Log Review & Analysis MindMap (3 of 3) | CISSP Domain 6

Destination Certification
Review of the major Log Review & Analysis topics to guide your studies, and help you pass the CISSP ...
Video Transcript:
Hey, I'm Rob Witcher from Destination Certification, and I'm here to help you pass the CISSP exam. We're going to go through a review of the major topics related to log review and analysis in Domain 6 to understand how they interrelate and to guide your studies. This is the third of three MindMap videos for Domain 6. I've included links to the other MindMap videos in the description below. These MindMap videos are one part of our complete CISSP Master Class.

Logging events from multiple systems, aggregating the data, and analyzing the data: essentially, logging and monitoring is an important part of security assessment. Where can we collect logging data from across the organization? The answer is essentially everywhere. Almost every system can generate log event data: network devices like firewalls, routers, and switches; IDS and IPS systems, intrusion detection and intrusion prevention systems; servers; desktops; laptops; operating systems; applications; anti-malware; etc., etc. We must be selective, though. Many systems are capable of generating an avalanche of event data, so we need to configure systems to only log what is relevant. We also need the capability to review all the logging event data that is being generated, ideally as close to real time as possible. It's not super ideal to review your logs and realize you've had a significant breach months after it occurred.

And what are we looking for when analyzing the logs? Errors and anomalies. More specifically, what exactly are we monitoring for? Errors: if we see, for example, that our web server is generating many error 404 messages, file not found, this is a clear indication that something is broken and we need to go and fix something on the web server. Modifications, more specifically unauthorized modifications: it's not uncommon for attackers to exploit a vulnerability to break into a system and then patch that vulnerability behind themselves after they've installed something like a back door. Therefore, looking for unauthorized patching of a system may be an indication of a breach. And of course, from a security perspective, one of the main things we're monitoring for is if any of our systems have been breached, are being used for cryptocurrency mining, or data exfiltration is occurring, or if we were about to have a bad time with ransomware.

As I mentioned, one of the major challenges is the plethora of devices and systems that can generate log event data across the organization, and the volume of data that can be produced. It is very much the proverbial challenge of looking for the needle in a haystack. Accordingly, we need to use systems that can automate many of the tasks and analysis required for logging and monitoring. These systems are often referred to as SIEM systems: security information and event management systems.

Before we can begin feeding data into a SIEM system, we first need to enable logging on devices across the environment so that we're generating log event data. Something we have to be careful about, though, is limiting log file sizes on these endpoint devices such as firewalls, routers, switches, etc. Many of these devices can generate a lot of data but have very limited onboard storage to store this log event data. We therefore need a couple of methods to limit log file sizes, typically on endpoint devices. Circular overwrite is the idea that you set a maximum log file size of, say, 10 megabytes or 10,000 lines, and then begin writing log data. When the system reaches that maximum, then it will circle back to the top of the log file and begin overwriting until it reaches the max log file size again, and then circles back yet again. Rinse and repeat. Clipping levels are about setting a threshold: below the threshold, log nothing; above the threshold, begin logging. For example, we typically don't care about one or two failed login events; we all mistype our passwords occasionally. But 10 failed login attempts in quick succession, or 50, or 10,000, we definitely care about that: someone is trying to brute force a password. So we could set the threshold at, say, three failed login events. Below three, nothing is logged; above three failed login events within 60 seconds, we start logging.

Another important consideration when generating log data is timestamps. For each log event we need consistent timestamps. We need timestamps in the same format, same year, month, day, in 24-hour clock. This way we can more easily correlate events from different systems because they have consistent timestamps. We also need the clocks in all of our systems across the environment to be synchronized. It's very difficult to trace how an attacker traversed a network if one system's clock is 3 seconds slow, another is 5 seconds fast, and another's date is set to 1979. There's a protocol we can use to synchronize all of our system clocks: NTP, Network Time Protocol.

When a log event is generated on any device in the environment, we want to transmit that data in real time to our SIEM system. Our SIEM system collects and aggregates all this event data from across the environment into one central system. Next, the SIEM system will normalize the data: clean up the event data from disparate systems so that all the data, the variables, are comparable, in the same format, so that the SIEM system can now analyze all the event data that is pouring in to look for the proverbial needle in the haystack. The SIEM system will apply various analysis techniques such as event correlation, statistical models, rules, etc. to look for errors and anomalies. SIEM systems will also retain log event data for long-term storage to enable longitudinal analysis and tracking, and to meet contractual or regulatory requirements for log retention. And finally, when log event data no longer needs to be retained, it can be securely and defensibly destroyed.

Continuous monitoring, or sometimes referred to as continuous security monitoring, CSM, is the process where an organization identifies all of their systems, identifies the risks associated with each system, applies the appropriate controls to mitigate the risks, and then continuously monitors the controls to assess their effectiveness against the ever-changing threat landscape. Obviously a good practice.

All right, and that is an overview of logging and monitoring within Domain 6, covering the most critical concepts that you need to know for the exam. Want to learn three of the most common mistakes people make when preparing for the CISSP exam and, of course, most importantly, how to avoid these mistakes? If the answer is yes, you should check out our free guide here at destcert.com, Three Mistakes to Avoid. Link is in the description below as well.
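The two SIEM steps the video describes, normalizing timestamps from disparate systems into one 24-hour format and then applying a clipping level of three failed logins within 60 seconds, as an added Python example that is not part of the video or Destination Certification's material. The "vpn" and "web" sources, their timestamp layouts, and the log lines are all constructed for illustration, and both sources are assumed to share one time zone with NTP-synchronized clocks.

```python
from datetime import datetime, timedelta
from collections import defaultdict, deque

# Constructed sample records from two hypothetical systems that stamp time
# differently: a VPN gateway using a 12-hour clock and month/day order, and a
# web application using a 24-hour clock and day/month order.
RAW_EVENTS = [
    ("vpn", "01/05/2024 02:02:11 PM", "LOGIN_FAIL user=alice"),
    ("web", "05/01/2024 14:02:13", "auth failure user=alice"),
    ("vpn", "01/05/2024 02:02:40 PM", "LOGIN_FAIL user=alice"),
    ("web", "05/01/2024 14:02:55", "auth failure user=alice"),  # 4th within 60 s
    ("web", "05/01/2024 14:03:05", "auth failure user=alice"),  # 5th within 60 s
    ("vpn", "01/05/2024 02:10:00 PM", "LOGIN_FAIL user=bob"),    # one mistyped password
    ("web", "05/01/2024 14:59:00", "auth failure user=bob"),     # far apart: stays below clip
]

# Each (hypothetical) source's native timestamp layout, used to normalize all events.
TIME_FORMATS = {
    "vpn": "%m/%d/%Y %I:%M:%S %p",
    "web": "%d/%m/%Y %H:%M:%S",
}

def normalize(raw_events):
    """Parse every source's timestamp into one comparable datetime and sort by time."""
    out = []
    for source, stamp, message in raw_events:
        ts = datetime.strptime(stamp, TIME_FORMATS[source])
        user = message.split("user=", 1)[1].split()[0]
        out.append((ts, user, source))
    return sorted(out)

def apply_clipping_level(events, threshold=3, window_seconds=60):
    """Sliding-window clipping level: a failed login is recorded only once the
    user has exceeded `threshold` failures inside the last `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    logged = []
    for ts, user, source in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold:            # above the clip: start logging
            logged.append((ts.isoformat(), user, source))
    return logged

if __name__ == "__main__":
    for entry in apply_clipping_level(normalize(RAW_EVENTS)):
        print(entry)
```

Only alice's fourth and fifth failures are emitted; bob's two isolated mistakes never cross the threshold, which is exactly the noise the clipping level is meant to suppress.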