Network Security Monitoring

Chapter 4: Security Operation Centers (SOC)

Content
In this Chapter, we will cover the following topics:
• Security management and its importance in maintaining security in the organization.
• Security Operations Center and its capabilities and operations to protect security system
against security threats.
• SOC functions performed by security analysts to gain the actual security posture of an
organization.
• SOC components: People, Process, and Technology that play an important role in
monitoring and managing different activities of SOC; it’s working process to detect and
respond to suspicious activities;
• SOC models; and SOC generations.
• Phases of SOC required for its implementation; SOC KPIs and metrics; and Network
Operations Center (NOC).
 3

Security Management & Operations

Security Management

▪ The security management system is a collection of a systematic, repetitive set of

interconnected security activities that help organizations to maintain their security posture at
an adequate level.
▪ It is an ongoing effort that focuses on both physical safety and digital security of assets.
▪ Its main purpose is to protect the organization’s assets like information, hardware, and
software from malicious activities and reduce the overall risk on the organization.
▪ It ensures confidentiality, integrity, and availability of the organization’s assets and services.
The security management system also develops and implements various documents like
policies, standards, procedures, and guidelines.
▪ Involves implementing different security practices like risk assessment, training, and security
audit.
Security activities involved in Security Management

❑ Security Infrastructure >

- Shield to your organization .

✓ It provides security to Perimeter, Network, Endpoint, and Application & Data by implementing adequate
preventive, detective, and corrective information security controls.
❑ Security Prevention -

keeps
D anout for weakness
eye .

✓ Security prevention services like vulnerability management and penetration testing ensure security in the
networks against vulnerabilities and threats. These services not only scan, test, and identify threats across
internal or external networks but also remediate or reduce their exposure.
❑ Compliance and Validation D follow the rules
-

✓ Various governance risk and compliance programs help the organization to continue its business without any
risks. Some of the examples of governance risk and compliance programs involve ISO 27001 Readiness
Assessment, Security Baseline policy document for ISMS, and so on.
❑ Security Operations
✓ These operations are performed by the Security Operation Center (SOC) through real-time security alerting,
threat analysis & intelligence, correlation, and preemptive incident reporting, detection, and response.
 -D Continuous operational practice.

prevents prioritize & respond

&

>
- detects

Security Operations
,
,
,

❑ It is the continuous operational practice for maintaining and managing a secure IT

environment through the implementation and execution of certain services and processes.
Its main purpose is to prevent, detect, prioritize, and respond to security incidents.
D 2) 3) I

❑ A well-defined security operation should be specializing in intelligence, incident

management, access control, loss control, risk management, and forensics.
A good security operation focuses on understanding threats, managing incidents, controlling access, preventing losses, managing risks, and
investigating incidents.

❑ It involves a -
predefined set of processes and services that is to be followed during the
daily security operation tasks based on the organization’s security baselines.
-
-
Security Operations Tasks

1. Security Monitoring: It involves collecting and analyzing information to identify abnormal behavior and
unusual activities in the network. Also, escalating malicious activities to incident response system for
resolution.
2. Security Incident Management: It includes detecting, managing, and monitoring security vulnerabilities in
real-time with minimal adverse impact.
3. Vulnerability Management It is a cyclical process that includes continuous monitoring, triage, and
mitigation of system vulnerabilities. It is an integral part of computer security and network security.
4. Security Device Management It involves maintaining and managing security infrastructure and devices,
as well as updating software in the organization. It helps in securing an organization's assets and
maintaining a compliance requirement for regulations.
5. Network-flow Monitoring: It detects and analyzes inflow and outflow of packets in the network and
generates alerts whenever suspicious activities arise.
S Monito ancementemention
a -

vurneaubi tt manay
-
security device
- securit
-
Security Operations Centre (SOC)

Security operations are handled and managed with the help of Security
Operation Center (SOC).
▪ It is a centralized unit that continuously monitors, manages, and analyzes ongoing activities on
the organization’s information systems such as networks, servers, endpoints, databases,
applications, and websites.
▪ Its end-goal is to maintain the continuity of an organization by determining, preventing,
detecting, and responding to intrusion events before they affect the business.
▪ It provides a single point of view through which the organization’s security and assets are
monitored, assessed, and defended. It gathers data from logs, IDS/IPS, firewalls, endpoint
devices, and network flows and facilitates incident detection, investigation, and response.
This system acts like a central hub, gathering information from different security tools like logs, firewalls, and endpoint devices. It gives a clear
picture of what's happening with the organization's security and assets, making it easier to spot and respond to any problems.

