Audit logs / SIEM explained

When a large company grows and has more and more departments, many events take place within the infrastructure. In addition, when you use software, it is also sometimes useful to have a record of what is going on. Especially when a problem occurs. This is where logs come in handy. Thanks to the logs, you will be able to monitor the functioning of your systems, in order to be sure that they are working properly. Moreover, in case of computer attacks, the logs can be used to understand what is happening or what has happened. Logs offer a lot of valuable information. Moreover, some tools can be used to process all this information in the best possible way, for example SIEM (Security Information and Event Management). It will help you process all this data. Indeed, the logs can be very heavy to manage. 

Audit Logs to Monitor Your Activity

Audit logs are very useful for companies. Whether you have a large infrastructure or a lot of SaaS software, setting up a log audit can be interesting. Especially in a context where more and more services, machines and employees are added to your infrastructure. We notice that for some companies, the implementation of a log management is considered as a secondary task. However, managing logs from the beginning of your projects or activity is very important. Indeed, logs are chronological records of what happens within your infrastructure. They can concern several elements, be it an operation, a procedure, an event, or even a device. They are particularly useful to ensure that everything is working properly on your system and that no unexpected events occur. Indeed, every IT element can create logs, whether it is a desktop computer, a firewall, a SaaS service… These logs will, for example, concern a user’s connection to a device, an incoming connection to a network device, etc. All these events are elements that will be listed in your logs. Of course, not every device or service returns the same logs. However, most of the time, the items in the logs will at least list the person or object that performed the action, the action itself, and finally, whether or not the action was successful.

Let’s take for example the connection of a user to a workstation.

We can see in the logs:

WHO/WHAT: The name/id of a user and the name/id of a workstation

ACTION: Attempt to connect to a session

RESPONSE: “Success” if the connection is successful, “Failure” if the connection is unsuccessful (wrong password…)

It is possible to add many more details on the logs, but these three fields are the most important.

All this information will allow you to detect anomalies or attacks, for example, which is very practical. An anomaly can be quickly detected and you will be able to know the source via the log files. 

If you notice that a user has tried to log into their session hundreds of times without success in a very short period of time, you may want to consider a potential “brute force” attack.

Moreover, in the case of an attack, the logs can be used as evidence if you file a complaint or if your company is required by the ANSSI, to communicate information about it.

Most of the time, logs are simply a text file. They contain information about the different events that have taken place in your system. This information is arranged in chronological order to keep the data consistent. Having a good formatting of the logs is necessary to be able to process them correctly. Indeed, it can be complicated to read them and it is necessary to make them as readable as possible.

The logs allow you to trace all the events that have occurred on the system. They are mainly used by administrators or auditors to check that your system has the expected behavior. Moreover, they are very useful in case of an attack or a malfunction. However, having to manage all this data yourself can be extremely time consuming and tedious. Indeed, the log files can quickly become large and this makes the task complex for a human. Reading them in real time is even more complex. This is why there are solutions to manage your logs more easily. This is the case of SIEM, for example.

SIEM, for Automated Log Management

Log management becomes more and more complex as you evolve and if you have thousands of users, it quickly becomes impossible to find the information you need. Imagine finding an incident when all your employees arrive. You will quickly find yourself with thousands of lines of logs to check, which is impossible to do. This is where SIEM comes in, which is the fusion of two tools, SEM (Security Event Management) and SIM (Security Information Management). The SIEM software will allow you to gather and collect all the log files of your infrastructure. Whether it is your applications, your system or any other device such as your firewall, an SIEM software will be able to collect everything, whether it is from an application or service in the Cloud or locally. 

Via the recovered logs, it will now be possible to perform searches on specific events. It will also be possible to group certain events by type. For example, grouping all the events of users who made a mistake with their passwords during the last three hours. The SIEM makes it possible to identify, analyze and group events that have taken place. One can then imagine grouping the elements of severity or importance. But some SIEM software can do even better since some of them allow sending alerts when log events seem abnormal. Some of them can also create graphs or generate reports. Thanks to SIEMs, it is now possible to study logs in an optimal way. Responding to threats becomes much easier and they are detected much faster. 

Implementing logs provides better visibility and security. Using an SIEM provides even better visibility and therefore enhanced security. Finally, there are other solutions that allow you to strengthen your security even further: SOAR.

SOAR for immediate response to threats.

Another very interesting solution can be integrated into certain SIEMs: SOAR (Security Orchestration, Automation and Response). The SOAR will indeed allow you to protect your system from threats. It will automatically respond to what the SIEM considers dangerous. Thus, the response will be fast and even if the measures taken are minimal, it will limit the impact that the attack could have. For example, if a user enters the wrong password several times in a row, the SOAR will block access to their account. This is to counter a brute force attack, for example. The same applies if they log from an unauthorized location, etc. This is the type of preventive protection that SOAR can launch automatically. This adds significant security to your system since the response will be almost immediate.

ISO 27001 and logs

The annex of ISO 27001 includes 4 main points concerning log management. 

1. Event logging

ISO 27001 specifies that log generation and management must be implemented. These logs must be kept for a certain period of time and must be audited.

In addition, it is recommended when possible to include the following elements in the logs. 

1. User IDs;
2. System Activity;
3. Dates, times and details of key events, such as login and logout;
4. Identification of the system or location of the device if possible;
5. Records of successful and unsuccessful attempts to access the system;
6. Successful and unsuccessful data records and other resource access attempts;
7. System Configuration Changes;
8. Use of privileges;
9. Application and use of systems;
10. Files accessed and types of access;
11. Network addresses and protocols;
12. Management System Warnings;
13. Protection mechanisms such as antivirus and intrusion detection systems are activated and deactivated as needed;
14. Transaction records made in applications by users.

1. Log protection

It is also specified in ISO 27001 that the logs must be protected. The first thing an attacker will try to do when entering a system will be to alter or delete the logs to remove their trace.

Therefore, it is necessary not to grant log deletion or modification rights to any user. Then it is necessary to prevent the alteration of log messages and finally to make sure that the logs can be stored (no deletion or loss of logs due to a maximum storage reached).

1. Logs for Administrators and Operators

Administrators or users with elevated privileges should not be given preferential treatment regarding logs. All users, regardless of their privileges, should be subject to event logging.

1. Synchronization of the Clock

Finally, all services and all machines must be synchronized to have the same dates and times. If this is not the case, the log management will be greatly degraded and will not allow a quick resolution of problems.

Many SIEM Solutions Are Available on the Market

Among SIEM solutions, some are more popular than others. For example, these come to mind:

• DataDog Cloud SIEM
• Splunk Enterprise Security
• Solar Winds Security Event Manager
• Sentinel (only compatible with Azure)
• LogPoint

These solutions are just a few examples among many others!

SIEM and Log Audits for Better Visibility and Security

The SIEM offers better visibility on your infrastructure and better security. At the same time, it saves time and workforce. Your teams will be able to free up time to do other tasks. The automation of monitoring and protection tasks can be handled by SIEM and SOAR. Whether you’re a SaaS, a small business or a large corporation, event logging is an important task that should be considered early. In addition, some companies require that before working with SaaS or other companies, they have an effective log management policy. Therefore, having an SIEM in place can be very useful and interesting for your expansion. Moreover, having a log management will allow you to unlock certifications like ISO 27001, for example. 

So ready to learn more about Audit Log/SIEM? We tell you more at Cryptr.