Do you log all critical events?  Do you archive them somewhere?

The best practice for maintaining log data integrity is to centrally store all pertinent log data somewhere isolated from your network. In the event of an intrusion or a malicious insider attack, the logs that are accessible to the intruder can and will be wiped or modified in an effort to “cover their tracks”. In the event of a system crash, your logs will have already been exported. The best way to protect against this is to have a real-time log receiver on a hardened and isolated system. With the help of an agent or minor configuration change, the copied logs are already safe and secure from tampering. Keeping your logs together in a single repository is the foundation for proper Log Management.

Who’s reviewing your logs?

In a security-focused IT environment, log files should be reviewed regularly to identify anomalies and ensure systems are secure. Although many groups assign this to newbies, this is not the job for an IT novice. In order to actually identify anomalies, the log analyst needs to be well versed in what to expect when reading these logs. That would mean a highly educated and very experienced resource needs to analyze this data.  In any enterprise, this would be an expensive resource to allocate to this job. This is where a proper Security Information and Event Management system comes into play. With a properly configured, full featured, SIEM system, you always have a knowledgeable resource analyzing your log files. Furthermore, this analysis happens instantly. There is no review step afterwards to identify an issue. A brute force attack is launched on your internal systems at 1:00AM means you’re being notified at 1:00AM about the situation.

React or Research

If you know, immediately, that something is happening, you can react accordingly. Perhaps you disable the network on the machines being attacked. In addition, you disable the specific credentials being targeted. Maybe you identify a specific source IP and block the source. In any case, you have an opportunity to prevent major damage or data loss. After successfully neutralizing the attack and mitigating the risk caused by it, you triumphantly deliver an incident report to the executive team summarizing the incident and how it was stopped before any damage occurred.

If you don’t know about the situation until 9AM, after a thorough log review, you’re doing research. The damage is done and, now, you get to figure out what was lost, if anything. You shore up any vulnerabilities exploited by the attack and remove any compromised systems from your network. After you’re confident the immediate risk is reduced, you nervously await the response to the incident report you’re about to deliver to the executive team. The first question from them will probably be, “How can we prevent this from happening in the future?” The simple answer is a SIEM solution.