[This is a Guest Diary by Xavier Mertens] Handling log files is not a new topic. For a long time, people should know that taking care of your logs is a must have. They are very valuable when you need to investigate an incident. But, if collecting events and storing them for later processing is one point, events must be properly generated to be able to investigate suspicious activities! Let's take by example a firewall... Logging all the accepted traffic is one step but what's really important is to log all the rejected traffic. Most of the modern security devices (IDS, firewalls, web application firewalls, ...) can integrate dynamic blocklists maintained by external organizations. They are plenty of useful blocklists on the internet with IP addresses, domain names, etc... It's quite easy to add a rule on top of your security policy which says: |
Johannes 4478 Posts ISC Handler May 7th 2015 |
Thread locked Subscribe |
May 7th 2015 7 years ago |
I agree with the sentiment of knowing why an attacker was blocked as being very useful - it is always good to know why something is being done.
For whitelists that were generated at one organisation that I worked for, the comments field in the database indicated why an attacker was blocked. Depending on the type of attack, the capacity of your infrastructure, and other factors, top of list blocks may be required for those attackers that would otherwise exhaust resources of the WAF and/or Event Logging / Processing systems. Fortunately these aren't needed that often. |
Anonymous |
Quote |
May 7th 2015 7 years ago |
Sign Up for Free or Log In to start participating in the conversation!