登录查看更多内容

How do you use logs to identify and analyze incident indicators and root causes?

由人工智能和领英社区提供技术支持

Security monitoring and logging are essential practices for incident handling, as they help you detect, investigate, and respond to security incidents. Logs are records of events and activities that occur on your systems, networks, and applications, and they can provide valuable clues about the source, scope, and impact of an incident. In this article, you will learn how to use logs to identify and analyze incident indicators and root causes, and how to improve your logging capabilities and policies.

此文章中的业界达人

由社区从 3 条内容中精选。了解更多

1 What are incident indicators and root causes?

An incident indicator is any sign or evidence that suggests a security incident has occurred or is in progress. For example, an indicator could be a suspicious network connection, a malware infection, a user account compromise, or a data breach. A root cause is the underlying factor or vulnerability that enabled the incident to happen. For example, a root cause could be a misconfigured firewall, a weak password, a phishing email, or a software bug. Identifying and analyzing incident indicators and root causes can help you contain, eradicate, and recover from an incident, as well as prevent or mitigate future incidents.

添加您的观点

Robert Helin

Marine Veteran and Security leader with 14+ years in risk management, compliance, and team leadership. Skilled in implementing and aligning security strategy with business goals and driving regulatory compliance.
举报内容
The first indicator of any sort of incident is a deviation from the norm. Keeping this in mind, a good baseline of activity for every level of your environment needs to be established. To expand on the given examples, a "suspicious" network connection could be something as benign as a new webserver stood up for your supplier, but combine a new connection with a new timeframe, or new protocol usage, and now you have the beginnings of an incident worthy of further investigation. If your analysts do not have a solid baseline, there will be incidents that slip through the cracks. This is a project that begs for good log-keeping because, as we will see, logs are the lifeblood of incident identification.

已翻译

赞

2 How to use logs to identify incident indicators?

Logs can be a useful tool for identifying incident indicators by providing information about events and activities that occurred on your systems, networks, and applications before, during, and after an incident. For example, logs can show who accessed your systems, what actions were performed, where the connections or requests came from and where they went to, and how your systems performed. To use logs to identify incident indicators, you need to collect and store logs from various sources such as operating systems, firewalls, routers, etc. Additionally, you need to correlate logs from different sources to get a comprehensive view of the incident and its impact. Log analysis tools or security information and event management (SIEM) systems can help with this process.

添加您的观点

Jonah Cummings

“.?.?.is this thing on?”
举报内容
Use two-factor authentication to weed out false positives. If two independent systems both log the same event using different tools, it is likely that you are seeing a real incident.

已翻译

赞

3 How to use logs to analyze root causes?

Logs can also help you analyze root causes by providing information about the factors or vulnerabilities that contributed to the incident. For instance, logs can demonstrate if your systems were patched and updated with the latest security fixes, if your users followed best practices for password management and data protection, if your security tools detected and blocked any malicious activity, or if your incident response plan was effective. To use logs to analyze root causes, you must review and compare logs from before, during, and after the incident in order to identify any gaps, inconsistencies, or anomalies that could explain how the incident happened and how it could have been prevented or mitigated. Additionally, root cause analysis tools or techniques such as fishbone diagrams, 5 whys, or fault tree analysis can be utilized to assist in this process.

添加您的观点

4 How to improve your logging capabilities and policies?

To maximize your logs for incident handling, you need to upgrade your logging capabilities and policies. Start by defining your logging objectives and requirements, such as what types of logs you need, how long you need to retain them, and how you will use them for incident handling. Then, configure your systems, networks, and applications to generate and capture accurate logs that meet your objectives. Additionally, implement a centralized log management system that can collect, store, and analyze logs from various sources. Establish a log retention policy that specifies how long you will keep your logs, where you will store them, how you will protect them, and how you will dispose of them. Moreover, review and audit your logs regularly to ensure they are complete, reliable, and secure. Logging plays an essential role in incident handling as it can help detect incident indicators and root causes. With the tips provided in this article, you can improve your logging capabilities and policies to boost your security posture and resilience.

添加您的观点

Cristian Ruvalcaba, CISSP, CCSP, MFA

Senior Cyber Security Technical Specialist at IBM | Cybersecurity Leader | Advisor and Mentor | Incident Response and Security Awareness Advocate | Technical and Security Evangelist |Writer/Author
举报内容
While it is important to have a clear mission statement, or something to that effect, when defining a logging policy, it is also important to consider any regulation or compliance requirements that may exist for a given organization's business. While there are clear retention requirements set in some regulation and compliance definitions, an organization may need longer retention for internal purposes, or inversely, a lower retention requirement. If the retention requirement is lower, consider that there will likely be a need for multiple retention buckets, including one or more for those relating to regulation.

已翻译

赞

Incident Handling

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

How do you use logs to identify and analyze incident indicators and root causes?

1

2

3

4

1 What are incident indicators and root causes?

2 How to use logs to identify incident indicators?

3 How to use logs to analyze root causes?

4 How to improve your logging capabilities and policies?

Incident Handling

给文章评分

感谢您的反馈

更多Incident Handling相关文章

更多相关阅读内容