This is Part 14 of a 'How-To' effort to compile a list of tools (free and commercial) that can help IT administrators comply with what was formerly known as the "SANS Top 20 Security Controls". It is now known as the Center for Internet Security (CIS) Security Controls. A summary of the previous posts is here:
- Part 1 - we looked at Inventory of Authorized and Unauthorized Devices.
- Part 2 - we looked at Inventory of Authorized and Unauthorized Software.
- Part 3 - we looked at Secure Configurations.
- Part 4 - we looked at Continuous Vulnerability Assessment and Remediation.
- Part 5 - we looked at Malware Defenses.
- Part 6 - we looked at Application Security.
- Part 7 - we looked at Wireless Access Control.
- Part 8/9 – we looked at Data Recovery and Security Training.
- Part 10/11 - we looked at Secure Configurations for Network Devices such as Firewalls, Routers, and Switches and Limitation and Control of Network Ports, Protocols and Services.
- Part 12 - we looked at Controlled Use of Administrative Privileges
- Part 13 - we looked at Boundary Defense
Now we are taking on Maintenance, Monitoring and Analysis of Audit Logs.
14-1 - Include at least two synchronized time sources (i.e., Network Time Protocol - NTP) from which all servers and network equipment retrieve time information on a regular basis so that timestamps in logs are consistent, and are set to UTC (Coordinate Universal Time).
- GPO - I usually point my Domain Controllers at pool.ntp.org servers, and all my clients, servers, time clocks, conference phones, cameras, switches, routers, etc... to my domain controllers (Don't forget Hypervisors!)
- Linux - google search for your distro!
14-2 - Validate audit log settings for each hardware device and the software installed on it, ensuring that logs include a date, timestamp, source addresses, destination addresses, and various other useful elements of each packet and/or transaction. Systems should record logs in a standardized format such as syslog entries or those outlined by the Common Event Expression initiative. If systems cannot generate logs in a standardized format, log normalization tools can be deployed to convert logs into such a format.
I found free all-in-one log collection/normalization/and analyzing tools to be severely gimped and lacking. What works well for Windows, doesn't work will for Linux, and vice versa. It doesn't work for me to have 2 systems in place - therefore, I cannot recommend any good free tools for this.
- Tenable Log Correlation Engine - A leader in Security, Tenable makes a great tool that collect, normalizes, analyzes, and alerts for almost any log out there.
- EventLog Analyzer - Ties in with ManageEngines other wide array of IT tools. They do offer a free version for upto 5 devices
- AlienVault USM - With everything else that it does, it also has log correlation!
14-3 - Ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files will not fill up between log rotation intervals. The logs must be archived and digitally signed on a periodic basis.
More common sense than anything: You wanna log all the things? You gonna need space!
14-4 - Develop a log retention policy to make sure that the logs are kept for a sufficient period of time. Organizations are often compromised for several months without detection. The logs must be kept for a longer period of time than it takes an organization to detect an attack so they can accurately determine what occurred.
The above logging tools all come with log rotation and retention settings.
14-5 - Have security personnel and/or system administrators run biweekly reports that identify anomalies in logs.
Don't expect your SIEM/Log correlation system to find everything. Manual work is needed too.
14-6 - Configure network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, to verbosely log all traffic (both allowed and blocked) arriving at the device.
This is more of a best practice than a tool.
14-7 - For all servers, ensure that logs are written to write-only devices or to dedicated logging servers running on separate machines from the hosts generating the event logs, lowering the chance that an attacker can manipulate logs stored locally on compromised machines.
- Microsoft Event Collector - Forward all or certain events to a collector.
- nxlog - Compatible with Windows and Linux.
All the tools in the above section within this control perform this function.
14-8 - Deploy a SIEM (Security Incident and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.
Ah, finally. SIEM. The solution to all of life’s problems, right? Right? Right?
Once again, I will point you to the Gartner Quadrant for SIEM 2015.
14-9 - Monitor for service creation events and enable process tracking logs. On Windows systems, many attackers use PsExec functionality to spread from system to system.
I will direct you to HIDS in section 3-8.
14-10 - Ensure that the log collection system does not lose events during peak activity, and that the system detects and alerts if event loss occurs (such as when volume exceeds the capacity of a log collection system). This includes ensuring that the log collection system can accommodate intermittent or restricted-bandwidth connectivity through the use of handshaking / flow control.
There are really no tools I can recommend for this.