September 13, 2019
Security Logging and Incident Response: A Tale of Two Customers
Security logs can greatly improve the speed and effectiveness of the investigation into an incident.
In my role as the technical lead for CDW’s incident response practice, I spend much of my time working with organizations in the midst of battling a security incident. I’ve observed that the technology environments at some organizations put us in a much better position to respond quickly and effectively; in particular, the presence of centralized logging and archiving allows us to rapidly determine the sources and targets of attacks related to an incident and complete our investigation. Recent experiences with two organizations provide useful examples of how valuable effective logging can be.
Case 1: Missing Logs Make It Difficult to Identify Malware Activity
In one of those incidents, the organization had received a series of notices from its internet service provider stating that it had detected malicious scanning activity emanating from the organization’s network. The organization ignored those messages for a while, until the ISP threatened to cut off its service. At that point, the organization’s IT team contacted the CDW incident response team to determine whether CDW could identify the source of the malicious scanning.
We discovered that several systems on the network were infected with malware. There was virtually no logging within the IT environment, with Windows hosts having default audit log settings. We were able to determine that the malware had resided on the network for quite a while based on registry analysis, but not much else because of the lack of archived event logs. We weren’t able to pinpoint the date beyond that time frame or determine how the malware had entered the network because the necessary logging information simply didn’t exist. We did get the incident contained, eradicated the malware and provided remediation steps, but the organization couldn’t determine what actions and activity the malware had conducted within its environment in the previous weeks or months.
Case 2: Comprehensive Log Data Makes Remediation More Effective
By contrast, just last week I worked with another business that had a malware outbreak on its network. In this case, the IT team did have comprehensive logs, including an open-source log management solution, and we were able to quickly pinpoint the source of the infection and the time of the initial attack. Knowing how long the malware had existed in their environment helped the organization’s management assess the risk of other malicious activities. The log data also helped us to quickly isolate the affected systems, based on a list of hosts derived through simple queries of the open-source log management solution. The organization began rebuilding infected systems and purging the malware from the network, and it was back up and running in days, with the reassurance that we had fixed the root cause of the problem. That’s the difference that logging makes in incident response.
How to Improve Your Security Logs
If you review your own security program and find a greater resemblance to the first organization than the second, there are simple steps you can take to build or revitalize your security logging program:
1. Enable Logging Everywhere
Make sure that all servers, domain controllers, network devices, firewalls, applications and workstations are logging security events and retaining those logs for an appropriate period. Retention of log data for at least 45 to 60 days is a great starting point, and CDW recommends expanding this period to six months if you have the storage capacity.
2. Configure Comprehensive Logging
The default logging settings provided by many manufacturers simply don’t meet modern security requirements. For example, Windows servers will, by default, log successful events but not failures, while in other cases they may log failures but not successful events. Information about both failed and successful attempts is crucial to an effective logging program. Here are recommendations we offer customers for configuring logging.
3. Collect Logs Centrally
If you have the resources to implement a security information and event management solution, that’s fantastic. CDW offers a variety of products from vendors such as Splunk, LogRhythm and others. If not, consider starting with a simple, free solution, such as Microsoft’s Windows Event Forwarding (WEF) service combined with an Elasticsearch solution.
4. Tune Your Logging
Log analysis is difficult work, made harder by the fact that most environments are full of operational noise. When first configuring centralized log analysis, you’ll discover misconfigurations and other operational issues that clutter your logs. Either correct those issues or tune them out of your log analysis to glean useful information from your logs.
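The four steps above, exercised over a constructed batch of centrally collected Windows security events (an added example, not CDW's tooling or either customer's data): it measures how much history the archive holds (step 1), flags hosts whose audit policy still records only successes or only failures (step 2), tunes out a known noisy source (step 4), and then runs the kind of simple query that produced the affected-host list and first-seen time in Case 2. The host names, the indicator process name scanner.exe and the noise rule are constructed placeholders; 4624, 4625 and 4688 are the real Windows event IDs for logon success, logon failure and process creation.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data); the shape loosely follows what a
# forwarder ships from the Windows Security log into a central store.
EVENTS = [
    {"ts": "2019-08-20T07:58:00", "host": "ws01", "id": 4624, "outcome": "success", "proc": ""},
    {"ts": "2019-08-20T08:05:00", "host": "ws01", "id": 4688, "outcome": "success", "proc": "scanner.exe"},
    {"ts": "2019-08-21T09:12:00", "host": "ws01", "id": 4625, "outcome": "failure", "proc": ""},
    {"ts": "2019-08-22T10:00:00", "host": "srv02", "id": 4624, "outcome": "success", "proc": ""},
    {"ts": "2019-08-23T10:30:00", "host": "srv02", "id": 4688, "outcome": "success", "proc": "scanner.exe"},
    {"ts": "2019-08-23T11:00:00", "host": "ws03", "id": 4624, "outcome": "success", "proc": ""},
    {"ts": "2019-08-23T11:01:00", "host": "ws03", "id": 4625, "outcome": "failure", "proc": ""},
    {"ts": "2019-08-23T11:02:00", "host": "ws03", "id": 4625, "outcome": "failure", "proc": ""},
]

# Step 4: a known misconfiguration (constructed: a stale service account on ws03
# failing logon every minute) that we tune out instead of chasing each time.
NOISE = {("ws03", 4625)}

def retention_days(events):
    """Step 1 check: how many days of history the archive actually holds."""
    ts = [datetime.fromisoformat(e["ts"]) for e in events]
    return (max(ts) - min(ts)).days

def audit_gaps(events):
    """Step 2 check: hosts that have logged only successes or only failures,
    i.e. hosts whose audit policy is still at a one-sided default."""
    seen = defaultdict(set)
    for e in events:
        seen[e["host"]].add(e["outcome"])
    return sorted(h for h, o in seen.items() if o != {"success", "failure"})

def filter_noise(events):
    """Step 4: drop events matching a tuned-out (host, event_id) pair."""
    return [e for e in events if (e["host"], e["id"]) not in NOISE]

def first_seen_by_host(events, indicator):
    """Case 2 query: every host where the indicator process was created, with
    the earliest timestamp, giving the affected-host list and the start time."""
    first = {}
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["id"] == 4688 and e["proc"].lower() == indicator.lower():
            first.setdefault(e["host"], datetime.fromisoformat(e["ts"]))
    return first

if __name__ == "__main__":
    print("days of history:", retention_days(EVENTS), "(45-60 days is the floor)")
    print("hosts with one-sided auditing:", audit_gaps(EVENTS))
    print("affected hosts:", first_seen_by_host(filter_noise(EVENTS), "scanner.exe"))
```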
Following these steps builds the foundation for a strong cybersecurity program. In many cases, effective logging will allow you to quickly detect potential incidents and stop them in their tracks. If you do experience a security breach, you’ll have a wealth of information ready to facilitate a quick and effective response.