Another security aspect is log monitoring, and it is mandated by the regulator: every financial institution is expected to have log monitoring and a SIEM system in place.
In very simple terms, log monitoring is capturing data about the events happening in every system in the environment, in particular every change made to a system. The system can be an application, a database, a network device, a security device, or just about any IT system. These events need to be recorded and captured for several purposes. To understand why, let me describe a scenario that explains the need for log monitoring.
We already went through the different security products that need to be deployed in the environment, such as firewalls, IPS, web gateways, reverse proxies, and so on. But what if a security measure fails, or several of them fail? By "fail" I don't mean the product or appliance breaking down; I mean a hacker compromising one of these devices and hacking his way in. If such an attack has happened, there must be a mechanism by which the IT department comes to know that an attack is in progress, can trace where it is coming from, and can block it accordingly. This is where log monitoring comes into the picture, and I will explain how.
Imagine a firewall is compromised by a hacker, and the hacker creates an additional admin account on the firewall so that his later activity is not tied to the account he originally broke in with. If we have a central log management system and are capturing the logs of all changes made on all systems, it will certainly have captured the changes made on the firewall: the event where the new account was created, the event where that new ID logged in, and every unauthorized configuration change it made. All of this sits in the centralized logging system, and the information security team can review these logs, see that there is a problem, and find the unauthorized account that is making unauthorized changes. The next steps would probably be to audit the entire firewall for malicious accounts and unauthorized policies. Two things make this work: the logs must leave the firewall as soon as they are generated, so the hacker cannot quietly edit or delete the local copy, and the firewall must keep sending. A device that suddenly goes silent is itself a sign that something is wrong, because turning logging off is one of the first things an intruder does.
To reiterate, every system in the enterprise, from the servers to the network devices in the datacenter, has a mechanism by which it generates logs of the events happening on it (every event it has been configured to log, so audit logging must actually be switched on). These logs can be pointed at a centralized log monitoring system, and by reviewing them the information security team can trace what unauthorized changes have been made on a system. Administrators therefore need to be aware that if they make an unauthorized change they can be caught, because whatever change they make is recorded against their name. This attribution only holds if every administrator has an individual account; a shared admin login tells you a change happened but not who made it.
Note: these log monitoring servers are also called syslog servers, and the protocol the endpoints use to send their logs to the syslog server is called syslog (System Logging Protocol; the classic format is RFC 3164 and the newer one RFC 5424, sent by default over UDP port 514, or over TCP/TLS where the device supports it so that log lines are not lost or read in transit). Unix-like servers and most network and security appliances speak syslog natively; Windows systems keep their own event log and need an agent or Windows Event Forwarding to get those events to the central server.
The story so far is good to listen to, but let me give you a shocker: a single system (server or appliance) generates thousands of log lines per day, so how can anyone find the one particular line that indicates a threat or a breach? This is where the SIEM (Security Information and Event Management) system comes into the picture. A SIEM is a separate solution that reads and parses all the logs collected by the syslog server and, based on predefined rules that match certain events (or combinations of events, which is called correlation), raises an alert and sends it to the information security team. This way the team does not need to log in to the log monitoring system or the SIEM every day; if a breach happens they are notified automatically.
Note that in this example I am talking about two different systems, a log server and a SIEM server. The log server is basically a dumping ground for all the logs in your organization, and the SIEM is responsible for reading the logs and sending alerts to the respective vigilance team. There are, however, products on the market that combine the syslog and SIEM functionality in a single solution. Some popular syslog solutions are "Manage Engine Syslog" and Solarwinds Syslog. Some popular SIEM solutions are DNIF, Solarwinds msp, and Sumo Logic.
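To make the firewall scenario and the SIEM's job concrete, here is a small added example (my own illustration, not code from the page or from any of the products named above) of what a SIEM rule engine does: it parses syslog lines, lets the thousands of routine traffic events through without noise, and raises alerts only for the pattern described above (a new admin account is created, that account logs in, and it then changes configuration). The log lines, host names, user names, addresses and the firewall's key=value message format are all constructed for this example; real devices each have their own format, which is exactly why a SIEM needs a parser per log source. The rule that flags a source which has stopped sending (R4) is the practitioner's caveat from the scenario: silence from a device is an alert, not a comfort.

```python
"""Tiny SIEM-style rule engine over constructed syslog lines (added example, not
from the original page). The firewall message format below is invented."""
import re
from collections import defaultdict

# RFC 3164-style envelope: <PRI>Mmm dd hh:mm:ss host tag: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+): (?P<msg>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")  # message body is key=value pairs (assumed)
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample: two traffic events, then the attack chain, then a legitimate
# change by an approved admin, then one line the parser cannot read.
LOG_LINES = [
    "<134>Jun 12 09:58:01 fw01 filter: action=pass src=10.0.1.7 dst=203.0.113.9 proto=tcp dport=443",
    "<134>Jun 12 09:58:03 fw01 filter: action=block src=198.51.100.23 dst=10.0.1.7 proto=tcp dport=22",
    "<110>Jun 12 10:01:02 fw01 mgmt: user=admin action=create-user target=svc_backup role=admin src=10.0.0.5",
    "<110>Jun 12 10:01:40 fw01 mgmt: user=svc_backup action=login result=success src=10.0.0.5",
    "<109>Jun 12 10:02:15 fw01 mgmt: user=svc_backup action=config-change object=policy id=77 change=allow-any-inbound",
    "<110>Jun 12 10:05:00 fw01 mgmt: user=netops action=config-change object=policy id=12 change=ticket-CHG-4411",
    "this line is not syslog at all",
]
# Assumed change-control records: accounts allowed to administer each host, and
# the hosts that are expected to report in every run (db01 never shows up).
APPROVED_ADMINS = {"fw01": {"admin", "netops"}}
EXPECTED_SOURCES = {"fw01", "db01"}


def parse(line):
    """Split one syslog line into a dict; return None for lines we cannot parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])                     # PRI = facility * 8 + severity
    ev = {"facility": pri // 8, "severity": SEVERITY[pri % 8],
          "ts": m["ts"], "host": m["host"], "tag": m["tag"]}
    ev.update(KV_RE.findall(m["msg"]))      # add the key=value fields
    return ev


def run_rules(lines, approved_admins=APPROVED_ADMINS, expected_sources=EXPECTED_SOURCES):
    """Return parse counts and the list of (rule_id, detail) alerts raised."""
    alerts, seen_hosts, unparsed = [], set(), 0
    created = defaultdict(set)              # host -> accounts created in this run
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1                   # a real SIEM would count and report these
            continue
        host, user, action = ev["host"], ev.get("user"), ev.get("action")
        seen_hosts.add(host)
        if ev["tag"] != "mgmt":
            continue                        # traffic logs stay in the store; no rule fires here
        if action == "create-user":
            created[host].add(ev["target"])
            if ev.get("role") == "admin":
                alerts.append(("R1-new-admin-account",
                               f"{host}: {user} created admin account {ev['target']} from {ev.get('src')}"))
        elif action == "login" and user in created[host]:
            alerts.append(("R2-login-by-new-account",
                           f"{host}: freshly created account {user} logged in from {ev.get('src')}"))
        elif action == "config-change" and user not in approved_admins.get(host, set()):
            alerts.append(("R3-config-change-unapproved-account",
                           f"{host}: {user} changed {ev.get('object')} {ev.get('id')} ({ev.get('change')})"))
    for host in sorted(expected_sources - seen_hosts):
        alerts.append(("R4-silent-source",
                       f"{host}: no events received; logging may have been disabled"))
    return {"events": len(lines) - unparsed, "unparsed": unparsed, "alerts": alerts}


if __name__ == "__main__":
    for rule_id, detail in run_rules(LOG_LINES)["alerts"]:
        print(rule_id, "-", detail)
```

Run as-is it prints four alerts (R1 to R4) out of seven input lines; the traffic events and the ticketed change by the approved `netops` account produce nothing, which is the point: the log server keeps everything, the SIEM surfaces only what matches a rule. In production the "approved admins" list would come from the change-control system rather than a constant, and R2/R3 would be bounded by a time window so that a legitimately created account does not trip them forever.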
A few points to remember:
Log Monitoring (Syslog server) is a dump of all the logs in your environment.
SIEM is a Security log analytics system which can analyse the logs and generate alerts or provide reports.
Having a Syslog and SIEM in an Organization is a regulatory requirement.
Almost any equipment running in the datacenter generates logs, and those logs are captured by the Syslog server provided the equipment has been configured to forward them.