by administrators or applications and if there is any sign of possible downtime for the particular
server, an alert is raised, which is proactively investigated and subsequently fixed. However, in a
typical enterprise scenario, there are hundreds of systems deployed in the organization, and each
one of these systems generates logs for specific activities relating to the systems. The log files for
all these systems typically run into several gigabytes of information very frequently. Moreover,
managing these logs and proactively responding to any anomalous activity became a significant
challenge.
Log management is a concept that advocates the management of large volumes of diverse
system logs (from various systems) through methods such as collection, centralized storage and
aggregation, correlation, and analysis. Although we have discussed the utility of logging for trou-
bleshooting and ascertaining the status of systems in the network, we believe that logging is an
invaluable resource for security as well. Hence, we are covering logging and log management as a
major facet of a comprehensive security practice for Web applications. Log management as a prac-
tice is not unlike any other practice of IT infrastructure management. The organization needs to
have a clearly defined set of policies and procedures, setting the expectations from a log manage-
ment activity. For instance, if the organization's goals are primarily geared toward security, then
the log management process needs to be geared toward providing detailed security information to
the organization through the logs generated by the applications.
Collection and aggregation are also important aspects of log management. Collection essen-
tially means the collation of logs from a specific system in a given environment. Aggregation is the
process/activity of combining logs collected from several systems in a particular environment. The
organization must aim at a centralized logging system, which collects and aggregates the logs from
all systems in the environment. This will ensure that the logs may be protected more effectively
and will also ensure that the logs are available for analysis whenever necessary.
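The following is an added example, not code from the book, showing the collection, aggregation and correlation steps described above in miniature. Each source system (a firewall, an IPS and an antivirus agent) has its own line format, so collection means one parser per system; aggregation normalizes every line into a common record and places it in one time-ordered store; correlation then asks which hosts were reported by more than one system within a short window. All log lines, system names and formats are constructed for this example and do not mirror any real product.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines from three hypothetical systems; the formats are
# invented for this example and do not follow any real vendor's syntax.
FIREWALL_LOGS = [
    "2024-03-01T10:00:05 fw01 ALLOW src=10.0.0.5 dst=198.51.100.7 dport=80",
    "2024-03-01T10:00:09 fw01 DENY src=10.0.0.9 dst=198.51.100.8 dport=445",
]
IPS_LOGS = [
    "2024-03-01T10:00:07 ips01 signature=malware-c2-beacon action=alert src=10.0.0.5",
]
AV_LOGS = [
    "2024-03-01T10:02:30 av01 detection=trojan.generic host=10.0.0.5 action=quarantined",
]

# Collection: one pattern per source system, each exposing the same named groups
# (ts, host, event, detail) so that every source maps onto one record shape.
SOURCES = {
    "firewall": (FIREWALL_LOGS, re.compile(
        r"^(?P<ts>\S+) \S+ (?P<event>ALLOW|DENY) src=(?P<host>\S+) dst=(?P<detail>\S+ dport=\d+)$")),
    "ips": (IPS_LOGS, re.compile(
        r"^(?P<ts>\S+) \S+ signature=(?P<detail>\S+) action=(?P<event>\S+) src=(?P<host>\S+)$")),
    "antivirus": (AV_LOGS, re.compile(
        r"^(?P<ts>\S+) \S+ detection=(?P<detail>\S+) host=(?P<host>\S+) action=(?P<event>\S+)$")),
}


def parse_line(source, line, pattern):
    """Normalize one raw line into the common record used by the central store."""
    m = pattern.match(line)
    if not m:
        return None  # a production collector would count and report unparseable lines
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "source": source,
        "host": m.group("host"),
        "event": m.group("event"),
        "detail": m.group("detail"),
    }


def collect():
    """Aggregation: parse every source and return one time-ordered list of records."""
    records = []
    for source, (lines, pattern) in SOURCES.items():
        for line in lines:
            rec = parse_line(source, line, pattern)
            if rec:
                records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def correlate(records, window=timedelta(minutes=5)):
    """Correlation: hosts reported by two or more different systems within `window`
    of their first event, with the ordered list of systems that reported them."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec["host"]].append(rec)
    flagged = {}
    for host, recs in by_host.items():
        first_seen = recs[0]["ts"]
        systems = []
        for rec in recs:
            if rec["ts"] - first_seen <= window and rec["source"] not in systems:
                systems.append(rec["source"])
        if len(systems) >= 2:
            flagged[host] = systems
    return flagged


if __name__ == "__main__":
    for host, systems in correlate(collect()).items():
        print(f"{host}: reported by {' -> '.join(systems)}")
```

On the sample data the host 10.0.0.5 is reported by the firewall, then the IPS, then the antivirus agent within three minutes, which is exactly the firewall-to-IPS-to-antivirus chain an investigator follows by hand; the host that only produced a single firewall DENY is not flagged. The point of the central store is that this question can be asked once across all systems instead of by opening each system's log separately.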
9.1.2 Logging for Security—The Need of the Hour
Logging has been extensively used for troubleshooting and ascertaining a certain system's status.
However, over the years, logs have been used extensively for security and for purposes of regulation
and compliance. Security is one of the prime motivations behind logging, as system logs provide
invaluable information about a breach or a possible breach of security through the logs of a par-
ticular system. For instance, if an organization suspects a malware attack against its systems, it can
review the firewall logs to check for traffic that may have been allowed. Subsequently the intrusion
prevention system (IPS) logs may be reviewed to test whether the traffic has been allowed by the
IPS or dropped by the system. Later, logs of the antivirus solution and the system can be checked
to verify whether there was an outbreak of the particular malware in the organization's network.
Another way to check for a Web-based malware attack is to review the User-Agent headers in
HTTP requests. If the logs contain a variety of User-Agent strings that do not correspond to any
known browser, this is indicative of a malware outbreak.
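The User-Agent check above, as an added example that is not part of the book. It parses Web server access log lines in the common "combined" format, classifies each User-Agent as a known browser, a known command-line tool, or unknown, and reports clients that presented several distinct unknown strings. The log lines, client addresses, User-Agent values and the small browser/tool allowlists are constructed for this example; a real deployment would maintain a much longer allowlist and tune the threshold to its own traffic.

```python
import re
from collections import defaultdict

# Constructed sample access log lines in Apache/nginx "combined" format.
# Client 10.0.0.7 cycles through several made-up non-browser User-Agents.
ACCESS_LOGS = [
    '10.0.0.5 - - [01/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"',
    '10.0.0.5 - - [01/Mar/2024:10:00:02 +0000] "GET /api HTTP/1.1" 200 10 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36"',
    '10.0.0.7 - - [01/Mar/2024:10:00:03 +0000] "GET /check HTTP/1.1" 200 10 "-" "xyzzy-agent/1.0"',
    '10.0.0.7 - - [01/Mar/2024:10:00:04 +0000] "POST /upload HTTP/1.1" 200 10 "-" "qwerty_bot"',
    '10.0.0.7 - - [01/Mar/2024:10:00:05 +0000] "GET /ping HTTP/1.1" 200 10 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '10.0.0.9 - - [01/Mar/2024:10:00:06 +0000] "GET / HTTP/1.1" 200 10 "-" "curl/8.5.0"',
]

COMBINED_LOG = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Deliberately small allowlists for the example; extend these for real traffic.
BROWSER_MARKERS = ("Chrome/", "Firefox/", "Safari/", "MSIE ", "Trident/", "Edg/")
TOOL_PREFIXES = ("curl/", "Wget/", "python-requests/")


def parse_access_line(line):
    """Return (client, user_agent) for a combined-format line, or None if it does not parse."""
    m = COMBINED_LOG.match(line)
    if not m:
        return None
    return m.group("client"), m.group("ua")


def classify_user_agent(ua):
    """'browser' for a Mozilla-prefixed string naming a known engine, 'tool' for a
    known command-line client, 'unknown' for everything else."""
    if ua.startswith("Mozilla/") and any(marker in ua for marker in BROWSER_MARKERS):
        return "browser"
    if ua.startswith(TOOL_PREFIXES):
        return "tool"
    return "unknown"


def suspicious_clients(lines, threshold=2):
    """Clients that presented at least `threshold` distinct unknown User-Agent strings,
    mapped to the sorted list of those strings. A single odd string is usually noise;
    a client rotating through several is the pattern worth investigating."""
    unknown_by_client = defaultdict(set)
    for line in lines:
        parsed = parse_access_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than abort the whole scan
        client, ua = parsed
        if classify_user_agent(ua) == "unknown":
            unknown_by_client[client].add(ua)
    return {
        client: sorted(uas)
        for client, uas in unknown_by_client.items()
        if len(uas) >= threshold
    }


if __name__ == "__main__":
    for client, uas in suspicious_clients(ACCESS_LOGS).items():
        print(f"{client}: {len(uas)} unknown User-Agent strings -> {uas}")
```

The classification is intentionally an allowlist rather than a blocklist of bad strings: the book's observation is that malware announces itself by not looking like any known browser, so the detection only needs to know what legitimate clients look like. The result is a lead for the investigation sequence described earlier (firewall, IPS, then antivirus logs for the flagged host), not a verdict on its own.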
Logs generally act as a detective control for a security practice. For instance, when the orga-
nization wants to investigate a data breach, the first source (and possibly the only source) may be
in the form of the system logs. The logs are examined to detect the source and cause of the data
breach. Logging also serves as a preventive control in some instances. For example, if an attacker
has transmitted malware into the network and, as a result, the firewall logs show signatures match-
ing traffic from the malware, then quick action by an appropriate team can prevent the malware
from spreading and wreaking havoc over the organization's network.