Log Data - CompTIA Security+ SY0-701 - 4.9

00:01

We store a massive amount of security related information

00:05

in log files contained in servers, devices,

00:08

and other components on our network.

00:11

Those log files contain information such as the traffic

00:14

flows that were blocked and the traffic

00:15

flows that were allowed.

00:17

We can get a list of exploit attempts,

00:19

especially from intrusion prevention devices.

00:22

We might want to see what categories of URLs

00:25

may be blocked on a particular user's workstation.

00:28

And we can see DNS sinkhole traffic,

00:30

which could point to some type of malicious process occurring

00:33

within our own network.

00:35

This allows us to document every traffic flow

00:38

on the network, where we can provide information

00:40

on what attacks may be occurring,

00:42

and we can correlate that information

00:44

with other logs contained in other devices.

00:48

One of those devices that contains an amazing amount

00:51

of detail about the traffic on our network

00:53

is the firewall log.

00:55

Our firewalls are often monitoring all traffic

00:58

that goes from the inside to the outside of our network and vice

01:01

versa.

01:02

And from there, we can get information

01:04

about the source and destination IP addresses associated

01:07

with those traffic flows.

01:08

We can see what port numbers are being used.

01:11

And we can see what the firewall does with those traffic flows.

01:14

Does the firewall allow the traffic flow to proceed?

01:17

Or is that traffic flow blocked on the firewall?

01:20

If you're using a Next Generation Firewall, or NGFW,

01:24

you can also get information about the applications

01:27

that are in use.

01:28

These next generation firewalls are also

01:30

very good at providing feedback on URLs

01:32

or URL categories that are being used.

01:35

And they may also be able to point us

01:37

to suspicious data or any anomalies

01:39

with the information within these traffic flows.

01:42

Here's a view of firewall logs from a next generation

01:45

firewall.

01:46

Each one of these lines is a separate flow

01:49

of traffic traversing the network.

01:50

Each one of these traffic flows contains the time and date

01:53

of the traffic flow, the source IP address,

01:56

and in the case of this firewall,

01:57

the MAC address that received that data.

02:00

You can also see the destination IP

02:01

address and the application that is used for this traffic flow.

02:05

And then you finally get to see the disposition, or result

02:08

of this traffic flow whether it was

02:10

accepted through the firewall or whether it was blocked.

02:14

The applications that we use can also

02:16

create log files that may be very useful when

02:19

analyzing security events.

02:21

This might include information from the Windows Event Viewer

02:24

log, specifically the application log

02:27

section of the Event Viewer.

02:29

If you're using Linux or Mac OS, you can look in the /var/log

02:33

directory.

02:34

And all of this information would probably

02:36

be rolled up into one single security information and event

02:40

manager, or SIEM.

02:42

And all of this information can then

02:44

be filtered out or viewed in different ways inside

02:47

of the SIEM itself.

02:49

You may not realize it, but the endpoint devices

02:52

you're using also contain a great deal of log detail.

02:55

If you're using a laptop, a desktop, a phone, a tablet,

02:58

or any other endpoint device, there

03:01

is an extensive amount of log information available.

03:04

For example, you may be able to view information on log

03:06

in and log off events.

03:08

Maybe there's information on system events or processes

03:11

running on that endpoint.

03:13

And there might be details about the management of the device,

03:16

such as password changes or lock outs.

03:18

And you can also view information

03:20

on any directory services.

03:21

All of these endpoint logs can also be rolled up to a SIEM

03:25

so that you can then parse out that data

03:27

and view different correlations between what's

03:29

happening on the endpoint, what's happening

03:31

on the network, and any other devices that you

03:34

may be monitoring.

03:35

Once you have all of this endpoint log

03:37

information in the SIEM, you can now

03:39

start comparing and correlating that data against log

03:42

file information from other devices.

03:44

So you can track each step of the way

03:47

for a particular traffic flow or a potential security event

03:51

inside of the SIEM, all by consolidating these log

03:54

files together into one single source.

03:57

There's also an extensive amount of security information stored

04:01

in the operating systems themselves.

04:03

Many operating systems keep a log

04:05

file associated with security events.

04:07

So you can monitor individual applications.

04:10

You can see if there are brute force attacks or any changes

04:13

to critical system files, and anything

04:15

relating to authentication is usually also stored

04:18

in these security log files.

04:20

This log file information inside the operating system

04:23

may be able to provide you with a heads up

04:25

of any type of security events.

