The first question asked during the incident response process, “What is going on?”, is a critical one that requires information about past activity on systems and networks. An incident response process usually begins because someone observed an unusual symptom, such as network congestion, systems rebooting, or a defaced website. Incident responders normally turn first to records of recent activity, known as the audit trail, to explain the observed symptoms.

Audit trails consist of the log entries made by a variety of systems and devices during their normal course of activity. These log records often come from firewalls, intrusion prevention systems, Security Information and Event Management (SIEM) systems, and network devices.

FIREWALL LOGS

Firewalls serve as the border checkpoints of your network, controlling the types of traffic that are allowed to enter and leave your secured perimeters. This gives them a unique perspective from which they may observe, and log, every attempted and successful network connection that crosses the border.

The logs created by firewall devices provide important information to incident responders attempting to reconstruct a security event. Connection records provide insight into the inbound and outbound connections that may carry traffic related to the incident.

When relying on firewall logs for your audit trail, be sure that you configure the firewall to log all traffic, whether permitted or denied. Many firewall configurations only log traffic that is denied because it violates the firewall policy.
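The following is an added example, not code from the article, showing in concrete terms what a responder loses when the firewall logs only denied traffic. The log lines, the interface names (eth0 external, eth1 internal) and the addresses are all constructed for the example in an iptables-style key=value format; no real device or product format is assumed.

```python
"""Added example (not from the article): why the firewall audit trail must
include permitted traffic, not just denied traffic.

The log lines below are constructed for this example in an iptables-style
key=value format; they are not from any real device.  parse_log() turns each
line into a connection record, simulate_deny_only() models the common
"log denied traffic only" configuration, and outbound_connections() shows
which records an analyst needs when reconstructing an incident.
"""
import re

# Constructed sample: one line per firewall decision.  eth0 is the hypothetical
# external interface and eth1 the internal one.  192.0.2.10 is an internal
# server; 203.0.113.45 and 198.51.100.7 are external addresses (documentation
# ranges, not real hosts).
SAMPLE_LOG = """\
Mar 03 10:14:02 fw1 kernel: [FW] ACTION=ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443
Mar 03 10:14:05 fw1 kernel: [FW] ACTION=DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=3389
Mar 03 10:14:09 fw1 kernel: [FW] ACTION=ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=4444
Mar 03 10:14:30 fw1 kernel: [FW] ACTION=DROP IN=eth0 OUT= SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=22
Mar 03 10:15:01 fw1 kernel: [FW] ACTION=ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40113 DPT=4444
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: \[FW\] "
    r"ACTION=(?P<action>\w+) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)$"
)


def parse_log(text):
    """Return one connection-record dict per well-formed log line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # tolerate noise instead of aborting the reconstruction
        rec = m.groupdict()
        rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
        records.append(rec)
    return records


def simulate_deny_only(records):
    """What survives when the firewall is configured to log only denied traffic."""
    return [r for r in records if r["action"] != "ACCEPT"]


def outbound_connections(records, internal_if="eth1"):
    """(src, dst, dport) for connections that left the protected segment.
    These are the records that reveal an internal host talking to an
    external address, and they are exactly the ones deny-only logging loses."""
    return [(r["src"], r["dst"], r["dpt"]) for r in records if r["in"] == internal_if]


def inbound_attempts(records, dst):
    """Map each source address to the ports it tried on dst, with the firewall's
    decision, so a responder sees both what was tried and what actually got in."""
    attempts = {}
    for r in records:
        if r["dst"] == dst:
            attempts.setdefault(r["src"], []).append((r["dpt"], r["action"]))
    return attempts


if __name__ == "__main__":
    full = parse_log(SAMPLE_LOG)
    print("records with full logging:", len(full))
    print("outbound with full logging:", outbound_connections(full))
    print("outbound with deny-only logging:", outbound_connections(simulate_deny_only(full)))
    print("attempts against 192.0.2.10:", inbound_attempts(full, "192.0.2.10"))
```

With full logging the parser recovers both the accepted inbound connection on port 443 and the two outbound connections from the internal server; under the deny-only configuration the outbound list is empty and the responder sees only the blocked probes, which is the gap the paragraph above warns about.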

INTRUSION PREVENTION SYSTEMS

Intrusion prevention system (IPS) technology plays an important role in protecting networks and systems against malicious activity. Network IPS devices monitor all traffic crossing a network segment, searching for signatures of malicious activity. Host-based IPS software may also run on individual systems, screening the traffic that reaches the system before allowing the system to act on it.

When an IPS identifies suspect traffic, it creates a log event recording the activity and, if configured to do so, blocks the traffic from entering the network or system. Records from both host and network types of IPS technology are valuable components of the audit trail because they create a record of suspect activity that may be useful to analysts responding to security incidents.

LOG MANAGEMENT AND SIEM

Many enterprises now rely on log management systems to collect and correlate the abundant sources of security information in their environments. These systems collect information from various operating systems, applications, and devices and store it for later analysis.

Some systems, known as SIEM systems, have advanced capabilities that include performing correlation of events from multiple sources. SIEMs contain logic that allows them to identify potential security incidents in progress and notify incident responders to take appropriate action.

Remember that log managers only capture and analyze the audit trail information that is sent to them. You must take steps to ensure that systems throughout your network are properly configured to send relevant log entries to the centralized collection point.
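The following is an added example, not code from the article or from any SIEM product, illustrating two points from the IPS and SIEM sections above: how a correlation rule combines an IPS alert with firewall and host events from the same source, and how a system that never forwards its logs silently prevents the rule from firing. The events, the common schema, the source names and the five-minute window are all constructed assumptions for the example.

```python
"""Added example (not from the article): a miniature SIEM-style correlation
rule over events from several log sources.

The events are constructed for this example and are already normalised to a
common schema; a real SIEM performs that normalisation when it ingests the
raw firewall, IPS and host logs.  The rule flags a (src_ip, dst_ip) pair when
an IPS alert, a permitted firewall connection and a successful host logon
all occur within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(ts, source, kind, src_ip, dst_ip=None, **extra):
    """Build one normalised event (timestamp, source system, event kind, IPs)."""
    e = {"ts": datetime.fromisoformat(ts), "source": source, "kind": kind,
         "src_ip": src_ip, "dst_ip": dst_ip}
    e.update(extra)
    return e


# Constructed sample events from three sources (documentation-range addresses).
EVENTS = [
    ev("2024-03-03T10:14:02", "firewall", "allow", "203.0.113.45", "192.0.2.10", dpt=443),
    ev("2024-03-03T10:14:03", "ips", "alert", "203.0.113.45", "192.0.2.10", signature="web attack signature"),
    ev("2024-03-03T10:14:40", "host", "auth_failure", "203.0.113.45", "192.0.2.10", user="admin"),
    ev("2024-03-03T10:14:41", "host", "auth_failure", "203.0.113.45", "192.0.2.10", user="admin"),
    ev("2024-03-03T10:14:42", "host", "auth_success", "203.0.113.45", "192.0.2.10", user="admin"),
    # Unrelated activity that must not produce an incident: the IPS alert and the
    # permitted connection are 28 minutes apart and no host event follows.
    ev("2024-03-03T11:02:00", "ips", "alert", "198.51.100.9", "192.0.2.20", signature="port scan"),
    ev("2024-03-03T11:30:00", "firewall", "allow", "198.51.100.9", "192.0.2.20", dpt=80),
]

REQUIRED = {("firewall", "allow"), ("host", "auth_success")}


def correlate(events, window=timedelta(minutes=5)):
    """Return one incident candidate per (src_ip, dst_ip) pair whose events
    match the rule.  Each IPS alert anchors the window; the first anchor that
    finds the required companion events wins for that pair."""
    by_pair = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_pair[(e["src_ip"], e["dst_ip"])].append(e)

    incidents = []
    for pair, evs in by_pair.items():
        for anchor in (e for e in evs if e["source"] == "ips"):
            close = [e for e in evs if abs(e["ts"] - anchor["ts"]) <= window]
            kinds = {(e["source"], e["kind"]) for e in close}
            if REQUIRED <= kinds:
                incidents.append({
                    "pair": pair,
                    "first_seen": min(e["ts"] for e in close),
                    "signature": anchor["signature"],
                    "events": len(close),
                })
                break
    return incidents


def without_source(events, source):
    """Model a system that was never configured to forward its logs: the SIEM
    simply never sees those events."""
    return [e for e in events if e["source"] != source]


if __name__ == "__main__":
    print("all sources forwarding :", correlate(EVENTS))
    print("host logs not forwarded:", correlate(without_source(EVENTS, "host")))
```

With every source forwarding, the rule produces a single incident for the 203.0.113.45 to 192.0.2.10 pair built from five events; drop the host logs and the same activity produces nothing, which is the failure mode the last paragraph above describes.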

NETWORK TRAFFIC

Incident response often requires knowing the types of traffic that occurred on a network during the incident. This may include summarized details of network connections contained within NetFlow records or the packet payload contents obtained from a full packet capture. The remainder of this chapter covers the role of NetFlow in incident response.

Although full packet capture can provide important information about the actual contents of network traffic, it is impractical to capture full packets on an ongoing basis.

I discuss the reasons behind this difficulty in Chapter 5. Full packet capture often comes into play after analysts detect an incident. If the incident is still in progress as the response effort begins, security professionals may deploy full packet capture on a just-in-time basis to capture and analyze incident-related traffic.

The tradeoff between NetFlow information and full packet capture is one between the richness of the content and the disk space required to retain the information. Furthermore, deploying full packet capture throughout the network can be cost prohibitive, and the captured data is expensive to store. Moreover, capturing packet-level data introduces a host of privacy concerns for the organization, which require additional governance and risk management measures.
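The following is an added example, not code from the article, that makes the NetFlow versus full packet capture tradeoff concrete: it aggregates packet-level observations into unidirectional flow records the way a flow exporter would, estimates the storage each representation needs, and shows one question each representation can answer. The packets and addresses are constructed; the 48-byte figure is the NetFlow v5 record size and the 24-byte and 16-byte figures are the pcap file and per-packet headers, used only to make the size comparison concrete, and the 60-second active timeout is an assumed exporter setting.

```python
"""Added example (not from the article): NetFlow-style flow records built from
packet observations, with a storage comparison against full packet capture.

The packet list is constructed for this example.  Sizes: 48 bytes per flow
record (NetFlow v5), 24-byte pcap file header, 16-byte pcap record header.
"""

# Constructed packet observations, sorted by time:
# (time_s, src, dst, proto, sport, dport, wire_bytes, payload)
PACKETS = [
    (0.00, "192.0.2.10", "198.51.100.7", "TCP", 40112, 4444, 74, b""),
    (0.05, "198.51.100.7", "192.0.2.10", "TCP", 4444, 40112, 74, b""),
    (0.10, "192.0.2.10", "198.51.100.7", "TCP", 40112, 4444, 66, b""),
    (0.30, "192.0.2.10", "198.51.100.7", "TCP", 40112, 4444, 1514, b"GET /beacon?id=7 HTTP/1.1\r\n"),
    (0.35, "198.51.100.7", "192.0.2.10", "TCP", 4444, 40112, 1514, b"HTTP/1.1 200 OK\r\n"),
    (1.20, "203.0.113.45", "192.0.2.10", "UDP", 51000, 53, 82, b"\x12\x34\x01\x00"),
    (1.21, "192.0.2.10", "203.0.113.45", "UDP", 53, 51000, 120, b"\x12\x34\x81\x80"),
    # Same 5-tuple as the first flow but 95 s later: exceeds the active timeout,
    # so the exporter starts a new flow record for it.
    (95.0, "192.0.2.10", "198.51.100.7", "TCP", 40112, 4444, 66, b""),
]

FLOW_RECORD_BYTES = 48     # NetFlow v5 flow record
PCAP_GLOBAL_HEADER = 24    # pcap file header
PCAP_RECORD_HEADER = 16    # pcap per-packet record header


def build_flows(packets, active_timeout=60.0):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple.
    A packet arriving more than active_timeout seconds after its flow began
    opens a new record, as a flow exporter does when it expires long flows."""
    records = []
    active = {}  # 5-tuple -> index of the still-open record in `records`
    for ts, src, dst, proto, sport, dport, size, _payload in packets:
        key = (src, dst, proto, sport, dport)
        idx = active.get(key)
        if idx is None or ts - records[idx]["first"] > active_timeout:
            records.append({"src": src, "dst": dst, "proto": proto, "sport": sport,
                            "dport": dport, "first": ts, "last": ts,
                            "packets": 0, "bytes": 0})
            idx = len(records) - 1
            active[key] = idx
        rec = records[idx]
        rec["last"] = ts
        rec["packets"] += 1
        rec["bytes"] += size
    return records


def storage_estimate(packets, flows):
    """Bytes needed to retain the same traffic as a pcap file versus as flow records."""
    pcap = PCAP_GLOBAL_HEADER + sum(PCAP_RECORD_HEADER + p[6] for p in packets)
    return {"pcap_bytes": pcap, "netflow_bytes": FLOW_RECORD_BYTES * len(flows)}


def talkers_to_port(flows, dport):
    """A question flow records answer well: which (src, dst) pairs sent traffic
    to a given destination port, with no payload stored anywhere."""
    return {(f["src"], f["dst"]) for f in flows if f["dport"] == dport}


def payload_search(packets, needle):
    """A question only full packet capture answers: which 5-tuples carried a
    given byte string in their payload."""
    hits = []
    for _ts, src, dst, proto, sport, dport, _size, payload in packets:
        key = (src, dst, proto, sport, dport)
        if needle in payload and key not in hits:
            hits.append(key)
    return hits


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for f in flows:
        print(f)
    print(storage_estimate(PACKETS, flows))
    print("hosts talking to port 4444:", talkers_to_port(flows, 4444))
    print("flows carrying 'beacon':", payload_search(PACKETS, b"beacon"))
```

Eight packets collapse into five flow records, and the flow representation needs a small fraction of the bytes of the capture; the flow records still tell a responder which internal host spoke to which external address and port, but only the packet capture can show what was said.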
 

This article was written and published by Meena R, Senior Manager - IT at Luminis Consulting Services Pvt. Ltd, India.

Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking...

She is so obsessed with the Cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about Cybersecurity on her website and on social media platforms.

34,000+ professionals follow her on Facebook and are mesmerized by the quality of the content of her posts.