Source EC Council
SOC Responsibilities

1. Proactively identifying suspicious activities in the network and system.

2. Performing vulnerability management to identify which activities are vulnerable to the
network.
3. Getting aware of hardware and software assets working in the network.
4. Performing log management that facilitates forensics at the time of security breaches.
5. Evaluating policies and procedures required for business operations.
6. Checking whether the organization has appropriate internal controls and processes to
provide proper services to the clients.

Source EC Council
SOC Capabilities

1. Preventing Capability refers to stopping an attack from getting successful. To prevent the
attack, SOC uses fine-tuning and maintenance tools. It also directs the Incident
Response Team to perform security monitoring. detects risks and identify their harmful
impact on the organization to design a well-defined solution.
2. Detection Capability: It refers to monitoring a system or network to identify suspicious
activities and security breaches. To fulfill this purpose, SOC collects, analyzes, and
correlates security events, as well as triggers alerts when suspicious activity arises.
3. Responding Capability: It refers to analyzing and handling documented alerts and
security incidents instantly with security teams.
4. Reporting Capability: SOC offers various reports and dashboards, which keeps you
updated about the various assets and their security events, level of compliance, and
alarms generated.

Source EC Council
SOC Operations or Processes

Preparation, planning and prevention

detailed list
1. Asset inventory: A SOC needs to maintain an exhaustive inventory of everything that needs to be protected,
inside or outside the data center (for example applications, databases, servers, cloud services, endpoints, etc.).

2. Routine maintenance and preparation: To maximize the effectiveness of security tools and measures in place,
the SOC performs preventive maintenance such as applying software patches and upgrades, and continually
updating firewalls, allow list and blocklists, and security policies and procedures.

3. Incident response planning: The SOC is responsible for developing the organization's incident response plan,
which defines activities, roles and responsibilities in the event of a threat or incident, and the metrics by which the
success of any incident response will be measured.

4. Regular testing: The SOC team performs vulnerability assessments—comprehensive assessments that identify
each resource's vulnerability to potential or emerging threats and the associate costs.

5. Staying current: The SOC stays up to date on the latest security solutions and technologies, and on the
latest threat intelligence—news and information about cyberattacks and the hackers who perpetrate them,
gathered from social media, industry sources and the dark web.
Source IBM
SOC Operations or Processes …Cont.
Monitoring, detection and response
1. Continuous, around-the-clock security monitoring: The SOC monitors the entire extended IT infrastructure—applications, servers,
system software, computing devices, cloud workloads, the network—24/7/365 for signs of known exploits and for any suspicious activity.
2. Log management: Log management—the collection and analysis of log data generated by every network event—is an important subset
of monitoring. While most IT departments collect log data, it's the analysis that establishes normal or baseline activity and reveals
anomalies that indicate suspicious activity
>
-
differentiate real threats from false positive & sort them by severity)/
3. Threat detection: The SOC team sorts the signals from the noise—the indications of actual cyberthreats and hacker uses from the false
positives—and then triages the threats by severity. Modern SIEM solutions include artificial intelligence (AI) that automates these
processes and which 'learns' from the data to get better at spotting suspicious activity over time.
4. Incident response: In response to a threat or actual incident, the SOC moves to limit the damage. Actions can include:
✓ Root cause investigation,
✓ Shutting down compromised endpoints or disconnecting them from the network.
✓ Isolating compromised areas of the network or rerouting network traffic.
✓ Pausing or stopping compromised applications or processes.
✓ Deleting damaged or infected files.
✓ Running antivirus or anti-malware software.
✓ Decommissioning passwords for internal and external users.

Source IBM
SOC Operations or Processes…Cont.
Recovery, refinement and compliance
Puts an end to

1. Recovery and remediation: Once an incident is contained, the SOC eradicates the threat, then works to
recover the impacted assets to their state before the incident (for example wiping, restoring and
reconnecting disks, user devices and other endpoints; restoring network traffic; restarting applications and
processes).

2. Post-mortem and refinement: To prevent a recurrence, the SOC uses any new intelligence gained from
the incident to better address vulnerabilities, update processes and policies, choose new cybersecurity tools
or revise the incident response plan.
3. Compliance management: It's the SOC's job to ensure all applications, systems and security tools and
processes comply with data privacy.