04:27

For example, this log file might show that a particular service

04:30

was disabled.

04:31

And that service is not one that would normally be manually

04:35

disabled by the administrator.

04:36

That single log file event may cause a security alert

04:40

to be generated, and you may be able to stop a particular event

04:44

from occurring just by monitoring this log data.

04:47

As you can imagine, we are collecting a very large amount

04:50

of data across all of our systems.

04:53

And so we may not want to send all of our log information

04:56

into a SIEM, but instead, only send the information

05:00

that's important for us to be able to make security

05:02

decisions.

05:04

Another great place to gather information

05:06

is from IPS or IDS events.

05:08

This would be associated with intrusion prevention systems

05:11

or intrusion detection systems.

05:13

These days, we don't tend to use standalone IPS or IDS systems.

05:18

Instead, that functionality is often

05:20

built into a next generation firewall.

05:22

An IPS log is going to provide information

05:25

about known vulnerabilities or known types of attacks.

05:28

So it might look something like the log

05:30

file I've taken from an open source IPS called Snort.

05:34

In this IPS, we have a timestamp.

05:37

It shows us the class of the alert,

05:39

and it tells us that it's a possible denial

05:41

of service attack, specifically a SYN flood attack.

05:45

It has a priority inside the IPS of two.

05:48

It gives us a source IP address, a source port number,

05:51

and a destination IP address and destination port number.

05:55

We can now take all of these individual events

05:58

and also roll those up into our SIEM

06:00

so that we can now start extracting and correlating

06:03

this data with all of the other devices on our network.

06:07

There's also a great deal of log information

06:10

we can gather from our network infrastructure devices.

06:13

This might include our switches, our routers,

06:16

our wireless access points, or even VPN concentrators.

06:19

These log files can identify any changes

06:21

that might occur to any of our routing tables.

06:24

We might be able to identify authentication errors that

06:27

are occurring to someone trying to gain access to a switch

06:30

or to a router.

06:31

And we might also be able to identify

06:33

other types of attacks that are occurring on the network.

06:36

For example, in this log, we can see

06:39

there is an informational entry that

06:41

shows a TCP SYN attack was identified on port gigabit

06:45

eight.

06:45

And we can see that the TCP SYN traffic destined

06:48

to the local system has been automatically blocked

06:52

for 60 seconds.

06:54

Sometimes, you can gather important information

06:57

that is contained within the documents that were

06:59

transferring over the network.

07:01

Stored inside of the documents that we are often

07:03

creating in our word processors, our spreadsheets, our graphics

07:07

programs, and others is information that

07:10

describes that particular file.

07:12

For example, if you're reading an email in your email client,

07:15

you don't often see the large amount of metadata

07:18

that's stored within the header of that email.

07:20

But if you ask your email client to show you the entire email

07:23

document, you can often see information

07:26

that's hidden within the email headers, things

07:28

such as the servers that sent the email or the addresses that

07:31

were specified as the destination.

07:34

You can also see this if you look

07:36

at the description of pictures taken with a mobile device.

07:39

You may be able to tell what mobile device was used

07:41

and even information about the GPS

07:44

coordinates that were associated with this location

07:47

of the picture.

07:48

There's even metadata in the browsers that we're using,

07:50

things like the operating system that we're using,

07:53

the browser type, or the IP address that you're using.

07:56

And if you look at the metadata that's inside

07:58

of a word processing document or a spreadsheet,

08:00

you may find information on the person that

08:02

created that document, their address, their phone number,

08:05

and perhaps their title.

08:07

To give you an idea of what some of this metadata

08:09

might look like, let's look at the header of an email message.

08:13

You can see there is extensive information

08:15

in this email header including the IP addresses

08:18

that this message was received by.

08:20

We can see SPF information, other details about signatures

08:24

and information that can help you determine where this email

08:27

message originated, and the process

08:29

that it used to be transferred into your inbox.

08:33

If you're performing vulnerability scans

08:35

on your network, then you're creating an extensive amount

08:38

of log information.

08:39

This is going to give you details

08:41

about what this vulnerability scam was able to identify.

08:45

For example, it may identify devices

08:47

on your network that don't have a firewall configured.

08:49

There may be no antivirus on that device or anti-spyware.

08:53

And we're able to identify that in the logs

08:56

of our vulnerability scans.

08:58

We might also be able to identify

09:00

devices that are misconfigured.

