Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to log review and analysis in Domain 6, to understand how they interrelate and to guide your studies. This is the third of three mindmap videos for Domain 6; I've included links to the other mindmap videos in the description below. These mindmap videos are one part of our complete CISSP Master Class.

Logging events from multiple systems, aggregating the data, and analyzing the data: essentially, logging and monitoring is an important part of security assessment. Where can we collect logging data from across the organization? The answer is essentially everywhere. Almost every system can generate log event data: network devices like firewalls, routers and switches; IDS and IPS systems, intrusion detection and intrusion prevention systems; servers, desktops, laptops, operating systems, applications, anti-malware, etc. We must be selective, though. Many systems are capable of generating an avalanche of event data, so we need to configure systems to only log what is relevant. We also need the capability to review all the log event data that is being generated, ideally as close to real time as possible. It's not super ideal to review your logs and realize you've had a significant breach months after it occurred.

And what are we looking for when analyzing the logs? Errors and anomalies. More specifically, what exactly are we monitoring for? Errors: if we see, for example, that our web server is generating many error 404 messages (file not found), this is a clear indication that something is broken and we need to go and fix something on the web server. Modifications, more specifically unauthorized modifications: it's not uncommon for attackers to exploit a vulnerability to break into a system and then patch that vulnerability behind themselves after they've installed something like a back door. Therefore, looking for unauthorized patching of a system may be an indication of a breach. And of course, from a security perspective, one of the main things we're monitoring for is whether any of our systems have been breached: whether they are being used for cryptocurrency mining, whether data exfiltration is occurring, or whether we're about to have a bad time with ransomware.

As I mentioned, one of the major challenges is the plethora of devices and systems that can generate log event data across the organization, and the volume of data that can be produced. It is very much the proverbial challenge of looking for the needle in a haystack. Accordingly, we need to use systems that can automate many of the tasks and analysis required for logging and monitoring. These systems are often referred to as SIEM systems: security information and event management systems.

Before we can begin feeding data into a SIEM system, we first need to enable logging on devices across the environment so that we're generating log event data. Something we have to be careful about, though, is limiting log file sizes on these endpoint devices such as firewalls, routers, switches, etc. Many of these devices can generate a lot of data but have very limited onboard storage to store this log event data. We therefore need a couple of methods to limit log file sizes, typically on endpoint devices. Circular overwrite is the idea that you set a maximum log file size of, say, 10 megabytes or 10,000 lines, and then begin writing log data. When the system reaches that maximum, it will circle back to the top of the log file and begin overwriting until it reaches the max log file size again, and then circles back yet again; rinse and repeat. Clipping levels are about setting a threshold: below the threshold, log nothing; above the threshold, begin logging. For example, we typically don't care about one or two failed login events (we all mistype our passwords occasionally), but 10 failed login attempts in quick succession, or 50, or 10,000, we definitely care about that: someone is trying to brute force a password. So we could set the threshold at, say, three failed login events. Below three, nothing is logged; above three failed login events within 60 seconds, we start logging.

Another important consideration when generating log data is timestamps. For each log event we need consistent timestamps: timestamps in the same format, same year, month, day, in a 24-hour clock. This way we can more easily correlate events from different systems, because they have consistent timestamps. We also need the clocks in all of our systems across the environment to be synchronized. It's very difficult to trace how an attacker traversed a network if one system's clock is 3 seconds slow, another is 5 seconds fast, and another's date is set to 1979. There's a protocol we can use to synchronize all of our system clocks: NTP, Network Time Protocol.

When a log event is generated on any device in the environment, we want to transmit that data in real time to our SIEM system. Our SIEM system collects and aggregates all this event data from across the environment into one central system. Next, the SIEM system will normalize the data: clean up the event data from disparate systems so that all the data, the variables, are comparable and in the same format, so that the SIEM system can now analyze all the event data that is pouring in to look for the proverbial needle in the haystack. The SIEM system will apply various analysis techniques such as event correlation, statistical models, rules, etc., to look for errors and anomalies. SIEM systems will also retain log event data in long-term storage, to enable longitudinal analysis and tracking and to meet contractual or regulatory requirements for log retention. And finally, when log event data no longer needs to be retained, it can be securely and defensibly destroyed.

Continuous monitoring, or sometimes referred to as continuous security monitoring (CSM), is the process where an organization identifies all of their systems, identifies the risks associated with each system, applies the appropriate controls to mitigate the risks, and then continuously monitors the controls to assess their effectiveness against the ever-changing threat landscape. Obviously a good practice.

All right, and that is an overview of logging and monitoring within Domain 6, covering the most critical concepts that you need to know for the exam. Want to learn three of the most common mistakes people make when preparing for the CISSP exam, and of course, most importantly, how to avoid these mistakes? If the answer is yes, you should check out our free guide here at desert.com: Three Mistakes to Avoid. Link is in the description below as well.
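The two endpoint-side log-limiting methods from the video, circular overwrite and a clipping level of three failed logins within 60 seconds, as an added example (this is not code from the video or from Destination Certification; the sample login events, the user names and the five-line buffer size are constructed for illustration):

```python
from collections import deque
from datetime import datetime, timedelta

# Circular overwrite: a bounded buffer that, once full, drops the oldest line
# for every new one. Real devices use far larger limits (10 MB or 10,000 lines).
def circular_log(lines, max_lines=5):
    """Return the lines an endpoint with a max_lines ring buffer still holds."""
    buf = deque(maxlen=max_lines)
    for line in lines:
        buf.append(line)      # at capacity, deque discards the oldest entry
    return list(buf)

# Clipping level: below the threshold nothing is logged; once a user reaches
# `threshold` failed logins inside `window`, that failure and the ones that
# follow are logged. A successful login clears the user's count.
def clipping_filter(events, threshold=3, window=timedelta(seconds=60)):
    """events: (timestamp, user, outcome) tuples in time order, outcome being
    'fail' or 'success'. Returns the failures that crossed the clipping level."""
    recent = {}     # user -> timestamps of failures still inside the window
    logged = []
    for ts, user, outcome in events:
        if outcome == "success":
            recent.pop(user, None)
            continue
        fails = recent.setdefault(user, deque())
        fails.append(ts)
        while ts - fails[0] > window:   # slide the window forward
            fails.popleft()
        if len(fails) >= threshold:
            logged.append((ts, user, outcome))
    return logged

# Constructed sample: one typo by alice, a burst against bob, then a stray
# failure after the window has expired.
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    (T0, "alice", "fail"),
    (T0 + timedelta(seconds=5), "alice", "success"),
    (T0 + timedelta(seconds=10), "bob", "fail"),
    (T0 + timedelta(seconds=20), "bob", "fail"),
    (T0 + timedelta(seconds=30), "bob", "fail"),    # third failure in 60 s: logged
    (T0 + timedelta(seconds=40), "bob", "fail"),    # still inside the window: logged
    (T0 + timedelta(seconds=200), "bob", "fail"),   # window expired: not logged
]

if __name__ == "__main__":
    for ts, user, _ in clipping_filter(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} clipping level reached for {user}")
```

Whether the third failure or the fourth is the first one logged is a policy choice; the code above logs from the third, and `threshold` moves that boundary.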
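The SIEM normalization step from the video, consistent 24-hour timestamps and synchronized clocks so that events from disparate systems can be correlated, as an added example (not code from the video or from any SIEM product). It assumes three constructed log lines in different timestamp styles, a per-host local timezone, per-host clock offsets already measured against the NTP reference, and a syslog year of 2024; all of these are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed raw events from three systems, each in its own timestamp style.
RAW_EVENTS = [
    ("fw1", "Jan  1 08:00:03 fw1 DENY src=10.0.0.7 dst=10.0.0.20:22"),
    ("srv1", "2024-01-01T08:00:00Z sshd: Failed password from 10.0.0.7"),
    ("win1", "01/01/2024 03:00:07 AM AUDIT_FAILURE user=admin src=10.0.0.7"),
]
SYSLOG_YEAR = 2024  # classic syslog stamps carry no year (assumed here)
# Host timezone (only srv1 logs in UTC) and clock skew vs. NTP in seconds (+ = fast).
HOST_TZ = {"fw1": timezone.utc, "srv1": timezone.utc, "win1": timezone(timedelta(hours=-5))}
CLOCK_SKEW = {"fw1": -3, "srv1": 0, "win1": 5}
FORMATS = [  # (regex capturing the stamp at line start, strptime pattern)
    (r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) ", "%b %d %H:%M:%S"),
    (r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)Z", "%Y-%m-%dT%H:%M:%S"),
    (r"(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d [AP]M)", "%m/%d/%Y %I:%M:%S %p"),
]

def parse_timestamp(host, line):
    """Return the line's timestamp as an aware UTC datetime, or None if unknown."""
    for pattern, fmt in FORMATS:
        if (m := re.match(pattern, line)):
            ts = datetime.strptime(" ".join(m[1].split()), fmt)
            if ts.year == 1900:  # strptime default: the stamp carried no year
                ts = ts.replace(year=SYSLOG_YEAR)
            return ts.replace(tzinfo=HOST_TZ[host]).astimezone(timezone.utc)
    return None

def normalize(raw_events):
    """SIEM normalization: parse, convert to UTC, remove measured skew, sort."""
    records = []
    for host, line in raw_events:
        ts = parse_timestamp(host, line)
        if ts is None:
            continue  # unparsable stamp: send to a review queue rather than guess
        ts -= timedelta(seconds=CLOCK_SKEW[host])
        src = re.search(r"(?:src=|from )(\d+\.\d+\.\d+\.\d+)", line)
        records.append({"host": host, "ts": ts, "src": src[1] if src else None,
                        "time": ts.strftime("%Y-%m-%d %H:%M:%S")})  # one 24-hour format
    return sorted(records, key=lambda r: r["ts"])

def correlate(records, window_seconds=10):
    """Source IPs seen on more than one system within the window: a simple
    event-correlation rule that only works once clocks and formats agree."""
    by_src = {}
    for r in records:
        if r["src"]:
            by_src.setdefault(r["src"], []).append(r)
    return {src: [r["host"] for r in recs] for src, recs in by_src.items()
            if len(recs) > 1
            and (recs[-1]["ts"] - recs[0]["ts"]).total_seconds() <= window_seconds}
```

Without the skew correction the firewall event would sort before the server event, reversing the apparent order in which the attacker touched the systems; a host whose date is stuck in 1979 cannot be rescued by an offset and has to be fixed at the source with NTP.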