Source IBM
SOC Workflow.

1. Collection Security logs are collected and forwarded to the SIEM.

Processes
2. Ingestion: SIEM ingests log data, threat information, indicators of compromise, and asset
inventory for machine-based correlation and anomalous activity detection.
3. Validation SOC analysts identify the indicators of compromise, triage alerts, and validate
incidents.
4. Reporting Validated incidents are submitted to the incident response teams through a ticketing
system.
5. Response SOC team reviews incidents and performs incident response activities.
6. Documentation At last, incidents are documented for business audit purposes.

Source IBM
SOC Workflow.

Source IBM
SOC Component
Components of SOC: People, Processes, and Technology

A SOC requires cooperation and communication among people, processes, and technologies to collect, sort, and
investigate security events. Respond quickly
security experts ,) internal or outsourced) Main role : communicate solutions
w/ security teams ,
develop security ,
A
>
-
.

to security
▪ People are the security talent who are responsible for executing the functions. They may be security incidents
.

operators, analysts, or pen testers, and may be internal or outsourced. Their main objective is to communicate
with the security teams and build the vigilance solution to the organization. They are also responsible for
responding to the security incidents immediately. to
>
- planned methods for security Monitoring & management Link people
-
& technology ,
aiming to detect & respond suspicious
activitie
▪ Processes should be planned specifically for security monitoring and administration. They should act like a
connection between people and technology. Their main motive is to track and identify suspicious incidents as
well as provide remediation against them.
>
- tools that enhances the SOC's capabilities main goal - collect , store correlate
,
& report.
▪ Technology amplifies the capabilities of SOC by facilitating automatic incident analysis and response, threat
detection and prevention, event triage, and so on. Their main objectives are to collect, store, correlate, and
report on security incidents.

Source IBM
 - SOC analyst -> Incident Responder
People -D SOC manager - Threat Hunter
.

▪ Responsibilities of SOC Analyst:

✓ Maintains email address and distribution lists, answers SOC phone lines, and updates required
documentation.
✓ Performs security research and gathers information about identified threats and vulnerabilities.
✓ Documents initial investigation results and forwards it to a level-2 analyst for final investigation.
▪ Responsibilities of Incident Responder
✓ Analyzes networks and systems for threats.
✓ Detects security risks and vulnerabilities and suggest appropriate responses to them.
✓ Conducts malware analysis and reverse engineering.
✓ Prepares risk assessment reports for management, administrators, and end-users.
✓ Communicates with other threat analysis for defining correct security plans.

Source EC Council
People

▪ Responsibilities of Threat Hunter

1. Proactively detects and neutralizes those advanced security incidents that automated security solutions are not
able to find.
2. Collects various information about identified potential threats, like their behavior, goals, and methods.
3. Analyzes the collected information and provides appropriate countermeasures.

▪ Responsibilities of SOC Manager

1. Tracks security operations.
2. Examines policy compliances and regulatory compliances.
3. Manages team members and communicates with other departments to minimize risks.
4. Documents and defines a security incident response plan.
5. Audits security policies and controls regularly.
6. Evaluates and implements new tools and technology. o Keeps track on security tools and technologies.

Source EC Council
Technology

▪ Multidimensional and multilevel technology should participate in an efficient manner to protect the systems,
programs, and solutions from unauthorized access for a longer period of time.
▪ It may include SIEM solutions, Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Firewall,
Database Activity Monitoring (DAM), Dashboard, Ticket System, and Automated Assessment tools.
B
▪ The technology component of SOC comprises technical capabilities forDmonitoring system logs, detecting
B ⑪ 5
security incidents, performing investigations, analyzing network traffic, and monitoring threat intelligence
inputs. It supports and increases the capabilities of SOC.

Source EC Council
Types of SOC Models

Source Varonis
SOC Models

1. Internal SOC:
▪ Description: The organization builds and maintains its own SOC with a dedicated security team. This team is responsible for
all aspects of security operations, including monitoring, incident detection, analysis, response, and remediation.
▪ Benefits: Offers the highest level of control and customization over security operations. Security personnel have deep
understanding of the organization's specific IT infrastructure and security posture.
▪ Drawbacks: Requires significant investment in personnel, technology, and infrastructure. Maintaining 24/7 operations.
▪ Example: A large financial institution with a complex IT environment and a high tolerance for risk might choose to invest in an
internal SOC to maintain complete control over its security posture.

