Written by Joel John Fernandes, Senior Product Marketing Analyst at ManageEngine
IT security managers lay a lot of emphasis on conducting log forensics investigations. According to the SANS 2013 Digital Forensics Survey, 57% of the respondents said that they conduct forensic investigations to “find and investigate incidents as they are occurring” and 75% of the respondents said they conduct forensic investigations to “find and investigate incidents after the fact”. Detecting the activity of hackers is never easy. Enterprises may have the best of network security solutions to detect network anomalies and threats, but critical resources still continue to get compromised.
All IT security managers have to put themselves in the shoes of Mr. Sherlock Holmes to solve cyber crime cases. They have to think and act like the cyber criminals by finding out the ways in which the criminal could have accessed the network resources.
The cyber criminal can be tracked easily by reconstructing the cyber crime scene in its entirety. Once the cyber crime scene is recreated, the IT security manager can get the criminal’s complete activity trail, which can answer the “what, who, when, where, and how” of all the security incidents that happened on the network. So the big question now is, how can IT security managers reconstruct the entire cyber crime scene?
Reconstructing the Cyber Crime Scene
The only way IT security managers can reconstruct the cyber crime scene is by performing forensics investigations on the log data generated by the IT infrastructure.
IT security managers need to conduct forensics investigations by searching and analysing their log data. All attackers leave traces, and the log data is the only thing that can help IT security mangers identify the cause of the breach.
Log data contain the digital fingerprints left by everyone who accessed the network systems, devices, and applications. By effectively analysing log data, IT security managers can pinpoint the exact log entry that caused the security breach, find the exact time at which the corresponding security event had happened, who initiated the activity, and the location from where the activity originated. These digital fingerprints help in completely recreating the crime scene.
Log data forensics analysis reports can also be used as evidence in a court of law. IT security managers should leverage the network security intelligence provided by the log data generated by their network infrastructure.
Here are two critical prerequisites for effective log forensics investigations:
1. Collect log data in a central place
All log data from network systems – e.g., Windows systems, Unix/Linux systems, applications, databases, routers, and switches – should be aggregated in a central place for effective reporting, security, and forensics analysis.
2. Archive log data for at least a year
Log data collected from all network systems must be archived for at least one year, and the stored log data should be easily accessible for forensics investigations.
To meet those prerequisites, IT security managers need to automate their log management. After all, manually collecting and archiving log data in a central place for forensics investigations is virtually impossible given the sheer volume of event records that are typically generated on a daily basis. It would simply take too much time and too many IT staff members.
Once automated, the forensics investigations process can be simplified and accelerated. IT security managers can type certain keywords or some logic related to the cyber crime and get the answer in seconds. They can easily dive into the log data and freely search across the entire network infrastructure within seconds. When they eliminate the painful process of manually searching through the logs, IT security managers are able to recreate the every facet of the cyber crime scene and crack the case.
The efficient way to perform a forensic investigation is by equipping the IT security managers with a powerful log forensics tool to investigate log data and instantly generate forensic reports, which can be used as evidence in the court of law. The log forensics tool should let IT security managers collect and archive log data in a central place, so they can reconstruct the entire crime scene with ease.
