Modern organizations are under a constant threat of cyberattacks, unauthorized data access, and identity theft. A simple network monitoring system alone cannot provide enough security for their vast and complex IT infrastructure, customers, and employees. Organizations constantly improve their security posture through:
- continuous cybersecurity risk assessment
- tracking security metrics
- implementing state-of-the-art cybersecurity solutions
- employee and customer education, and
- advancing security policies and incident response plans.
Organizations with massive IT infrastructure, devices, applications, endpoints, and services have been using Security Information and Event Management (SIEM) solutions. As explained in our previous post, SIEM systems are a great addition to any organization’s security arsenal. They offer the ability to access log data and monitor them for troubleshooting, security, and performance analysis. SIEM solutions help you leverage event and endpoint logs across your IT environment and monitor and analyze them to improve your security stance. This article will discuss event and endpoint logs, their importance, and how you can leverage them for better security.
What is logging?
Logging is the activity of adding information or incidents to a systematic record. We collect and record various information representing a specific event, activity, error condition, general status, or fault in the form of logs. Although initially invented for troubleshooting, logging now has several other applications. Log data is handy for optimizing system performance and helps system and security administrators see what is occurring within a system. Moreover, logs contain security-relevant information that helps you quickly detect malicious activity, information leaks, or unauthorized access to business-critical systems and data. Because of the breadth of information they carry, logs are one of the primary data sources for system observability, alongside metrics and traces.
Why is logging important?
As mentioned above, logs contain factual and comprehensive information about the inner workings of a system, and thorough analysis of them can quickly identify actual or potentially malicious activity or changes within an environment. Giving your development teams and system and security administrators an IT environment without sufficient logging is like leading them blindfolded into a minefield. Without comprehensive logging, your teams would not only be unaware of threats to your systems, they would also be unable to respond to them. Your systems would be an easy target for intruders, costing you data, money, and the additional effort of re-securing them afterwards.
Additionally, logging is crucial for compliance. If your line of business is subject to federal, privacy, or other regulatory requirements, audit logs provide much of the evidence you will need. Audit frameworks such as SOC 2 expect you to retain detailed audit trails for extended periods. A good log management or SIEM system makes staying compliant much easier.
What are event logs?
Event logs are log files that record events on a system, such as logins, errors, issues, or usage. They provide a centralized method for applications, devices, and operating systems to record important events occurring within software and hardware. An event log usually contains events recorded from multiple sources. Complex and distributed IT environments usually produce event logs in TBs, if not more. Their sheer volume may make it seem daunting to analyze them all and derive any real value from them. However, analyzing event logs thoroughly and correlating them across data sources can provide a lot of security-relevant information that can help improve your IT security. A good SIEM or log management solution can help you aggregate, centralize, correlate, analyze, and visualize your disparate event logs so that you can identify malicious activity, detect gaps in your defences, and stop attacks early.
What are endpoint logs?
Endpoints are computing devices that connect to and communicate with a network; examples include desktops, laptops, mobile phones, servers, and edge devices. All of them generate logs related to access, operations, events, and errors. Endpoints are often the easiest targets in an IT environment: with workforces increasingly mobile and accessing internal resources from devices located off-premises, a breach of any one endpoint can give an attacker a foothold on the systems it connects to. Monitoring and analyzing endpoint logs is therefore just as essential to maintaining security as monitoring the central systems.
Leveraging endpoint logs for security
A great starting point for endpoint logging is the operating system the endpoint runs. Logging for security in endpoint devices differs across operating systems. The following sections cover endpoint logs generated by popular operating systems that you can leverage to improve your IT environment’s security.
Windows
Windows ships an event logging service with an API that lets software and hardware components record events that occur within them. An administrator can inspect these logs directly with Event Viewer, or query them with Get-WinEvent or wevtutil. The Application and System logs record events such as application installation, start-up, service activity, and operational problems or errors. The Security log is separate: it records only the categories you enable through audit policy (local security policy or Group Policy, managed with auditpol), such as logon attempts, account management, and object access. A practical first check is therefore to confirm that the audit categories you intend to monitor are actually enabled; an event that is never audited is never logged, and a SIEM cannot detect what the endpoint does not record. Since these events are security-relevant, aggregate them centrally and monitor them in detail.
Linux
Linux operating systems record a timeline of events that occur within the kernel, services, and applications. The paths below are the common ones, but they vary by distribution: Debian-based systems use /var/log/syslog and /var/log/auth.log, RHEL-based systems put the same records in /var/log/messages and /var/log/secure, and systems running systemd also keep a journal that you query with journalctl. Check which of these your fleet actually writes before pointing a collector at them.
- General system activity: /var/log/syslog
- Authentication and authorization: /var/log/auth.log
- Kernel activity: /var/log/kern.log
- Failed login attempts: /var/log/faillog (a binary database, read with the faillog command rather than with a text tool)
- Mail server logs: /var/log/maillog
- Cron logs: /var/log/cron
Along with the above, Linux also records and stores logs for package managers, Xorg, Apache, MySQL, and the boot process. Logs from these components are stored in their own files or subdirectories under /var/log, and many of them (package installs, web-server access, database errors, unexpected reboots) are significant for overall system security.
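The Windows and Linux sections above both come down to the same practitioner task: pull failed-logon records out of two very different formats, normalize them, and correlate by source address. The following is an added example written for this article, not code from the original post or from any vendor. It parses Windows Security events exported as XML (event ID 4625, "An account failed to log on", in the standard Windows event XML namespace) and sshd "Failed password" lines from a Debian-style /var/log/auth.log, then flags any source IP that exceeds a failure threshold across both sources. The sample events and log lines are constructed for the example; the helper names and the threshold are this example's own choices. Note the handling of local Windows logons, which carry "-" as the IpAddress and must not be counted as a remote source.

```python
"""Added example (not from the original article): normalize failed logons from
a Windows Security log export and a Linux auth.log, then find brute-force
sources across both. Event ID 4625, the Windows event XML namespace and the
sshd message format are real; every sample record below is constructed."""
import re
import xml.etree.ElementTree as ET
from collections import Counter, namedtuple

FailedLogon = namedtuple("FailedLogon", "source user src_ip")

# Namespace used by Windows event XML (wevtutil qe ... /f:xml, or $_.ToXml() in PowerShell).
WIN_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
_NS = {"e": WIN_NS}

# Constructed Windows Security events: two remote 4625s from one address,
# one local 4625 (IpAddress "-"), and one 4624 (successful logon) to be ignored.
_WIN_TEMPLATE = (
    '<Event xmlns="{ns}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
    '<EventID>{eid}</EventID></System><EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="LogonType">{lt}</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>'
)
WINDOWS_XML = "<Events>" + "".join(
    _WIN_TEMPLATE.format(ns=WIN_NS, eid=eid, user=user, lt=lt, ip=ip)
    for eid, user, lt, ip in [
        ("4625", "administrator", "3", "203.0.113.9"),
        ("4625", "svc_backup", "3", "203.0.113.9"),
        ("4625", "jdoe", "2", "-"),
        ("4624", "jdoe", "2", "-"),
    ]
) + "</Events>"

# Constructed Debian-style auth.log excerpt (rsyslog traditional timestamps).
AUTH_LOG = """\
Mar  1 10:00:05 web01 sshd[2311]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  1 10:00:06 web01 sshd[2311]: Failed password for root from 203.0.113.9 port 51235 ssh2
Mar  1 10:00:09 web01 sshd[2320]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Mar  1 10:00:12 web01 sshd[2325]: Accepted password for deploy from 198.51.100.7 port 40023 ssh2
"""

_SSHD_FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_windows_events(xml_text):
    """Yield a FailedLogon for every 4625 event inside an <Events> wrapper."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", _NS):
        if ev.findtext("e:System/e:EventID", namespaces=_NS) != "4625":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", _NS)}
        yield FailedLogon("windows", data.get("TargetUserName", ""), data.get("IpAddress", ""))


def parse_auth_log(text):
    """Yield a FailedLogon for every sshd 'Failed password' line."""
    for line in text.splitlines():
        m = _SSHD_FAILED.search(line)
        if m:
            yield FailedLogon("linux", m.group("user"), m.group("ip"))


def brute_force_sources(events, threshold=3):
    """Return {src_ip: failures} for addresses at or above the threshold.
    Local logons ("-") and records without an address are skipped."""
    counts = Counter(e.src_ip for e in events if e.src_ip and e.src_ip != "-")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def correlate(threshold=3):
    """Run both parsers over the constructed samples and correlate by source IP."""
    events = list(parse_windows_events(WINDOWS_XML)) + list(parse_auth_log(AUTH_LOG))
    return brute_force_sources(events, threshold)


if __name__ == "__main__":
    for ip, n in correlate().items():
        print(f"{ip}: {n} failed logons across Windows and Linux hosts")
```

The point of normalizing into one record shape before counting is that neither host sees enough failures on its own to look alarming (two each); only the correlated view, which is what a SIEM provides, crosses the threshold.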
iOS
In contrast to Linux and Windows, iOS does not expose application or system-level logs to administrators by default apart from application crash reports. However, iOS 10.0 and above include a unified logging API that allows applications to write structured log messages and keeps them centralized. You can view the messages with the Console app or the log command-line tool from a Mac the device is connected to. Since iOS does not allow remote access to device logs, you have to rely on third-party solutions for remote collection and aggregation of iOS logs. These tools connect to iOS devices and applications and support the collection of console, file, and device logs.
Android
On the other hand, Android provides a dedicated tool, logcat, for reading system, event, and application logs, and the android.util.Log API for applications to write them. Exercise caution when using Android logs to improve security, though. Android logs can contain sensitive and personally identifiable information, posing a data privacy risk to your users. They can include Bluetooth addresses, map sources and destinations, SSIDs, and WLAN MAC addresses in plain text, which can leak to other applications on the device or to anyone with access to the exported logs. If you plan on storing or transmitting Android logs, ensure that your log management or SIEM tool can either pseudonymize or filter out PII before the data leaves the device or the collection pipeline.
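To show what that filtering step looks like in practice, here is an added example written for this article, not code from the original post, from Android, or from any SIEM vendor. It scrubs the identifier types the paragraph names (Bluetooth and WLAN MAC addresses, SSIDs, and location coordinates) from logcat lines before they are forwarded. MAC addresses and SSIDs are replaced with a keyed, truncated hash rather than removed outright, so the same device or network still correlates across lines without the raw value being recoverable from the log alone; coordinates are dropped entirely. The sample lines, the regular expressions, and the placeholder salt are all this example's own constructions; in a real pipeline the salt would be a managed secret.

```python
"""Added example (not from the original article): pseudonymize or drop the PII
that Android logs are known to carry in plain text before forwarding logcat
output to a SIEM. Sample lines and redaction rules are constructed for this
example; the default salt is a placeholder, not a real secret."""
import hashlib
import re

# Bluetooth and WLAN MAC addresses: six colon-separated hex octets.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")
# Quoted SSID values; the lookahead skips values this code already pseudonymized,
# which makes redact_line idempotent.
SSID_RE = re.compile(r'(SSID[=:]\s*)"(?!ssid:)([^"]*)"')
# Decimal latitude,longitude pairs as location services log them.
LATLON_RE = re.compile(r"(?<![\d.-])-?\d{1,2}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}(?![\d.])")

# Constructed logcat-style lines (threadtime format); none are real captures.
SAMPLE_LOGCAT = [
    "03-01 10:00:01.123  1001  1201 D BluetoothAdapter: connected to device 0A:1B:2C:3D:4E:5F",
    '03-01 10:00:02.456  1001  1202 I WifiService: associated SSID="CorpWifi-5G" BSSID=00:11:22:33:44:55',
    "03-01 10:00:03.789  2002  2202 V LocationManager: last fix 37.4220,-122.0841 accuracy=12m",
    "03-01 10:00:04.000  3003  3303 W ActivityManager: Start proc 4242:com.example.app/u0a12 for activity",
]


def pseudonymize(value, salt):
    """Keyed, truncated SHA-256: stable for correlation, not reversible from the log."""
    return hashlib.sha256((salt + value).encode("utf-8")).hexdigest()[:12]


def redact_line(line, salt="rotate-me"):
    """Return the line with MACs and SSIDs pseudonymized and coordinates removed."""
    # Lower-case the MAC first so "0A:1B:..." and "0a:1b:..." map to one token.
    line = MAC_RE.sub(lambda m: "mac:" + pseudonymize(m.group(0).lower(), salt), line)
    line = SSID_RE.sub(lambda m: m.group(1) + '"ssid:' + pseudonymize(m.group(2), salt) + '"', line)
    line = LATLON_RE.sub("[coords redacted]", line)
    return line


def contains_pii(line):
    """True if any of the three identifier types is still present in clear text."""
    return any(p.search(line) for p in (MAC_RE, SSID_RE, LATLON_RE))


def redact_lines(lines, salt="rotate-me"):
    """Redact a batch of lines; this is the hook a forwarder would call per chunk."""
    return [redact_line(line, salt) for line in lines]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_LOGCAT, redact_lines(SAMPLE_LOGCAT)):
        print("-", before)
        print("+", after)
```

Keying the hash with a salt matters: an unsalted hash of a MAC address is trivially reversible by enumerating the 2^24 addresses of a known vendor prefix, so without the salt the "pseudonym" would still be PII. Rotating the salt also bounds how long a device can be tracked across exported logs.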
Where else should you look?
Apart from those listed above, several other sources within an IT environment generate logs that are relevant to security. Depending on your appetite for risk and whether you use them within your IT environment, you should also look at event logs from:
- Security devices such as VPN, firewalls, intrusion detection systems, and intrusion prevention systems
- Web servers such as Apache, Tomcat, WebSphere, NGINX, and IIS
- Authentication servers such as Active Directory, LDAP, or SSO servers
- Hypervisors
- Containers
Conclusion
Where the security of your IT environment is concerned, a well-rounded system for monitoring and analyzing log data is paramount. With modern IT environments becoming increasingly complex, vast, and distributed, it is now crucial to prioritize where to look. Event and endpoint logs generated across your environment provide insight that traditional monitoring systems overlook. The visibility these logs give into events and the inner workings of your systems yields a richer dataset for detection and response, and therefore a more secure environment.