems and intrusion protection systems, your authentication servers and so on.

You can also record logs from your individual systems, the events that have occurred on those systems, and your audit records. You should also perform some synthetic transactions. Synthetic transactions are basically attacks that you create to test to see if there is a vulnerability that can be exploited or to see if a specific action is actually logged.

Or to determine if an administrator even knows that you took a specific action. You could have a problem where your network intrusion detection system or intrusion prevention system is blind to a certain type of attack. So it is important to test different styles of attacks to make sure that the system responds appropriately.

And if it does not, that system either needs to be improved or replaced. Security information and event management systems or SIMS are used to correlate and analyze logs and events from multiple different sources within your enterprise. These logs can be from your devices, such as routers or intrusion detection systems, or from pieces of software or systems in your organization.

It can provide almost real time alerting features, just like in intrusion detection system would. SIM is the combination of two separate log file reporting and recording technologies. S-I-M, System Information Management Technologies are designed to process and handle the storage of your event data and your logs, kind of like Syslog.

And SEM, or event management tools are designed for the real time reporting of events, and alerting to your administrators or to a counsel. SIM's are similar to intrusion detection systems. However, they generate alerts based on the analysis of log data from different systems, where an intrusion detection system would just generate alerts based off of your network traffic.

SIMs can detect additional attacks, because they can combine the network traffic, along with log files from individual systems, and determine that a problem is occurring. It is important that you have policies and procedures in place to manage your log files. These policies should clearly define your goals and requirements, and they should define who is responsible for generating, transmitting, storing, analyzing, and ultimately disposing of the log files.

It is very important that you require the logging of critically important data. You require gathering information to prove your compliance with regulations and applicable laws. And also you should recommend logging other types of data if you have the resources available. All of this information can be helpful in the event that an incident occurs or for detecting the fact that an incident is occurring.

You should configure your log's sources and monitor the logging status to make sure that everything is working properly. You do not want to learn when an incident occurs that your logging has not been working for the last six months. So it's important to monitor to make sure the logs are functioning, at least on a weekly basis.

You should train your administrators to perform log analysis, so that they can look for anomalies or other problems in your network. You should manage the storage of your logs and make sure that the logs are properly rotated and archived. For the CISSP examination, you should remember that your log management policies should require the logging of critical data, require you to gather information to prove your compliance, and that you should also log other types of data if you have the resources available.

It is important to protect your log files, because attackers will usually try to either delete the logs or scrub them, removing specific information. In order to cover their tracks and make it look like they did not access your system. The only individuals that should have any access to your log files should be your administrators.

And they should only have read access. They should not be able to delete or modify the logs. You need to make sure that you have administrative, physical and technical controls in place to protect your logs. In order to simplify the process of storing and archiving logs, many organizations will store their log files centrally and Syslog is the most common storage solution for this.

The integrity of your logs can be protected with hashing algorithms, digital signatures, and host- based intrusion detection systems or intrusion prevention systems. You can protect the confidentiality of your logs and make sure that unauthorized individuals are not able to view them by encrypting the log files. You should archive the logs to write once media, such as DVDs or CDs or even Blu-ray discs.

And these discs should be stored securely in either a safe or other type of secure storage so that only authorized individuals can get to them. By archiving your logs on a monthly basis, for example, you will prevent an attacker from accessing your system and deleting all of the log files.

And since the disks are write once, no one will be able to modify the data on the discs by burning to them a second time. This is why you should not use re-writable discs. This concludes our log management module. Thank you for watching.