2. Virtual SOC (vSOC): - limited control

▪ Description: The organization outsources some or all of its SOC functions to a managed security service provider (MSSP)
who operates the SOC remotely. The MSSP provides the technology, expertise, and staffing to monitor the organization's
security posture.
▪ Benefits: More cost-effective than an internal SOC, as the organization doesn't need to invest in building and maintaining its
own infrastructure.
▪ Drawbacks: Less control over security operations compared to an internal SOC. The organization relies on the MSSP's
expertise and may have limited visibility into their processes.
▪ Example: A medium-sized company with a growing IT environment might choose a vSOC to gain access to advanced security
expertise without the high cost of an internal SOC.
SOC Models…Cont

3. Co-Managed SOC: > more control the USOC

- .

▪ Description: A hybrid model where the organization and an MSSP share responsibility for SOC operations. The organization
might have a dedicated security team focused on specific tasks, while the MSSP handles other aspects like log management,
threat detection, and initial incident response.
▪ Benefits: Offers a balance between control and cost-effectiveness.
▪ Drawbacks: Requires good communication and collaboration between the internal security team and the MSSP to ensure
smooth operation.
▪ Example: A retail company with a security-conscious culture might choose a co-managed SOC to benefit from the MSSP's
expertise while keeping some security tasks in-house for their security team.

4. Global SOC:
▪ Description: A large, centralized SOC operation designed to manage security for a multinational organization with
geographically dispersed locations. This model often involves multiple SOC locations spread across different regions.
▪ Benefits: Provides consistent and centralized security management across all locations.
▪ Drawbacks: Requires significant investment in infrastructure and personnel to manage a geographically dispersed SOC. Time
zone differences might create challenges for real-time incident response.
▪ Example: A large multinational corporation with offices worldwide might choose a global SOC to ensure consistent security
posture across all locations and leverage economies of scale.
 SOC Models…Cont.

#3. Outsourced External SOC: managed

service
securia
t
yo ▪ Description: The organization outsources all SOC functions to an MSSP. The MSSP is responsible for
all aspects of security operations, including monitoring, incident detection, analysis, response, and
remediation.
▪ Benefits: Most cost-effective option as the organization doesn't need to invest in any personnel,
technology, or infrastructure.
▪ Drawbacks: Least control over security operations. The organization relies entirely on the MSSP's
expertise and may have limited visibility into their processes and decision-making.
▪ Example: A small startup with limited IT resources might choose an outsourced external SOC to gain
access to essential security monitoring and response capabilities without the overhead of building their
own SOC.
SOC Implementation Phases

1. Planning: The first step is to set organization's goals and objectives, as the security management
requirements and determine the capabilities that need to be analyzed.
2. Designing and Building the SOC. The designing and building phases of SOC are interrelated to each
other, and here the important part is to select the best technology to implement efficient SOC.

3. Operating the SOC: After designing and building the SOC, the next step is to operate the SOC. This
phase is also called the “go live” phase. Before moving to operating phase, a new SOC should overcome
some important challenges like:
4. Reviewing and Reporting the SOC: After making the SOC go live, the last stage is to review the SOC to
identify the areas of improvement and to check whether it is operating accordingly.
SOC Key Performance Indicators (KPI)
- used to analyze the performance of an organization in various .
areas

KPIs are a series of measurements that are used to analyze the performance of an activity.
It should be SMART: Specific, Measurable, Actionable, Relevant, Timely.
✓ Specific means it should evaluate the attribute of the system directly; it should not depend upon the measurements of
other systems as well as the integration of different systems.
✓ Measurable means, KPI's should provide accurate and complete information.
✓ Actionable means it should provide information which is easy to review on which appropriate action can be taken.
✓ Relevant means it should be able to provide relevant data from the collected information.
✓ Timely means it should provide information at the requirement.
SOC KPIs….Cont.

▪ Client Satisfaction It means time taken to answer the client's question and satisfy him. It should be
done quickly, and for this, your system should be properly automated.
▪ Transfer Rate: These are incidents that are not handled properly by the first incident responder and
are transferred to another incident responder. The transfer rate should be as minimum as possible.
▪ Operations Audit: It is a scheduled or unannounced deep dive performed by the security team to
validate the efficiency and effectiveness of the organization.
▪ System Availability and Accessibility: It means measuring the up-time reliability of the critical
system, subsystem, or process.
▪ Incident response time: This metric measures the time taken by the SOC team to respond to a
detected security incident. It helps in determining the effectiveness of the incident response
processes and ensuring timely mitigation of threats.
SOC KPIs….Cont.

