Understanding Security Logs and SIEM

Dec 29, 2024

Lecture Notes: Security-Related Information in Log Files

Overview

  • Log files store extensive security-related information on servers, devices, and network components.
  • Logs include blocked/allowed traffic flows, exploit attempts, URL categories, and DNS sinkhole traffic.

Firewall Logs

  • Firewalls monitor internal and external traffic, providing:
    • Source and destination IP addresses
    • Port numbers
    • Traffic flow disposition (allowed or blocked)
    • Application information (Next-Generation Firewalls)
    • URL categories and anomalies
  • Each traffic flow records time, date, source IP, destination IP, and application used.
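A small parser over the fields listed above, added here as an illustration and not part of the original lecture notes. The log format (`src=... dst=... dport=... action=... app=...`) and the sample lines are constructed for the example and do not correspond to any real vendor's firewall; the point is to show how the per-flow fields (time, date, source, destination, port, disposition, application) are extracted and then summarized the way a SIEM would, including a simple heuristic that flags a source whose blocked flows touched many different destination ports.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical key=value firewall log format.
# Each line carries the fields the notes list: date/time, source and
# destination IP, destination port, disposition, and (NGFW) application.
# One malformed line is included to show that unparseable input is skipped.
SAMPLE_FIREWALL_LOG = """\
2024-12-29 10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=443 action=allow app=ssl
2024-12-29 10:00:02 src=203.0.113.5 dst=192.0.2.10 dport=80 action=allow app=web-browsing
2024-12-29 10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=22 action=deny app=ssh
2024-12-29 10:00:03 src=198.51.100.7 dst=192.0.2.10 dport=23 action=deny app=telnet
2024-12-29 10:00:04 src=198.51.100.7 dst=192.0.2.10 dport=445 action=deny app=smb
2024-12-29 10:00:04 src=198.51.100.7 dst=192.0.2.10 dport=3389 action=deny app=rdp
2024-12-29 10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=8080 action=deny app=http
2024-12-29 10:00:06 src=203.0.113.9 dst=192.0.2.11 dport=53 action=allow app=dns
this line is garbage and must be skipped
"""

# Regular expression for the constructed format; "app=" is optional because
# a non-NGFW firewall would not report an application name.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"action=(?P<action>allow|deny)(?: app=(?P<app>\S+))?$"
)


def parse_firewall_log(text):
    """Turn raw log text into a list of flow dicts; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # garbage or unknown format: skip rather than crash
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(f"{d['date']} {d['time']}"),
            "src": d["src"],
            "dst": d["dst"],
            "dport": int(d["dport"]),
            "action": d["action"],
            "app": d["app"] or "unknown",
        })
    return events


def disposition_counts(events):
    """Count allowed vs. blocked flows per source IP (a typical dashboard widget)."""
    counts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for e in events:
        counts[e["src"]][e["action"]] += 1
    return dict(counts)


def denied_port_sweeps(events, min_ports=4):
    """Sources whose blocked flows hit at least min_ports distinct destination
    ports: a crude indicator that one host is probing many services."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "deny":
            ports[e["src"]].add(e["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    flows = parse_firewall_log(SAMPLE_FIREWALL_LOG)
    print(disposition_counts(flows))
    print(denied_port_sweeps(flows))
```

The threshold in `denied_port_sweeps` is deliberately low for the eight constructed lines; in production it is tuned against the baseline of the environment, and the parsed dicts are what a SIEM normalizes so that the same source IP can be matched against endpoint and OS logs.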

Application Logs

  • Applications generate useful logs for security analysis:
    • Windows Event Viewer (Application log section)
    • Linux/macOS logs (e.g., /var/log)
  • Logs are often consolidated into a Security Information and Event Manager (SIEM).

Endpoint Device Logs

  • Laptops, desktops, phones, and tablets contain detailed logs:
    • Login/logout events
    • System events and running processes
    • Device management (password changes, lockouts)
    • Directory services
  • Endpoint logs are also integrated into SIEM for correlation with network data.

Operating System Logs

  • OS logs track security events:
    • Application monitoring
    • Brute force attacks
    • Changes to system files
    • Authentication events

Intrusion Prevention/Detection Systems (IPS/IDS)

  • IPS/IDS are often integrated into Next-Generation Firewalls.
  • Logs show known vulnerabilities and attack types (e.g., SYN flood attacks).

Network Infrastructure Device Logs

  • Devices like switches, routers, and access points log:
    • Routing table changes
    • Authentication errors
    • Identified attacks (e.g., TCP SYN attacks)

Metadata in Files

  • Documents and emails contain metadata providing:
    • Email headers, sender/receiver info
    • Device details in photos (e.g., GPS)
    • Document creator details

Vulnerability Scans

  • Scans create logs identifying security issues:
    • Missing firewalls or antivirus
    • Misconfigurations (e.g., open shares)
    • Outdated or vulnerable systems/applications

SIEM Reports and Dashboards

  • SIEM automates report generation on security data.
  • Dashboards provide a quick, customizable view of security status.

Network Packet Analysis

  • Tools like Wireshark capture detailed packet-level data.
  • Packet analysis examines individual traffic flows and helps diagnose network security issues that summary logs do not reveal.

Conclusion

  • Extensive security log data is collected across systems.
  • SIEM is crucial for filtering and correlating important security information.
  • Efficient report generation and dashboard views aid security management.
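To make the two points in the notes concrete (OS authentication logs revealing brute force attempts, and a SIEM correlating endpoint data with network data), here is an added example that is not part of the original lecture notes. The auth log lines are constructed in the style of OpenSSH messages found in a Linux /var/log/auth.log, the firewall records are constructed dicts, and the host-to-IP mapping, the 2024 year (syslog lines carry no year), and all thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth-log lines modelled on OpenSSH "Failed/Accepted password"
# messages. A burst of failures followed by a success is the pattern a
# defender wants to surface.
SAMPLE_AUTH_LOG = """\
Dec 29 10:00:01 host1 sshd[1001]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Dec 29 10:00:03 host1 sshd[1002]: Failed password for root from 198.51.100.7 port 51001 ssh2
Dec 29 10:00:05 host1 sshd[1003]: Failed password for root from 198.51.100.7 port 51002 ssh2
Dec 29 10:00:08 host1 sshd[1004]: Failed password for root from 198.51.100.7 port 51003 ssh2
Dec 29 10:00:10 host1 sshd[1005]: Failed password for root from 198.51.100.7 port 51004 ssh2
Dec 29 10:00:12 host1 sshd[1006]: Accepted password for root from 198.51.100.7 port 51005 ssh2
Dec 29 10:05:00 host1 sshd[1007]: Failed password for alice from 203.0.113.5 port 40000 ssh2
Dec 29 10:30:00 host1 sshd[1008]: Accepted password for alice from 203.0.113.5 port 40001 ssh2
"""

# Constructed firewall "allow" records (already normalized, as a SIEM would
# hold them) for the same period. Assumed: host1 sits at 192.0.2.10.
HOST_IPS = {"host1": "192.0.2.10"}
FIREWALL_ALLOWS = [
    {"ts": datetime(2024, 12, 29, 10, 0, 0), "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22},
    {"ts": datetime(2024, 12, 29, 10, 29, 55), "src": "203.0.113.5", "dst": "192.0.2.10", "dport": 22},
]

ASSUMED_YEAR = 2024  # syslog timestamps omit the year; assumed for the example
AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Parse constructed sshd lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        ts = datetime.strptime(f"{ASSUMED_YEAR} {d['mon']} {d['day']} {d['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": d["host"], "user": d["user"],
                       "ip": d["ip"], "result": d["result"]})
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: start_time} for IPs with >= threshold failures inside any
    sliding window of the given length."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # shrink the window from the left
            if end - start + 1 >= threshold:
                flagged[ip] = times[start]
                break
    return flagged


def successes_after_brute_force(events, flagged, grace=timedelta(minutes=10)):
    """Endpoint-only correlation: accepted logins from a flagged IP shortly after
    its failure burst, i.e. a brute force that may have succeeded."""
    return [(e["ip"], e["user"], e["host"], e["ts"]) for e in events
            if e["result"] == "Accepted" and e["ip"] in flagged
            and timedelta(0) <= e["ts"] - flagged[e["ip"]] <= grace]


def corroborate_with_firewall(hits, fw_allows, lookback=timedelta(minutes=5)):
    """Cross-source correlation: keep only hits for which the firewall also
    recorded an allowed flow from that IP to the host's SSH port shortly before."""
    confirmed = []
    for ip, user, host, ts in hits:
        for fw in fw_allows:
            if (fw["src"] == ip and fw["dst"] == HOST_IPS.get(host)
                    and fw["dport"] == 22 and timedelta(0) <= ts - fw["ts"] <= lookback):
                confirmed.append((ip, user, host, ts))
                break
    return confirmed


if __name__ == "__main__":
    auth = parse_auth_log(SAMPLE_AUTH_LOG)
    flagged = brute_force_sources(auth)
    hits = successes_after_brute_force(auth, flagged)
    print(corroborate_with_firewall(hits, FIREWALL_ALLOWS))
```

The single failure from 203.0.113.5 never reaches the threshold, so its later successful login is not reported; the burst from 198.51.100.7 is flagged, its subsequent root login is matched, and the firewall record confirms the network path. That last step is the value the notes attribute to a SIEM: each source alone is noisy, and the combination is what an analyst acts on.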