Effective Log Analysis

July 28, 2013, by | Start Discussion

Log analysis is a responsibility that a secu-rity Analyst need fulfill with at most conviction in all organizations. If our is equipped with security devices like firewall, AV,VPN  which is crucial to the organization and breach in any such devices affects the reputation which indirectly or directly hurts the business. Then by performing Log analysis one can foresee many threats and prevents early attacks. Log analysis helps to find the traffic pattern that is occurring in an organization if there is a deviation in the trend of logs under observation from standard trend then it can be considered as a security Incident and investigation should be done on such traffics. Log Analysis also helps to comply some Regulatory standards like PCI DSS, SOX, GLBA.

Log analysis also enhances and facilitates the development of new security policies and detection vulnerabilities. Storage and management of logs is also very crucial when we need to do a forensic analysis and incident management.

There are many tools available in market to analyze the Logs. Open source tools (http://www.logalyze.com/ and MindTree tool).In today’s world an SIEM is more valuable to an organization rather than a normal other log management solu-tions.SIEM has features of correlation that other solutions don’t have. Some of the SIEM tools that are commonly used are RSA envision,Archsight,Event Tracker, Juniper STRM,Splunk etc.SIEM service provider’s collects logs based on EPS (the no of events collected per second) i.e. higher the EPS value more the number of events it will collect per second. The pricing of these devices varies based on the number of events col-lected per second or based on the number of devices sending logs to the collector or the entire appliance cost.

Storage of logs is also an important feature that we need to consider while dealing with log analysis. All the logs in a network device need to be stored for at least 2years for any investigation. It is not compulsory that all the 2yrs data are available readily it is based cost that can spend on infrastructure and utility and criticality of device. Old logs can be backed up in tape and is securely stored. This type of storage is storage is called off-line storage. When we are in need of the data we can request the backup admin to plugin those tapes for log retrieval.But it should be noted that logs should not be tampered. Segregation of duty control needs to be implemented here. Whenever a legal case happen to come to our environment it is compulsory to provide logs to the court.
Talking about Compliance, out of the 12 requirement of PCI DSS, requirement 10 talk about logging and log management. Logs should be reviewed daily and the integrity of the logs also should be maintained. Here I would like to showcase how we can do log analysis on firewall. Say the firewall we consider is Checkpoint firewall.

First thing we need to do is to monitor all the drop communications in FW.You can filter the SIEM based on Drop packets only. After that you need to see the destination ports of all Dropped communications. When you monitor internal FW you will find only internal IPS as the source IPS.There are some common ports which you will see always while monitoring dropped logs (53,445,161,80,123,389,3268)

Whenever we see many drops to a particular Destination IP with same Destination port we need to investigate why such dropped traffic occurred, this could be some botnet activity that has spread across our network. I have recently come across such an incident where one botnet was spread across 10 machines where our end point security was not able to detect it.During the FW log analysis enormous traffic to port 80 to a single destination IP was dropped which we felts as something suspicious. On detail investigation of that end machines we were able to identify a botnet which is connecting to one C&C Servers.

Above is a sample setup that I have created in lab. is the firewall that we are monitoring using Event tracker (SIEM tool) all the logs are pushed to a logging server and from the logging servers events are pushed to SIEM.So is the event source which we have integrated to SIEM. is an users machine in-fected with a malware which establishes many http connections to a malicious IP.You can check the rating of the websites from (http://safeweb.norton.com/)In this case if we are using an AV which doesn’t have signature for this particular malware, then by analyzing the firewall logs we can see some suspicious activity is happening on the users machine.Once you find the users machine then you can go ahead with the normal static Malware analysis process to find the exe file which is causing such traffics. You can use various tools like Reg-shot, processmonitor, wireshark, hijackthis, rootkit revealer to find the exe file.

By default all firewalls will deny all source-to-destination traffic unless a rule or access list is given to permit traffic. So there is no point in investigating accept logs. But in the meanwhile when you do log analysis on all the successful communication of a URL filtering software you can come across many Websites which your URL filter dare to filter those contents. Your employee can create a website that can be used to host contents and can be used to transfer files from the organization to the outside world.

In this dynamic world, Security threats are changing daily from Phishing mails to a website hack or by logging your manager’s account to apply resignation we must be aware about all the incidents and need to think about its preventive measures.

Ben Abraham has more than 5 years of experience in the field of Information Security and in implementing,auditing and optimizing SIEM solutions to the clients. He also has knowledge in reverse engineering malware to find the behaviour and has carried out ISO27001 audits, PCIDSS, firewall audits and IT security policy development. Ben has got opportunities to work in companies like Mphasis, Infosys and Ernst & Young. He wishes to learn more about various Information Security domain and conduct training in this domain.

Leave a Reply