▪ False positive rate: This metric measures the percentage of false alarms generated by the security tools and
systems. A high false positive rate may result in inefficiency and resource wastage in the SOC, while a low false
positive rate indicates effective threat detection systems.

▪ Mean time to detect (MTTD): This metric measures the average time taken by the SOC team to identify
potential security threats. A low MTTD is crucial to minimize the damage caused by security breaches.

▪ Mean time to resolve (MTTR): This metric measures the average time taken by the SOC team to resolve or
mitigate security incidents. A lower MTTR is indicative of a faster and more efficient incident resolution process.

▪ Percentage of incidents resolved: This metric measures the percentage of security incidents that were resolved
or mitigated by the SOC team. It helps in assessing the overall effectiveness of the incident response process.

▪ First contact resolution rate: This metric measures the percentage of incidents that are resolved in the first
contact by the SOC team, without requiring a lengthy investigation. A high first contact resolution rate indicates
an efficient SOC.

▪ Incident classification accuracy : This metric measures the accuracy of incident classification done by the SOC
team. Accurate classification helps in prioritizing incidents and allocating resources effectively.
SOC KPIs….Cont.

▪ Compliance score: This metric measures the level of adherence to various security standards,
regulations, and policies by the organization. It helps in determining if the SOC is effectively contributing
to the overall security posture of the organization.
▪ Security tool effectiveness: This metric measures the effectiveness and efficiency of the security tools
and technologies deployed in the SOC. It helps in identifying areas where investments in tooling or
improvements in security processes need to be made.

▪ Some efficiency measures:

✓ Number of security events inputted into SOC
✓ Number of data points gathered and analyzed
✓ Types of data collected and assessed
✓ Number of Incidents/events
 SOC Vs NOC

▪ SOC (Security Operations Center) and NOC (Network Operations Center) are not replacements for each other.
They are complementary functions within an organization's IT department, each with distinct goals:
▪ NOC Major Responsibilities:
✓ 24/7 Network, Hardware & Software Health and Optimization
✓ Monitors network activity for performance issues, outages, and potential problems. Troubleshoots network connectivity problems.
✓ Performs routine maintenance tasks to ensure network efficiency.
✓ Manages network capacity and scaling.
✓ Responds to user inquiries related to network connectivity.
✓ Proactive & Consistent Monitoring
✓ Updates & Patch Management

▪ SOC Major Responsibilities:

✓ 24/7 Network Real-Time Vulnerability Endpoint Monitoring
✓ Comprehensive Investigations: Understanding how and why a breach occurred can prevent future attacks. Monitors security events and
logs for suspicious activity. Security Policies & Processes: Ensure all requirements are updated and compliant with the latest regulations.
✓ Detects and analyzes potential security threats. Responds to security incidents by containing threats and minimizing damage.
✓ Implements and maintains security measures like firewalls and intrusion detection systems.
SOC Vs NOC: Major differences (Team and Focus)

▪ Different team Skillsets: The skillsets required for NOC and SOC personnel differ. NOC
technicians need expertise in network troubleshooting and performance optimization, while
SOC analysts need a strong understanding of cybersecurity threats and incident response
procedures.
▪ Different objective and Attention: Each function requires a dedicated focus. Merging them
could dilute the effectiveness of both teams in managing their core responsibilities.
SOC Vs NOC: Collaboration

▪ Both NOC and SOC benefit from having shared visibility into the network. This allows them to
correlate network events with security incidents and identify potential threats more effectively.
▪ The NOC can alert the SOC of suspicious network activity, and the SOC can provide the NOC
with insights to improve network security posture.
SOC Vs NOC: Collaboration

▪ Both NOC and SOC benefit from having shared visibility into the network. This allows them to
correlate network events with security incidents and identify potential threats more effectively.
▪ The NOC can alert the SOC of suspicious network activity, and the SOC can provide the NOC
with insights to improve network security posture.

▪ In conclusion, both NOC and SOC are essential for a robust IT infrastructure. The NOC
keeps the network running smoothly, while the SOC safeguards it from cyberattacks
Log vs Event vs Log Incident

▪ Logs are the collection of information/data on events generating in the form of audit trail by the
various components of information system such as network, applications, operating system
(OS), service, etc.

