Centralizing logs at your startup with a log management tool makes it much easier to discover the events that lead to security incidents, and to keep track of and quickly search logs across multiple servers, systems, applications and cloud services. Logs or log files, also known as event logs, audit records or audit trails, record what happens in an operating system, application or network over time.
!This article is part of the series addressing cybersecurity for startups. The previous one shed some light on backup best practices.
Security logs let you track security-relevant events, reconstruct the root cause and path of an attack, and use that knowledge to prevent future breaches. Centralized logging therefore strengthens cybersecurity for startups by giving the team one place to organize, search and manage security events. With centralized logging and proper log management, your startup's security posture becomes more robust.
Benefits of Centralized Logging
Logs help you track and organize security events. They contain details such as successful and failed logon events, source IP addresses, operating systems and user agents. For example, logs can reveal where a connection came from, network details, and whether an attacker used a Windows or Apple device. Monitoring logs for suspicious activity lets your team identify behaviour that may lead to a security incident, plug the security holes and respond before damage is done.
Your team stays aware of incidents by creating real-time alerts in a log management tool that fire when user-defined conditions are met. For example, an alert can flag a password spraying attack against an Active Directory environment: Windows Event Logs from the Account Logon and Logon/Logoff Advanced Audit Policy categories show one source failing against many different accounts in a short time, and a subsequent successful logon from that same source means the spray worked. By centralizing logs, you can easily view security events and mitigate current or potential threats, or at the very least learn from them.
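The password spraying alert described above, written out as detection logic. This is an added example, not code from the original article: it runs over Windows Security-log events that a log shipper has already exported and reduced to four fields that exist in the real events (EventID 4625 "an account failed to log on" and 4624 "an account was successfully logged on", TargetUserName, IpAddress, TimeCreated). The event values, the ten-minute window and the five-account threshold are constructed for the demo.

```python
"""Detect password spraying from exported Windows Security-log events.

Added example, not code from the original article. Event IDs 4625/4624 and
the field names TargetUserName, IpAddress and TimeCreated are the real
Windows ones; the values below are constructed. On domain controllers the
same pattern also appears in the Account Logon category as 4771 (Kerberos
pre-authentication failed) and 4776 (NTLM credential validation).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 fails against six accounts in ~75 seconds,
# then logs on as carol; 198.51.100.9 is a user mistyping their own password.
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-01T09:00:05", "EventID": 4625, "TargetUserName": "alice", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:00:20", "EventID": 4625, "TargetUserName": "bob",   "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:00:35", "EventID": 4625, "TargetUserName": "carol", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:00:50", "EventID": 4625, "TargetUserName": "dave",  "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:01:05", "EventID": 4625, "TargetUserName": "erin",  "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:01:20", "EventID": 4625, "TargetUserName": "frank", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:04:40", "EventID": 4624, "TargetUserName": "carol", "IpAddress": "203.0.113.7"},
    {"TimeCreated": "2024-05-01T09:02:00", "EventID": 4625, "TargetUserName": "bob",   "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2024-05-01T09:02:10", "EventID": 4625, "TargetUserName": "bob",   "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2024-05-01T09:02:30", "EventID": 4624, "TargetUserName": "bob",   "IpAddress": "198.51.100.9"},
    {"TimeCreated": "2024-05-01T09:03:00", "EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Return one alert per source IP that failed logons against at least
    `min_accounts` distinct accounts within `window`, listing any later
    successful logon (4624) from that IP for one of the sprayed accounts."""
    parsed = sorted(
        ({**e, "TimeCreated": datetime.fromisoformat(e["TimeCreated"])} for e in events),
        key=lambda e: e["TimeCreated"],
    )
    failures = defaultdict(list)  # source IP -> [(time, account), ...] in time order
    for e in parsed:
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append((e["TimeCreated"], e["TargetUserName"]))

    alerts, spray_start = {}, {}
    for ip, fails in failures.items():
        # Slide a window over this IP's failures; the spray begins at the first
        # failure whose window already covers min_accounts distinct accounts.
        for i, (t0, _) in enumerate(fails):
            in_window = {acct for t, acct in fails[i:] if t - t0 <= window}
            if len(in_window) >= min_accounts:
                spray_start[ip] = t0
                alerts[ip] = {
                    "source_ip": ip,
                    "first_failure": t0.isoformat(),
                    "accounts_targeted": sorted({acct for t, acct in fails if t >= t0}),
                    "successful_logons": [],
                }
                break

    # A 4624 from a spraying IP, for an account it tried, after the spray began,
    # is the "successful password spray" the alert should escalate.
    for e in parsed:
        alert = alerts.get(e["IpAddress"])
        if (alert and e["EventID"] == 4624
                and e["TargetUserName"] in alert["accounts_targeted"]
                and e["TimeCreated"] >= spray_start[e["IpAddress"]]):
            alert["successful_logons"].append(e["TargetUserName"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_password_spray(SAMPLE_EVENTS):
        print(alert)
```

The thresholds need tuning per environment: a NAT gateway or VPN concentrator legitimately produces failures across many accounts from one IP, so baseline those sources before alerting on them, and treat an alert with a non-empty `successful_logons` list as an incident rather than a warning.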
Common Types of Logs
Various log files provide insights that help identify a security incident, how it occurred and what went wrong during a breach. Log files are viewable in log management systems or tools that can centralize several types of logs. Deciding which logs your startup should create and monitor helps your team stay alert to security incidents.
Here are several types of logs that may be important for your startup to create and monitor with a log management tool.
Perimeter device logs
Perimeter devices, such as firewalls, virtual private networks (VPNs), intrusion detection systems (IDSs) and intrusion prevention systems (IPSs), monitor and regulate traffic to and from a startup's network. Their logs reveal details about incoming traffic, the IP addresses of websites users browse, and anomalous traffic behaviour such as a flood of unsuccessful logon attempts in a short time.
Since misconfiguration is a common cause of firewall breaches, monitoring firewall logs helps detect unauthorized changes to the firewall's configuration. Analyzing firewall logs can also help your startup detect a distributed denial-of-service (DDoS) attack, such as a SYN flood in which a server receives a very large number of SYN packets in a short time. Perimeter device logs are indispensable for understanding security events in the network.
Perimeter device logs are valuable for detecting:
- Malicious traffic to or from your network
- Security misconfigurations
Endpoint logs
Endpoint logs record activity on the devices connected to the network that communicate with servers and with each other: desktops, laptops, smartphones, tablets, printers and so on. Removable drives (such as USB sticks) are a common vector for malware installation and data exfiltration, and monitoring endpoint logs can detect that kind of activity. Endpoint logs also show when users violate policies on installing and using software on their workstations.
They are beneficial for monitoring:
- Activities on removable disk drives
- User activity
Application logs: These record user and system actions within an application, and may be written to files or stored in a database. Startups run on various applications, such as web servers, databases and in-house apps that perform specific functions. Application logs may contain errors, records of when an operation was executed, and warnings such as low disk space. They also record successful and failed logon events and more, which is valuable not only for administrators but also for the incident handling team.
They are beneficial for startups by:
- Troubleshooting and correcting issues related to an application’s performance or security
- Monitoring activities like requests and queries, unauthorized file access, and data manipulation
Server logs: Server logs record all activity on a specific server within a certain timeframe. They provide detailed insight into how, when and by whom your startup's website or application was accessed. Server logs are essential to monitor because they contain information found nowhere else, such as server errors and user access records.
Server logs can be access logs, agent logs, referrer logs, and error logs.
These logs can reveal which HTML files and images were requested from your server, the number of visitors to your website and their origins (e.g., .com, .gov, .io domains), and which web clients made requests to your server. They may also include the URL a visitor was on before browsing to your website (the referrer) and information about failed requests (e.g., when someone attempts to access a nonexistent file on your server).
Server logs are essential because they help you:
- Determine the root cause of an issue on a server
- Detect potential security threats aimed at your server
Proxy logs: Proxy logs record usage statistics and the browsing behaviour of endpoint users, since all web requests and responses pass through the proxy server. Proxy servers play a significant role in your startup's network by providing a gateway between users and the internet that saves bandwidth, regulates access and provides privacy. Proxy logs also record the size of the requests and responses exchanged through the server, which can reveal more. For example, a client repeatedly sending or receiving requests of the same size at regular intervals might be a software update check, or malware beaconing to its command-and-control server. Proxy logs are beneficial for establishing a baseline of user behaviour and spotting deviations from it.
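The "same size at regular intervals" pattern above is what beaconing detection looks for. The following is an added example, not code from the original article: it groups proxy log entries by client and destination, measures how regular the request timing and sizes are, and reports candidates for a human to review. The log format is a constructed, simplified one (timestamp, client IP, destination host, bytes); a real proxy log such as Squid's has more columns, but these four fields exist in it. The thresholds are assumptions to tune per environment.

```python
"""Flag beaconing candidates (regular interval, constant size) in proxy logs.

Added example, not code from the original article. The log format and the
sample lines are constructed; the coefficient-of-variation thresholds are
assumptions. A hit means "looks like a beacon": malware check-ins, but also
legitimate update pollers, so the output is a review list, not a verdict.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.15 talks to cdn-77.example.net every ~60 s with
# ~512-byte responses (beacon-like); 10.0.0.22 browses docs.example.com normally.
SAMPLE_PROXY_LOG = """\
2024-05-01T09:00:00 10.0.0.15 cdn-77.example.net 512
2024-05-01T09:00:03 10.0.0.22 docs.example.com 18342
2024-05-01T09:01:00 10.0.0.15 cdn-77.example.net 512
2024-05-01T09:01:17 10.0.0.22 docs.example.com 2041
2024-05-01T09:01:59 10.0.0.15 cdn-77.example.net 514
2024-05-01T09:03:01 10.0.0.15 cdn-77.example.net 512
2024-05-01T09:03:20 10.0.0.22 docs.example.com 77210
2024-05-01T09:04:00 10.0.0.15 cdn-77.example.net 512
2024-05-01T09:05:00 10.0.0.15 cdn-77.example.net 510
2024-05-01T09:05:44 10.0.0.22 docs.example.com 9001
2024-05-01T09:06:00 10.0.0.15 cdn-77.example.net 512
2024-05-01T09:07:00 10.0.0.15 cdn-77.example.net 512
2024-05-01T09:02:30 10.0.0.15 updates.example.com 30000
2024-05-01T09:07:30 10.0.0.22 docs.example.com 5123
"""


def parse_proxy_log(text):
    """Parse the simplified format into (time, client, host, bytes) sorted by time.
    Lines arrive out of order from real shippers, so sorting is not optional."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, size = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(size)))
    records.sort(key=lambda r: r[0])
    return records


def find_beacons(records, min_requests=5, max_interval_cv=0.15, max_size_cv=0.10):
    """Return (client, host) pairs whose inter-request intervals and sizes are
    both nearly constant (coefficient of variation = stdev / mean below threshold)."""
    by_pair = defaultdict(list)  # (client, host) -> [(time, bytes), ...] in time order
    for ts, client, host, size in records:
        by_pair[(client, host)].append((ts, size))

    candidates = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_requests:
            continue  # too few requests to say anything about periodicity
        times = [t for t, _ in hits]
        sizes = [s for _, s in hits]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_interval = mean(intervals)
        if mean_interval <= 0:
            continue
        interval_cv = pstdev(intervals) / mean_interval
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) else 0.0
        if interval_cv <= max_interval_cv and size_cv <= max_size_cv:
            candidates.append({
                "client": client,
                "host": host,
                "requests": len(hits),
                "period_s": round(mean_interval, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return candidates


if __name__ == "__main__":
    for c in find_beacons(parse_proxy_log(SAMPLE_PROXY_LOG)):
        print(c)
```

Real beacons often add jitter to defeat exactly this check, which is why the interval threshold is a tolerance rather than a demand for identical gaps; widen it, and raise `min_requests`, when running over a full day of logs so that the update checks you already know about can be whitelisted by destination instead of hidden by the detector.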
Different Log Formats
When logs are forwarded to a centralized logging solution such as a log management tool, they are stored and transmitted in different formats, such as CSV, JSON, key-value pairs and the Common Event Format (CEF).
CSV
A CSV (comma-separated values) file is a plain-text file that separates fields with commas. CSV files are common in spreadsheets and databases and can be imported into a storage database. They are easy to convert to other file types because they are flat rather than hierarchical or object-oriented.
Key Value Pair
A key-value pair consists of a key and the value mapped to it. The key is constant and the value varies across entries, so similar data is grouped under a common key. Querying for a specific key then extracts all of the data recorded under it.
Common Event Format
CEF (Common Event Format) is a log format that uses the syslog message format and promotes interoperability by making it simpler to collect and store log data from various endpoints and applications. It is widely supported by vendors and software platforms. A CEF message consists of a CEF header of seven pipe-separated fields (version, device vendor, device product, device version, signature ID, name and severity) followed by a CEF extension that carries the log data as key-value pairs.
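A parser for the CEF structure just described, as an added example that is not code from the original article. It handles the two details that trip up naive `split("|")` parsers: a literal pipe or backslash inside a header field is escaped with a backslash, and inside the extension an `=` in a value is escaped as `\=` (with `\n` and `\r` standing for line breaks). The sample message, including its syslog prefix, is constructed.

```python
"""Parse a Common Event Format (CEF) message into its header and extension.

Added example, not code from the original article. Implements the CEF
escaping rules: after the "CEF:" prefix come seven pipe-separated header
fields (a "|" or "\\" inside a field is escaped with a backslash), then an
extension of key=value pairs in which "=" and "\\" are escaped with a
backslash and "\\n" / "\\r" mean line breaks. The sample line is constructed.
"""
import re

HEADER_FIELDS = (
    "version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# An extension key is a run of letters, digits, "_" or "." at the start of the
# extension or after whitespace, immediately followed by an unescaped "=".
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed sample: a syslog line carrying a CEF event from a firewall.
SAMPLE_CEF = (
    r"May  1 09:00:00 fw01 CEF:0|Acme|NGFW|2.1|100|Outbound block \| rule 12|7|"
    r"src=10.0.0.15 dst=203.0.113.7 dpt=4444 proto=TCP act=blocked "
    r"msg=Policy rule\=egress-deny matched"
)


def _split_header(text):
    """Split the text after "CEF:" into the 7 unescaped header fields and the rest."""
    fields, current, i = [], [], 0
    while i < len(text) and len(fields) < len(HEADER_FIELDS):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped "|" or "\" inside a field
            current.append(text[i + 1])
            i += 2
        elif ch == "|":                         # unescaped pipe ends the field
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, text[i:]


def _unescape_value(value):
    """Undo extension escaping: \\= -> =, \\\\ -> \\, \\n and \\r -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Return the extension's key=value pairs; values may contain spaces, and
    run up to the next unescaped "key=" token."""
    result = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        start = m.end()
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        result[m.group(1)] = _unescape_value(ext[start:end]).strip()
    return result


def parse_cef(line):
    """Parse a line containing a CEF payload (optionally behind a syslog prefix)."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    fields, ext = _split_header(line[idx + len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    # Severity is 0-10 in most products; some emit Low/Medium/High, keep those as text.
    if event["severity"].isdigit():
        event["severity"] = int(event["severity"])
    event["extension"] = parse_extension(ext)
    return event


if __name__ == "__main__":
    print(parse_cef(SAMPLE_CEF))
```

When an upstream device does not escape a value properly (an unescaped `=` in a free-text `msg`), `parse_extension` will split the value at the next `word=` it finds; log such parse results with the raw line attached so the analyst can see what was lost, rather than silently discarding the message.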
Centralized Log Management
Centralized log management consists of continuously gathering, storing, processing, synthesizing and analyzing log data from disparate programs and applications in one central, accessible location. Having all collected logs in one log management system (LMS) makes log management much easier and is a convenient way of sharing log data with your startup's team. It also helps preserve the integrity of logs: attackers often modify or delete local logs to cover their tracks, and a copy that was forwarded off the host as soon as it was written survives that tampering, provided the central store itself is append-only and tightly access-controlled. Beyond that protection, centralized log management helps with optimizing system performance, identifying technical issues, managing resources, strengthening security and improving compliance.
A log management system (LMS) is a software solution that gathers, sorts and stores log data and event logs from various sources in one centralized location to provide valuable insights. For example, it can bring together log data from applications, services, hosts and other sources. The great benefit is that it saves your team from manually going through countless logs during a security incident while rushing to pinpoint the root cause and path of an attack. It also cuts the time spent perusing endless logs, which fatigues a team, so they can focus on what matters most: quickly detecting suspicious activity and taking the appropriate action.
Top 10 Log Management Solutions
A log management system (LMS) primarily collects data and centralizes logs in one place, which makes it the appropriate starting point for a startup. An LMS differs from a Security Information and Event Management (SIEM) system in that a SIEM adds security features such as correlation rules and real-time threat analysis, and is typically used to manage security for a large or diverse IT infrastructure. Choosing the appropriate LMS for your startup is essential for monitoring and keeping track of potential security incidents.
Here is a list of the top 10 popular log management solutions.
- Sumo Logic
- Mezmo (formerly LogDNA)
Here are 10 open-source log collectors you can also use:
Logging Best Practices
Log data can contain a plethora of information, which can overwhelm you and your team. Knowing the best practices for logging helps you and your team manage logs appropriately.
Here are the seven best practices for event log monitoring, aggregation, and management.
- Don't log all available data: Log the data that is valuable to your startup rather than everything your applications generate. Focus on logs that support security monitoring or troubleshooting, such as perimeter device logs, application logs and server logs, and limit yourself to the critical paths or actions you want to monitor. Logging everything makes it hard to prioritize what deserves attention, and the cost of storing huge log volumes grows quickly as your startup grows. Minimizing scope must never mean dropping security-critical events, though: authentication successes and failures, privilege changes and administrative actions should always be logged.
- Don't log sensitive data: Make sure you don't log Personally Identifiable Information (PII), which is any information that reveals the identity of an individual (names, social security numbers (SSNs), dates of birth, medical record numbers, credit card numbers, etc.), or secrets such as passwords, session tokens and API keys. Logging sensitive data puts users at risk and lets employees or criminals who gain access to the logs steal it.
- Don't log in different data formats: Define one standard format for the data your team logs. Sticking to one format, ideally a structured one, makes event log data easier to search and is very helpful for small teams. It also makes a log aggregation tool easier to configure.
- Don't create log data silos: Don't keep logs in a separate store, or "data silo", that other teams cannot access. Use a log aggregation tool to centralize your event log data so that other teams can find it and reach it through a single interface.
- Explore log tagging to enrich log data: Log tagging is a straightforward strategy in which different types of log data are tagged automatically, so they can be filtered quickly during analysis.
- Set smart alerts: A log monitoring tool should allow proactive monitoring by letting you set alerts that catch attacks early, before they become full incidents. Implementing a SIEM on top of your log management solution extends this with correlation rules. You can also reduce incident response time by integrating your log monitoring tool with a communication tool like Slack so that the team is notified the moment a particular alert fires; relying on email alone is risky because it might take hours before anyone notices. Alerts should be carefully tuned to trigger as few false positives as possible.
- Use log rotation to manage log volume: Event log volume can grow at an accelerated rate, so use a log rotation tool to cap the size of live log files and to compress and archive older data for long-term storage. Keeping the archives gives you long-term history, for example to see whether an application's error rate has degraded over time, and helps you meet retention requirements for audit and compliance.
Minimize the Scope of Logging
Logging all available data is counterproductive for your startup. It is best to minimize the scope of logging so that when you search event logs, you are not lost in a sea of irrelevant entries. Once you know which logs you want to examine, create a logging plan that records information as it occurs, preferably in a location that prevents modification of the logs, so that they can serve as evidence when a security incident happens.
Protecting Sensitive Data in Logs
Sensitive data or Personally Identifiable Information (PII) that can help identify a person, such as an email address, name, birthday, SSN, IP address, username or password, can end up in log files. Recording such data creates legal and privacy problems. The best way for a startup to handle this is to categorize what data must be secured and develop a Data Classification Policy that classifies data according to its sensitivity.
Here are three types of data categorization:
- Restricted: This category houses the most sensitive information and might pose a severe threat if exposed. Only those with a need to know should have access.
- Confidential or Private: This information is moderately sensitive. If breached, it poses a moderate risk to the firm. The firm or department that owns the data controls access.
- Public: These contain non-sensitive information, which, if obtained, would pose little or no harm to the firm.
Transmit log data via encrypted channels
Logs should be transmitted to the central location over encrypted channels only, without exception. Sending logs in the clear is not worth the small speed gain, because their contents, and anything sensitive that slipped into them, are exposed to anyone on the network path. Use TLS (for example syslog over TLS, RFC 5425) with strong cipher suites, certificate-based authentication of the collector, and careful key management.
Filter sensitive information
Your startup must be able to search for and filter out, redact or obfuscate sensitive data in its logs. Filter and redact sensitive data before it leaves your network, for data protection, security obligations and compliance.
Anonymize log fields with sensitive data
Always check logs for fields containing sensitive data and anonymize them before sending them to remote storage. You can hash, encrypt or drop such fields. If you hash, use a keyed hash (HMAC) with a secret key rather than a plain hash: plain hashes of low-entropy values such as email addresses or SSNs are trivially reversed by brute force, whereas a keyed pseudonym still lets analysts correlate events for the same user without revealing who it is.
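A scrubber that applies the filtering and anonymization described in the last two sections before a line leaves the host. This is an added example, not code from the original article: secrets are replaced outright, card and social security numbers are masked to their last four digits (card candidates are confirmed with the Luhn checksum so order numbers are not mangled), and email addresses are replaced with a keyed HMAC-SHA256 pseudonym so the same user can still be correlated across events. The key, the regular expressions and the sample log line are constructed for the demo.

```python
"""Scrub sensitive values from log lines before shipping them.

Added example, not code from the original article. The key, patterns and
sample line are constructed; in production the key comes from a secret
store, never from the log pipeline's own config file, and is rotated.
"""
import hashlib
import hmac
import re

PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"  # assumption: loaded from a secret store

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed with Luhn below.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# key=value or key: value for common secret names; the value ends at whitespace, "&" or ",".
SECRET_RE = re.compile(
    r"(?i)\b(api[_-]?key|token|password|passwd|authorization)(\s*[=:]\s*)(bearer\s+)?([^\s&,]+)"
)


def luhn_valid(digits):
    """True if the digit string passes the Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed, deterministic pseudonym: same input -> same token; not reversible
    without the key, unlike a plain SHA-256 of a guessable email address."""
    digest = hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()
    return "user-" + digest[:16]


def _mask_card(match):
    digits = re.sub(r"\D", "", match.group(0))
    if not luhn_valid(digits):
        return match.group(0)   # not a card number (an order id, say); leave it untouched
    return "[CARD-" + digits[-4:] + "]"


def scrub_line(line, key=PSEUDONYM_KEY):
    """Apply all redactions to one log line. Secrets first, so a token that
    happens to look like a number is not half-masked by a later rule."""
    line = SECRET_RE.sub(lambda m: m.group(1) + m.group(2) + (m.group(3) or "") + "[REDACTED]", line)
    line = CARD_RE.sub(_mask_card, line)
    line = SSN_RE.sub(lambda m: "[SSN-" + m.group(0)[-4:] + "]", line)
    line = EMAIL_RE.sub(lambda m: pseudonymize(m.group(0), key), line)
    return line


# Constructed sample line from a hypothetical checkout service.
SAMPLE_LINE = (
    "2024-05-01T09:00:00Z app=checkout user=alice@example.com ssn=123-45-6789 "
    "card=4111 1111 1111 1111 order=1234567812345678 api_key=sk_live_abc123 "
    'msg="order placed"'
)


if __name__ == "__main__":
    print(scrub_line(SAMPLE_LINE))
```

Pattern-based scrubbing is a safety net, not a substitute for the earlier rule of not logging sensitive fields in the first place: a new field name or an unusual formatting of a card number will slip past a regex, so run the scrubber in shadow mode on real traffic for a while and review what it misses before trusting it.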
Centralizing logs at your startup with a log management solution is a convenient way of monitoring logs and tracking events that may lead to security incidents. There are various logs to choose from, and determining which ones are appropriate to monitor at your startup is very important. Many log management systems are available for centralizing logs in one location, which is convenient for teams who need to share log data. Protecting sensitive data in logs before they are transmitted to a centralized store is critical to avoid exposing it to threats. Following best practices for logging makes logging a pragmatic and beneficial way of boosting cybersecurity for startups.
!The next article will show the difference between ethical hackers and cybercriminals. It will also shed some light on a penetration testing and vulnerability disclosure policy.