CCT 044: Mastering Logging, Monitoring, and AI in Cybersecurity (CISSP Domain 7)
Jun 12, 2023

Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all, this is Sean Gerber with CISSP Cyber Training. I hope you all are having a beautiful day today. It's an awesome day here in Wichita, Kansas. I just got done completing my son's wedding and it was amazing. It was a very good ceremony, it was an amazing time and I am thankful that it is now over. Now, unfortunately, I have to pick up the pieces and deal with all the rest of it that goes along with it, you know, just taking everything back, putting things away, but short of that, it is awesome that it is now done. I'm just thankful. Believe me, I didn't get much sleep in the past couple of days, but I'm back at it, which is great. So today we're going to be talking about logging and monitoring activities as it relates to domain seven of the CISSP exam. Now we're going to kind of go over briefly what logging and monitoring is, and then we'll get into some of the different aspects of domain seven and then the key points around logging and monitoring. Now, when you're dealing with logging and monitoring, the purpose of it is to implement, manage and understand different types of logs: system, application and security logs. You're going to deal with intrusion detection and prevention systems. These are IDS and IPS type systems. We're also going to talk a little bit about some of the challenges or changes that have occurred recently in these logging and monitoring pieces. We'll talk about SIEM tools that you may deal with and then also ingress and egress monitoring, and a lot of those are tied into your IPS and IDS systems as well.
And then, finally, we'll get into understanding and supporting the network administration and management. So we're just going to kind of briefly go over some of those and then we'll dig a little bit deeper into those different aspects that you'll need to know for the CISSP exam. Now, as it relates to domain seven, there are some areas that are going to be included that you need to know, and we've talked about many of these over various podcasts that we've had. But you're going to have to understand, with domain seven, how to understand and support investigations. It's important that you have a way to deal with investigations, evidence collection, how you handle it, store it and so forth. And then another aspect of domain seven is the logging and monitoring piece, which is what we're going to talk about today, and how to set up and manage these logs: not necessarily how to set them up, but how you should manage them. Log data: what are some identifying, some analysis. And then I'm on the list. See, I can't speak. And that word, anomalies. Yes, the big $10 word, that word. We're going to talk about anomalies and what are some key pieces you need to be aware of with that. We'll talk about how you deploy, or domain seven talks about how you should deploy, how you should update and dispose of your resources. It talks about cryptographic resources as well as physical security and secure operations processes. Domain seven is pretty broad and has a lot of information in it. I would say, out of all of the domains, domain one and domain seven probably have the most information as it relates to your CISSP exam. But we're just going to focus today on the logging and monitoring part of this. So why do we deal with logging and monitoring? They're crucial components when you're dealing with security operations. And back in a previous life, I was a manager of a security operations center, working with people and the systems that were tied to that.
The logs were coming in, and this is actually before. I mean, this was probably eight years ago now. I think it was about eight years ago. The log data that was coming in was immense and it has only exploded since then. There have been more and more applications that are being dumped into these various logging tools and, as a result, it's become one where there's so much information to deal with. It's important that you have a good handle on your logging and monitoring because it does help you understand incidents, operational problems, policy violations. It gets into a lot of different aspects. So having logging enabled and collecting logs is an important part of any security process or program you have within your company. So, as you're studying just for the CISSP, the one great thing about this podcast is we talk about how this can help you for the CISSP exam, but we also talk about how you can utilize these tools to help you in your long-term career. Now you collect data from various sources, obviously network systems, applications, various pieces where this data does come in. I've had it come in from S3 buckets. It's various locations. You'll get it. Now, the downside of having all this information is you are typically charged for the amount of logs that you store, keep, maintain, and so therefore this can get very expensive very quickly. So you need to be a little bit judicious about what logs you wish to store for the long term. Now, depending upon the business that you are in or the area of operations that you operate out of, you may be required to store these logs for an extended period of time. So therefore you need to kind of plan for that as you're working with your senior leadership. But it is important for you to have these. The logs will provide you an insight into what has happened in your network.
They'll also include unauthorized access or activities, and then also how to properly configure or aggregate these aspects of these logs is an important part of each part of this domain. So you need to understand how do you configure them, how do you aggregate them. When I say configure them, I don't mean that you are physically going in and configuring these systems. However, you need to know, from your SIEM, which is your security incident and event management tool, what logs are actually coming into this system and then how you would aggregate them out. So, as an example, if you have an application log and in this application log it's keeping track of when Sean logs into this system, that would be a piece you'd want to maintain. However, if every time it's doing a poll on a table, on a database, do you want to log that? Now, depending upon the table, maybe that's the case you want. If this table has all of your most sensitive information, maybe you want to log every table call on that specific database. But then again, if it's just all kinds of stuff, I mean, I'm not even using a good analogy in that regard, but if there's all kinds of data that could potentially be happening, do you really want that log to be coming from that individual table? Maybe, maybe not, because the problem is you add up one database and another database and another, and another and another. You now are in a situation where you have so many logs that, one, it's hard to differentiate between what they are and, two, you're now just storing data for the sake of storing data. So you need to really consider what logs you do keep. You also need to understand that when you're monitoring these systems, continuous observation of these systems and these networks is important because you're looking for anomalies. See, I got that word sort of right that time. You're looking for anomalies related to policy violations. And what does that mean?
That means, okay, say, for instance, you have a USB policy that does not allow anybody to use USBs unless they're in an exceptions group. Well, if you don't keep track of who tried to log in, then you don't know what it was. You're just showing that there was a policy violation around your USB sticks, but you don't know who it was because you didn't keep track of their username. So those are aspects you're going to need to consider. What part of these logs do you want to continue to keep for long-term storage? Also, when you're dealing with effective monitoring, it can help detect threats in real time, allowing for quicker response and mitigation. It's really nice to have these logs that can be dumped into a SIEM and then let the SIEM turn around and let you know if there's been a problem. So it's an important part that you understand that as well. Real-time monitoring, especially in today's world, is a huge factor and it's something that you really want to consider. When you're dealing with, and we'll talk a little bit more about, intrusion detection and monitoring systems, you want to pump those logs into your logging and monitoring system. So you have these tools: maybe you have a honeypot, you have an intrusion detection system, you have your host-based intrusion detection system, you have your antivirus systems. All of these logs you really would want to be pushed into your SIEM to help allow you to make quicker decisions in the event that there is an event or an incident that did occur. So, when we're dealing with logs, what is the role of logging in security operations?
So, again, logs are designed to record events that are happening within an operating system, software or messaging type system, and what they do is they provide a time-stamped track of the system activities and they have various details in them to include the nature of the operation, who is the initiator, what are the involved resources and whether the operation succeeded or failed. So it's important that you have those logs because it's a way of tracking. Now, if you look at your phone as an example, when you send a text message, it's nice to know that the text message was sent. It's also nice to know that, potentially, it was received and or read, depending upon what type of phone you use or what type of IM type system you use. So it's nice to give you that known thing that occurred and therefore you could then take actions upon it or not, right? You may decide, I don't need to take actions because I know that it was delivered, I know that it was read, and then, if they don't respond, what do you do? Well, typically at that point you start asking more questions. But it does provide a way that you know exactly when that log or that activity did occur. Now, the importance of logs comes down to a couple of different things. There are four main items that deal with the importance around logs. One is accountability. They do help you identify who did it, what they did and the time that they did it, and it's really important as it relates to cybersecurity when you're dealing with investigations around security incidents and then also as a way to help prevent them. I've had numerous times when an event will occur and I've gone back to look at the logs. Now I've had both situations here. You go back and look at the logs to see when did this event happen? This event happened at, let's just say, June 1st at 12:01 am.
So if you know that this happened at 12:01 am, that would probably make you think, hmm, why did that happen at such a crazy time in the middle of the night? People weren't working, why would that happen at 12:01? So that allows you to start asking potentially more questions. However, there have also been times when I've gone to the logs and listened to the logs, or not listened. Well, I looked at the logs to see the date timestamp of these logs. And guess what? It was not configured on the system to have a good date timestamp. So what happens to those logs? They're worthless. You just can't really use them. Now, when you're dealing with forensics analysis, again, it's important to understand that if those logs are there and they give you a good date timestamp of when something occurred, you potentially could then start digging deeper to find out where were these people at, how did they get in, where did they pivot from this point? But in the second example, if you don't have a good date timestamp, you're really in a situation where you don't have a whole lot. You know somebody came into the system, but if you don't have enough information, it's really hard to be actionable by any stretch of the imagination. So it's important that all of the abilities of these logs build upon each other, the importance around it. Now, also, another aspect is compliance. There are many industry regulations that do require logging. Now I've had it in the case of dealing with the EPA in the United States. This is the Environmental Protection Agency. If you have logs, they expect to see that you have maintained these logs for a period of time. So if you go back and your logs are no longer there, and if there's ever a question around what may have occurred with this agency, then you know that you need to go look at these logs. Well, if the logs are in error, well, that causes a bit of a problem.
So it's important that you do check the logs, especially on these more critical systems, to make sure that the logs are being stored and that they're actually working the way you anticipate them to be working. These logs also are valuable as it relates to troubleshooting. I've had multiple recent incidents where an application that's important around security had issues. Well, when it had the issues, how do I go and determine what actually occurred? It's these system logs. You go, pull these logs up to figure out, okay, what happened, how do I make changes to it, and so on and so forth. So again, it's really important that you have them for accountability, forensics analysis, compliance and then also system troubleshooting. So what kind of logs are there available to you? We kind of briefly touched on some of them, but you have system logs, application logs and security logs. So I'm going to go briefly into what a system log is. Now, these logs record activities performed by the system, specifically around startup, shutdown, configuration changes or even potential system errors. So those are what is going on within that system itself, and they provide information about processes, operations and functions, and they're primarily used for troubleshooting system problems and performance issues. I've had this happen multiple times where you've had a system crash and you go back through and look at the logs to find out why it is crashing. Or, in the case of maybe seeing this with security tools, they're consuming large amounts of CPU, so why are they doing that? So sometimes you have to go and look at those various logs to ensure that the application is running correctly so it's not consuming those cycles on your CPU, and if it is, why is it doing that? Now, when we're focused on application logs, these logs record events related to software applications, such as a transaction log or a database application. I mentioned this earlier in the podcast.
You're looking at table calls and therefore you go, well, is this table calling information, asking or requesting information from this database? This would be typically what we'd call an application log. These are running on the systems and these logs are provided based on the specific application that's going on. One example could be you have detailed HTTP requests received, responses, errors encountered, data processed. All of those pieces would be tied to the specific application. And another one would be user login attempts, modifications to the application configurations. You'll see this a lot when you're dealing with, well, we've had SharePoint issues, so you have an individual who's utilizing Microsoft SharePoint and they log in. They end up making a mistake and you go back and look at the logs and see what occurred, and therefore you can determine how to fix the application because of this situation that did happen. So that's a typical application log. Now, when we focus on security logs, these are tied specifically around security implications, such as login attempts. These would be successful or failed login attempts, changes in user privileges and so forth. So, as an example, I've got folks that manage our ERP environment and their specific goal and task is to monitor and manage security around people accessing these systems. So you have folks that do that. They are the ones that are watching. Are there changes in privileges? Are there changes in user activities? Those are done specifically through security logs. Now, you could have various components or applications dedicated specifically to security app solutions. Or you could just take various logs off of even the application and the system logs to kind of help blend together and make a security log. Now, typical applications that may provide you a security log would be your firewalls, your AV, intrusion detection systems.
Those would be ones that would potentially provide you the information you need around security. So, again, three types of logs: system, application and security. Now, when you're dealing with some aspects around effective log management, there are three pieces to keep in mind for this. This comes down to log collection, log storage and log analysis. So what exactly are those? Log collection is the process of gathering logs from various sources. Like I mentioned earlier, these sources could be the application, they could be the system itself. They could be an S3 bucket that's sitting out in AWS or the same type of version that's within Azure. There are various ways you can gather this information. Again, this can be a very large and challenging process, especially in distributed environments where you have numerous logs from numerous applications. This can be a big challenge. I talked about the cloud. That can really cause a lot of issues, and it's not so much the logs that are created, it's where do you store them. It's the aspect of do you send them to a centralized location? Do you store them locally? What do you do? Now, the storage period, again, like I mentioned before, may depend on the organization's policy and compliance requirements, and it's crucial to have these logs in a situation where you have a process to avoid tampering or unauthorized access of these logs during storage. So you need to have that plan as well. You need to have a plan around analyzing them from a standpoint of anomalies or signs of malicious activity. One piece around looking for anomalies is: did somebody log in to your system? Did someone tamper with the logs, make modifications to the logs? And if they did, that's a great indicator that you probably have somebody in your system, because one thing that we looked for as a telltale sign of hackers was, did you go in and make changes to the logs? We typically wouldn't do that.
So from a hacking standpoint, if you knew that, if you went in and automatically started making changes to logs and you weren't consistent with those changes, it would highlight that you did modify them. Therefore, you didn't typically go in and look at them. Basically, you would think, well, you know what, there are so many logs being generated, odds are high my activities will be lost in the shuffle. So it's important that if you do see activity on your logs, something different, you ask a lot of real-time questions. But I would tell you, if you have a really good or skilled hacker, they probably won't mess with them. They'll probably just leave them alone because they figure you won't find them. One other aspect around logs: when you're dealing with continuous monitoring, this monitoring can continue and give you constant awareness of the security posture of your company. So what do I mean by that? If the logs are going into a central repository and you're just storing them, that's not giving you a continuous monitoring capability. However, if they're going to a central repository and your SIEM is polling those logs, looking for anomalies, then at that point that's giving you some level of continuous monitoring, I guess. So I briefly talked a little bit about periodic monitoring, where the typical aspect is logs will go into a central spot and they may get looked at daily, weekly, monthly or maybe once a year, or they may not even get looked at at all unless there's actually a threat that's occurring. I've seen that happen time and again, where the logs are being collected but nobody is actually looking at them. And so when they're not looking at them, well, it's pretty hard to be actionable on them immediately. But in most cases it's like video cameras. If you go to a location and you see video cameras everywhere, most of these companies are not utilizing video cameras in a 24 by 7 instant access situation.
Most companies that have video cameras are just recording the information for after the fact and going and talking to the police department. So what are some, or I kind of got to go over some of, the importance and challenges of real-time monitoring. So the importance of it: it is critical, it allows for detecting and mitigating threats immediately within your environment, especially if you have continuous monitoring in place, and it does allow you to quickly respond to threats, minimizing damage and reducing the risk to your organization. So those are some really good, important factors. Again, it's crucial for detecting ongoing attacks that may be occurring within your environment. And when it comes to response, let's look at it from a malware standpoint. If you can respond quickly to malicious attacks, that is a huge thing because it can allow you to really mitigate or deal with the risk in a timely manner. Now there are some components to real-time monitoring. They obviously have sensors, analysis engines, and then you have dashboards. Now, the sensors, these are entities that observe and collect data about the activities on the systems, and we talked about that. The sensors could be the applications themselves, or they could even be just a normal security sensor that you have out there. We talked about the engines, the SIEMs, that would go and collect this data and then look for patterns. And then the other part that is a really important piece from a logging and monitoring point of view is the various dashboards that go with this. Now, these are the user interfaces that display the information that's being collected. Logs are not, in most cases, human readable. What does that mean? So you'll deal with this when you're dealing with compliance such as GDPR and other various privacy requests. Is the data in the logs human readable? Which basically means, is it in a format that I can go through and see? Step one happened here.
Step two happened here. Time stamp three happened here, and I can follow it just looking at it. Most logs, you can kind of read them, but in reality they were designed for machines to read them, not humans, and so you need to understand this. It's nice to have a dashboard that will provide that information for you to be able to see it. So we talked about the different types of monitoring. There's network, there's system, there's application monitoring and then there's user behavior monitoring. So those are the four types of monitoring that are set up for real time. So when you're dealing with network monitoring, this deals with network traffic, detection of anomalies and then potential intrusion detection. Your system monitoring deals with activities, performance and resource usage of the specific system. Application monitoring deals with performance and usage of, and looking for anomalies on, the systems. And then user behavior monitoring is a different one. This is where you're trying to watch to see what the users are doing on these systems. Does it seem like this user is acting inappropriately? So I've seen it with user-based systems. Did the person try to go in and modify the kernel? Did the person try to go in and connect to servers that this person shouldn't connect to? User behavior monitoring can be a very valuable tool when you're looking at various monitoring pieces. Now, when you're dealing with challenges around monitoring, there are a few. Obviously we talked about data overload, too much information, it's hard to understand it. False positives. Okay, guess what? You will find false positives as it relates to your logs. It's going to tell you all kinds of things, and you're going to, I like to use the analogy, chase lots of rabbits that don't exist. Another challenge is evading detection.
Again, sophisticated attackers can often evade detection by using various techniques, and they can blend in with traffic. You may not see them, especially as it relates to the non-human-readable types of logs. Privacy concerns, we've talked about those in detail, and then also keeping up with change, because of all the change that occurs in the security space. This is just a never-ending, constant thing that you have to deal with. So when we're dealing with another aspect around security, your intrusion detection and prevention systems, this is your IDS and IPS environments. So let's talk about intrusion detection. What are those? So you have basically three types of intrusion detection systems. You have your basic IDS, and this monitors network traffic, looks for malicious activity and or policy violations within your environment. So a policy violation could be, say, you have systems that are not allowed to connect to the internet, and now you see that this thing's connected to the internet and information has been downloaded to that computer. That would potentially be a policy violation. Now it will generate alerts when it detects something that is potentially suspicious or if it is a policy type violation. Now there are two types of IDS, as we talked about. There's network intrusion detection and then there's host intrusion detection, so NIDS and HIDS. I will also say intrusion detection systems are going a little bit the way of the dodo bird. They're kind of going away, but it depends on the size of the organization you're dealing with. They still are relied upon pretty strongly. But you're looking now in this space more for a combination type system, which would be like a firewall that has an IPS and IDS built into it. Now, network intrusion detection, again, they're monitoring network traffic, looking for activities or policy violations. Host intrusion detection, these monitor a single host for suspicious activity.
So do you have this on an individual device like your workstation, or is this on a specific server, looking for something that would be inappropriate or unusual? The next aspect is an IPS. An IPS is an intrusion prevention system. It's the same in many cases as an IDS, but it does go one step further, and what it does is it will actively go and then try to mitigate potential threats. Now my experience with the IPS is a little bit problematic. Again, an IDS will tell you there's a problem and an IPS will then take actions to shut that down. The problem is, if you do have any sort of logging and monitoring piece that maybe gets some false positives, your IPS could actually go out and start shutting things down on legitimate traffic. So this is what we call an internal denial of service, and a lot of times this happens with IPSs, especially if you do not have them configured well. Now you can add IPSs to your network, your host or your wireless environments. It just really depends upon how you have them set up and what main risk you're trying to mitigate. So, network-based, host-based or even wireless-based. Now AI, artificial intelligence or machine learning, is starting to take hold in the cybersecurity world, and one of those pieces is around IDS and IPS, and they're incorporating this on a much broader scale. I anticipate you'll see more of this in the future, but just know that AI and ML are becoming more ubiquitous with what is occurring in the cybersecurity space. So again, yes, I used a $10 word there, I just kind of slid it in. You guys didn't even know I did that, but I see a lot of new activity coming out of AI and ML. So, when you're dealing with best practices around logging and monitoring, this is kind of the last area we're going to talk about, you want to ensure the logs are reliable and protected from tampering.
Again, you want to ensure this, or at least, if they are tampered with, you get some level of knowledge around that, because you can't really use them for an investigation or evidence if they have the ability to be tampered with, and that's one of the things that the prosecution will say: we have these logs, we're going after somebody. The defense side will say, well, you didn't properly protect these logs, so how can I ensure that these logs weren't tampered with? So you're going to need to make sure you understand that. You also need to understand that they could be a target for attackers, and therefore it's important for you to put some level of protection around them, the best you possibly can, and these controls could be encryption. They could be regular monitoring of the logs themselves. Also, you want to ensure them by having a good backup strategy around the logs. You want to regularly review the logs, looking at the activity that may occur. So, again, you can come back and manage that incident if there is one, and also highlight any potential issues, so you have those under control. So it's important that you do go back and look at these on a routine basis. Don't just set them and forget them. Putting them in place and not doing anything with them is usually not the best option. An automated monitoring process would be ideal, where you have them going into a SIEM because, like we mentioned before, typically these logs are not human readable and they're not real easy to decipher or understand. You want to integrate these with other security operations systems that you may have. So you basically want to use the entire web of security tools you have, to include your SIEM, your IPS, your IDS, your firewalls. You want to have all of those interconnected. That would be an ideal situation.
That does not mean you're going to be able to do that, but maybe if you can do it step by step, a little at a time, one system at a time, it will go a long way. One example is if you have a PAM, which is your password management tool, and that password account management tool is where people store passwords. Well, if you have logs set up so that if I go into this PAM and I start pulling out passwords, is it going to log, is it going to alert? That's one that you would typically want to put in place and be monitoring routinely. Some additional best practices you want to consider: complete visibility by collecting logs from all systems. Use a standardized log format. If you can use a standard format for your logs, one, it makes it easier for the human after the event occurs. It also makes it easier for your SIEM to understand them. Keep your systems up to date to ensure they recognize and handle the latest threats. I would also make sure that if your logs are ever turned off, you get an alert. That way, if, for some reason, a hacker just goes in and turns them off. And that's one thing we've done in the past: I wouldn't actually go in and modify the logs, but I might turn them off, and the reason I would turn them off is that could be given as, you know what, they just rebooted and the logs never turned back on. That's a possibility. So you want to make sure you have some sort of logging and monitoring around the logs themselves, and whether they are being potentially manipulated. Test your logging and monitoring system to ensure it's working correctly. Train your team. Again, these are all really valuable tools that you need to consider as it relates to dealing with security incidents. Okay, that's all I have for today. I want to let you guys know also, go to my website at CISSP Cyber Training.
I have a blueprint that I think you're going to really like, and this blueprint is going to walk you through how you should self-study for the CISSP and what you should do to be able to pass the test the first time. It's an awesome blueprint. It's going to get you through there step by step by step by step. It's awesome, love it, and I've had a lot of really great feedback around that tool and that product. All right, if you have any questions at all, please feel free to reach out to me anytime. I'm happy to answer any questions you may have. But today we talked about domain seven, logging and monitoring. It was riveting, I know, and you guys all stayed awake. You all were awake, and as you're driving to and from going wherever you're going, all right, have a great day and we'll catch you on the flip side. See ya.
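The episode makes several points that are easier to see in code than in prose: a standardized log format that both humans and a SIEM can read, a way to tell whether stored logs were tampered with, the fact that an event without a usable timestamp is not actionable, and simple anomaly rules such as a login at 12:01 am, a burst of failed logins, or the logging service being switched off. The following Python script is an added example written for this page; it is not code from the podcast or from CISSP Cyber Training. The log lines, host and user names, field names (ts, host, user, event, outcome), the business-hours window and the failed-login threshold are all constructed assumptions for the example.

```python
"""Added example (not from the podcast): a tiny SIEM-style pass over JSON log events."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample log lines (not real data): one JSON object per line.
# Field names (ts, host, user, event, outcome) are an assumption for this example.
SAMPLE_LOG = """\
{"ts": "2023-06-01T00:01:00Z", "host": "erp-db01", "user": "svc_backup", "event": "login", "outcome": "success"}
{"ts": "2023-06-01T08:15:00Z", "host": "erp-db01", "user": "sean", "event": "login", "outcome": "success"}
{"ts": "2023-06-01T08:16:00Z", "host": "erp-db01", "user": "sean", "event": "privilege_change", "outcome": "success"}
{"host": "erp-app01", "user": "bob", "event": "login", "outcome": "failure"}
{"ts": "2023-06-01T09:00:00Z", "host": "erp-app01", "user": "bob", "event": "login", "outcome": "failure"}
{"ts": "2023-06-01T09:00:05Z", "host": "erp-app01", "user": "bob", "event": "login", "outcome": "failure"}
{"ts": "2023-06-01T09:00:09Z", "host": "erp-app01", "user": "bob", "event": "login", "outcome": "failure"}
{"ts": "2023-06-01T09:30:00Z", "host": "erp-app01", "user": "root", "event": "audit_service_stop", "outcome": "success"}
"""

BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC counts as normal working time (assumption)
FAILED_LOGIN_THRESHOLD = 3      # this many failures for one user inside the window raises an alert
FAILED_LOGIN_WINDOW_S = 60


def parse_log(text):
    """Parse one JSON object per line into dicts; the line number is kept for reporting."""
    events = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            ev = json.loads(line)
            ev["_line"] = lineno
            events.append(ev)
    return events


def canonical(ev):
    """Stable serialisation of the log fields (the internal _line key is excluded)."""
    return json.dumps({k: v for k, v in ev.items() if not k.startswith("_")}, sort_keys=True)


def chain_logs(events):
    """Build a SHA-256 hash chain: each hash covers the record and the previous hash.
    Editing or deleting any stored record breaks its hash and every hash after it."""
    chained, prev = [], "0" * 64
    for ev in events:
        h = hashlib.sha256((prev + canonical(ev)).encode()).hexdigest()
        chained.append((ev, h))
        prev = h
    return chained


def verify_chain(chained):
    """Recompute the chain; return the index of the first broken record, or -1 if intact."""
    prev = "0" * 64
    for i, (ev, h) in enumerate(chained):
        if hashlib.sha256((prev + canonical(ev)).encode()).hexdigest() != h:
            return i
        prev = h
    return -1


def parse_ts(ev):
    """Return the event time as an aware UTC datetime, or None if there is no usable timestamp."""
    ts = ev.get("ts")
    if not ts:
        return None
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def analyze(events):
    """Run the detection rules; returns a list of (rule, line, detail) tuples."""
    alerts, failures = [], {}   # failures: user -> recent failed-login times
    for ev in events:
        when = parse_ts(ev)
        if when is None:   # no timestamp: flag it, nothing else can be done with it
            alerts.append(("missing_timestamp", ev["_line"], "event has no usable timestamp; not actionable"))
            continue
        if ev["event"] == "login" and ev["outcome"] == "success" and when.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_login", ev["_line"], f'{ev["user"]} logged in at {when:%H:%M} UTC'))
        if ev["event"] == "login" and ev["outcome"] == "failure":
            recent = [t for t in failures.get(ev["user"], []) if (when - t).total_seconds() <= FAILED_LOGIN_WINDOW_S]
            recent.append(when)
            failures[ev["user"]] = recent
            if len(recent) == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", ev["_line"], f'{ev["user"]}: {len(recent)} failures in {FAILED_LOGIN_WINDOW_S}s'))
        if ev["event"] == "audit_service_stop":   # logging turned off is itself an alertable event
            alerts.append(("logging_disabled", ev["_line"], f'audit logging stopped on {ev["host"]} by {ev["user"]}'))
    return alerts


def demo():
    """Chain the sample log, simulate an edit to the stored copy, and run the rules."""
    events = parse_log(SAMPLE_LOG)
    chained = chain_logs(events)
    tampered = [(dict(ev), h) for ev, h in chained]
    tampered[0][0]["outcome"] = "failure"   # someone rewrites the 00:01 login as a failure
    return analyze(events), verify_chain(tampered)


if __name__ == "__main__":
    alerts, first_bad = demo()
    for alert in alerts:
        print(alert)
    print("first tampered record index:", first_bad)
```

The hash chain only proves that the stored copy matches what was originally written if the chain heads are kept somewhere the attacker cannot reach (a write-once store or a separate system), which is the same reason the episode recommends backups and monitoring of the logs themselves. The rules are deliberately simple; in a real SIEM the business-hours window and thresholds would come from policy, and the "logging stopped" rule would also fire on a host that simply goes silent for too long.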
CISSP Cyber Training Academy Program!
Are you an ambitious Cybersecurity or IT professional who wants to take your career to a whole new level by achieving the CISSP Certification?
Let CISSP Cyber Training help you pass the CISSP Test the first time!