6 Steps to Greater Cyber Security Alerting & Logging

By Douglas Bernardini

Cyber security alerting and logging are critical elements of any organisation’s IT security solution, becoming the vigilant eyes and ears needed to detect and recover from security events. They also allow your team to ensure that all devices and users accessing your systems comply with your organisation’s security policies.

Most corporate security incidents begin from a single compromised user device. From there, attackers strengthen their access by using additional techniques such as account impersonation, credential theft, or exploiting outdated software versions to compromise other devices.

Effective security monitoring requires reliable logging of events and real-time alerting when specific actions occur. This article discusses the importance of logging and alerting, the software tools that aid in these actions, and how this enhances your centralised management system.

What is the difference between alerting and logging?

Alerting delivers real-time notifications, typically as Simple Network Management Protocol (SNMP) traps sent by managed devices to a central management solution.

An SNMP trap is a type of SNMP Protocol Data Unit (PDU) that acts as an unrequested message, notifying the network management system about a security event that requires attention. The message appears immediately on the management dashboard.

Logging is the collection of every entry in a device’s log, which an admin can view locally or forward to the central management solution as System Logging Protocol (Syslog) messages. These are extremely valuable for security breach investigations that require historical logs.

Logs are also essential when identifying operational trends, establishing baselines, and supporting internal audits. Sometimes, effective logging is the main reason a security incident has a low impact rather than a more damaging one: when IT security detects an incident early, it can react before a severe data breach occurs.

What Is SIEM?

Security Information and Event Management (SIEM) provides organisations with next-generation security detection, analytics, and response. This solution delivers real-time analysis of security alerts generated by network hardware and applications.

A SIEM solution indexes events and matches them against defined rules and analytics engines, using globally gathered threat intelligence on the latest spyware, malware and ransomware variants to detect advanced threats.

Your IT security teams can use these insights to track records of activities within their IT environment, focusing on event correlation, data analysis, reporting, aggregation, and log management. SIEM software has several benefits, including:

  • Consolidation of multiple data points
  • Custom dashboards and alert workflow management
  • Integration with other products

Cyber Security Alerting & Logging (In 6 Steps)

The following six steps are essential to improving your corporate network security by maximising the benefits of security alerting and logging.

STEP 01: Understand ISO 27001 Compliance

ISO/IEC 27001:2013, also known as ISO 27001, is the international standard for information security. It establishes the specification for an Information Security Management System (ISMS). ISO 27001 takes a best-practice approach that helps organisations manage their information security by addressing people, processes, and technology.

ISO 27001 certification is recognised globally and indicates that your ISMS follows information security best practices. ISO 27001 is part of the ISO 27000 family of information security standards and provides a framework that helps organisations establish, implement, operate, monitor, review, maintain, and continually improve an ISMS.

STEP 02: Define Your Overall Alerting and Logging Policy

If it does not already have one, your organisation should define a strategy for alerting and monitoring. The strategy should be based on business needs and risk assessment data about the business services and assets that need securing, and it should include regular device monitoring and logging of events such as the following:

  • Authentication and access to devices and services
  • User activity and permissions changes
  • Monitoring and logging of network communications to critical applications and services
  • Malware, phishing and ransomware vulnerabilities

Your organisation should also determine how best to collect and analyse your log data. Such analysis will enable your security team to detect and respond to security events, and it allows them to automate the majority of detection and remediation actions.

As your policies evolve, they will include additional ways to learn from security incidents, and your security team can refine alerting and logging to monitor your network better. Alerts are ranked by severity level: an interface going down takes higher priority than an admin leaving global configuration mode. Using Cisco as a model, there are eight severity levels that IT security teams can use to set up and view real-time alerts:

  • 0. Emergency
  • 1. Alert
  • 2. Critical
  • 3. Error
  • 4. Warning
  • 5. Notice
  • 6. Informational
  • 7. Debug

With this model, the lower the number, the more important the message. Emergency (0), Alert (1) and Critical (2) can indicate a security issue or a serious operational fault, such as a device running out of memory, a process crashing, or an interface going down.

STEP 03: Define Specific Devices and Services That Should Alert

Device alerting and logging to a centralised management solution should include all devices accessing the network, including endpoint devices such as mobile phones, laptops and tablets that are more often targeted by cybercriminals. Be sure the following devices are included in your alerting and logging policies:

  • Bring Your Own Device (BYOD)
  • Business-critical applications
  • Cloud Services
  • Desktops
  • Firewalls
  • Internet of Things (IoT) devices
  • Intrusion Prevention System (IPS) devices
  • Intrusion Detection System (IDS) devices
  • Laptops
  • Mobile phones
  • Routers
  • Servers
  • Switches
  • Tablets

STEP 04: Define Security Events That Should be Alerted and Logged

Your security team must decide which security-related event types should be logged and at which alerting level. Many logs can be generated for events, processes, and applications (including successes and failures). Your event log monitoring and audit plan should specify which events to configure so that these issues are detected more reliably.

Some of the typical events include the following:

  • Access privilege changes
  • Antivirus and malware events
  • Attempts to install a service or application
  • Failed login attempts
  • Firewall events
  • Local user account creation
  • Locked user accounts
  • Scheduled tasks
  • Services stopped, started, or disabled
  • Software update events
  • Time changes

STEP 05: Choose a Centralised Management Solution

A centralised network management software (NMS) solution allows for the early detection of network issues such as down devices or poor WAN performance. These alerts and logs report directly to the system and provide the automation and analytics needed to manage the system with ease.

A modern NMS solution can also aggregate all your security alerts into a ‘single pane of glass’, providing your security team with a centralised point for all potential security-related issues.

While there are many NMS vendors, SolarWinds is a prime example of affordable and robust IT infrastructure management software. SolarWinds Security Event Manager (pictured above) monitors and manages the security of any IT environment, whether it operates on-premises, in the cloud, or in a hybrid model.

Some of SolarWinds’ security features include the following:

  • Access Rights Management – Manage and audit access rights across the entire IT infrastructure.
  • Security Event Management – Improve security posture and demonstrate compliance using a ready-to-use, affordable event management and security solution.
  • Server Configuration Monitoring – Detect and compare configuration changes to network databases, servers, and applications.
  • Patch Management – Patch management software efficiently addresses software vulnerabilities.

STEP 06: Testing of Real-Time Alerting and Historical Logging

Once your IT security team has configured all devices per the alerting and monitoring policies, they should conduct regular tests to ensure that those configurations are alerting correctly and that the alerts are reporting to the centralised management solution.

Likewise, IT security should check that Syslog logging is functioning correctly, so that every device on the network is logging to your centralised NMS. If they are not, you will not be able to investigate past security events properly or demonstrate compliance with your guidelines.
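The following is an added example, not code from the original article or from any vendor named in it. It decodes the PRI field of BSD-style Syslog lines into the facility and the 0-7 severity scale described in Step 2, flags events at or above the Emergency/Alert/Critical threshold, and performs the Step 6 check for policy devices that have stopped reporting to the collector. The sample lines, hostnames, the year used to complete timestamps and the one-hour reporting window are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Severity names for PRI % 8; the lowest number is the most important (the 0-7 scale above)
SEVERITY = ["Emergency", "Alert", "Critical", "Error", "Warning",
            "Notice", "Informational", "Debug"]

# BSD-style line: <PRI>Mmm dd hh:mm:ss host message, where PRI = facility * 8 + severity
LINE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
                  r"(?P<host>\S+) (?P<msg>.*)$")

def parse(line, year=2024):
    """Decode one syslog line; returns None for lines that are not valid syslog."""
    m = LINE.match(line)
    if not m or int(m.group("pri")) > 191:        # 191 = facility 23, severity 7
        return None
    pri = int(m.group("pri"))
    # BSD timestamps carry no year, so the caller supplies one (assumed 2024 here)
    ts = datetime.strptime(f"{year} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
    return {"facility": pri // 8, "severity": pri % 8, "level": SEVERITY[pri % 8],
            "time": ts, "host": m.group("host"), "msg": m.group("msg")}

def alerts(lines, max_severity=2):
    """Events that should page someone: severity 0-2 by default (Emergency, Alert, Critical)."""
    return [e for e in map(parse, lines) if e and e["severity"] <= max_severity]

def silent_devices(lines, expected_hosts, now, max_age=timedelta(hours=1)):
    """Step 6 check: hosts in the logging policy that have sent nothing within max_age."""
    last_seen = {}
    for e in filter(None, map(parse, lines)):
        last_seen[e["host"]] = max(last_seen.get(e["host"], e["time"]), e["time"])
    return sorted(h for h in expected_hosts
                  if h not in last_seen or now - last_seen[h] > max_age)

# Constructed sample lines, not real device output. PRI 184-191 = facility 23 (local7,
# the Cisco default); PRI 85 = facility 10 (authpriv) with severity 5.
SAMPLE = [
    "<189>Mar 10 09:14:01 rtr-core-1 Configured from console by admin on vty0",
    "<186>Mar 10 09:15:42 rtr-core-1 Interface GigabitEthernet0/1 changed state to down",
    "<85>Mar 10 09:20:05 srv-files-1 sshd: Failed password for root from 203.0.113.5",
    "<184>Mar 10 07:02:11 fw-edge-1 Memory exhausted, dropping new sessions",
    "not a syslog line at all",
]
POLICY_HOSTS = ["rtr-core-1", "srv-files-1", "fw-edge-1", "sw-access-2"]  # devices that must report
NOW = datetime(2024, 3, 10, 9, 30)                                        # assumed time of the check

if __name__ == "__main__":
    for e in alerts(SAMPLE):
        print(f"ALERT {e['level']:<9} {e['host']}: {e['msg']}")
    print("not reporting in the last hour:", silent_devices(SAMPLE, POLICY_HOSTS, NOW))
```

Run against a real collector, the same two checks would read the forwarded log files and the device list from the alerting policy instead of the constructed sample.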

We also offer a complete security logging and alerting audit service for your network. We can work alongside your IT security team to take the pressure off, so they can concentrate on critical day-to-day operations while we check that all devices on your network are reporting correctly.

Conclusion

Monitoring, logging, and alerting are vital for IT security teams to identify activity patterns and the root causes of security issues on their network. When a security incident occurs, properly logged, real-time alert information is crucial to determining the source and the extent of the breach.

Regular logging is also required to better understand security incidents during an active investigation as well as the post-mortem analysis of the event.

We offer security solutions ranging from anti-malware, anti-phishing, protection against SEO poisoning and 2FA to SASE and cloud-based air-gapped immutable backup storage, with an option to suit your requirements and budget. If you would like to discuss your network security requirements in more detail with one of our cyber security professionals, please don’t hesitate to get in touch.

source:

https://securuscomms.co.uk/cyber-security-alerting-and-logging/