7.2 Conduct logging and monitoring activities

  • Intrusion detection and prevention
  • Security Information and Event Management (SIEM)
  • Continuous monitoring
  • Egress monitoring
  • Log management
  • Threat intelligence
  • User and Entity Behavior Analytics (UEBA)

What is an incident?  It is an event that affects the confidentiality, integrity, or availability of the organization’s assets.  It could be an event that interrupts or reduces the quality of an IT service.

A security incident is one that was caused by a hacker or a malicious user.  It could be any event that compromises computer security.

We should clearly define what activities constitute an incident in our organization.  Then we know how to detect and respond to them.

Some Preventive Measures

  • Keep systems up to date

    • That means we should patch the systems and correct any bugs

  • Remove unnecessary services

    • Remove any services that we don’t need

    • Close any ports that are not in use

    • If a service isn’t running or a port is not open, then it can’t be used for an attack

  • Use an Intrusion Detection System

  • Use up-to-date antimalware

  • Use firewalls

  • Implement configuration and system management

Understanding Attacks

There are many types of attacks, previously discussed.  We should understand what each one does so that we know the warning signs.

  • Botnets

  • DoS, DDoS

  • SYN Flood Attack

  • Smurf Attacks

    • The hacker forges the “from” portion of a ping echo message so that it appears to have come from another system (not his own).  The device whose address appears in the “from” portion will receive all the replies to the ping request.

  • Ping Flood

    • The hacker overwhelms a system by sending it many ping requests.

  • Ping of Death

    • A ping packet is 56 bytes.  An IP packet can be as large as 65,535 bytes.  Many systems are designed to handle packets of up to 65,535 bytes and no larger.

    • The hacker sends the victim ping packets that are fragmented.  The total size is larger than 65,535 bytes.

    • The victim’s computer accepts the ping packets without realizing the total size.

    • When the victim’s computer puts the ping packets back together, the total size is larger than 65,535 bytes and a buffer overflow results.  The victim’s computer crashes.

  • Teardrop

  • Land Attack (Layer 4 Denial of Service)

  • Zero Day Exploit

    • Attacker learns of vulnerability before the vendor does and exploits it

    • Vendor learns of vulnerability

    • Vendor releases patch

  • Malicious Code

  • Man-in-the-Middle

  • Sabotage

    • A rogue employee intentionally destroys our system

  • Espionage

Intrusion Detection and Prevention Systems

There are many ways to protect against attacks. We must implement a layered security approach.

SIEM stands for Security Information and Event Management.  It can be a dedicated appliance, or it can be a software application.  Many SIEM systems are cloud-based and share threat & intelligence data with multiple customers.

Most network devices generate and store security data.  For example, a router may detect traffic from an unauthorized location, or a server may detect and log failed login attempts.

A SIEM aggregates this security data from multiple sources, including routers, switches, servers, IP phones, network storage appliances, and video recorders.  This is known as log collection.

The SIEM may convert the logs and data into a common format.  This is known as log aggregation.  The SIEM allows a security administrator to view all security events in one place (and in one format) instead of having to log in to multiple devices and extract logs.

The SIEM can also allow a network administrator to correlate events across multiple devices.  For example, if a hacker gains unauthorized access to a network through the router and then fails to log in to a file server multiple times, both events can be correlated as coming from the same source IP address and occurring at the same time.

The SIEM can automatically send alerts to a network administrator either via SMS or e-mail.  The SIEM can be set to trigger alerts when specific events occur.

If network devices are in different time zones, the SIEM can automatically adjust the log times to the time zone of the security administrator.  The SIEM can also remove duplicate events from the log.
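The collection, aggregation into a common format, time-zone adjustment, de-duplication and correlation steps described above, worked through as an added Python example (not code from the original notes or from any SIEM product).  The log lines, device names, time zones and the five-minute correlation window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real device formats).  Router local time is UTC-5,
# the file server is in UTC+1, and the security administrator works in UTC.
ROUTER_TZ, FS_TZ, ANALYST_TZ = timezone(timedelta(hours=-5)), timezone(timedelta(hours=1)), timezone.utc
ROUTER_LOG = [
    "2024-03-01 03:00:10 router1 ACCEPT src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2024-03-01 03:00:10 router1 ACCEPT src=203.0.113.9 dst=10.0.0.5 dport=22",  # duplicate line
]
FILESERVER_LOG = [
    "Mar 1 09:00:25 fs01 sshd: Failed password for bob from 203.0.113.9",
    "Mar 1 09:00:31 fs01 sshd: Failed password for bob from 203.0.113.9",
    "Mar 1 11:40:00 fs01 sshd: Failed password for alice from 198.51.100.7",
]

def normalise_router(line):
    """Router line -> common record, timestamp shifted to the analyst's zone."""
    m = re.match(r"(\S+ \S+) (\S+) (\w+) src=(\S+)", line)
    ts = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=ROUTER_TZ)
    return {"time": ts.astimezone(ANALYST_TZ), "device": m[2], "event": "fw_" + m[3].lower(), "src": m[4]}

def normalise_fileserver(line, year=2024):
    """Syslog-style line (carries no year) -> the same common record layout."""
    m = re.match(r"(\w{3} \d+ \d\d:\d\d:\d\d) (\S+) sshd: Failed password for (\S+) from (\S+)", line)
    ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=FS_TZ)
    return {"time": ts.astimezone(ANALYST_TZ), "device": m[2], "event": "login_failed", "src": m[4], "user": m[3]}

def collect(router_log=ROUTER_LOG, fs_log=FILESERVER_LOG):
    """Aggregate both sources into one time-ordered list with duplicate events removed."""
    events = [normalise_router(l) for l in router_log] + [normalise_fileserver(l) for l in fs_log]
    seen, unique = set(), []
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["time"], e["device"], e["event"], e["src"])
        if key not in seen:
            seen.add(key)
            unique.append(e)
    return unique

def correlate(events, window=timedelta(minutes=5)):
    """Report source IPs whose events touch more than one device within `window` of their first event."""
    by_src, hits = {}, []
    for e in events:
        by_src.setdefault(e["src"], []).append(e)
    for src, evs in by_src.items():
        cluster = [e for e in evs if e["time"] - evs[0]["time"] <= window]
        devices = sorted({e["device"] for e in cluster})
        if len(devices) > 1:
            hits.append({"src": src, "devices": devices, "count": len(cluster)})
    return hits
```

The router pass and the two file-server failures from the same address land fifteen seconds apart once both clocks are shifted to UTC, so the correlation reports that one address against both devices and ignores the lone failure from the other address.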

Some examples of logged data

  • Failed log in attempt on a server or router

  • Firewall refuses traffic from a specific IP address

  • IP address is engaged in port sniffing

Some features of the SIEM

  • Packet Capture.  The SIEM might be able to capture actual packets of data if the network has port mirroring or a packet sniffing device installed.

    Being able to analyse the contents of a packet is helpful because it allows us to see the source and destination of the data as well as the actual potentially malicious content. 

    It is more than just a log.  It is the equivalent of seeing security camera footage versus being alerted that an intrusion alarm went off.

  • User Behavior Analysis.  An advanced SIEM can use something called User and Entity Behavior Analytics to better detect threats through machine learning.  The analytics asks the following questions:

    • Is the user behaving the way a typical user at this organization behaves?

    • Is the user behaving the way a typical user in this role behaves?

    • Is the user behaving the way this user typically behaves?

    • Is the user behaving the way that they did in the past or has something changed?

Some examples of abnormal behavior

  • User has accessed more files than usual today.

  • User is accessing files in directories that he normally does not access.

  • User is accessing files in the marketing directory, but the user works in the accounting department.  Other users in the accounting department don’t normally access files in the marketing directory.

Once we see some abnormal behavior, we can investigate further to determine whether the behavior is legitimate or whether there is an attack.  Either way, we tell the SIEM the result so that it can learn better.
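An added Python illustration of the peer-group reasoning above (the user’s own history, the department’s history, and today’s volume); it is not code from the original notes or from any UEBA product, and the users, departments, directories, and the three-times volume factor are constructed assumptions.

```python
from collections import defaultdict

# Constructed baseline period: (user, department, directory) file-access records.
BASELINE = [
    ("alice", "accounting", "/finance/ledgers"),
    ("alice", "accounting", "/finance/invoices"),
    ("bob",   "accounting", "/finance/ledgers"),
    ("carol", "marketing",  "/marketing/campaigns"),
]
DEPARTMENT = {"alice": "accounting", "bob": "accounting", "carol": "marketing"}
USUAL_DAILY = {"alice": 2, "bob": 1, "carol": 1}          # typical accesses per day
# Constructed activity for today: (user, directory) per file access.
TODAY = [
    ("alice", "/finance/ledgers"), ("alice", "/marketing/campaigns"),
    ("bob", "/finance/invoices"), ("bob", "/finance/ledgers"),
    ("bob", "/finance/invoices"), ("bob", "/finance/ledgers"),
    ("carol", "/marketing/campaigns"),
]

def build_profiles(records):
    """Directories seen per user and per department during the baseline."""
    per_user, per_dept = defaultdict(set), defaultdict(set)
    for user, dept, directory in records:
        per_user[user].add(directory)
        per_dept[dept].add(directory)
    return per_user, per_dept

def score_today(today, per_user, per_dept, usual_daily, factor=3):
    """Return {user: [reasons]} for users whose activity today deviates from baseline."""
    findings = defaultdict(list)
    count, dirs = defaultdict(int), defaultdict(set)
    for user, directory in today:
        count[user] += 1
        dirs[user].add(directory)
    for user, seen in dirs.items():
        dept = DEPARTMENT[user]
        for directory in sorted(seen - per_user[user]):        # not this user's own habit
            if directory in per_dept[dept]:
                findings[user].append(f"{directory}: new for user, normal for {dept}")
            else:                                              # neither user nor peers go there
                findings[user].append(f"{directory}: outside the {dept} baseline")
        usual = usual_daily.get(user, 1)
        if count[user] > factor * usual:                       # more files than usual today
            findings[user].append(f"{count[user]} accesses today, usual is {usual}")
    return dict(findings)
```

Alice’s marketing access is the strongest signal because neither she nor her accounting peers touched that directory in the baseline; Bob’s new directory is only mildly unusual, but his volume is also flagged.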

  • Sentiment Analysis.  Building on the user behavior analysis, the SIEM can also use sentiment analysis.  Sentiment analysis gathers data from multiple sources to understand human emotions and attitudes.

Logging and Monitoring

Logging means we are recording data

  • We might record the data in a database or in a log file

  • There are different formats for log files

  • Logs tell us details about things that happen on our systems (who logged in, what settings were changed, what errors occurred, etc.)

  • Logs might be detailed, or they might be sparse

  • Log Types

    • Security Logs – record access to system resources and files.  We want to keep track of each file that a user accesses and when.

    • System Logs – record system events, which include when different services start or stop.

    • Application Logs – an application log records data for a specific application.  The author of the application can decide what data to store in the log.

    • Firewall Logs – record events about traffic that enters, leaves, or attempts to enter or leave the firewall.  The firewall logs should record source and destination IP addresses and ports.

    • Proxy Logs – record what sites users visit

    • Change Logs – record changes to the system.  We might maintain change logs automatically or manually.

  • We need to protect all log data so that it cannot be modified.  A hacker could do something bad and then erase the logs to cover it up.

  • Only specific people should have access to the logs.  They should only have access when required to perform their jobs.

  • We might take all log data and copy it to a central system that keeps track of data across multiple devices.

  • We might delete logs that are not required

Monitoring means watching the data

  • Audit Trails – an audit trail happens when we have recorded data in a log file.  We can go back and reconstruct events. We need audit trails to prove that something happened or didn’t happen.  We can also use it to detect errors.

  • A person will be less likely to do something bad if they know that they are being watched.

  • The audit trail tells us who did what.  In order for it to work correctly, we need to have a system that strongly identifies each user.

  • The log must have an accurate time stamp.  If the time on the system is wrong, then the time on the log file would also be wrong.

  • Monitoring must be continuous – that means that we always keep track of data

  • Log analysis – detailed monitoring to detect trends in the logs.  Manually reviewing logs can take a long time and will not be thorough.  It is better that we review the logs via a program.

  • A SIEM can be used to keep track of the logs for real-time analysis of events.  We might install an agent of the SIEM on each device that we want to monitor.  The agent then reports back to the SIEM.  We should configure the SIEM to alert us about issues that we want to know about.

  • We might use a monitoring tool to keep track of the inventory of equipment.

  • We might also use it to keep track of unauthorized software being installed.

  • Sampling – sampling is when we extract data from the logs.  We might not have enough time to review every log, but if we collect data at random, we can analyse it for trends.  If we see something unusual, we know where to look for further information.  The samples might not be accurate, so we must develop a good sampling procedure.

  • Clipping – this is sampling that is not statistical.  We might set a threshold for each type of event and then create a notification when it is exceeded.  For example, if we have a clipping level of three for failed logins, then the system can alert us when a user exceeds three failed logins.  We don’t want to see an alert for a single failed login.  Clipping is not accurate for the entire system, but it can help us see specific events.

  • Keystroke Monitoring – we can log the keystrokes typed by each user.  The legality of this can be debated.  Users should be notified that their keystrokes are being logged.  We might also use a video recorder or take screenshots at regular intervals.

  • Traffic Analysis and Trend Analysis – we can monitor packet flow over a network connection to determine the source and type of traffic. 

  • Egress Monitoring – we can monitor traffic to see when data is leaving the organization and attempt to stop it.  It might be difficult to monitor data that is encrypted before it leaves the network.

  • Data Loss Prevention – attempts to block data exfiltration.  We might give each type of data a classification and then scan for keywords for any data that is leaving.  DLPs can scan for patterns or keywords.  Many threats will encrypt the data before sending it out to avoid detection by a DLP.

    • Network-Based DLP – scans all data leaving the network.

    • Endpoint-Based DLP – scans files on a system like a computer or printer.  This can prevent users from copying data to a USB drive or printing data that they should not print.  When installed on an endpoint, we can examine data before it is encrypted.

    • Steganography – we might hide data inside each document each time it is opened.  The hidden data tells us who opened the document or who printed it.  If the document is leaked, we can later trace it back to the source.

    • Watermarking – we might watermark a document so that anybody who obtains a copy will know that it is proprietary.  The watermark does not prevent leaks, but it can deter them.  A DLP system can detect an electronic watermark.
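The clipping-level item in the monitoring list above, worked through as an added Python example (not code from the original notes): failed logins are counted per user inside a sliding window, one alert fires only when the count exceeds the level, and a successful login resets the count.  The log lines, the level of three, and the ten-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed authentication log: four quick failures for bob, one success,
# a single failure for alice, and an isolated failure for bob much later.
LOG = [
    "2024-03-01T08:00:01 auth: FAILED user=bob src=10.0.0.8",
    "2024-03-01T08:00:05 auth: FAILED user=bob src=10.0.0.8",
    "2024-03-01T08:00:09 auth: FAILED user=bob src=10.0.0.8",
    "2024-03-01T08:00:12 auth: FAILED user=bob src=10.0.0.8",
    "2024-03-01T08:00:15 auth: OK user=bob src=10.0.0.8",
    "2024-03-01T08:01:00 auth: FAILED user=alice src=10.0.0.9",
    "2024-03-01T08:30:00 auth: FAILED user=bob src=10.0.0.8",
]
LINE = re.compile(r"(\S+) auth: (FAILED|OK) user=(\S+) src=(\S+)")

def parse(lines):
    """Yield (timestamp, result, user, source) tuples from the constructed format."""
    for line in lines:
        m = LINE.match(line)
        yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]

def clipping_alerts(lines, level=3, window=timedelta(minutes=10)):
    """Alert once when a user's failed logins inside `window` exceed `level`.
    Returns a list of (time, user, source, failure_count) tuples."""
    recent, alerted, alerts = {}, set(), []
    for ts, result, user, src in parse(lines):
        if result == "OK":                      # a success ends the burst
            recent.pop(user, None)
            alerted.discard(user)
            continue
        fails = [t for t in recent.get(user, []) if ts - t <= window] + [ts]
        recent[user] = fails
        if len(fails) > level and user not in alerted:
            alerts.append((ts.isoformat(), user, src, len(fails)))
            alerted.add(user)                   # one alert per burst, not per line
    return alerts
```

Three failures stay below the level, the fourth raises the single alert, and neither Alice’s lone failure nor Bob’s later isolated one produces noise.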