Best Practices: Security Log Mgmt & Compliance Webinar
Andy Milford, WhatsUp Event and Syslog Management Lead Engineer
Rich Makris, Sales Engineer
Where Are We Headed Today?
1. Log Management in a Nutshell
2. Compliance Initiatives
3. Log Management Best Practices
4. See our WhatsUp Event Log Management Capabilities in Action
5. Q&A
Log Management in a Nutshell
What are event logs?
On a Windows network, an event is a recorded action, and a grouping or listing of such records is an event log (stored on disk as an event log file with the extension .EVT or, on Windows Vista and later, .EVTX).
The action itself can be as simple as a successful (or failed) print job by someone at their machine in an office, or a successful (or failed) logon by a computer user.
The Microsoft Windows platform generates event logs in several categories: Application, System, Security and, on domain controllers, DNS Server, Directory Service and File Replication Service. Additionally, Microsoft Internet Information Services (IIS) writes its own text-format request logs; these are not event logs, but they are usually collected alongside them.
Why is event log and syslog management such a big deal?
Behind the scenes every day, computer networks across the globe generate records of the events that occur. Some are routine. Others are indicators of a decline in network health or of attempted security breaches.
A log management strategy that includes event log and syslog monitoring is essential for rapidly detecting and neutralizing threats both inside and outside the perimeter.
Log Management in a Nutshell (cont.)
What is syslog?
Syslog is the standard logging facility and message protocol of UNIX and GNU/Linux systems (originally documented in RFC 3164, later standardized in RFC 5424). It carries the messages and errors generated by the operating system and its services, and it is also the format that most network hardware, such as routers, switches and firewalls, uses to send its logs to a central collector.
Compliance Initiatives
Sarbanes-Oxley
Gramm-Leach-Bliley (GLBA)
FISMA
HIPAA
NISPOM
PCI
Massachusetts Privacy Law – MA 201 CMR 17
NERC CIP
MiFID (applies across the European Union, not only the Eurozone)
Even if you don’t have to meet compliance standards, log management is critical for network security.
Best Practices Overview
• Enable audit policy categories – configure which events to record
• Log data collection – automatically consolidate event records centrally; utilize both flat file formats and database storage
• Event monitoring – generate rapid alerts as needed; which criteria should you alert on, and how?
• Generating reports for key stakeholders: auditors, security/compliance officers and management teams – types of reports, scheduling and distribution
• Auditing log data – centralized log analysis; ad-hoc forensics
Best Practices: Windows Audit Policies
Configure which events to record in your security event logs
• Account Logon Events (Windows 2000 and later only) – record credential validation for domain accounts; these events are written on the domain controller that authenticates the account, not on the workstation the user sits at
• Account Management – track changes to users, groups and computer accounts on domain controllers, member servers and workstations
• Directory Service Access (Windows 2000 and later only) – track access to and changes of other objects in the directory, such as contacts; only directory objects that carry an audit (SACL) entry produce events
• Object Access – track access to and changes of key files and folders on file and application servers; enabling the category alone records nothing, you must also place audit (SACL) entries on the files and folders you care about
Best Practices: Windows Audit Policies Continued
• Logon Events – trail logons (interactive, network, service and so on) by both domain and local accounts on the machine where the logon occurs; failed logon events let you monitor attempts to reach systems or resources an account is not authorized for
• Policy Change – major changes to the policies governing account lockouts, password requirements and user rights, and even changes to the audit policy itself made by administrators (super-users), are recorded in the event logs
• System Events – records when the system is shut down and restarted, as well as when an administrator clears the security event log (event ID 517 on Windows 2000/XP/2003, event ID 1102 on Windows Vista and later)
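The audit categories above can be turned on without touching the GUI. The following is an added example written for this page, not code from the webinar or from the WhatsUp products: it uses auditpol.exe (built into Windows Vista / Server 2008 and later) to enable success and failure auditing for every category the slides list, verifies the result, and then adds the SACL entry that Object Access needs before it records anything. The share path is an assumption.

```powershell
# Added example (not from the webinar): enable the audit categories listed above
# with auditpol.exe. Run from an elevated PowerShell prompt. On Windows
# 2000/XP/2003 the same settings live under Local Security Policy > Audit Policy.

# Legacy (top-level) category names exactly as auditpol accepts them.
$categories = @(
    'Account Logon',       # credential validation, written on the DC for domain accounts
    'Account Management',  # user / group / computer account changes
    'DS Access',           # Directory Service Access
    'Object Access',       # files and folders (needs SACL entries as well, see below)
    'Logon/Logoff',        # Logon Events
    'Policy Change',       # audit policy, lockout, password and user-rights changes
    'System'               # shutdown / restart, security log cleared
)

foreach ($category in $categories) {
    # Success and failure for everything to start with; noisy categories such as
    # Object Access can be throttled back to failures only once you see the volume.
    $out = & auditpol.exe /set /category:"$category" /success:enable /failure:enable 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for '$category': $out"
    }
}

# Verify: every category should now report 'Success and Failure'.
& auditpol.exe /get /category:*

# Object Access only produces events for objects that carry an audit (SACL) entry.
# Audit successful and failed writes/deletes by Everyone on a share root, inherited
# by everything below it. The path is an assumption for this example.
$target = 'D:\Shares\Finance'
if (Test-Path $target) {
    $acl  = Get-Acl -Path $target -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList 'Everyone', 'Write,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $target -AclObject $acl   # requires SeSecurityPrivilege (administrator)
}
```

One caveat when you check the result: as soon as any advanced audit policy subcategory has been configured (through Group Policy or `auditpol /set /subcategory:...`), the subcategory settings override the top-level category settings shown here and in Local Security Policy, so always confirm with `auditpol /get /category:*` rather than with the GUI.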
Best Practices – Log Data Collection
Consolidate event records centrally
• Automatically gather log records in near real time or on a scheduled basis from devices, servers and workstations
• Keep your data for years for auditing purposes
• Keep your log data in two formats:
  − As database records – fast, centralized reporting and analysis
  − As compressed flat files – for longer-term storage (e.g. 7+ years)
TIP: Keep an active working set of log data in a DB (often 60 to 90 days), and the rest as a set of flat files. Look for a tool that will let you rapidly re-import older saved log files back into your database should they ever be needed (e.g. in the event of an audit). Record a hash of each archived file at the moment it is written, so you can later show an auditor that the file has not been altered since collection.
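What the two-tier store looks like as a scheduled job on a server, as an added example for this page (not the webinar's or the product's own code): the Security log is backed up and cleared in one operation with wevtutil.exe, hashed, compressed for the long-term tier and copied to a central share, while the uncompressed .evtx is left for the database import. The directory paths, share name and retention handling are assumptions; the commands themselves are built into Windows Vista / Server 2008 and later, with Get-FileHash needing PowerShell 4 and Compress-Archive PowerShell 5.

```powershell
# Added example (not from the webinar): backup-and-clear the Security log into a
# staging directory, hash it, compress it and ship it to the central archive.
# Run as a scheduled task under an account with administrator rights.

$LogName     = 'Security'
$LocalStage  = 'C:\LogArchive\stage'                            # assumption
$CentralRoot = '\\logcollector\archive\' + $env:COMPUTERNAME    # assumption
$Stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'
$Backup      = Join-Path $LocalStage "$LogName-$Stamp.evtx"
$SumsFile    = Join-Path $LocalStage 'SHA256SUMS'

New-Item -ItemType Directory -Force -Path $LocalStage, $CentralRoot | Out-Null

# Back up and clear in ONE call so no record can be written between "export"
# and "clear" and then lost. The backup file is created by the Windows Event Log
# service, so give it a local path (not a mapped drive or UNC share) and copy it
# afterwards. The path must not already exist; the timestamp guarantees that.
& wevtutil.exe cl $LogName /bu:"$Backup"
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
    throw "wevtutil backup of $LogName failed (exit code $LASTEXITCODE)"
}

# Hash before the file leaves the host, so later integrity checks compare
# against a value captured at collection time.
$hash = (Get-FileHash -Path $Backup -Algorithm SHA256).Hash
"$hash  $(Split-Path $Backup -Leaf)" | Out-File -Append -Encoding ascii $SumsFile

# Long-term tier: compressed copy plus the running hash list on the collector.
$zip = "$Backup.zip"
Compress-Archive -Path $Backup -DestinationPath $zip -Force
Copy-Item -Path $zip -Destination $CentralRoot
Copy-Item -Path $SumsFile -Destination $CentralRoot -Force

# Working-set tier: the uncompressed .evtx stays in $LocalStage for the database
# import job (the 60-90 day set); delete it only after that import reports success.
# The archived file can be re-read at any later time, e.g. for an audit, with:
#   Get-WinEvent -Path $Backup -MaxEvents 10
```

Before trusting the job, verify the last archive by hand once: expand the zip, run `Get-FileHash` on the .evtx and compare with the line in SHA256SUMS, then open it with `Get-WinEvent -Path` to confirm it is readable on the machine where audits will actually be performed.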
Best Practices: Event Monitoring & Alerts
• Each defined event should be polled at a regular interval and will generate an alert or notification when an entry of interest is detected
• Key to securing your network and initiating rapid response processes
TIP: If you are establishing your event monitoring for the first time, it may be better to start by alerting on more events and then throttling back as needed.
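A minimal polling monitor of the kind the slide describes, as an added example written for this page (not code from the webinar or the WhatsUp products). Each run looks only at Security events newer than the previous run, alerts immediately on a short list of high-value event IDs (log cleared, audit policy changed, accounts created, group membership added), and raises a second kind of alert when failed logons for a single account exceed a threshold within the polling window. The SMTP host, mail addresses and file paths are assumptions; the event IDs are the standard Windows Vista / Server 2008 and later ones.

```powershell
# Added example (not from the webinar): poll the Security log, alert on events of
# interest, and keep state so successive runs neither overlap nor leave gaps.
# Schedule it every few minutes under an account that can read the Security log.

$StateFile  = 'C:\ProgramData\LogMonitor\last-poll.txt'   # assumption
$Threshold  = 5                                            # failed logons per account per poll
$SmtpServer = 'smtp.example.internal'                      # assumption
$From       = 'logmonitor@example.internal'                # assumption
$To         = 'soc@example.internal'                       # assumption

# Events that warrant an alert on their own (Vista/2008+ IDs).
$Critical = @{
    1102 = 'Audit log was cleared'
    4719 = 'System audit policy was changed'
    4720 = 'User account created'
    4728 = 'Member added to security-enabled global group'
    4732 = 'Member added to security-enabled local group'
}

function Get-DataField($Evt, $Name) {
    # Read a named EventData field from the event XML; works for any event ID
    # without depending on the positional Properties[] layout.
    $xml = [xml]$Evt.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Send-Alert($Subject, $Body) {
    Write-Warning "$Subject`n$Body"
    # Send-MailMessage is the built-in option; replace with your ticketing/SIEM API.
    try { Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $Subject -Body $Body }
    catch { Write-Warning "mail failed: $_" }
}

# Polling window: from the end of the last run, or the last 15 minutes on first run.
$since = if (Test-Path $StateFile) { [datetime](Get-Content $StateFile) } else { (Get-Date).AddMinutes(-15) }
$now   = Get-Date

# Get-WinEvent raises a terminating error when nothing matches; SilentlyContinue
# turns "no events" into an empty result instead of a failed run.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    ID        = @(4625) + @($Critical.Keys)
    StartTime = $since
    EndTime   = $now
} -ErrorAction SilentlyContinue

# One alert per critical event.
foreach ($e in $events | Where-Object { $Critical.ContainsKey($_.Id) }) {
    Send-Alert "[$env:COMPUTERNAME] $($Critical[$e.Id]) (ID $($e.Id))" ("$($e.TimeCreated)`n" + $e.Message)
}

# Failed logons (4625; requires failure auditing on Logon Events): group by target
# account and alert on bursts, which usually mean password guessing or a service
# running with a stale password.
$events | Where-Object { $_.Id -eq 4625 } |
    Group-Object { Get-DataField $_ 'TargetUserName' } |
    Where-Object { $_.Count -ge $Threshold } |
    ForEach-Object {
        $sources = ($_.Group | ForEach-Object { Get-DataField $_ 'IpAddress' } | Sort-Object -Unique) -join ', '
        Send-Alert "[$env:COMPUTERNAME] $($_.Count) failed logons for '$($_.Name)' since $since" "Source addresses: $sources"
    }

# Persist the window end so the next run starts exactly here.
New-Item -ItemType Directory -Force -Path (Split-Path $StateFile) | Out-Null
$now.ToString('o') | Set-Content $StateFile
```

The "alert on more, then throttle back" advice from the tip maps directly onto `$Critical` and `$Threshold`: start with a long ID list and a low threshold, watch what fires during a normal week, and only then remove IDs or raise the threshold. Keep 1102 in the list permanently; a cleared Security log is never routine.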
Best Practice: Reporting for Security & Compliance Officers
Some questions to ponder during your evaluation process
• What report formats are available?
• Can you quickly access pre-canned reports and create custom reports as needed?
• Are you tied to a particular reporting format? Will HTML and the availability of that HTML report to multiple users play a role?
• Can customized filters be easily recalled for repeat use?
• From what data sources can reports be generated? Do those sources include EVT, EVTX, CSV, Microsoft Access, and ODBC databases?
Best Practice: Reporting for Security & Compliance Officers
• Manually sifting through log files to locate relevant information for auditors and management is tedious.
• Log data should be collected and indexed within a central repository such as a database, so that reporting on trends and other key categories of activity becomes much more manageable.
• A solution should provide predefined and configurable search and filtering capabilities out of the box. In addition, pre-built reports that correspond to categories of activity sought after by auditors should be available. Basic “IT search” is not enough.
Auditing Log Data
• The old Event Viewer is a tedious way to spot-check log files. In a network of any size, you must be able to schedule recurring reports that quickly show trends and display consolidated event activity of interest for management. Hence the importance of a central database log repository.
• The shift from the .EVT to the .EVTX format: EVTX logs generated by Windows Vista and later operating systems cannot be opened in Event Viewer on Windows XP and older operating systems. Complications caused by the format change can be eased by your choice of log reporting and reviewing tools.
Auditing Log Data- Central Log Viewing
• Tools used for the spot-checking of individual log files, in the case of casual review or during a specific audit, must have comprehensive support for both the EVT and EVTX log format, regardless of the operating system where said tool is installed. Different field structures between logging formats and other transformations should be performed automatically to aid the administrator.
• Furthermore, log data should be automatically grouped into related sections, with event identifier codes translated into human readable explanations.
Auditing Log Data- Ad hoc forensics
A Modular Approach to Log Management
Four titles comprise our patented Total Event Log Management Suite:
These tools are modular – they work well independently or together.
A Modular Approach to Log Management
And, our approach is agent-optional. This provides a level of flexibility that most other packages simply can’t, because...
Automate Log Collection with WhatsUp Event Archiver
Automatically collect log files with Event Archiver.
Log files are then consolidated automatically in a database – we recommend Microsoft SQL Server, though Oracle is also supported.
Automating collection eliminates the manual process of “clearing” and moving log files. This translates into a quick return on investment.
Event-Based Monitoring with WhatsUp Event Alarm
Monitor event log data and notify in near real time with Event Alarm.
The WhatsUp Event Alarm Listener Console also provides a comprehensive, console-based view of pertinent events in real-time.
Gives you event-based monitoring. WhatsUp Gold customers are already seeing the value in having this alongside existing system and performance monitoring.
Report on Log File Data with WhatsUp Event Analyst
Filter and report on event log data with Event Analyst. Reports may be scheduled or run ad hoc.
WhatsUp Event Analyst filters and reports to assist with longer-term trending and activity review.
WhatsUp Event Rover on the other hand is more appropriate for hands-on viewing of a machine’s logs.
Mine Log Data with WhatsUp Event Rover
View and mine log data with Event Rover for on-the-fly forensics.
Quickly discover important events, as they are grouped logically into related tree branches. Define “incidents” and allow Event Rover to automatically correlate certain types of issues. Plus, know that Event Rover can handle EVT/EVTX logs regardless of where it is installed.
EVTX Capability: Not Just “A Nice To Have”
A third factor is differentiating the WhatsUp log management offering in the marketplace.
With Windows Vista, Windows Server 2008, and Windows 7, the event log format changed from .EVT to .EVTX. Microsoft replaced the fixed-record binary .EVT structure with a new binary-XML format whose structure, field layout and included data are all different.
Therefore, existing log management strategies – scripted and software-based – are breaking.
Did You Know: you cannot open a Windows Server 2008 log file on a Windows XP machine?
This is just one of the problems that networks are running into with the EVTX log format.
EVTX Capability: Not Just “A Nice To Have”
The WhatsUp Event Log Management components feature EVTX log capabilities beyond what other vendors can even claim. Our LogHealer and LogRefiner Technologies are exclusively dedicated to addressing this difficult challenge.
Be sure to check out our separate, more in-depth webinar on the challenges that the EVTX format is creating:
“Exploring the Mysteries of EVTX”
http://www.whatsupgold.com/resources/
WhatsUp Event Log Management Wow Factors
• Cost-effective, modular approach, easy to use & install
  – Automatically collect, store and archive log files to save time and eliminate human errors
• Remote & agent-based collection of syslog and Windows events – you don’t have to deploy an agent on each node
  – Receive real-time alerts to ensure rapid response to a network outage or a security threat
  – Discover potential security incidents during routine review
  – Automated report distribution for IT personnel, compliance or security officers and even law enforcement agencies or upper management
  – Central analysis platform for on-the-fly forensics across heterogeneous Windows environments – 2008, XP, Vista, Server 2003
  – Includes patented Log Healer Technology to handle and even repair corrupted Microsoft EVTX event logs
Technical Demonstration
Where Do We Go Now?
Find out more about WhatsUp Event Log and Syslog Management Solutions
Visit the “Products” section at http://www.whatsupgold.com/
Download our white paper: Best Practices: Event and Log Mgmt for Security and Compliance. Look for a “thank you” email from us with the download link.
Try – free 30 day evaluation! http://www.whatsupgold.com/download
Buy – Three ways to purchase: www.whatsupgold.com/buy
1. WhatsUp Gold Representative
2. An Ipswitch Reseller Partner of your choice
3. Online via our e-commerce shop