
Auditing, Logging and SIEM

Objectives

  • Define purpose of auditing systems for Information Assurance. 
  • How are auditing and logging systems different?
  • List the components of a complete auditing system. 
  • What is a Security Information and Event Management (SIEM) system?
  • Read about at least one SIEM system.

Topics

Auditing System, Logging System, Log Management, Security Information and Event Management (SIEM)

OERs

Review Questions

  • What is the definition of auditing and what role does an auditing system play in the context of Information Assurance?
  • What are the components that make up an auditing system? 
  • What is the functionality of your favorite SIEM system? Can it play an important role in your organization?

(These questions are intended to be a self-test of your comprehension of this session's material; answers to these questions do not need to be turned in.)

Session Notes

The topic for this session is auditing. Our focus is on automated software tools for auditing events, especially those events related to security and compliance.

Auditing is an a posteriori technique for determining what really happened, who or what caused the potential breach, and what vulnerabilities led to the breach. An auditing system is an important component of computer forensics and penetration analysis, and thus of system trust and system assurance. The terms auditing and logging are often used interchangeably, but they are slightly different: logging is writing out information, whereas auditing, strictly speaking, is the analysis of the collected information. Logging is done in real time as an event of interest occurs, whereas auditing can be done in real time or in the background. In any case, a (complete) auditing system should have three components: (1) a logger to log the events, (2) an analyzer to detect "a situation", and (3) a notifier to inform/alert an admin or threat analyst about what has happened or what is happening.

There are different types of logs depending on the configuration of the logger. For example, on MS Windows a central logger may consolidate the Windows system event log (records system crashes, component-level failures, etc.), the application event log (client requests and server responses, usage data, authentication attempts), and the security event log (records critical events selected by system administrators, such as logging in/out, system file access, etc.).

What to collect depends on the goals of the auditing system. If you collect too much data, it can slow down the operation of the entire system/enterprise, and if you collect too little, you may not have the information you need. In the case of information security, we need to start with the policies that must be enforced or adhered to, and design the audit system to collect information that makes it possible to assess whether one or more policies are being violated and perhaps stop the violating action before it completes. The logs collected should also provide enough information to fix the vulnerabilities that were exploited in a breach. In information security, logging and auditing are also done to look for patterns that show an attack is likely to occur. In many enterprises, logs need to be generated, kept and analyzed to demonstrate compliance with various laws and regulations, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Sarbanes-Oxley Act (SOX) of 2002.

Log analysis using automated tools is perhaps the most intellectually challenging part. Violation of a simple policy might be straightforward to detect (e.g., no more than 5 attempts for a login), but patterns that predict a major attack such as a denial of service (DoS) attack are not. Event correlation, root cause analysis and establishing causal relationships between events are not that simple.
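As an added example (not part of these session notes or any cited work), the three-component model above and the "no more than 5 login attempts" policy, implemented as a small analyzer over constructed syslog-style lines; the log format, field names and the 10-minute window are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (format assumed for this example).
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:07 auth sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:12 auth sshd: Accepted password for bob from 198.51.100.7
2024-03-01T10:00:15 auth sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:20 auth sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:25 auth sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:00:31 auth sshd: Failed password for alice from 203.0.113.5
2024-03-01T10:20:00 auth sshd: Failed password for carol from 192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+)$")

def parse_events(text):
    """Logger tier: turn raw log lines into structured events for the analyzer."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that do not match the expected format are ignored
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events

def analyze_failed_logins(events, max_attempts=5, window=timedelta(minutes=10)):
    """Analyzer tier: flag a (user, source) pair with more than max_attempts
    failed logins inside a sliding time window."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "Failed":
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.pop(0)
        if len(q) > max_attempts:
            alerts.append({"user": ev["user"], "src": ev["src"], "count": len(q), "at": ev["ts"]})
            q.clear()   # one alert per burst, not one per additional failure
    return alerts

def notify(alerts):
    """Notifier tier: render alerts as messages for the admin / threat analyst."""
    return [f"ALERT {a['at'].isoformat()}: {a['count']} failed logins for "
            f"{a['user']} from {a['src']}" for a in alerts]
```

Running `notify(analyze_failed_logins(parse_events(SAMPLE_LOG)))` produces a single alert for alice, while carol's lone failure and bob's successful login stay below the threshold.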

Auditing systems devoted to security are lately known as Security Information and Event Management (SIEM) systems. These systems provide a log management infrastructure encompassing log analysis, log storage and log monitoring tiers. SIEM products also perform event correlation, alerting/reporting and forensic investigation based on event analysis. There are many SIEM solutions commercially available today. Generally, SIEM systems complement host- and network-based intrusion detection systems (HIDS and NIDS). A SIEM has a broader view of the events happening in an enterprise, whereas a NIDS focuses on the perimeter and a HIDS focuses on a particular host. Accordingly, a SIEM has more collection points, drawing from applications, host operating systems, and middleware.

The NIST document is mostly about log management and less about analysis, i.e., auditing.

The Gupta work outlines the architecture and functionality of a SIEM system that he built using open source tools. The paper demonstrates how an organization that cannot afford commercially available SIEM solutions can build a cost-effective logging, alerting and monitoring solution.

If you are interested in building a security logging system for your enterprise, the OER from OWASP should come in very handy.

If you are interested in learning about various SIEM systems in the market today, the OER from eSecurity Planet is a good start.


© 2020 University of Maryland Global Campus