This topic will introduce organisational and industry requirements for threat data logging and strategies for processing. You will also gain hands-on skills to collect logs from network devices in a simulated networking environment.
In this topic, you will learn about:
- data log requirements
- strategies for processing data
- collecting information from network devices
- using NetFlow in Cisco Packet Tracer.
Let us begin.
Establishing data log requirements
Establishing data log requirements is crucial for effective threat data analysis. Clear log guidelines ensure comprehensive data collection and enable the identification of potential security threats. Properly formatted logs provide a detailed chronological record of system activities, aiding in forensic investigations and threat detection. Analysing logs helps cybersecurity professionals recognise abnormal patterns, detect unauthorised access, and respond promptly to mitigate potential risks. Without well-defined data log requirements, the analysis process becomes challenging, hindering the ability to identify, assess, and address security threats in a timely manner, leaving systems vulnerable to potential breaches and compromising overall cybersecurity resilience.
The following two data breach examples demonstrate what data needs to be collected to conduct effective threat data analysis and emphasise the importance of having the proper logging and monitoring controls in organisational systems.
Data breach example 1
Data breach example 2
Knowledge Check
Complete the following activity to check your knowledge and understanding of the key concepts of this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.
Security monitoring and logging failures
It is important to remember that without sufficient logging and monitoring, breaches cannot be detected.
The following video emphasises some of the common failures concerning security monitoring and logging that cyber security analysts should be aware of.
What is sufficient logging?
Sufficient security logging involves capturing comprehensive records of system and network activities, including user actions, access attempts, and potential security incidents. It ensures timely detection, analysis, and response to security threats, aiding in forensic investigations and proactive risk management.
Discuss and confirm log requirements
Once all logging requirements are documented or noted, they need to be discussed and confirmed with the required personnel in an organisation.
Discussing and confirming threat data log requirements with relevant personnel and stakeholders is essential for aligning security strategies with organisational needs. Collaborating ensures that the collected data meets both security and operational objectives. Involving key stakeholders, such as IT administrators and compliance officers, helps tailor log requirements to regulatory standards and specific organisational risks. This proactive communication fosters a shared understanding of security goals, promoting a unified threat detection and response approach. Ultimately, engaging with personnel ensures that the data logs generated align with organisational priorities, enhancing the effectiveness of threat analysis and bolstering overall cybersecurity resilience.
Active monitoring and alerting
Active monitoring and alerting in cybersecurity involve real-time scrutiny of network activities for abnormal behaviour or potential threats. Automated systems generate alerts when suspicious patterns are detected, enabling rapid response to mitigate risks. This proactive approach enhances the ability to identify and thwart cyber threats before they cause significant damage.
Requirements for detecting incidents
Detecting cyber threat incidents requires robust monitoring tools, intrusion detection systems, and log analysis capabilities. Real-time analysis of network traffic, system logs, and user activities helps identify anomalies. Additionally, threat intelligence integration and continuous updates to security protocols enhance the ability to detect and respond to evolving cyber threats promptly.
The following video outlines what is involved when detecting incidents.
Monitoring and managing log files
The following video discusses the types of log files that can be collected from various sources in an organisation's network. It also discusses the compliance requirements when collecting and storing log files.
Explore
Cyber security monitoring guide | crest-approved.org
A Complete Logging Guide | graylog.org
Six SIEM Log types you need to analyse and why? | manageengine.com
Knowledge Check
Complete the following activity to check your knowledge and understanding of the key concepts of this topic. You may repeat this activity as often as you like. Use the arrows to move between the different activities.
Logging from single security devices
Single security devices include devices such as firewalls, intrusion detection systems (IDS), and antivirus software that each focus on specific threat vectors.
Logging from a single security device involves recording events specific to that device, aiding in localised analysis.
Router logs
Logging from routers involves recording events and activities occurring on the network, such as connection attempts, routing changes, or security incidents. These logs are crucial for monitoring network health, troubleshooting issues, and identifying potential security threats. Analysing router logs enhances overall network management and security.
Firewall logs
Firewall logging captures and records network traffic data passing through a firewall. These logs include information about allowed or denied connections, source and destination IP addresses, and port numbers. Analysing firewall logs helps detect and respond to unauthorised access, potential threats, and security incidents, contributing to robust network security.
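As an added example (not part of the original course material), the following Python script shows the kind of analysis the paragraph describes: it parses firewall log lines into the fields mentioned above (action, source and destination IP addresses, port numbers) and flags sources that were denied on several distinct destination ports, a pattern an analyst would want to review. The log lines are constructed in a simplified syslog-like layout and are not a real vendor format; the threshold of three ports is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified firewall syslog style (not a real
# vendor format): timestamp, action, protocol, source:port -> destination:port.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z DENY tcp 203.0.113.7:51000 -> 192.0.2.10:22
2024-03-01T10:00:02Z DENY tcp 203.0.113.7:51001 -> 192.0.2.10:23
2024-03-01T10:00:02Z ALLOW tcp 198.51.100.4:40212 -> 192.0.2.10:443
2024-03-01T10:00:03Z DENY tcp 203.0.113.7:51002 -> 192.0.2.10:3389
2024-03-01T10:00:04Z DENY tcp 203.0.113.7:51003 -> 192.0.2.10:445
2024-03-01T10:00:05Z DENY udp 198.51.100.9:53000 -> 192.0.2.10:161
2024-03-01T10:00:06Z ALLOW tcp 198.51.100.4:40213 -> 192.0.2.11:443
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_firewall_log(text):
    """Parse each line into a dict of fields.

    Lines that do not match are skipped rather than raising: malformed or
    truncated lines are common in real log feeds and must not abort analysis.
    """
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def denied_ports_by_source(records):
    """Map each source IP to the set of destination ports the firewall denied."""
    denied = defaultdict(set)
    for r in records:
        if r["action"] == "DENY":
            denied[r["src"]].add(r["dport"])
    return dict(denied)


def flag_probing_sources(records, min_ports=3):
    """Return sources denied on at least `min_ports` distinct destination ports.

    Repeated denials across many ports from one source is a pattern worth an
    analyst's attention; `min_ports` is an assumed tuning value.
    """
    return sorted(
        src for src, ports in denied_ports_by_source(records).items()
        if len(ports) >= min_ports
    )


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    print(f"{len(recs)} records parsed")
    for src in flag_probing_sources(recs):
        print("review source:", src, sorted(denied_ports_by_source(recs)[src]))
```

The analysis tolerates the malformed line instead of stopping, which matters when the same script is pointed at a day's worth of real firewall output.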
Explore
Refer to information from the device manufacturers (e.g. Cisco) on how to interpret log messages from devices such as routers and firewalls:
Log servers
Log servers centralise and store logs from various network devices, applications, and security tools. They facilitate efficient analysis, correlation, and storage of threat data, aiding in detecting patterns and anomalies. Log servers play a vital role in incident response, compliance, and overall cybersecurity by providing a consolidated view of diverse log sources.
Logging network flows
Logging network flows involves recording data about communication sessions between devices, including source and destination IP addresses, ports, and duration. Analysing flow logs aids in detecting abnormal patterns, identifying potential threats, and enhancing network security. This data is valuable for incident response, forensic analysis, and proactive threat mitigation.
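As an added example (not part of the original course material), the following Python script parses flow records carrying the fields named above (source and destination addresses, ports, and duration, plus packet and byte counts as commonly exported) and applies two simple checks an analyst might run over them: sources whose total byte volume stands far above the median of their peers, and sessions that run unusually long. The records are constructed in a CSV layout modelled on typical flow-export fields and are not output from a real collector; the factor of 10 and the 600-second limit are assumed tuning values.

```python
import csv
import io
import statistics

# Constructed flow records in a CSV layout modelled on common flow-export
# fields (not output from a real NetFlow collector).
SAMPLE_FLOWS = """\
start,src,dst,proto,sport,dport,packets,bytes,duration_s
2024-03-01T09:00:00Z,10.0.0.5,192.0.2.20,tcp,50211,443,40,18200,3
2024-03-01T09:00:04Z,10.0.0.6,192.0.2.20,tcp,50987,443,35,16900,2
2024-03-01T09:00:10Z,10.0.0.7,192.0.2.25,udp,40001,53,2,180,0
2024-03-01T09:01:00Z,10.0.0.5,192.0.2.21,tcp,50212,443,38,17600,3
2024-03-01T09:02:00Z,10.0.0.9,203.0.113.50,tcp,51000,443,9000,6400000,1900
2024-03-01T09:03:00Z,10.0.0.6,192.0.2.22,tcp,50988,80,30,14000,2
"""


def parse_flows(text):
    """Read flow records from CSV text, converting numeric fields to int."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "packets", "bytes", "duration_s"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def bytes_by_source(flows):
    """Total bytes sent per source address across all of its flows."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"]
    return totals


def flag_volume_outliers(flows, factor=10):
    """Sources whose total bytes exceed `factor` times the median per-source total.

    Comparing against the median rather than the mean keeps one very large
    transfer from dragging the baseline up with it. `factor` is an assumed
    tuning value.
    """
    totals = bytes_by_source(flows)
    if not totals:
        return []
    baseline = statistics.median(totals.values())
    return sorted(src for src, total in totals.items() if total > factor * baseline)


def flag_long_sessions(flows, max_seconds=600):
    """(src, dst, duration) for flows lasting longer than `max_seconds`
    (an assumed tuning value)."""
    return [
        (f["src"], f["dst"], f["duration_s"])
        for f in flows
        if f["duration_s"] > max_seconds
    ]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("volume outliers:", flag_volume_outliers(flows))
    print("long sessions:", flag_long_sessions(flows))
```

Both checks are deliberately coarse; in practice the baseline would be computed from a longer history and per host role, but the shape of the analysis is the same.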
The following video explains how network packet data can be captured and analysed to identify network protocol header information.
Collecting reported events
User access logs
The following video outlines how authentication, authorisation and accounting systems work and what information will be captured in logs collected from these systems.
Access Control Systems
The following video introduces the basic industry terms and definitions used in access control systems.
Practice
Read through the Guidelines for System Monitoring | Cyber.gov.au to find out the types of event logs that should be retained to facilitate system monitoring, hunting and cyber security incident response activities.
Using NetFlow in Cisco Packet Tracer
In Cisco Packet Tracer, NetFlow is a network monitoring feature that enables the collection and analysis of IP traffic data. It provides insights into network traffic patterns, helping troubleshoot issues, optimise performance, and enhance security by identifying and mitigating anomalies in the flow of data within the simulated network environment.
Challenge activity
The following video outlines a challenge activity. Complete the activity using the Cisco Packet Tracer file provided with the video resources.
Download the exercise files from the video Challenge: Using NetFlow in Packet Tracer in LinkedIn Learning.
Solution
How did you go?
Congratulations on completing the topic Gather threat data. You should now understand what is involved in establishing data log requirements and collecting security device logs, and have hands-on skills in using the network simulation software Cisco Packet Tracer.
In this topic, you learnt about:
- data log requirements
- strategies for processing data
- collecting information from network devices
- using NetFlow in Cisco Packet Tracer.
Assessments
Now that you have learnt the basic knowledge and skills for this module, you are ready to complete the following assessment event.
Assessment 3 (Portfolio)