09:01

For example, there may be shares that

09:03

are available that you can access

09:05

without using any type of username or password.

09:08

Or perhaps there's an operating system

09:10

that has the guest access turned on when

09:13

the best practice for your organization

09:14

might be to completely disable all guest accounts.

09:18

And of course, once you update the signatures inside

09:21

of your vulnerability scanner, it

09:23

can identify any operating systems or applications

09:26

which may have known vulnerabilities

09:28

that need to be patched.

09:29

Here's a summary of the results from a vulnerability scan.

09:33

This log information shows that there are certain operating

09:35

systems that were running on our network that are currently

09:38

unsupported.

09:39

And there might even be NFS shares

09:41

that are on our network that are readable by anyone

09:43

in the world.

09:45

As you've probably seen already, there

09:47

is an extensive amount of log information

09:50

that you would need to go through

09:51

to be able to find details hidden within all of this data.

09:55

Fortunately, most SIEMs have the ability

09:57

to create a set of automated reports.

10:00

This may be a feature that is built into the SIEM itself,

10:03

or you may be able to use a third party report

10:06

generator to simply access the information that is currently

10:09

stored in the SIEM.

10:10

Of course, these reports aren't very valuable

10:13

unless someone actually reads them.

10:14

And one stumbling block that many organizations will find

10:18

is they will create these automated reports,

10:20

but then simply ignore them when they arrive in their inbox.

10:24

This might also take a bit of finesse

10:26

to be able to find the right mix between the type of report

10:30

that you need and the amount of time

10:32

that it takes to create that report.

10:34

When you have a SIEM that may contain terabytes and terabytes

10:37

of data, it may take an extensive amount

10:39

of processing power just to create a single report.

10:42

So you may need to be very specific about the reports

10:45

that you'd like to generate so that you can create them

10:48

as efficiently as possible.

10:51

Instead of waiting for a day or two

10:53

to receive reports that are generated by the SIEM,

10:56

it might be useful to have a summary of information

10:59

that you could view at a glance.

11:00

This is often available through a dashboard.

11:03

Many SIEM and other security devices

11:06

allow you to customize a screen, containing

11:08

information that will be important to review

11:10

at a glance.

11:11

These dashboards may be customizable,

11:14

or there might be predefined dashboards

11:16

built into the SIEM itself.

11:18

This is often the type of data that's

11:19

useful to see at a glance or on the main screen

11:23

of your security operations center.

11:25

This commonly doesn't show long-term information primarily

11:29

because it takes such a long amount of time

11:31

to be able to compile all of that data together.

11:33

The dashboard is designed to give you something

11:35

that you can view instantly and get an understanding of how

11:39

the current status might be.

11:40

For example, you can see a breakdown of the system itself,

11:44

any active firewall rules, you can

11:46

see warnings that have come through,

11:48

and information about users and devices

11:50

that might be on the network.

11:52

One of the best places to gather data on your network

11:56

is from the network itself.

11:58

Being able to analyze the packets going over the network

12:01

can give you a great deal of insight into the operations

12:04

of the networking equipment, the applications, and any security

12:08

issues.

12:08

This may require that you use a third party

12:11

utility, such as the Wireshark utility that we see here.

12:14

This may be able to provide you with the ability

12:17

to capture data that's running across the wired network

12:19

and the wireless network.

12:21

And in some cases, devices like switches, routers, or firewalls

12:25

may have the ability to capture packets inside

12:28

of those devices themselves.

12:30

These captures give us detailed information about traffic flows

12:34

at the packet level.

12:36

Everything going across the network is captured,

12:38

and that allows us to analyze every bit and byte that's

12:41

transferred over the network.

12:43

The Wireshark summary view here in the top pane

12:46

shows a packet by packet breakdown of everything that's

12:49

being sent over the network.

12:51

You can see the highlighted frame is one that's

12:53

being sent as HTTP traffic.

12:55

And you can see the GET command is written inside of the packet

12:59

capture itself.

13:00

You can then see all of the following packets that

13:03

describe the transfer of this file that was requested

13:06

with the GET command.

13:07

The bottom half of the screen is the detail pane.

13:10

This provides us with a breakdown

13:12

of everything highlighted in that single frame

13:15

at the top of the page.

13:16

In this case, we can see the ethernet data.

13:19

We can see what's involved in the IPv4 header.

13:22

We have details about the TCP header.

13:24

And then we have the HTTP data itself

13:27

being shown all in that detail view.