▪ Log serves as an indication that something may have gone wrong and helps the SOC analysts
in analyzing and detecting the issues. Separately, transaction logs or firewall logs or intrusion
prevention system (IPS)/intrusion detection system (IDS) logs do not represent any fault.

▪ Logs simply store records about something that has occurred, for example, deletion of record
from the database. When logs from different devices are collected, correlated, and analyzed by
Security Incident and Event Management systems, something meaningful will be generated.
SEM
&
Log Types

▪ Security logging concentrates on identifying and responding to security-related activities such as

threats, viruses, malware, data loss, etc. It records logs about user login, unauthorized access to the
resources, etc.
▪ Operational logging concentrates on system-processing activities. It informs the system
administrators regarding failures and potentially actionable conditions.

▪ Compliance logging is a part of security logging, as regulations are developed to enhance the
security of systems and data.
▪ Application debug logging is logging that is beneficial to application/system developers, not system
administrators. It concentrates on recording debugging logs that are analyzed by the application
developer to detect the issues. This type of logging can be disabled and enabled in a production
system based on the requirement.

parte
Events

▪ Event An event is an observed change in the day-to-day operations of a system, network, process,
workflow, or person, includes potential security risk.
▪ Event examples include: user signed into the system, router Access Control Lists were updated,
firewall policy was pushed, CPU utilization exceeded 99%, updating a database, etc.
▪ Security events are events that may affect the security of the system or network and indicate that
there may be a violation of security policy or failing of any security safeguard.
▪ A security event is any occurrence within an organization's IT infrastructure that might indicate a potential
security risk. It can be a positive event (e.g., successful login attempt) or a negative event (e.g., failed login
attempt). Security events happen frequently, and not all of them translate into actual security breaches.

▪ These events are stored as logs and act as an input to the Security Operations Center
Events are observed changes in system, network, process, workflow, or person operations, potentially involving security risks.
Examples include user logins, firewall policy updates, and CPU usage spikes. Security events specifically impact system or network
security, possibly indicating policy violations or security safeguard failures. They can be positive (e.g., successful logins) or
negative (e.g., failed logins), but not all lead to breaches. These events are logged and fed into the Security Operations Center for
analysis.
Events example

▪ Server Shutdown/Reboot or Windows Abnormal Shutdown

➢ Description: This event is generated when the system restarts or shuts down unexpectedly.
It means that the system cannot predict when the system is going to shut down, for
example, when the reset button is pushed by a user or when he unplugs the power cord.
➢ Consequences: Misuse of this event can result in a denial of service.
Incident

▪ A security incident is a single or a sequence of unexpected or undesired security events

that can affect the security of an organization.
▪ It can be generated intentionally or unintentionally. It can be anything, violation of
security policies, acceptable use policies, or standard security practices.
▪ A security incident is a confirmed event that negatively impacts the security posture of an
organization. It disrupts or compromises the confidentiality, integrity, or availability of
information or IT systems. Security incidents are a subset of security events, and they
require a more serious response effort
Incident examples

✓ Intentionally and unintentionally disclosure of sensitive information to an unauthorized user

✓ Illegitimate sharing of sensitive information with an external cloud storage service
✓ Denial of service or other attacks on system or network
✓ Inappropriate or unauthorized use or access
✓ Hacker activity: Unauthorized storage, Unauthorized, Packet flooding
Log Advantages

▪ System monitoring Logs provide detailed information about the transactions that are
occurring across the environment.
▪ Troubleshooting You can utilize different information and messages available in log files to
troubleshoot a problem. However, these log files are not enough to troubleshoot network
problems.
▪ Logs play an important role in forensics and analysis process. It is a permanent source of
record that cannot be altered through the normal course of actions.
▪ Incident response activity requires proper correlation of log events across the number of
devices and assets.
▪ It also ensures compliance with laws, rules, and regulations for storing and analyzing log
data.
Log Content

✓ User identification information

✓ Date and time
✓ Type of event
✓ Success or failure indication
✓ Event origination point
✓ Description
✓ Severity
✓ Service name
✓ Protocol
✓ User
Logging Approach's

▪ Logs are stored either on the local disks or the central server, depending on the size of the
systems.
1. Local Logging is the mechanism of logging user activities in the host machine. In other words, it
is the process of writing logs into the files on local disks. If the systems have multiple hosts, then it
becomes difficult to manage logs and analyze them. The common solution to this problem is to
use centralized logging.
✓ System crash, shutdown, restart, or startup.
✓ Failed and successful modification of user credentials and access right such as account
updates, creation, and deletion
✓ Alter user access privileges in both successful and failed cases
Centralized Logging

