Every Organization Needs Centralized Logging
Logs are on the systems, why do I need this?
Because Digital Forensics & Incident Response is expensive -- likely the highest billable rate among most IT/security practices.
Why? Because it is a highly skilled, meticulous and time-consuming activity, and my team has done our fair share of it. Most often, the bulk of the time is spent collecting often-volatile evidence from countless systems in the hope that enough of the attacker's activity is still traceable. The best evidence sources are often the ones least available at the time of the investigation: logs. Why? Because they roll over, get deleted, or were simply never enabled in the first place.
If I walked into an organization that had centralized logging, I could probably cut the IR effort in half because a huge amount of the data I need is there ready to be queried. This allows me to perform deeper forensic analysis only on systems that exhibited noteworthy activity.
Think of it like this -- imagine you walked into a room containing 100 small padlocked boxes, and 20 of those boxes contained Rubik's Cubes. Even if you knew the combination to the padlocks and were a world champion Rubik's Cube solver, imagine how much longer it would take you to solve those 20 Rubik's Cubes knowing that you had to open every single padlocked box to find out whether a cube was inside. That's what it's like doing a large IR with no logs to start from. With centralized logging in place, there will still be Rubik's Cubes to solve, but you'll have a much better idea of which padlocked boxes to open first -- saving time and money, but most importantly expediting eradication and remediation.
Centralizing endpoint, network, cloud & SaaS logging is the very first step in migrating to a state of readiness for the inevitable. If your organization uses computers to conduct business, this applies to you.
Great - So What Next?
Choose a Log Aggregation Platform
The best part is that you have several options to choose from, so I'll outline a few with pros/cons.
1. Windows Event Forwarding
Pros:
- Free
- Requires nothing new, just space on an existing server in your environment
Cons:
- Only applies to Windows endpoint logs
- Forwarders need WinRM (HTTP/HTTPS) reachability to the collector and, in practice, a shared domain for Kerberos authentication; not practical for endpoints across the internet or outside the domain
- Logs are stored, but not queryable in the same manner as a proper log aggregation platform
- Limited detection capabilities without additional software
References:
- https://social.technet.microsoft.com/wiki/contents/articles/33895.windows-event-forwarding-survival-guide.aspx
- https://learn.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem
- https://web.archive.org/web/20171212201838/https://channel9.msdn.com/Events/Ignite/Australia-2015/INF327
2. Graylog Open Source
Pros:
- Free
- Supports virtually any log source
- Powerful query capabilities
- Well-documented deployment
- Ability to manage endpoint log shippers with Sidecar
- Multiple built-in enrichment plugins (GeoIP, threat intel lookups, etc)
- Basic detection can be accomplished with pipeline rules
Cons:
- Some more powerful features (SIEM engine) only available in paid enterprise license
References:
- https://github.com/Graylog2/graylog2-server
- https://www.youtube.com/watch?v=0IUQbY2lAsE&list=PLBnq5id2_TNZkEQgRuDhf1bk8Yj36Nij0
- https://blog.reconinfosec.com/detecting-threats-with-graylog-pipelines
- https://blog.reconinfosec.com/detecting-threats-with-graylog-pipelines-part-2
- https://blog.reconinfosec.com/detecting-threats-with-graylog-pipelines-part-3
3. OpenSearch + OpenSearch Dashboards + Logstash
Pros:
- Free
- Supports virtually any log source
- Powerful query capabilities
- Alerting and Security Analytics (rule-based detection) plugins ship with OpenSearch, and standalone tools such as ElastAlert 2 can layer additional rule-based alerting on top (ElastAlert runs as a separate service, not a plugin)
Cons:
- Manage your own endpoint log shippers (no sidecar feature)
- Somewhat harder to deploy/maintain than Graylog
Enable & Ship Logs that Matter Most
Once you've chosen a log aggregation platform, next you need to ensure you are generating and shipping the most valuable telemetry. Unfortunately, this is often not the default configuration.
Enable Windows Audit Policy Best Practices
For Windows domains, one of the easiest ways to increase the value of your logs is to follow Microsoft's own guidance on Audit Policy Recommendations. This enables most of the events needed to monitor Active Directory for signs of compromise. Two details are easy to miss: the subcategory settings only take effect when the "force audit policy subcategory settings" option is on, and process creation events (4688) are of limited value unless command-line logging is enabled as well, which is a separate policy setting.
Deploy Sysmon
You can and should consider going a bit further by deploying the free and very powerful Sysmon (System Monitor) agent maintained by Microsoft Sysinternals. Sysmon provides EDR-quality telemetry (process creation with hashes and parent process, network connections, image loads, file, registry and named pipe events) and costs nothing to use. Sysmon alone can answer many of the questions incident responders have when trying to follow adversaries through an environment. Bonus: Sysmon now supports Linux. When deploying Sysmon, provide a well-tuned configuration; the default is noisy. Several good configurations are available online, and one of our favorites is Olaf Hartong's modular configuration (sysmon-modular).
Optimize Your Log Shipper
If you choose a platform like Graylog or OpenSearch, you'll soon be familiar with the Beats agents (Winlogbeat for Windows event logs, Filebeat for files). The Recon team has shared our previous Winlogbeat configuration, which will help you reduce log volume while still shipping the higher-value events.
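Putting the three steps above together, here is an added example (not from the original post, and not Recon's shared configuration) of a PowerShell bootstrap script for a single Windows host: it enables a subset of the recommended audit subcategories, turns on command-line logging for 4688, installs or updates Sysmon with a tuned config, and writes a Winlogbeat config that ships only high-value channels and event IDs to a Beats input. The staging path `C:\Deploy`, the file names, the collector address `graylog.example.internal:5044` and the event ID lists are assumptions; adjust them for your environment and roll the result out via GPO, Intune or your configuration management rather than by hand.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Assumes Sysmon64.exe, a tuned sysmonconfig.xml
# (for example the output of Olaf Hartong's sysmon-modular) and an unpacked winlogbeat folder
# are staged under $Stage, and that a Graylog Beats input listens at $BeatsHost.
[CmdletBinding()]
param(
    [string]$Stage     = 'C:\Deploy',                        # assumed staging folder
    [string]$BeatsHost = 'graylog.example.internal:5044'     # assumed Graylog Beats input
)
$ErrorActionPreference = 'Stop'

# --- 1. Audit policy -------------------------------------------------------------
# Make the granular subcategory settings win over the legacy category settings; this is
# the registry value behind the "Force audit policy subcategory settings" policy.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# A subset of the subcategories Microsoft recommends auditing for success and failure.
# Names are the English ones; on a localized Windows use the subcategory GUIDs instead.
$subcategories = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Computer Account Management', 'Security Group Management', 'User Account Management',
    'Process Creation', 'Process Termination',
    'Logon', 'Logoff', 'Special Logon', 'Other Logon/Logoff Events',
    'Audit Policy Change', 'Authentication Policy Change',
    'Sensitive Privilege Use', 'Security System Extension', 'System Integrity'
)
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# 4688 is of limited value without the command line; this is the registry value behind
# "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Value 1 -Type DWord

# --- 2. Sysmon -------------------------------------------------------------------
$sysmon       = Join-Path $Stage 'Sysmon64.exe'
$sysmonConfig = Join-Path $Stage 'sysmonconfig.xml'
if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmon -c $sysmonConfig | Out-Null                # already installed: reload the config only
} else {
    & $sysmon -accepteula -i $sysmonConfig | Out-Null    # fresh install with the tuned config
}
if ($LASTEXITCODE -ne 0) { throw 'Sysmon install/update failed' }

# --- 3. Winlogbeat ---------------------------------------------------------------
# Ship whole channels where nearly every event matters (Sysmon, PowerShell script block
# logging) and only a curated set of IDs from Security and System, where the volume lives.
$beatDir    = Join-Path $Stage 'winlogbeat'
$beatConfig = Join-Path $beatDir 'winlogbeat.yml'
$yml = @"
winlogbeat.event_logs:
  - name: Security
    # Assumed starting list: logons, Kerberos/NTLM auth, account and group changes,
    # process creation, service and scheduled task creation, share access.
    event_id: 4624, 4625, 4627, 4648, 4672, 4688, 4697, 4698, 4702, 4720, 4722, 4724, 4728, 4732, 4756, 4768, 4769, 4771, 4776, 4798, 4799, 5140, 5145
    ignore_older: 72h
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104
  - name: System
    # Service installs and crashes, start-type changes, shutdowns and log restarts.
    event_id: 7045, 7034, 7040, 1074, 6005, 6006, 6008
output.logstash:
  hosts: ["$BeatsHost"]
"@
Set-Content -Path $beatConfig -Value $yml -Encoding UTF8

# Fail loudly on a bad config before touching the service.
& (Join-Path $beatDir 'winlogbeat.exe') test config -c $beatConfig -e
if ($LASTEXITCODE -ne 0) { throw 'winlogbeat.yml failed validation' }
Write-Host 'Audit policy, Sysmon and Winlogbeat configured; install or restart the winlogbeat service to start shipping.'
```

Graylog's Beats input speaks the same protocol as Logstash's, which is why `output.logstash` is the right output for Graylog as well as for a Logstash-fronted OpenSearch stack. If you manage shippers with Graylog Sidecar, the same `winlogbeat.event_logs` block goes into the Sidecar collector configuration instead of a file on disk. Whatever the event ID list, verify it against a real investigation: if responders keep asking for an event you dropped, add it back.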
Looking for More than Logging?
Maybe you have already accomplished this basic step and are looking to elevate, or simply don't have time. You might be looking for an easier option to improve your posture by going beyond simple logging. Recon InfoSec Managed Detection & Response covers not only log aggregation for your entire environment with 365 day retention, but more importantly, real-time threat detection and response capability. Our EDR agent coupled with our Artemis XDR Platform provide your team the visibility and control you've always wanted with the comfort of knowing our SOC is watching and responding 24x7x365.
Want to know more? Reach out today.