RCR 046: Logging and Monitoring (CISSP Domain 7)

Description:

Shon Gerber from ShonGerber.com provides you the information and knowledge you need to prepare and pass the CISSP Exam while providing the tools you need to enhance your cybersecurity career.  Shon utilizes his expansive knowledge while providing superior training from his years of training people in cybersecurity. 

In this episode, Shon will talk about the following items that are included within Domain 7 (Security Operations) of the CISSP Exam:

• CISSP / Cybersecurity Integration – Logging and Monitoring Overview
• CISSP Training –  Logging and Monitoring Activities (Domain 7)
• CISSP Exam Question – Logging and Monitoring / Data Life Cycle (Domain 7)

BTW - Get access to all my CISSP Training Courses here at:   http://www.shongerber.com/

Want to find Shon Gerber / Reduce Cyber Risk elsewhere on the internet?

LinkedIn – www.linkedin.com/in/shongerber

Facebook - https://www.facebook.com/CyberRiskReduced/

LINKS: 

• ISC2 Training Study Guide
  • https://www.isc2.org/Training/Self-Study-Resources
• Infosec Industry
  • https://resources.infosecinstitute.com/category/certifications-training/cissp/domains/security-operations/logging-and-monitoring/#gref

Transcript:

what weather do Cyrus podcast July 29th 2019 episode 46 logging and monitoring activities domain 7 welcome to the reduce cyber risk podcast where we provide you the training and tools you need to pass the cissp exam while enhancing your cybersecurity career hi my name is Sean Gerber and I'm your host for this action-packed informative podcasts each week cuz I provide the information you need to grow your cybersecurity knowledge so that you're better prepared to pass the cissp exam all right Halo stronger with reduce cyber risk how are you all doing this wonderful day it's been a beautiful day here in Kansas has been like scorching hot though about a hundred degrees it was last week so yeah it's pretty pretty toasty outside but other than that it's a wonderful summers day and I cannot complain at all we've got going on with reduce cyber risk and also another thing is that I've started up another domain it's Sean gerber.com it s h o n Gerber Gerber. Calm and that you can check that out I have all my cissp training is put there on Sean gerber.com go check it out seven times before somebody actually goes and checks it out episode where daddy talking about domain operations in this is all part of the CIA Aries that you need to be concerned about as you're dealing with logging and Mom doing with the cissp exam so in the first part of the cissp cyber security integration not where we talking about logging and monitoring overview and as far as a cissp training specifically about logging and monitoring activities is domain 7 and if you study is c squared cissp training manual you will know that that's where that falls into and then the cissp exam questions are going to be around logging and monitoring and data lifecycle domain 7 Siri integration where we talkin from a article I saw online from The infosec Institute and this is objective 7.3 conduct logging and monitoring activities the topic is logging and monitoring overview and really what it comes down to is where to get into what exactly are logs the first thing or the kind of focus on and typically people wonder what are log files well you know this is riveting stuff I hate to tell you what is a log file turn the pages it's cannot come you cannot hold back the enthusiasm about a log file and I'll really they're quite boring in quite painful so therefore we will talk about how you can ingest those log files but bottom line is there an event log something that occurs within an environment and they are typically called with a computer named they have creation deletion records they have all of those pieces that are tied to an event log that may occur now most systems and I will say most because of many older type systems are applications they may not generate much for log files at all and newer systems they do they check they generate a plethora of log files which at times can be a bit overwhelming but log files are an integral part especially as in you're dealing with the cissp exam and understanding this as a cybersecurity professional now there's different types of logs and the what are types of logs in these are authentication log audit logs and system logs are different types of logs that you will see when they each have a different thing and authentication obviously when your logging into something in life that I can't you that audit log is basically looking at the system itself and finding out if there's an audit Trail around those logs and then your system font logs are logs at or dealing with specifically with the system that's operating on it are some different use cases that you need to keep logs for and these use cases would be regulations litigation or even application debugging I mean it's many different situations where you would want log files but in the today's world especially the litigious as it is so that's a big ten dollar words education won't let me go any further than that but it's a bad thing I assume been litigation litigious yes so did use cases around litigation regulations you have to maintain law . of time and depending upon the company depending upon the regulations you may have to keep somebody's laws potentially indefinitely were you would then in turn be using products like AWS Glacier or someplace like that to store them that's a different podcast but bottom line is that you would have to keep these logs for a. Of time and regulations litigations or debugging may may want you to have some form of logs and be able to keep them for. considerations around the log files at Uni we're out they start off small and they're not very big at first but then you add one device and then another device another device and next thing you know you got log files coming out of your ears they replicate like a rabbit and so you go what am I gonna do with all these well thumbs down to log files are only as good as if you even look at them if you don't look at them what's the point you don't need them and they just take up space and they take Mason to take up processing speed however if you were to get sued due to something that would be unfortunate such as a breach and if you don't have log files and you purposely did not collect log files and it's a bad thing for you so I would not recommend