Q

How to check for attack data on network logs without SIMs

If you don't have a lot of time, but you also don't have a SIM, how can you regularly check for attack data in network logs? Network security expert Mike Chapple gives best practices.

What are some best practices that can help me regularly check for attack data in network logs without using a SIMs product and without spending an eternity staring at log data?

Network logs are a treasure trove of security data. It's true that security information and event management (SIM or SIEM) systems provide an easy and effective way to analyze logs, but they also come with a price tag. Fortunately, there are ways you can detect network attacks without purchasing a SIM. Here are some examples:

  • Use an intrusion detection system. IDSes provide the most reliable, time-tested way to search for signs of intrusion on an enterprise network. If the organization doesn't have the budget to purchase a commercial IDS, consider using a free product like Snort.
  • Mine network logs. As you point out, it's impossible to spend an eternity staring at log data. You'll go cross-eyed before you make any sense of it. However, scripts can be written to do the heavy lifting. This approach will require knowledge of a programming language as well as a good idea of what types of events are of interest to you. For example, you might write a Perl script that searches the network logs for signs of an unauthorized IP address appearing on a restricted network.
  • Watch for anomalies. You can also use software (home-brewed or commercial) that learns the patterns of normal behavior on your network and alerts you to deviations. For an example of this approach, read my paper Authentication Anomaly Detection: A Case Study on a Virtual Private Network.

If your budget can swing it, I'd strongly recommend the purchase of a commercial SIM product, as it will save hours of work, but it is indeed possible to cobble together a similar solution with tools such as those described above.
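The log-mining script described in the second bullet above, sketched as an added example that is not part of the original answer and written in Python rather than Perl. The restricted subnet, the allowlist, the log format and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed values (not from the article): restricted subnet and its allowlist.
RESTRICTED_NET = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED = {ipaddress.ip_address(a) for a in ("10.20.30.5", "10.20.30.6")}

# Constructed sample log in a firewall-like key=value layout.
SAMPLE_LOG = """\
2009-03-02T08:00:01 fw1 ACCEPT SRC=10.20.30.5 DST=10.20.30.6 PROTO=TCP DPT=1433
2009-03-02T08:00:07 fw1 ACCEPT SRC=10.20.30.77 DST=10.20.30.6 PROTO=TCP DPT=1433
2009-03-02T08:01:12 fw1 DROP SRC=192.168.1.50 DST=10.20.30.6 PROTO=TCP DPT=22
2009-03-02T08:02:30 fw1 ACCEPT SRC=10.20.30.77 DST=10.20.30.5 PROTO=TCP DPT=445
2009-03-02T08:03:00 fw1 ACCEPT SRC=999.1.1.1 DST=10.20.30.6 PROTO=TCP DPT=80
garbage line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<action>\S+)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
)

def find_unauthorized(lines):
    """Return (hits, skipped). hits maps each non-allowlisted source IP that
    sent traffic into the restricted subnet to its count, first/last timestamp
    and firewall actions. Lines are assumed to be in chronological order."""
    hits, skipped = {}, 0
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1          # count it: a format change must not go unnoticed
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            skipped += 1          # malformed address field
            continue
        if dst in RESTRICTED_NET and src not in AUTHORIZED:
            rec = hits.setdefault(str(src), {"count": 0, "first": m["ts"],
                                             "last": m["ts"], "actions": set()})
            rec["count"] += 1
            rec["last"] = m["ts"]
            rec["actions"].add(m["action"])
    return hits, skipped

if __name__ == "__main__":
    found, bad = find_unauthorized(SAMPLE_LOG.splitlines())
    for ip, rec in sorted(found.items()):
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["actions"]))
    print("unparsed lines:", bad)
```

Run from cron against the previous day's log, a script like this reduces the daily review to a handful of lines; a rising count of unparsed lines is itself worth a look.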


This was first published in March 2009