▪ Centralized logging is a mechanism of storing the logs generated by the network devices in a
central server. In other words, it is the process of collecting and aggregating logs in one central
location. It works in four parts: logs collection, transport, store, and analyze.
✓ Addition/Deletion of network devices
✓ Changes implemented to network settings
✓ Changes to the user access to the network
✓ Failed and successful user access to the network initiated to/from the computer
Linux Logs

▪ Linux logs are the record of the activity or event in Linux OS.
▪ It includes messages about everything, system, kernel, package managers, boot
processes, Xorg, Apache, and MySQL.
▪ Most of the Linux logs are located at /var/log directory and subdirectory in plain ASCII text
format.
▪ Many of them are produced by the system log daemon (syslogd) on behalf of the system
and application, whereas some applications produce logs directly into /var/log directory.
▪ Linux OS generates four different categories of log files: application logs, event logs,
service logs, and system logs.
Linux Logs: Directory examples

/var/log/messages or /var/log/syslog
▪ This log file contains general messages and system-related stuff. It stores all informational and noncritical
messages across the global system such as system error messages, system startups, and shutdowns, change
in the network configuration, etc.

/var/log/auth.log or /var/log/secure
▪ This log file contains authentication logs, including both successful and unsuccessful user login attempts, and
authentication techniques.

/var/log/kern.log
▪ This file stores information that is logged kernel. This file is helpful in solving kernel-related errors and warnings
and hardware and connectivity problems
Linux Logs: Directory examples

/var/log/cron.log
▪ This file contains information about all Crond-related messages (cron jobs). For example, when the cron
daemon begins the cron job, all related information about successful or failed execution is logged on to this file

/var/log/qmail/
▪ It is a directory that stores information related to qmail logs. This directory is helpful if you want to track all
emails sent through a qmail system, or you require the list of every message transmitted by the server

/var/log/httpd/
▪ It is a directory that stores information related to the apache web server. Apache web server stores information
in two log files: access_log and error_log.
Linux Logs: Directory examples

/var/log/boot.log
▪ This file stores all information related to system booting.

/var/log/mysqld.log

▪ This file stores all debug, failure, and success messages about [mysqld] and [mysqld_safe] daemon.

/var/log/yum.log
▪ All information related to installation of a package using yum command is stored in this file. This file is useful if
you want to check whether a package is installed correctly or not, and also supports in identifying and solving
problems of software
Linux Logs: Samples from (var/log)

▪ sshd[12345]: pam_unix(sshd:session): session opened for user johndoe by (uid=0) [remote ip

192.168.1.100]
▪ sshd[54321]: Failed password for invalid user root from 10.0.0.1 port 53555 ssh2
Description:
✓ sshd[12345]: pam_unix(sshd:session): session opened for user johndoe by (uid=0) [remote ip 192.168.1.100]: This
indicates a successful SSH login for user "johndoe" from the IP address 192.168.1.100. "sshd" refers to the SSH daemon,
"pam_unix" is a part of the Pluggable Authentication Modules (PAM) used for authentication, "(uid=0)" signifies the user
logged in with root privileges, and the bracketed information shows the remote IP address.

✓ sshd[54321]: Failed password for invalid user root from 10.0.0.1 port 53555 ssh2: This records a failed login attempt
for a non-existent user "root" from the IP address 10.0.0.1. The port used was 53555, which is not the standard SSH port
(22), suggesting a potential port scanning attempt.
Linux Logs: Samples from (var/log)

▪ sshd[7890]: Accepted public key for user alice from 172.16.0.2 port 22 ssh2
▪ CRON <user owning cron job>: (pam_unix:session): session opened for user root by (uid=0).
Description:
✓ sshd[7890]: Accepted public key for user alice from 172.16.0.2 port 22 ssh2: This indicates a
successful SSH login for user "alice" using a public key for authentication. The login originated
from IP address 172.16.0.2, and the standard SSH port (22) was used.

✓ CRON <user owning cron job>: (pam_unix:session): session opened for user root by
(uid=0): This log entry is related to a cron job execution. The specific user who owns the cron job
is mentioned, followed by details similar to a user login, indicating the system created a temporary
session to run the cron job with root privileges.