Michael Gough, founder of MalwareArchaeology.com, presented at the Austin OWASP Chapter Meeting on 9/29, spreading the “good word” on the importance of logging. The recording of his talk is here https://vimeo.com/140831113
Even though application developers typically include logging within their apps (primarily for their own use in testing and debugging their code, there’s still a lack of understanding of logging in our community when it comes to Application Security and DevOps. With only a little more effort, application developers could include more security-relevant information to provide more useful logs to help monitor the security of the app after it is launched. With OWASP’s mission, Michael encouraged DevOps to Step Up and enable and configure their applications better for logging that will be useful to infosec practitioners later.
As for infosec practitioners, Michael advocates capturing a wide variety of logs, at least locally. Then use log management and Security Information and Event Management (SIEM) to filter out unwanted/unneeded events easily, at the client or the server. He emphasized “You gotta throw out the Good to find the Bad and the Ugly.” And, everybody in the audience seemed to agree with this: “Don’t alert on anything that isn’t actionable!”
As for retention limits – since mean time to detection (MTTD) remains around 210 days, he advocates keeping a year’s worth. As your detection and response improve, you should be able to roll logs in 90-180 days.
Michael’s Windows Logging Cheat Sheet (http://www.slideshare.net/Hackerhurricane/windows-logging-cheat-sheet-v11) is well-known as a useful tool in the community. His new tool, Log-MD, is a tool for Windows 7+ to be used for investigating endpoints that are thought to have malware. It includes discovery of malicious behavior, audit reporting and details to rememediate, including IP addresses of others who opened the malware.
It was a great turnout for the talk!