doing it so therefore you need to start off and start off small but the logs need to be in a situation before it and moved on that's a possibility they also the storage can become a serious challenge as a relates to keeping your log files you don't know these things build up as they build up they store for a long. Of time now if you have to keep them for a long. You now go from being gigabytes to terabytes keep these log now these logs typically flat files are not very big what did you get lots of systems reporting in they will grow some knotty life cycle of keeping these should also be considered how long do you want to keep your logs for you want to keep for 90 days 6 months 1 month 1 week 2 days I don't know if you decide not regulations May dictate what you should and shouldn't do around That Pet Place but at the end of the day you need to consider how long do you keep that data in your environment now you're dealing log management you must develop a solid monitoring strategy and this is where it comes into play where you have a Sumter auto robot type thing is Splunk or a some sort of sim what should be your security incident event management system that would be all these things would get dumped into and it would help monitor this I also need to consider human machine automation what do you want to give to the computer what do you want to have humans look at I need to find that from a strategy standpoint what works best for you doesn't need to be logged you got to ask yourself do you really need to log it well in some cases of banking situation you may need to log almost everything but another plate made in other cases you probably don't need to it it's just additional ways to really what it comes down to I need to start a small we talked about that but build value within your organization there some devices that you can monitor which would be your intrusion prevention intrusion detection switches all the things were routing goes through some of traffic now again comes down to your environment comes down to your occupation whether I how much you should record order should not record with logs anomalies that is the key behind of all of this can you do a log review you need to find critically the systems to be monitored I eat property systems they would be the ones the first ones to look at the personal data those systems you'd want to keep logs up you want to keep logs of the Raspberry Pi that checking out of the people entering and exiting a building probably not that's just one piece of information you probably don't need but she needs to find the criticality of these systems that you want to be monitored you determine a process to handle issues incident response process do you have one is there an automated situations are events that you can pick off and have this thing just go for you in in the flu that there is an issue and you may need a tiered approach when your hand is advancing to how do you want to handle a situation where you been breached would be a tear oh my gosh going to tear vs. computer it doesn't work real well and Scott ransomware so you have to determine which one works best for you and your organization they also need to consider frequency we talked about this as well do you want 90 days 60 days a hundred days 1 days I was at one that's a good one to decide what frequency how often do you want to collect these you want to collect them daily hourly monthly minute-by-minute minute Lee that's not a real word but it works for me so you determine how frequency how frequently you want to collect them where do you want to store these do you have a four-door that forwards on your log do you have a a syslog server that you basically aggregate to collect all your logs what is the bandwidth of the connection for your logs you may have a situation where that you have bandwidth constrained and therefore these logs just take up extra space that you do not want them to do body systems critical non-critical are they scripted or Emmanuel collection what do you how did you work that is it set up that they automatically post at a certain. Of time to a certain location it depending upon how you have things set up you can have apis set up so that it would have one application with talk to their applications pitched the logs to a certain location send location three times that's pretty cool you get actually 10-point extra for saying the same word times in one sentence you know that's not really good English. Don't don't listen to what I just said operating systems applications tools external access third party connections all of those things need to be considered what are going to keep logs on now as a personal example I've got a situation where I've got third parties coming into our environment I want to watch those logs now do I want to watch the ticket meter that allows people in and out of an environment you know like the gate yeah I got to watch those you never know what could be coming in through third-party connection so you just got to make sure that you keep all of that does your deal with log analysis you need to consider again we talked about the daily life of it and there's various phases of your data lifecycle is your collection examination your storage your archiving and your deletion those are basically five aspect the five phases of cycle of generation dealing with data lifecycle collection examination storage archiving and deletion various choir requirements that you need to consider in each of these phases are you dealing with gdpr which is your general data privacy regulation you deal with HIPAA which is your health insurance portability accountability act that 10 time socks like the Red Sox play some of that comes out to do you have requirements that Focus you in the space that requires you to have a certain amount of collection how much do you examine it where do you store it is it encrypted also need to be made to address each of these so it's important that you have it set up that you have election examination storage archiving and deletion said that a lot so I'm saying is I'm trying to hint at fact that you probably know those but that's probably good to know, just good to know but bottom line is that you need to have policies that focus on those so because it won't help you make your environment much more secure all right that's all I have for the cissp integration was roll into the trading video of a 7.3 conductor logging and monitoring