What is good log analysis?

Noora Hyvärinen

16.06.15 1 min. read

The actions taken by a network intruder manifest themselves in many varied ways, and forensic evidence can be littered throughout the environment. Much of that evidence is contained in the log files of various systems.

Log files may exist that reveal every phase of an attack, from the initial delivery of a phishing email through to the exfiltration of sensitive data.

Consequently, log analysis comes with its own set of problems to solve:

  • What sources of log data are available?
  • How do you best aggregate the data?
  • How do you query the data?

Potentially useful sources of data include email systems, DNS servers, DHCP servers, VPN logs, syslog data, routers, firewalls, servers and Windows Event Logs. All of these come in different formats, with different timestamp conventions, so they are not easy to correlate as they stand. A good log analysis platform overcomes these problems and gives intrusion analysts access to the data they need to do their job. Once the data has been aggregated in a suitable analysis system, it becomes possible to see the timeline of an attack as it develops, assuming you know what to look for.
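As an added illustration of the aggregation and correlation step (this is example code written for this page, not a tool from the original post or from F-Secure), the script below takes constructed log lines from four sources in four different layouts and timestamp conventions, normalises them into one UTC timeline, and then pivots from a phishing email to the records that share a user, host, IP or domain with it. Every host name, address, user and domain is made up, the parsers handle only the layouts shown, and the syslog year and time zone are assumptions that are stated in the code because the raw lines do not carry them.

```python
"""Aggregate constructed log lines from four sources into one UTC timeline and
pivot from a phishing email to the activity that followed it.

Added example, not code from the original post. Every log line, host, IP,
user and domain is constructed; the parsers assume exactly the layouts shown.
"""
import csv
import re
from datetime import datetime, timedelta, timezone

# Assumptions the raw lines do not state:
#  - syslog lines carry no year and no zone: assume 2015 and UTC+3 (EEST)
#  - BIND-style DNS query-log timestamps are assumed to be UTC
#  - the mail log (ISO 8601 with offset) and the Windows CSV ('Z') are self-describing
SYSLOG_YEAR = 2015
SYSLOG_TZ = timezone(timedelta(hours=3))
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# Constructed sample lines, one source per key, each in its own format.
SAMPLE = {
    "mail": [
        '2015-06-15T08:02:11+03:00 mx1 smtpd: from=<billing@invoice-example.test> '
        'to=<alice@corp.example> subject="Invoice 4411" attach=invoice.doc',
    ],
    "syslog": [
        'Jun 15 08:04:30 dhcp1 dhcpd[512]: DHCPACK on 10.1.2.33 to 08:00:27:aa:bb:cc (WS-ALICE) via eth0',
    ],
    "winevt": [  # CSV export: TimeCreated,EventId,Computer,User,NewProcess,ParentProcess
        '2015-06-15 05:04:59Z,4688,WS-ALICE,alice,C:\\Windows\\System32\\cmd.exe,WINWORD.EXE',
    ],
    "dns": [
        '15-Jun-2015 05:05:00.004 client 10.1.2.77#40112: query: www.example.net IN A + (10.1.2.5)',
        '15-Jun-2015 05:05:40.120 client 10.1.2.33#51522: query: cdn.invoice-example.test IN A + (10.1.2.5)',
    ],
}


def record(ts, source, detail, entities):
    """Common schema: UTC timestamp, source, readable detail, and lower-cased pivot entities."""
    return {"ts": ts.astimezone(timezone.utc), "source": source, "detail": detail,
            "entities": {(kind, value.lower()) for kind, value in entities if value}}


def parse_mail(line):
    m = re.match(r'(\S+) (\S+) \S+ from=<[^@]+@([^>]+)> to=<([^@]+)@[^>]+>(.*)', line)
    ts, host, sender_domain, rcpt, rest = m.groups()
    return record(datetime.fromisoformat(ts), "mail", f"mail from {sender_domain} to {rcpt}{rest}",
                  [("host", host), ("user", rcpt), ("domain", sender_domain)])


def parse_syslog(line):
    m = re.match(r'(\w{3}) +(\d+) (\d\d):(\d\d):(\d\d) (\S+) \S+: (.*)', line)
    mon, day, hh, mm, ss, host, msg = m.groups()
    ts = datetime(SYSLOG_YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss), tzinfo=SYSLOG_TZ)
    # a DHCPACK binds an IP to a hostname, which is the link between DNS and Windows logs
    lease = re.search(r'DHCPACK on ([\d.]+) to \S+ \((\S+)\)', msg)
    ip, leased_host = lease.groups() if lease else (None, None)
    return record(ts, "syslog", f"{host}: {msg}", [("host", host), ("host", leased_host), ("ip", ip)])


def parse_winevt(line):
    ts, event_id, computer, user, proc, parent = next(csv.reader([line]))
    ts = datetime.strptime(ts, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return record(ts, "winevt", f"{computer} event {event_id}: {parent} started {proc} as {user}",
                  [("host", computer), ("user", user)])


def parse_dns(line):
    m = re.match(r'(\d+)-(\w{3})-(\d{4}) (\d\d):(\d\d):(\d\d)\.\d+ client ([\d.]+)#\d+: query: (\S+) IN', line)
    d, mon, y, hh, mm, ss, client, qname = m.groups()
    ts = datetime(int(y), MONTHS[mon], int(d), int(hh), int(mm), int(ss), tzinfo=timezone.utc)
    parent = ".".join(qname.split(".")[-2:])  # crude "registered domain": the last two labels
    return record(ts, "dns", f"{client} queried {qname}", [("ip", client), ("domain", parent)])


PARSERS = {"mail": parse_mail, "syslog": parse_syslog, "winevt": parse_winevt, "dns": parse_dns}


def build_timeline(sample=SAMPLE):
    """Parse every line with its source's parser and order the records by UTC time."""
    recs = [PARSERS[src](line) for src, lines in sample.items() for line in lines]
    return sorted(recs, key=lambda r: r["ts"])


def pivot(timeline, seed_index, window=timedelta(minutes=10)):
    """Grow a chain from one record by pulling in records inside the window that share a
    user, host, IP or domain with anything already in the chain. Iterates to a fixpoint so
    that a link found late (e.g. host from a Windows event) can pull in an earlier record
    (e.g. the DHCP lease that ties that host to an IP)."""
    seed = timeline[seed_index]
    chain, seen = {seed_index}, set(seed["entities"])
    deadline = seed["ts"] + window
    grew = True
    while grew:
        grew = False
        for i, rec in enumerate(timeline):
            if i in chain or not (seed["ts"] <= rec["ts"] <= deadline):
                continue
            if seen & rec["entities"]:
                chain.add(i)
                seen |= rec["entities"]
                grew = True
    return [timeline[i] for i in sorted(chain)]


if __name__ == "__main__":
    tl = build_timeline()
    for r in pivot(tl, 0):  # index 0 is the phishing email, the earliest record
        print(r["ts"].strftime("%H:%M:%SZ"), r["source"].ljust(7), r["detail"])
```

Run as-is it prints the four linked records in order (mail, DHCP lease, Word spawning cmd.exe, DNS lookup of the sender's domain) and leaves out the unrelated query from 10.1.2.77. The point to take from it is the schema, not the regexes: once every source carries a UTC timestamp and a small set of normalised entities, the "what happened next" question becomes a join rather than four separate greps, and the stated time-zone assumptions are what make the ordering trustworthy.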

The best intrusion analysts know the mindset of the attacker and know his methods; this helps them to hunt the attacker down. Knowledge of how the attacker will develop his compromise and target his objectives, and the manner in which that will yield certain evidence in log files, is fundamental to uncovering new threats in your environment.
