Network Security: Five Mistakes Network Administrators Make in Log Analysis

Administrators who work with logs commonly fall into five misconceptions. Overcoming them not only greatly increases the value of the security infrastructure but also lets potential risks be resolved in time.

In response to emerging security threats, many enterprises deploy multiple security appliances, and these devices generate large volumes of log data. To make use of it, many enterprises also deploy log collection and analysis tools. Even so, many users still feel that the security devices are not doing what they expected. The cause is often one of five mistakes made in log analysis.

Not viewing logs

The most basic mistake is simply not looking at the logs. Collecting and storing logs matters, but a timely response is only possible when the logs are reviewed often enough to understand what is happening in the network. Once a security appliance is deployed and its logs are being collected, someone has to monitor them continuously for possible security incidents.

Some users review logs only after a major event. They gain the benefits of post-mortem analysis but lose the benefits of prevention. Proactive review helps realize the value of the security infrastructure, recognize when an attack is underway and act in time.

Many users complain that the intrusion detection system (IDS) does not work. A large part of the reason is that an IDS generates many false positives, so people stop acting on its alerts. An IDS reaches its full potential only when its alerts are correlated with other logs, such as firewall logs: an alert for a flow the firewall dropped deserves far less attention than one for a flow that was allowed through.

  No prioritization of logs

Suppose the logs are collected, retained long enough and in a uniform format. Where should the network administrator start? The advice is to look for high-level summaries of recent security incidents. That requires avoiding another pitfall: failing to prioritize logs. Administrators who wade through large volumes of log data without priorities tend to give up halfway.

The first step in effective prioritization is to define a strategy. Answering the following questions helps define it: "What is the biggest worry?" "Was the attack successful?" "Has this attack happened before?" The answers establish priorities and ease the daily burden of working through log data.
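The two points above, correlating IDS alerts with firewall logs and then ranking them by the three questions, fit in one small routine. The following is an added example, not code from the original article; the records are constructed (documentation-range addresses), the asset criticality table is an assumption, and the scoring weights are illustrative rather than a recommended standard.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records, already normalised to a common schema.
# Addresses come from documentation ranges; nothing here is real traffic.
IDS_ALERTS = [
    {"ts": "2024-03-01 10:00:05", "src": "203.0.113.7",  "dst": "10.0.0.5",  "sig": "SQL injection attempt"},
    {"ts": "2024-03-01 10:01:10", "src": "198.51.100.9", "dst": "10.0.0.8",  "sig": "SSH brute force"},
    {"ts": "2024-03-01 10:02:00", "src": "203.0.113.7",  "dst": "10.0.0.5",  "sig": "SQL injection attempt"},
    {"ts": "2024-03-01 10:03:30", "src": "192.0.2.44",   "dst": "10.0.0.20", "sig": "Port scan"},
]
FIREWALL_LOGS = [
    {"ts": "2024-03-01 10:00:04", "src": "203.0.113.7",  "dst": "10.0.0.5",  "action": "allow"},
    {"ts": "2024-03-01 10:01:09", "src": "198.51.100.9", "dst": "10.0.0.8",  "action": "deny"},
    {"ts": "2024-03-01 10:01:59", "src": "203.0.113.7",  "dst": "10.0.0.5",  "action": "allow"},
    # 192.0.2.44 never appears: assume the IDS sensor sits on a segment the
    # firewall does not see, so its verdict for that alert is unknown.
]
# "What is the biggest worry?": assumed asset criticality, 1 (low) to 3 (high).
CRITICALITY = {"10.0.0.5": 3, "10.0.0.8": 2}
MATCH_WINDOW = timedelta(seconds=5)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def firewall_verdict(alert, fw_logs, window=MATCH_WINDOW):
    """What did the firewall do with the flow the IDS complained about?
    Match on src/dst within +/- window; 'unknown' if no record exists."""
    t = _ts(alert["ts"])
    for rec in fw_logs:
        if (rec["src"], rec["dst"]) == (alert["src"], alert["dst"]) \
                and abs(_ts(rec["ts"]) - t) <= window:
            return rec["action"]
    return "unknown"


def prioritize(alerts, fw_logs, criticality):
    """Score each alert by the three questions and return them highest first."""
    seen = Counter()
    ranked = []
    for a in alerts:
        verdict = firewall_verdict(a, fw_logs)
        key = (a["src"], a["sig"])
        score = criticality.get(a["dst"], 1)   # biggest worry: what was targeted
        if verdict == "allow":
            score += 3                         # traffic got through: may have succeeded
        elif verdict == "unknown":
            score += 1                         # no evidence either way: still needs a look
        if seen[key]:
            score += 1                         # has this happened before?
        seen[key] += 1
        ranked.append({**a, "firewall": verdict, "repeat": seen[key] - 1, "score": score})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize(IDS_ALERTS, FIREWALL_LOGS, CRITICALITY):
        print(r["score"], r["firewall"], r["src"], "->", r["dst"], r["sig"])
```

With these inputs the repeated SQL injection attempt against the allowed, high-value host ranks first, the brute-force attempt the firewall already denied drops to the bottom, and the alert with no firewall evidence at all stays visible rather than being silently discarded.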

The log format is not uniform

Inconsistent log formats are common: some devices report through Simple Network Management Protocol (SNMP) traps, others through Unix-style syslog, and Windows hosts through the Windows event log. Without a unified format, companies need different specialists for log analysis, since not every administrator who reads Unix logs can read Windows event logs, and vice versa; most network administrators know only a few systems well. Converting the log information generated by each device into a unified format makes correlation analysis and decision-making far easier.
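A normalisation step of the kind described above, as an added example that is not part of the original article. The sshd syslog line follows the classic BSD syslog layout; the key=value firewall line and the Windows CSV export are constructed formats, and the Windows event IDs 4624 (successful logon) and 4625 (failed logon) are the real ones. The code assumes every source keeps its clock in UTC and that the caller supplies the year syslog lines omit.

```python
import re
from datetime import datetime

# Three constructed lines from three different sources (not real logs).
SAMPLE_LINES = [
    # Unix syslog from sshd: no year and no timezone in the classic format
    "Mar  1 10:00:05 web01 sshd[2231]: Failed password for invalid user admin from 198.51.100.9 port 51022 ssh2",
    # Firewall that logs key=value pairs after an ISO timestamp (constructed format)
    "2024-03-01T10:00:04Z fw01 action=deny src=198.51.100.9 dst=10.0.0.8 dport=22",
    # Windows Security log exported as CSV: time,host,EventID,user,source address (constructed export)
    "2024-03-01 10:00:07,DC01,4625,jsmith,198.51.100.9",
]

SYSLOG_SSHD = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+)")
KV_LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<host>\S+) (?P<kv>.+)$")
WIN_CSV = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),(?P<host>[^,]+),(?P<eid>\d+),(?P<user>[^,]*),(?P<src>[^,]*)$")
WIN_LOGON = {"4624": "success", "4625": "failure"}   # Windows logon event IDs


def normalize(line, syslog_year=2024):
    """Map one raw line onto the shared schema
    {ts, host, source, event, user, src_ip, outcome}; None if unrecognised.
    Assumes all clocks are UTC; syslog lines carry no year, so it is supplied."""
    m = SYSLOG_SSHD.match(line)
    if m:
        ts = datetime.strptime(f"{syslog_year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        return {"ts": ts.isoformat(), "host": m["host"], "source": "sshd", "event": "logon",
                "user": m["user"], "src_ip": m["src"],
                "outcome": "failure" if m["result"] == "Failed" else "success"}
    m = KV_LINE.match(line)
    if m:
        kv = dict(tok.split("=", 1) for tok in m["kv"].split() if "=" in tok)
        return {"ts": m["ts"].rstrip("Z"), "host": m["host"], "source": "firewall",
                "event": "connection", "user": None, "src_ip": kv.get("src"),
                "outcome": kv.get("action"), "dst_ip": kv.get("dst"), "dport": kv.get("dport")}
    m = WIN_CSV.match(line)
    if m and m["eid"] in WIN_LOGON:
        return {"ts": m["ts"].replace(" ", "T"), "host": m["host"], "source": "windows",
                "event": "logon", "user": m["user"], "src_ip": m["src"],
                "outcome": WIN_LOGON[m["eid"]]}
    return None


def normalize_all(lines):
    """Drop lines no parser understands rather than guessing at them."""
    return [r for r in map(normalize, lines) if r is not None]


def failed_logons_by_source(records):
    """Once the schema is shared, one query answers a cross-platform question."""
    counts = {}
    for r in records:
        if r["event"] == "logon" and r["outcome"] == "failure":
            counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    recs = normalize_all(SAMPLE_LINES)
    for r in recs:
        print(r)
    print(failed_logons_by_source(recs))
```

The payoff is the last function: a Linux sshd failure and a Windows 4625 from the same address become one count against that source, which neither specialist would have noticed while reading the two raw formats separately.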

  Log storage time is too short

Many users think they have all the logs needed for monitoring and investigation, only to find after a security incident that the relevant logs have already been deleted. Security incidents are often discovered long after the attack or abuse occurred. If budget is limited, divide retained logs into two tiers: short-term online storage and long-term offline storage. Moving old logs to tape lowers the cost of offline storage and keeps them available for future analysis.
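The two-tier scheme above, as an added example that is not part of the original article: files past the online window are compressed into an archive directory (a stand-in for the tape or other offline tier, which is an assumption of the example), each copy is verified and its SHA-256 recorded in a manifest before the online original is deleted, so that when an old log is needed months later its integrity can still be checked. The directory layout and the `build_demo` fixture are constructed for illustration.

```python
import gzip
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def _sha256(fileobj):
    h = hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(1 << 16), b""):
        h.update(chunk)
    return h.hexdigest()


def tier_logs(online_dir, archive_dir, online_days, now=None):
    """Move *.log files older than online_days into archive_dir as gzip files,
    verify each copy, record its SHA-256 in manifest.json and only then
    delete the online original.  Returns the full manifest."""
    now = time.time() if now is None else now
    online_dir, archive_dir = Path(online_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = archive_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
    cutoff = now - online_days * 86400
    for path in sorted(online_dir.glob("*.log")):
        st = path.stat()
        if st.st_mtime > cutoff:
            continue                                  # still inside the online window
        with path.open("rb") as f:
            digest = _sha256(f)
        target = archive_dir / (path.name + ".gz")
        with path.open("rb") as src, gzip.open(target, "wb") as dst:
            shutil.copyfileobj(src, dst)
        with gzip.open(target, "rb") as back:         # verify before destroying the original
            if _sha256(back) != digest:
                target.unlink()
                raise IOError(f"archive copy of {path} does not match the original")
        manifest.append({"file": path.name, "archive": target.name,
                         "sha256": digest, "mtime": int(st.st_mtime)})
        path.unlink()
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_archive(archive_dir):
    """Re-hash every archived file against the manifest; return the names that fail."""
    archive_dir = Path(archive_dir)
    manifest = json.loads((archive_dir / "manifest.json").read_text())
    bad = []
    for entry in manifest:
        try:
            with gzip.open(archive_dir / entry["archive"], "rb") as f:
                ok = _sha256(f) == entry["sha256"]
        except OSError:                               # missing, truncated or not gzip
            ok = False
        if not ok:
            bad.append(entry["file"])
    return bad


def build_demo(now=1_700_000_000):
    """Constructed fixture: a temp online directory with one old and one fresh log."""
    tmp = Path(tempfile.mkdtemp())
    online = tmp / "online"
    online.mkdir()
    for name, age_days in (("old.log", 40), ("fresh.log", 1)):
        p = online / name
        p.write_text(f"constructed line from {name}\n" * 100)
        mtime = now - age_days * 86400
        os.utime(p, (mtime, mtime))
    return str(online), str(tmp / "archive"), now


if __name__ == "__main__":
    online, archive, now = build_demo()
    print(tier_logs(online, archive, online_days=30, now=now))
    print("failed verification:", verify_archive(archive))
```

Running it a second time is safe: files still inside the window are skipped and the manifest is extended rather than overwritten, which is what a nightly job needs.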

  Find only known bad information

Even the most advanced and security-conscious users sometimes fall into a trap that is insidious and seriously reduces the value of log analysis: looking only for information that is already known to be bad.

Predefined rules are effective at finding the bad behaviour that has already been described in them. Realizing the full value of log data, however, requires deeper mining. Logs can reveal attacked and infected systems, new attacks, insider abuse and intellectual property theft without the analyst first deciding what "bad" looks like. How can the odds of spotting such an attack be improved? Data mining methods that surface abnormal patterns in the log data, such as events never seen before or volumes that deviate from an established baseline, let users find these quickly.
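A baseline-and-deviation pass of the kind described above, as an added example that is not part of the original article. It builds a profile of normal logon activity from a constructed ten-day history and flags three things no signature would catch: an account logging on from a source it has never used, a user active at an hour they have never been active at, and a volume of logons far above the user's daily average. The thresholds (`spike_factor`, `min_events`) are assumptions to be tuned against real data.

```python
from collections import Counter, defaultdict

# Constructed baseline: ten days of routine logons as (day, hour, user, source),
# e.g. taken from a normalised logon feed.  Nothing here is real data.
HISTORY = []
for day in range(1, 11):
    for hour in (9, 13, 17):
        HISTORY.append((f"2024-02-{day:02d}", hour, "alice", "10.1.1.10"))
        HISTORY.append((f"2024-02-{day:02d}", hour, "bob", "10.1.1.11"))
    HISTORY.append((f"2024-02-{day:02d}", 10, "svc_backup", "10.1.2.5"))

# Constructed day under review, seeded with three deviations.
TODAY = [
    ("2024-02-11", 9, "alice", "10.1.1.10"),
    ("2024-02-11", 13, "alice", "10.1.1.10"),
    ("2024-02-11", 3, "bob", "10.1.1.11"),             # hour bob has never been active
    ("2024-02-11", 10, "svc_backup", "10.1.2.5"),
    ("2024-02-11", 10, "svc_backup", "203.0.113.7"),   # source never seen for this account
] + [("2024-02-11", 13, "bob", "10.1.1.11")] * 12      # far more logons than usual


def build_baseline(history):
    """Profile normal behaviour: known (user, source) pairs, active hours per
    user and average logons per user per day."""
    pairs, hours, per_day = set(), defaultdict(set), defaultdict(Counter)
    for day, hour, user, src in history:
        pairs.add((user, src))
        hours[user].add(hour)
        per_day[user][day] += 1
    ndays = len({day for day, *_ in history})
    avg = {u: sum(c.values()) / ndays for u, c in per_day.items()}
    return {"pairs": pairs, "hours": hours, "avg_per_day": avg}


def find_anomalies(records, base, spike_factor=3.0, min_events=5):
    """Return deviations from the baseline; nothing here names a known attack."""
    findings = []
    today_counts = Counter()
    off_hours_seen = set()
    for day, hour, user, src in records:
        today_counts[user] += 1
        if (user, src) not in base["pairs"]:
            findings.append({"kind": "new_source", "user": user, "detail": src})
        if (user in base["hours"] and hour not in base["hours"][user]
                and (user, hour) not in off_hours_seen):
            off_hours_seen.add((user, hour))       # report each unusual hour once
            findings.append({"kind": "off_hours", "user": user, "detail": hour})
    for user, n in today_counts.items():
        expected = base["avg_per_day"].get(user, 0.0)
        if n >= min_events and n > spike_factor * max(expected, 1.0):
            findings.append({"kind": "volume_spike", "user": user,
                             "detail": f"{n} logons vs ~{expected:.1f}/day"})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(TODAY, build_baseline(HISTORY)):
        print(f)
```

Each finding is a lead, not a verdict: the new source for the backup account may be a legitimate migration or the start of credential abuse, and that is exactly the kind of question the known-bad rules would never have raised.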
