Most companies generate logs every day, but not all of them review those logs or understand why they matter. Log review is a basic security control that every organization should perform, yet in many cases it is done poorly or not at all. It should be a regular, ideally daily, pass over the log data looking for anomalies. So how do you know whether something is an anomaly? First you need to understand what is normal for your network: the usual volume of events per hour, who logs in from where, and what traffic looks like on an ordinary day. Knowing what normal looks like is what lets you spot the abnormal when it appears.
Things to look for:
- Unauthorized Activity
- Connection Time-outs
- Failed Login Attempts
- Unauthorized Configuration Changes
- Suspicious Traffic Patterns
*These are only some of the abnormalities that you may find in your logs.
Logs can be examined from before and after a suspected attack to reconstruct what happened and where. Watching for spikes in near real time can be the first step in analyzing a potential problem: a sudden surge in failed logins or request volume can indicate an automated attack, such as a brute-force or password-spraying run, or an attempted Denial of Service. A regular review helps you catch these fluctuations so appropriate measures can be taken.
Don’t only focus on spikes! Reviews are also the way to catch drops in log volume. A drop may not look like something to worry about, but it can mean the log is incomplete and data is missing, for example because a source stopped forwarding or a collector ran out of space. Without the full data you have no way to see something that may have occurred. If you troubleshoot an issue without complete log data, you could be missing critical information such as authorization failures, session management failures, and excessive use, to name a few.
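Here is a small, added example of the kind of check described above (it is not code from the original article): it builds an hourly baseline from sshd-style log lines and flags both a spike in failed logins and an hour whose volume collapses. The log lines are constructed inside the script; the host name, user names, the 10.0.0.0/8 client addresses and the 198.51.100.23 "attacker" are all made up. Because every hour in the window is inspected, an hour with no lines at all is reported as a drop rather than silently disappearing from the report, which is exactly the gap a missing log would leave.

```python
"""Hourly log-volume baseline with spike and drop detection.

Added example, not code from the original article. The sshd-style log
lines are constructed below; host names, users and IP addresses are made up.
"""
import random
import re
import statistics
from collections import Counter
from datetime import datetime, timedelta

# Shape of the constructed lines (close to what OpenSSH logs via syslog).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)

START = datetime(2024, 3, 1, 0, 0, 0)   # constructed: first hour of the window
HOURS = 48                              # two days of hourly buckets
GAP_HOUR = 30                           # constructed: shipper down, nothing logged
SPRAY_HOUR = 40                         # constructed: one source hammering accounts
SPRAY_SRC = "198.51.100.23"             # documentation range, not a real attacker


def constructed_log(rng):
    """Generate two days of plausible sshd lines with one gap and one spray."""
    users = ["alice", "bob", "carol", "deploy", "svc-backup"]
    lines = []
    for h in range(HOURS):
        if h == GAP_HOUR:
            continue                    # no lines at all for this hour
        t0 = START + timedelta(hours=h)
        n_ok, n_fail = rng.randint(40, 60), rng.randint(5, 15)
        events = [("Accepted", rng.choice(users), f"10.0.{rng.randint(1, 9)}.{rng.randint(2, 250)}")
                  for _ in range(n_ok)]
        events += [("Failed", rng.choice(users), f"10.0.{rng.randint(1, 9)}.{rng.randint(2, 250)}")
                   for _ in range(n_fail)]
        if h == SPRAY_HOUR:
            events += [("Failed", f"user{i % 60}", SPRAY_SRC) for i in range(300)]
        for i, (outcome, user, src) in enumerate(events):
            t = t0 + timedelta(seconds=rng.randint(0, 3599))
            lines.append(f"{t:%Y-%m-%dT%H:%M:%S} bastion01 sshd[{1000 + i}]: "
                         f"{outcome} password for {user} from {src} port {rng.randint(1024, 65535)}")
    return lines


def hourly_buckets(lines):
    """Count total and failed events per hour, plus failed logins by source."""
    buckets = {}
    unparsed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1               # a rising unparsed count is itself worth a look
            continue
        hour = datetime.fromisoformat(m["ts"]).replace(minute=0, second=0)
        b = buckets.setdefault(hour, {"total": 0, "failed": 0, "failed_src": Counter()})
        b["total"] += 1
        if m["outcome"] == "Failed":
            b["failed"] += 1
            b["failed_src"][m["src"]] += 1
    return buckets, unparsed


def find_anomalies(buckets, start, hours, spike_factor=5.0, drop_factor=0.2):
    """Flag hours far above (spike) or below (drop) the median of the window.

    The median is used as the baseline because a single noisy hour would
    drag a mean upward and hide the very spike we are looking for.
    """
    empty = {"total": 0, "failed": 0, "failed_src": Counter()}
    window = [start + timedelta(hours=h) for h in range(hours)]
    med_total = statistics.median(buckets.get(t, empty)["total"] for t in window)
    med_failed = statistics.median(buckets.get(t, empty)["failed"] for t in window)
    findings = []
    for t in window:
        b = buckets.get(t, empty)
        if b["failed"] > spike_factor * med_failed:
            src, n = b["failed_src"].most_common(1)[0]
            findings.append({"kind": "spike", "hour": t.isoformat(), "failed": b["failed"],
                             "median_failed": med_failed, "top_src": src, "top_src_failed": n})
        elif b["total"] < drop_factor * med_total:
            findings.append({"kind": "drop", "hour": t.isoformat(), "total": b["total"],
                             "median_total": med_total})
    return findings


def run_demo():
    """Run the whole pipeline on the constructed log; returns (findings, unparsed)."""
    buckets, unparsed = hourly_buckets(constructed_log(random.Random(7)))
    return find_anomalies(buckets, START, HOURS), unparsed


if __name__ == "__main__":
    findings, unparsed = run_demo()
    print(f"unparsed lines: {unparsed}")
    for f in findings:
        print(f)
```

Run as a script, it reports the empty hour at 2024-03-02T06:00 as a drop and the hour at 16:00 as a spike with 198.51.100.23 as the dominant source. Against real data the same two thresholds need tuning per log source and per time of day (a quiet Sunday 03:00 is not a gap), and the unparsed counter deserves its own alert, since a format change or a broken forwarder shows up there first.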
Whether done manually or with the help of software, regular reviews can catch intrusion attempts, misconfigured equipment, compliance drift, or malicious activity early enough for the company to act on them.