2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Log management
As the number and variety of information threats grow, organizations must sift large volumes of data and detect anomalies in order to identify the real threats among them.
Traditional approaches to the growing stream of log and event data rely either on basic log collection tools or on expensive, large-scale SIEM deployments.
Log collection guidelines:
A. Log management is the core of endpoint detection and response: it provides a convenient channel for diagnosing events of interest, based on event data and the historical log information of the services involved, and it helps satisfy management policies and industry standards.
B. Security Trade JACK: to deliver these benefits, the central log management system needs to collect logs from operating systems, applications, databases, IDS/IPS, and network devices such as firewalls and switches.
C. Answer the question: what happened? Doing so helps you understand your environment and detect and defend against attacks. Attackers, for their part, prefer to cover their tracks by deleting or resetting logs to hide their activity, so it is important to detect when they do so.
BOOT CAMP
1. First priority: enable your logs. Every important system has logs you can enable, yet amid the mass of events important logs often remain disabled, which is a serious error when detecting and responding to new information threats.
2. Set up your log collection: know what data needs to be collected. In many organizations, log data is collected over worldwide network connections from geographically distributed devices.
Create a map and architecture of your log collection, including the location and type of each log, its daily growth, how long it is retained as active and as archived, and who has access to it.
3. Use backup log administrators. By adding one or more backup log administrators to your company, you can delegate daily management operations to meet the growth needs of your organization. The deputy log administrator role can be refined by dividing logs by geography, business unit or business application.
4. Collect logs accurately: each log contains unique data, and when combined, the accumulated data provides insight into new types of network threats. In a branch event you will need all the endpoint data: network device logs, operating system logs, database, application and server logs, and more. The collection process must ensure that when a system, device or other asset is compromised, you can be 100% sure that your log data is safe.
5. Centralized storage: because the data must be easily accessible, collecting logs and events from every source into one place is very important. For rapid investigation, forensics and detection, and for responding to endpoint threats, good log management products such as Tripwire Log Center can collect deep and detailed log data. Endpoint events and network activity information are likewise stored in a large-scale data reporting and analysis database.
A forensic investigation into the cause and manner of an event benefits from a complete set of logs and event management files. While an investigation is under way, log management tools help determine the retention period of files and retrieve archived log data for investigation and audit; it is also worthwhile to use a high level of compression to reduce storage space while protecting logs from tampering.
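As an added example (not code from the article and not Tripwire's), the following Python sketch shows one way to get the two properties the paragraph asks of a central archive: compressed storage and tamper evidence. Each archived line is hashed together with the hash of the previous record, so any edit, deletion or reordering of earlier records breaks every hash after it; the final hash is meant to be kept out-of-band (assumption: a separate write-once store the archive writer cannot alter) so that truncation of the tail is detected as well. The log lines, hostnames and addresses are constructed placeholders.

```python
import gzip
import hashlib
import json
from typing import Iterable, List, Optional, Tuple

# Constructed sample log lines; hosts and addresses are placeholders.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 DPT=22",
    "2024-05-01T10:00:05Z app01 sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "2024-05-01T10:00:09Z app01 sshd[1202]: Accepted publickey for deploy from 10.0.0.9 port 40022 ssh2",
]

GENESIS = "0" * 64  # anchors the chain; the first record links to this constant


def _link(prev_hash: str, line: str) -> str:
    """Hash of the previous record's hash concatenated with the current line."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def chain_entries(lines: Iterable[str], prev_hash: str = GENESIS) -> List[dict]:
    """Wrap every line in a record whose hash also covers the previous record's hash.
    Editing, deleting or reordering any earlier record changes every hash after it."""
    records = []
    for seq, line in enumerate(lines):
        digest = _link(prev_hash, line)
        records.append({"seq": seq, "prev": prev_hash, "line": line, "hash": digest})
        prev_hash = digest
    return records


def compress_archive(records: List[dict]) -> bytes:
    """Serialize the records as JSON lines and gzip them (the archived form)."""
    payload = "".join(json.dumps(rec) + "\n" for rec in records)
    return gzip.compress(payload.encode("utf-8"))


def verify_archive(blob: bytes, expected_head: Optional[str] = None) -> Tuple[bool, int]:
    """Recompute the chain over an archive.

    Returns (True, -1) if intact, (False, index) at the first record whose link or
    hash does not verify, and (False, -2) if the chain verifies but its last hash
    differs from `expected_head` (the head recorded out-of-band), which catches
    records silently dropped from the end or a fully re-chained archive."""
    prev = GENESIS
    text = gzip.decompress(blob).decode("utf-8")
    for idx, raw in enumerate(text.splitlines()):
        rec = json.loads(raw)
        if rec["prev"] != prev or rec["hash"] != _link(prev, rec["line"]):
            return False, idx
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, -2
    return True, -1


if __name__ == "__main__":
    recs = chain_entries(SAMPLE_LOGS)
    head = recs[-1]["hash"]  # store this where the archive writer cannot alter it
    print("intact:", verify_archive(compress_archive(recs), head))
    recs[1]["line"] = recs[1]["line"].replace("Failed", "Accepted")  # simulated edit
    print("after edit:", verify_archive(compress_archive(recs), head))
```

The chain only proves that the archive has not changed since the head hash was recorded; it says nothing about lines that were never collected, which is why point 4 above (collect everything, and collect it before a compromise) still matters.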
ADVANCED TRAINING
6. Correlation rules: identify new information threats by flagging suspicious events based on a combined view of system changes, weak configurations and vulnerabilities. Many products let you quickly define and customize event correlation rules by drag-and-drop, and filter for and detect anomalies, suspicious behaviour, changes, known threat patterns and IoCs; in addition, you can predefine models of malicious behaviour and omissions.
7. Alerting: when your logs match correlation rules, advanced log management products can identify probable incidents and let you review them quickly through alerting and response switches. This reduces the need for specialist expertise and resources to create correlation rules in many complex formats.
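To make points 6 and 7 concrete, here is an added Python example (not from the article and not Tripwire's code) of a small correlation engine run over constructed syslog-style lines. It implements two rules a defender would typically want: repeated authentication failures from one source followed by a success within a time window, and the logging service being stopped, which is the kind of log-reset activity the guidelines above say must be detected. The thresholds, hostnames, users and addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed syslog-style events (hosts, users and addresses are placeholders).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01Z app01 sshd[1201]: Failed password for root from 198.51.100.7 port 51234 ssh2",
    "2024-05-01T10:00:03Z app01 sshd[1201]: Failed password for root from 198.51.100.7 port 51235 ssh2",
    "2024-05-01T10:00:05Z app01 sshd[1201]: Failed password for admin from 198.51.100.7 port 51236 ssh2",
    "2024-05-01T10:00:07Z app01 sshd[1201]: Failed password for deploy from 198.51.100.7 port 51237 ssh2",
    "2024-05-01T10:00:09Z app01 sshd[1202]: Accepted password for deploy from 198.51.100.7 port 51240 ssh2",
    "2024-05-01T10:01:02Z app01 systemd[1]: Stopped System Logging Service.",
    "2024-05-01T11:30:00Z db01 sshd[880]: Failed password for backup from 10.0.0.9 port 40022 ssh2",
    "2024-05-01T11:30:20Z db01 sshd[881]: Accepted publickey for backup from 10.0.0.9 port 40023 ssh2",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+?): (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>[\d.]+)")
ACCEPT_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>[\d.]+)")
LOG_STOP_RE = re.compile(r"Stopped System Logging Service|audit log was cleared", re.IGNORECASE)

# Rule parameters (assumed values; tune them to the environment).
FAIL_THRESHOLD = 3
WINDOW = timedelta(minutes=5)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Split one line into timestamp, host, program and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = dict(m.groupdict())
    ev["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def correlate(lines: List[str]) -> List[Dict[str, object]]:
    """Run both rules over the lines in order and return the alerts raised."""
    alerts: List[Dict[str, object]] = []
    failures: Dict[str, deque] = defaultdict(deque)  # source ip -> recent failure timestamps

    def expire(q: deque, now: datetime) -> None:
        while q and now - q[0] > WINDOW:
            q.popleft()

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # in production, count unparsable lines; a spike there is itself a signal
        ts, host, msg = ev["ts"], ev["host"], ev["msg"]

        # Rule 2: logging service stopped or audit log cleared -> alert immediately.
        if LOG_STOP_RE.search(msg):
            alerts.append({"rule": "logging-stopped", "severity": "high",
                           "host": host, "ts": ts.isoformat(), "detail": msg})
            continue

        # Rule 1, part a: remember authentication failures per source address.
        m = FAILED_RE.search(msg)
        if m:
            q = failures[m["src"]]
            q.append(ts)
            expire(q, ts)
            continue

        # Rule 1, part b: a success after >= FAIL_THRESHOLD recent failures from the same source.
        m = ACCEPT_RE.search(msg)
        if m:
            q = failures[m["src"]]
            expire(q, ts)
            if len(q) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute-force-then-success", "severity": "high",
                               "host": host, "src": m["src"], "user": m["user"],
                               "failures": len(q), "ts": ts.isoformat()})
                q.clear()  # do not re-alert on the same run of failures
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the first rule fires once (four failures then a success from the same address) and the second fires once for the stopped logging service; the single failure on db01 stays below the threshold and is not reported. Each alert carries the fields a responder needs (rule, host, source, user, count, time), which is what lets the alerting layer described in point 7 route it without a human rewriting the rule.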
COMBAT READY
8. Integration: integrate your log management solution with security configuration management products such as Tripwire Enterprise and vulnerability management products such as Tripwire IP360, so that it provides exceptional security and business context to your organization and helps prioritize the most important threats.
The integrated log management system can use correlation rules to detect and alert on suspicious events that affect the security status of the system.
9. Integrate business, security, risk and user context: integrating business and user context lets you easily monitor assets and users. Once integrated, and based on close observation, you may for example want to monitor your highest-value assets carefully, record which contractor accessed them, and further refine risk by correlating suspicious events. These events can be identified through Tripwire Log Center, vulnerabilities through Tripwire IP360, and suspicious changes through Tripwire Enterprise. For example, when used with a vulnerability management solution like Tripwire IP360, the log management solution gives increased network and threat awareness in your environment; combined with vulnerability information, this provides insight that lets you identify risks and prioritize your security efforts.
10. Collect and forward: to forward relevant data to your SOC and to third-party tools such as SIEMs and threat intelligence solutions, pre-filter the daily data to identify anomalies and IoC patterns. Advanced log management solutions can filter for and detect abnormal and suspicious behaviour and changes, as well as patterns based on threat and IoC data.
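As an added example (not from the article or from any vendor product) of the pre-filtering described in point 10, the following Python code reads constructed JSON-lines events, matches them against a constructed IoC set (addresses, domains and a file hash, all placeholders) plus one simple anomaly rule, and forwards only the events that hit, annotated with the reason, while counting what was suppressed. The `sink` callable stands in for whatever transport the SIEM or SOC tooling uses; that interface, the expected-port list and all sample values are assumptions.

```python
import json
from typing import Callable, Dict, List, Tuple

# Constructed IoC set; every value is a placeholder, not a real indicator.
IOCS = {
    "ip": {"203.0.113.45", "198.51.100.7"},
    "domain": {"bad.example.net"},
    "sha256": {"a" * 64},
}

# Ports this (assumed) environment expects outbound connections to use.
EXPECTED_OUTBOUND_PORTS = {80, 443, 53}

# Constructed daily events as JSON lines (placeholder hosts, paths and addresses).
SAMPLE_EVENTS = "\n".join([
    '{"ts":"2024-05-01T09:00:00Z","host":"ws12","kind":"net","src_ip":"10.0.1.12","dst_ip":"93.184.216.34","dst_port":443,"dst_domain":"example.com"}',
    '{"ts":"2024-05-01T09:00:02Z","host":"ws12","kind":"net","src_ip":"10.0.1.12","dst_ip":"203.0.113.45","dst_port":443,"dst_domain":""}',
    '{"ts":"2024-05-01T09:00:05Z","host":"ws07","kind":"dns","src_ip":"10.0.1.7","query":"bad.example.net"}',
    '{"ts":"2024-05-01T09:01:00Z","host":"ws07","kind":"file","path":"/tmp/x.bin","sha256":"' + "a" * 64 + '"}',
    '{"ts":"2024-05-01T09:02:00Z","host":"ws03","kind":"net","src_ip":"10.0.1.3","dst_ip":"192.0.2.10","dst_port":9001,"dst_domain":""}',
    '{"ts":"2024-05-01T09:03:00Z","host":"ws03","kind":"file","path":"/usr/bin/vi","sha256":"' + "b" * 64 + '"}',
])


def classify(event: Dict) -> List[str]:
    """Return the reasons an event should be forwarded (empty list -> suppress it)."""
    reasons: List[str] = []
    for field in ("src_ip", "dst_ip"):
        if event.get(field) in IOCS["ip"]:
            reasons.append(f"ioc:ip:{event[field]}")
    for field in ("dst_domain", "query"):
        if event.get(field) in IOCS["domain"]:
            reasons.append(f"ioc:domain:{event[field]}")
    if event.get("sha256") in IOCS["sha256"]:
        reasons.append("ioc:sha256")
    # Anomaly rule: an outbound connection on a port the environment does not normally use.
    if event.get("kind") == "net" and event.get("dst_port") not in EXPECTED_OUTBOUND_PORTS:
        reasons.append(f"anomaly:unexpected-port:{event.get('dst_port')}")
    return reasons


def prefilter_and_forward(jsonl: str, sink: Callable[[Dict], None]) -> Tuple[int, int]:
    """Parse JSON lines, push matching events (with reasons) through `sink`,
    and return (forwarded, suppressed). Unparsable lines are forwarded rather
    than dropped, so a broken or tampered feed is visible downstream."""
    forwarded = suppressed = 0
    for raw in jsonl.splitlines():
        if not raw.strip():
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            sink({"kind": "parse-error", "raw": raw[:200], "reasons": ["unparsable"]})
            forwarded += 1
            continue
        reasons = classify(event)
        if reasons:
            sink({**event, "reasons": reasons})
            forwarded += 1
        else:
            suppressed += 1
    return forwarded, suppressed


if __name__ == "__main__":
    sent: List[Dict] = []
    counts = prefilter_and_forward(SAMPLE_EVENTS, sent.append)
    print("forwarded, suppressed:", counts)
    for ev in sent:
        print(ev["host"], ev.get("kind"), ev["reasons"])
```

On the six sample events, four are forwarded (one IoC address, one IoC domain, one IoC hash, one unexpected port) and two benign ones are suppressed. The reasons list is what the downstream SIEM or SOC analyst sees first, so keeping it specific (which indicator, which port) saves a second lookup during triage.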
11. Automation: extend correlation rules to provide alerts and remediation, identify the personnel and resources that need to be notified when a special situation is identified, and then extend the correlation to contact the personnel responsible for investigating and resolving the alert. Also consider that scripted responses to correlation rules can automatically remove, mitigate or harden your endpoints.
© 2024 shulou.com SLNews company. All rights reserved.