again how you can get all this at Sean Gerber as s h o n e s on and I know my parents I love them I love them to death but the Sean gerber.com and you can check out what I've got there at the for my cissp training some pretty awesome stuff and all of that training is going to be on that site and these are just some of the main key parts that I pull up as well as my podcast and the cissp exam questions are there as well all of that out you got to be able to get all this training for you you can get at a really good price and the best part about it is you get me yeah that's that's exact thinking right yet. But bottom line is I have years of experience as a chief information security officer I've done almost all the different roles you can do as a hacker and from all the way in to deal with Security operation so I can help you so just check me out at Shawn gerber.com and it's it's awesome it's awesome we can do this together together we can do this have you passed cissp test I'm here to what's the first time cuz I failed it the first time that cost me a lot of money alright so we're getting a 7.3 conducted logging and monitoring activities there's some key aspects around logging and monitoring you to keep up how long is Right Live security logs their system location logs Aldi's have a lot now back to the fact that if you have older applications they sometimes don't have much for logs and someone may not have any luck so that's something to consider as you're looking to dump all of this stuff into your security operations center or the tool that do Tool Du Jour that they may be using almost everything though does have some form of log again some can be useful do the roundest those you do need to consider protecting the log data that you collect one for a couple reasons well if you got a situation coming up where someone gets hacked first thing they do is they go to the logs what the laws have been manipulated then people will not trust the log so then there for the end up throwing out that as evidence within or they will then turn around and use it as a very more circumstantial evidence that isn't really worth a whole lot because they maybe they feel like they're tainted so the point of it is you need to protect these logs from attack or so they don't get access to them so they don't manipulate them that's a key Point around that you also need to look at where do you want to store these things and what kind of repository earlier is that do you have a security incident event management system Asim could be cyber-ark the ark site could be other situation could have a homegrown system that you use but basically managers and Co lights events that occur within your environment you also probably too forward and this four-door will then collect logs from certain locations in forward them on to another location of basically for them out of the Sim this will depend a lot on the size and complexity of your organization keeping logs we talked about that 30 60 90 days is the typical amount that people usually do I've seen it as high as six months I have seen and heard of people that keep it indefinitely especially as a relates to Legal hole and we've talked about that and different part of the cissp but bottom line is you may have court Communications that involve that company that litigation you may be required to hold on to this information under a legal hold status which basically means you can't get rid of stuff you can't delete it and if you did delete it that would be really really really bad so don't delete it but bottom line is that you may have to keep your alarms for an indefinite. Of time now I do know this destroy them when not being used okay bottom line don't be a hoarder just don't do it it's not fun it's expensive and you lose a lot of friends over it so just just don't do it yeah you also kind of think you're a hoarder I mean I don't know I don't know a lot of Hoarders but I would think so because maybe you heard so much stuff that you don't take a shower cuz you can't take a shower cuz it's in your shower is not used various risk for keeping logs too long there are various risks if you keep too long you now open yourself up to litigation saying the event through our legal hold and you kept all the records at go back 18 gazillion years and they are now set up and say hey by the way do you have those locked oh yes we do we have planned them to go back 18 billion years did wrong so therefore you will go to jail have a nice don't pass go just go straight to jail how to deal with security information and event management do you need to consider the automated or configurable product a Sim they are basically have them set up a rule set their established to alert a flag on suspicious activity so we got lots of suspicious activity going on then you probably don't be probably want a Sim to verify and collated collated range in price depending on bells and whistles you put they can be very very expensive or they can be very very not quite as expensive they're still expensive there's a lot of money but you can't get by with some that are small as much of your small business that they're you can get by with some little bit less expensive typical deployment around these is it there's usually an agent or their agent list so I can't give you both ends of the spectrum the Ageless ones will take loss directly from the system and building just those are send those directly to the SIM is the software to collect and send the logs this and they make collect them into a certain point and then they'll ship him off to the Sim agents are deployed to systems being monitored and that's where they get they get shipped off to and they can provide additional functionality with the device so if you basically have an agent on this system is allowing you to have insight into that device what can give you additional functionality around that example of be crowdstrike Crosstrek has a great agent works on the systems and it can provide multiple levels of protection as well as log sources as needed now since they're usually quite configurable depending upon the one that you use they are they can be very easy to just pull out a boxing match a big button they work or they may take a lot of configurations to make them release just hum cylinders you're going to need someone to help configure them however some are better than others at just remodel box and just sticking to your environment and let him run correlation