- I write a blog, covering a wide range of information security and IT topics. Check it out.
- Check out my cheat sheets with tips for incident response and other information security topics.
- Learn to turn malware inside-out at my SANS Institute course on analyzing malicious code.
Related resources:
- Critical Log Review Checklist
- My other Security Management Practices articles
This article was originally published in September 2006 at SearchSecurity.com.
Establishing a Practical Routine for Reviewing Security Logs
The term security information management (SIM) refers to the discipline of collecting and analyzing security events to detect or investigate malicious activities. Essential to this process are the individuals who review the gathered data and decide whether the events constitute an incident and should be escalated. Information security logs that are not regularly reviewed are hardly useful and can be a liability to an organization.
Sometimes reviewing security logs can be fun. Don't get me wrong—sifting through mounds of data to identify the notable events is not always my favorite pastime. However, the pursuit of correlating seemingly unrelated events, determining the cause of an unusual alert or detecting an intrusion at its onset can be pretty rewarding.
Even though the review of security logs is critical to the success of a SIM program, doing so regularly and comprehensively is not easy. Here are a few recommendations for establishing a process to ensure that important events don't go unnoticed:
- Schedule a regular time for reviewing logs. Creatures of habit, most of us find it harder to forget chores that we conduct according to a predictable schedule. Decide on a time that will allow you to devote attention to log-reviewing duties and stick with that schedule. Mark that time slot as "busy" in your calendar to prevent unwanted meetings or other interruptions.
- Automate repetitive log-processing tasks. Manually reviewing every entry in the log is monotonous, time-consuming and important alerts will be missed as a result. Make use of the log-processing tool's ability to group similar records together, prioritize events, and filter entries that are not currently relevant. Automating such tasks speeds up the reviewing process and improves its accuracy.
- Alternate log-reviewing responsibilities. There are several advantages to varying who is responsible for reviewing the logs. It helps prevent the fatigue of performing repetitive tasks. It also exposes data to another individual's fresh perspective. Consider alternating the responsibilities on weekly or monthly basis among qualified members of your team.
- Track the problems addressed by reviewing logs. Routine tasks are easy to take for granted. Keep track of the problems, such as service downtime or a network intrusion, that were prevented or remediated as a result of reviewing security logs. This practice will gather metrics for assessing the usefulness of reviewing the logs, which is particularly helpful during budget or bonus allocation times.
A practical routine for reviewing security logs is regularly scheduled, partially automated, alternated among team members, and linked to problem resolution. Not only will such processes bring vigilance to the log-reviewing duties, but it will also ensure that an organization gets the most out of the valuable data captured by the its SIM systems.
About the Author: Lenny Zeltser is a seasoned IT professional with a strong background in information security and business management. His areas of expertise include cloud services and malicious software. Lenny focuses on safeguarding customers' IT operations at Radiant Systems. He also teaches how to analyze and combat malware at SANS Institute. Lenny explores security topics at conferences, in books and in articles. He also volunteers as an incident handler at the Internet Storm Center. You should follow Lenny on Twitter and read his daily blog.
Copyright © 1995-2011 Lenny Zeltser. All rights reserved. RSS Feed.
The information on this site does not necessarily represent positions or opinions of my employer.