Logs are on the systems, why do I need this?
Because Digital Forensics & Incident Response is expensive -- likely the highest billable rate among most IT/security practices.
Why? Because it is a highly skilled, meticulous and time-consuming activity, and my team has done its fair share of it. Most often, the bulk of the time is spent collecting often-volatile evidence from countless systems in the hope that enough of the attacker's activity is still traceable. The best evidence sources are often the ones least available at the time of the investigation -- logs. Why? Because they roll over, get deleted, etc.
If I walked into an organization that had centralized logging, I could probably cut the IR effort in half because a huge amount of the data I need is there ready to be queried. This allows me to perform deeper forensic analysis only on systems that exhibited noteworthy activity.
Think of it like this -- imagine you walked into a room containing 100 small padlocked boxes, and 20 of those boxes contained Rubik's Cubes. Even if you knew the combination to the padlocks and were a world champion Rubik's Cube solver, imagine how much longer it would take you to solve those 20 Rubik's Cubes knowing that you had to open every single padlocked box to find out whether a cube was inside or not. That's what it's like doing a large IR with no logs to start from. With centralized logging in place, there will still be Rubik's Cubes to solve, but you'll have a much better idea of which padlocked boxes to open first -- saving time and money, but most importantly expediting eradication and remediation.
Centralizing endpoint, network, cloud & SaaS logging is the very first step in migrating to a state of readiness for the inevitable. If your organization uses computers to conduct business, this applies to you.
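To make the "which boxes to open first" idea concrete, here is an added example in Python (mine, not code from the original post). It treats a handful of constructed JSON log lines as the contents of a central log store, groups them by originating host, and ranks hosts by how many simple indicators fire: a burst of failed logons (Windows event 4625), a newly installed service (event 7045) and a process launched from a Temp directory (Sysmon event 1). The host names, addresses and the threshold of five failed logons are assumptions chosen for the illustration.

```python
import json
from collections import defaultdict

# Constructed sample of what a central log store might hold: one JSON event per
# line, each already tagged with the host it came from. Not real data.
CENTRAL_LOG = r"""
{"host": "ws-01", "event_id": 4625, "user": "j.doe", "src_ip": "10.0.5.23"}
{"host": "ws-01", "event_id": 4625, "user": "j.doe", "src_ip": "10.0.5.23"}
{"host": "ws-01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"}
{"host": "ws-01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"}
{"host": "ws-01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"}
{"host": "ws-01", "event_id": 1, "image": "C:\\Users\\j.doe\\AppData\\Local\\Temp\\update.exe"}
{"host": "srv-02", "event_id": 7045, "service": "UpdaterSvc"}
{"host": "ws-03", "event_id": 4624, "user": "m.smith", "src_ip": "10.0.5.40"}
{"host": "ws-03", "event_id": 4624, "user": "m.smith", "src_ip": "10.0.5.40"}
{"host": "ws-04", "event_id": 4625, "user": "k.lee", "src_ip": "10.0.5.41"}
{"host": "ws-04", "event_id": 4625, "user": "k.lee", "src_ip": "10.0.5.41"}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Each indicator looks at all events from one host and returns a short reason
# string if it fires, or None. The thresholds are illustrative assumptions.
def failed_logon_burst(host_events, threshold=5):
    n = sum(1 for e in host_events if e.get("event_id") == 4625)
    return f"{n} failed logons (4625)" if n >= threshold else None


def new_service_installed(host_events):
    names = [e.get("service") for e in host_events if e.get("event_id") == 7045]
    return f"new service installed: {', '.join(names)}" if names else None


def process_from_temp(host_events):
    paths = [e["image"] for e in host_events
             if e.get("event_id") == 1 and "\\temp\\" in e.get("image", "").lower()]
    return f"process started from Temp: {', '.join(paths)}" if paths else None


INDICATORS = [failed_logon_burst, new_service_installed, process_from_temp]


def triage(events):
    """Return [(host, [reasons])] for hosts with at least one indicator,
    most reasons first, so the IR team knows which boxes to open first."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    ranked = []
    for host, host_events in by_host.items():
        reasons = [r for r in (ind(host_events) for ind in INDICATORS) if r]
        if reasons:
            ranked.append((host, reasons))
    ranked.sort(key=lambda item: (-len(item[1]), item[0]))
    return ranked


if __name__ == "__main__":
    for host, reasons in triage(parse_events(CENTRAL_LOG)):
        print(host)
        for reason in reasons:
            print("  -", reason)
```

With the constructed data, ws-01 ranks first (failed-logon burst plus a Temp-path process), srv-02 second (new service), and ws-03 and ws-04 are not listed at all, so only two of four hosts need a deeper look. The same query, expressed in whichever platform you choose, is the difference between opening every box and opening the right ones.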
Great - So What Next?
Choose a Log Aggregation Platform
The best part is that you have several options to choose from, so I'll outline a few with pros/cons.
1. Windows Event Forwarding
Pros:
- Free
- Requires nothing new, just space on an existing server in your environment
Cons:
- Only applies to Windows endpoint logs
- Requires all logging endpoints to be on the same network as the log destination (not across internet)
- Logs are stored, but not queryable in the same manner as a proper log aggregation platform
- Limited detection capabilities without additional software
2. Graylog Open Source
Pros:
- Free
- Supports virtually any log source
- Powerful query capabilities
- Well-documented deployment
- Ability to manage endpoint log shippers with Sidecar
- Multiple built-in enrichment plugins (GeoIP, threat intel lookups, etc.)
- Basic detection can be accomplished with pipeline rules
Cons:
- Some of the more powerful features (SIEM engine) are only available with the paid enterprise license
3. OpenSearch + OpenSearch Dashboards + Logstash
Pros:
- Free
- Supports virtually any log source
- Powerful query capabilities
- Many plugins exist for adding advanced functionality, such as a SIEM engine (ElastAlert, etc.)
Cons:
- You manage your own endpoint log shippers (no Sidecar equivalent)
- Somewhat harder to deploy/maintain than Graylog
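Graylog pipeline rules and Logstash filters share one pattern: at ingest, each event gets extra fields from a lookup (GeoIP, a threat-intel feed, an internal/external address decision), and rules then test those fields to raise an alert before anything is stored. To show the pattern without tying it to either product's syntax, here is an added example written in plain Python; it is not Graylog's rule language, a Logstash config, or code from either project. The lookup tables, host names and addresses are constructed (documentation-only TEST-NET ranges), and the two rules are assumptions chosen to illustrate the idea.

```python
import ipaddress

# Constructed stand-ins for the enrichment sources a real plugin would consult.
THREAT_INTEL = {  # indicator -> description; constructed, not a real feed
    "198.51.100.7": "constructed feed entry: scanner infrastructure",
}
GEO_BY_PREFIX = {  # prefix -> country code; constructed, TEST-NET ranges only
    "198.51.100.0/24": "ZZ",
    "203.0.113.0/24": "QQ",
}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_ip(ip_str):
    """'internal' for RFC 1918 space, otherwise 'external'."""
    ip = ipaddress.ip_address(ip_str)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "external"


def geo_lookup(ip_str):
    """Country code for the first matching prefix, or None (stand-in for GeoIP)."""
    ip = ipaddress.ip_address(ip_str)
    for prefix, cc in GEO_BY_PREFIX.items():
        if ip in ipaddress.ip_network(prefix):
            return cc
    return None


def enrich(event):
    """Return a copy of the event with derived fields added; the input is unchanged."""
    out = dict(event)
    ip = event.get("src_ip")
    if ip:
        out["src_ip_scope"] = classify_ip(ip)
        out["src_ip_geo"] = geo_lookup(ip)
        out["threat_match"] = THREAT_INTEL.get(ip)
    return out


# Rules run on the enriched event and return an alert string or None.
def rule_threat_match(event):
    if event.get("threat_match"):
        return f"src_ip {event['src_ip']} on threat list: {event['threat_match']}"
    return None


def rule_external_logon(event):
    # Windows 4624 = successful logon; alert when the source is outside our address space.
    if event.get("event_id") == 4624 and event.get("src_ip_scope") == "external":
        return f"successful logon for {event.get('user')} from external address {event['src_ip']}"
    return None


RULES = [rule_threat_match, rule_external_logon]


def run_pipeline(events):
    """Enrich every event and evaluate all rules; returns [(enriched_event, [alerts])]."""
    results = []
    for raw in events:
        enriched = enrich(raw)
        alerts = [a for a in (rule(enriched) for rule in RULES) if a]
        results.append((enriched, alerts))
    return results


SAMPLE_EVENTS = [  # constructed
    {"host": "vpn-gw", "event_id": 4624, "user": "a.admin", "src_ip": "203.0.113.45"},
    {"host": "ws-07", "event_id": 4624, "user": "j.doe", "src_ip": "10.0.5.23"},
    {"host": "fw-01", "source": "firewall", "action": "allow",
     "src_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for enriched, alerts in run_pipeline(SAMPLE_EVENTS):
        print(enriched["host"], enriched.get("src_ip_scope"), enriched.get("src_ip_geo"), alerts)
```

Two design points carry over to whichever platform you pick: enrichment happens once at ingest, so every later query can filter on fields like `src_ip_scope` instead of recomputing them, and rules read only enriched fields, which keeps them short and easy to reason about. On this page's platforms, the lookups would be a GeoIP or lookup-table plugin and the rules a pipeline rule or an ElastAlert rule; the logic is the same.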
Enable & Ship Logs that Matter Most
Once you've chosen a log aggregation platform, next you need to ensure you are generating and shipping the most valuable telemetry. Unfortunately, this is often not the default configuration.