When it comes to securing any corporate environment, the more in-depth detail you have, the better. Depending on the size of an organization, a single day can comprise millions, or even billions, of logs. At first glance this can seem like nothing more than informational noise, but these breadcrumbs are the key not only to diagnosing a problem, but also possibly to uncovering a breach.
It should first be noted that if one can identify a possible hack through these logs, the hacker is likely aware of that too, and will try to cover their tracks to the best of their ability. Having a secure offsite location to collect these logs and protect their integrity is crucial to keeping your peace of mind. Not to mention that most compliance standards require this level of log aggregation architecture and security anyway.
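One concrete way to make a collected log stream tamper-evident, as an added example that is not part of the original article: the collector tags every record with an HMAC over the previous tag and the record itself, so a host that later edits, reorders, or deletes a line cannot produce matching tags without the collector's key. The key, the sample lines, and the function names below are all constructed for this illustration.

```python
import hashlib
import hmac

# Constructed sample log lines for the example; not from any real system.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z web-01 sshd: Accepted password for alice from 10.0.0.5",
    "2024-01-05T10:00:07Z web-01 sudo: alice : USER=root ; COMMAND=/bin/bash",
    "2024-01-05T10:01:12Z web-01 sshd: Failed password for root from 203.0.113.9",
]

# Assumed: the offsite collector holds this key; the monitored hosts never see it,
# so an attacker on a host cannot re-tag lines they have altered.
COLLECTOR_KEY = b"constructed-example-key-not-for-production"

GENESIS = b"\x00" * 32  # fixed starting tag for an empty chain


def chain_logs(lines, key=COLLECTOR_KEY):
    """Tag each line with HMAC(key, previous_tag || line), linking records together."""
    prev = GENESIS
    chained = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        chained.append((line, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key=COLLECTOR_KEY):
    """Return the index of the first record that fails verification, or -1 if intact.

    Editing a line, re-ordering records, or removing a record in the middle
    breaks the link to the next tag, because each tag covers the one before it.
    """
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


if __name__ == "__main__":
    chained = chain_logs(SAMPLE_LOGS)
    print("intact chain, first bad index:", verify_chain(chained))
    tampered = list(chained)
    tampered[1] = (tampered[1][0].replace("alice", "bob"), tampered[1][1])
    print("after editing record 1, first bad index:", verify_chain(tampered))
```

Note the limit of this scheme: it detects changes inside the chain, but it cannot by itself detect that the newest records were simply cut off the end. The collector therefore also needs to persist the latest tag and record count somewhere the monitored host cannot reach, and compare against it on each verification.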
One of the most important things to understand when reviewing logs is how to differentiate between what should be looked at and what can be set aside. Often referred to as an event rather than just a log, this information can be used to identify the more important activity occurring throughout an environment. While the definition of an event is customizable and varies with an organization's needs, most center on unusual user activity, network connections, and privilege escalations.
It is likely that once an organization begins reviewing all of these events, it will quickly become overwhelmed by the sheer volume of information and alerts that need attention. The best way to prioritize the order in which they are reviewed is to apply what's known as a risk rating to every device in the environment. Certain nodes or devices are more important than others, and some hold more mission-critical information, so they receive a higher risk rating; if one of them is compromised, the impact to the business is increased exponentially.
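The two ideas above, promoting raw log lines to events (unusual user activity, network connections, privilege escalation) and then ordering those events by the risk rating of the affected asset, can be shown end to end. The following is an added example, not code from the original article or from any SIEM product: the log lines, the asset risk scale and values, the list of expected outbound ports, and the detection rules are all constructed assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed syslog-style lines: "<timestamp> <host> <program>: <message>".
# Made-up samples for the example, not logs from any real system.
SAMPLE_LOGS = [
    "2024-01-05T10:00:01Z web-01 sshd: Accepted password for alice from 10.0.0.5 port 50112",
    "2024-01-05T10:00:09Z dev-laptop-7 sshd: Failed password for root from 203.0.113.9 port 4021",
    "2024-01-05T10:00:11Z dev-laptop-7 sshd: Failed password for root from 203.0.113.9 port 4022",
    "2024-01-05T10:00:13Z dev-laptop-7 sshd: Failed password for root from 203.0.113.9 port 4023",
    "2024-01-05T10:02:30Z web-01 sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash",
    "2024-01-05T10:03:02Z db-prod-01 firewall: OUT proto=tcp dst=198.51.100.7 dport=4444",
    "2024-01-05T10:03:05Z db-prod-01 firewall: OUT proto=tcp dst=198.51.100.20 dport=443",
]

# Assumed asset risk ratings (1 = low, 5 = mission critical). The article
# describes the idea; the scale and these values are constructed.
ASSET_RISK = {"db-prod-01": 5, "web-01": 3, "dev-laptop-7": 1}

# Assumed: ports this environment permits outbound; anything else is unusual.
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}

FAILED_LOGIN_RE = re.compile(r"sshd: Failed password for (?:invalid user )?(\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo: (\S+) : .*USER=(\S+) ; COMMAND=(\S+)")
OUTBOUND_RE = re.compile(r"firewall: OUT proto=\S+ dst=(\S+) dport=(\d+)")


def extract_events(lines, failed_threshold=3):
    """Turn raw log lines into the smaller set of events worth an analyst's time."""
    events = []
    failed_by_source = defaultdict(int)
    for line in lines:
        host = line.split(" ", 2)[1]

        m = FAILED_LOGIN_RE.search(line)
        if m:
            key = (host, m.group(2))
            failed_by_source[key] += 1
            # One failure is noise; a burst from the same source is an event.
            if failed_by_source[key] == failed_threshold:
                events.append({"host": host, "type": "repeated_failed_login", "severity": 3,
                               "detail": f"{failed_threshold} failures for {m.group(1)} from {m.group(2)}"})
            continue

        m = SUDO_RE.search(line)
        if m and m.group(2) == "root":
            # A service account or user becoming root is a privilege escalation event.
            events.append({"host": host, "type": "privilege_escalation", "severity": 4,
                           "detail": f"{m.group(1)} ran {m.group(3)} as root"})
            continue

        m = OUTBOUND_RE.search(line)
        if m and int(m.group(2)) not in EXPECTED_OUTBOUND_PORTS:
            events.append({"host": host, "type": "unusual_outbound", "severity": 3,
                           "detail": f"connection to {m.group(1)}:{m.group(2)}"})
    return events


def prioritize(events, asset_risk=ASSET_RISK):
    """Rank events by severity weighted by the risk rating of the affected asset."""
    ranked = []
    for ev in events:
        risk = asset_risk.get(ev["host"], 1)  # unknown assets default to the lowest rating
        ranked.append({**ev, "asset_risk": risk, "priority": ev["severity"] * risk})
    return sorted(ranked, key=lambda e: e["priority"], reverse=True)


if __name__ == "__main__":
    for ev in prioritize(extract_events(SAMPLE_LOGS)):
        print(f'{ev["priority"]:>3}  {ev["host"]:<13} {ev["type"]:<24} {ev["detail"]}')
```

Seven lines reduce to three events, and the ordering is driven by the asset rather than by the raw severity: the outbound connection from the production database outranks the root shell on the web server, and the password-guessing burst against a low-value laptop lands last. The single failed login on line two never becomes an event at all, which is the filtering the article is describing.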
So how exactly does an organization begin this difficult process of collecting and reviewing logs intelligently? Modern software referred to as a SIEM, or security incident and event management tool, can quickly jumpstart your organization down this path, while allowing you to sleep more soundly at night.