The following is part two of a two-part series on security log data analysis. Part one discussed the importance of log monitoring and analysis. Part two below will help you make sense of log data.
Log data is a valuable and essential tool in managing computer or network security. The ability to proactively monitor log data for signs of suspicious activity or analyze log data in the event of a security incident is invaluable.
The first step is to ensure that your systems and equipment are properly configured to audit and log events to begin with. Assuming that log data is being captured and stored, you need an effective process for regularly reviewing and analyzing the data. The following tips will help guide you and ensure that you get the most effective and efficient use of your log data.
1. Review log data regularly
While log data is exceptionally useful as a forensic tool after a security incident occurs, analyzing that same log data on a regular basis might have prevented the incident in the first place.
A process should be in place to define the frequency for reviewing and analyzing log data that has been collected. Periodic analysis of the mountains of log data collected by various applications and devices throughout the network can help identify and troubleshoot issues, and possibly detect attacks as they are occurring.
2. View log data with an open mind
A common mistake when analyzing log data is to specifically seek out known bad events or log entries. Much of the value in the log data, however, is in the seemingly good or normal entries. By viewing the log entries with an open mind you may catch patterns or signs of suspicious activity that might be missed if you only look for bad information.
Any number of emerging threats or custom attacks could slip by unnoticed through a log review that was focused only on finding known malicious activities.
3. Look at the data through a single lens
Devices and applications throughout the network will collect log data. Unfortunately, there is no universally accepted format or methodology for how to log and display event information.
In order to compare apples to apples, some sort of transformation, typically referred to as "normalizing" the data, has to occur. Once the data is boiled down to its common components, it becomes much easier to analyze the network as a whole rather than as separate entities, and it can enable better prioritization for handling or responding to issues that are detected.
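As an added illustration of the normalization step described above (example code, not from the original article), the Python below maps two constructed log formats, an sshd syslog line and a simplified CSV export of Windows logon events, onto one common schema so that events from both sources can be placed on a single timeline and prioritized together. The syslog year and the CSV column layout are assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timezone
# Constructed sample lines in two formats (not captured from a real system).
SYSLOG_LINES = [
    "Mar  1 10:00:01 gw01 sshd[2210]: Failed password for alice from 10.0.0.5 port 51022 ssh2",
    "Mar  1 10:00:03 gw01 sshd[2211]: Accepted password for carol from 10.0.0.9 port 51040 ssh2",
]
# Constructed CSV export of Windows Security logon events: time,host,event_id,user,source_ip
WIN_LINES = [
    "2024-03-01T10:00:02Z,WINHOST1,4625,bob,10.0.0.5",
    "2024-03-01T10:00:04Z,WINHOST1,4624,bob,10.0.0.5",
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<ip>\S+)"
)

def normalize_syslog(line, year=2024):
    """Map one sshd syslog line to the common schema; syslog omits the year, so it is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unrecognised line: skip rather than guess
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "host": m["host"], "user": m["user"],
            "src_ip": m["ip"], "outcome": "failure" if m["outcome"] == "Failed" else "success",
            "origin": "syslog"}

def normalize_windows(line):
    """Map one CSV Windows logon event to the common schema (4624 = success, 4625 = failure)."""
    parts = line.strip().split(",")
    if len(parts) != 5:
        return None
    ts, host, event_id, user, ip = parts
    outcome = {"4624": "success", "4625": "failure"}.get(event_id)
    if outcome is None:
        return None  # not a logon outcome event
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "host": host,
            "user": user, "src_ip": ip, "outcome": outcome, "origin": "windows"}

def normalize_all(syslog_lines, win_lines):
    """Return all recognised events from both sources in one timeline, ordered by timestamp."""
    events = [normalize_syslog(l) for l in syslog_lines] + [normalize_windows(l) for l in win_lines]
    return sorted((e for e in events if e is not None), key=lambda e: e["ts"])

def failures_by_source(events):
    """Count failed logons per source address across all origins, for prioritising follow-up."""
    return Counter(e["src_ip"] for e in events if e["outcome"] == "failure")
```

Once both sources share the schema, the same source address showing failures against both the gateway and the Windows host becomes visible in one count, which neither log would reveal on its own.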
Log data is tough to get a handle on. It contains precious diamonds of information, but you have to dig through a lot of dirt to find the diamonds. The sheer volume of log data makes using it effectively a seemingly insurmountable challenge. There are tools, such as Security Event Manager (SEM) applications, that can help sift through the data, but such tools will prove useless without a defined process for how to use the log data along with trained personnel who can effectively analyze and respond to information found in the log data.
About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the About.com Guide for Internet/Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.
More information from SearchWindowsSecurity.com
Tip: Get help setting up effective log monitoring and analysis in part one