engines in machine learning was also be incorporating The Sims with a lot of the aspects of learning that's coming down that path and you can also incorporate these into other device management system such as SCCM to Microsoft product used to manage devices continuous monitoring monitoring need to convert the purpose around continuous monitoring is to provide an audit Trail it's also what we call investigation father and I didn't know what father was and I probably am just totally butchering this but father is the old peasants from the old days that would be marched along to go in front of the the British Redcoats and you would basically just go walking to your death I think that's what they call Father that's its own investigation Potter stuff what's wrong but sounds good without the logs you basically it basically have nothing other than the incidents you got to have a logs I mean you can get some clean some information if you hadn't hasn't been too many cases it's just days old and the logs will give you that trail that paper trail virtual paper trail to be able to help you with any of that there's an issue as a key piece that you need to have a network time protocol capability and TP and these are synchronize and it's basically tells you what's the time that it occurred if you don't have an ntp server this telling you it's sinking your time with in your environment typically you can do this just to the internet but if you have that a large Enterprise you may need that in your Enterprise to make everything sing you got to have that for timestamps if you don't have that that makes it extremely challenging to prove your case you can go out and Chase to bring bring Justice if somebody does breach your environment and also does promote could use monitoring does promote accountability and lets people know hey yep just go ahead. Just do it cross the light oh you did okay now I'm going to beat you know that that's they promote some level of accountability learning techniques is continuous monitoring provide the data for adequate investigations and log amount world again we talked about before be quite substantial enlarged you do need to invest in some level of automated tools to search these volumes Vlogs because otherwise your puny little brain as much as wonderful as it is will have a hard time scouring through gobs and gobs of log files eating some key aspects around this is monitoring traffic leaving your network hence egress Ingress is coming in egress is going out so there's some key aspects of the traffic that's leaving your network is important because a lot of times you might not know what's actually coming in your environment but man it all has to go out through the internet in most cases so it's better to watch obviously was coming in but more importantly a what's leaving cuz you're the one who's leaving that that you needed assume that your internal network has been compromised by some form shaper matter and this happens all the time and network will get compromised you won't know the bad guys in the environment for many many months if not years and so you have to make the assumption that it is compromised the attacker wants data to leave it wants to get rid of it wants to be able to send it to wherever it wants to go it does not want to leave it in your environment so it's got to ship it out some way USB sticks and it didn't work so well physical axis well if you're in country X Halfway Around the Globe it's kind of hard to get physical access to the server so therefore yeah they got a ship it out through the internet tools to assist in stopping this loss yet web proxies and these are basically rules configure to stop traffic to unknown destination HD loss prevention which is basically network-based or endpoint base and it can be set up so that you cannot use USB you can't type in specific keyword restrict you from doing certain aspects mainly comes down to if you want to go and watch the hairless cats that are on the internet it will stop you from looking at the hairless cats on the internet sonography is basically embedding messages within a message file and it's extremely hard to discover but Isabel yes it is quite possible but you got to know what you're looking for cuz yeah it's hidden inside a picture if you don't know that then ye going to fight it sdlp this is software that affect all the different body types dark... Jpg excetera excetera and there's different companies that provide it but as your has one's called as your IP that is a file-based DLP solution that will help you from getting rid of it right that's all I have for the cissp aspic this is really into the cissp exam questions question number one as a relates the login monitoring what are some of the key purposes behind capturing logs provide a provides an adult laws for illegal actions and promotes accountability provides an audit Trail keeps employees concern promotes dependability compliance attract employees keep employees concern which is even better and promote accountability or d none of the above which one is it Trail yes allows for legal actions yes and promote accountability yes yes yes what you want to do if you want to make sure you have an audit Trail got to be able to find a bill to go back to those breadcrumbs you got to have some level of legal action in the event that you could use those logs and you got to make sure that people are aware of what you're doing so that every accountability involved next question when considering the data lifecycle what are the phases / Cycles out of the Moon that means that the data is generated a collection inspection storage archiving deletion remember I mentioned this to make pay attention because Gathering examination storage archiving deletion C collection examination backups archiving and deletion and sing at reindeer collection examination storage archiving deletion what is it A B C or D collection examination storage archiving and deletion those are the key considerations when looking at data lifecycle that's all I've got today for a new cyber-risk thanks for checking me out and listening to my podcast going to go check out Shawn s h o n Gerber like the baby food or night or toilet whichever you prefer at Sean gerber.com that's again Sean gerber.com to get your cissp training and get something you can pass the cissp exam the first time not like me like Google the first time all right have a great day we'll catch up the flipside see you