How do you use logs to identify and analyze incident indicators and root causes?

Security monitoring and logging are essential practices for incident handling, as they help you detect, investigate, and respond to security incidents. Logs are records of events and activities that occur on your systems, networks, and applications, and they can provide valuable clues about the source, scope, and impact of an incident. In this article, you will learn how to use logs to identify and analyze incident indicators and root causes, and how to improve your logging capabilities and policies.

1 What are incident indicators and root causes?

An incident indicator is any sign or evidence that suggests a security incident has occurred or is in progress. For example, an indicator could be a suspicious network connection, a malware infection, a user account compromise, or a data breach. A root cause is the underlying factor or vulnerability that enabled the incident to happen. For example, a root cause could be a misconfigured firewall, a weak password, a phishing email, or a software bug. Identifying and analyzing incident indicators and root causes can help you contain, eradicate, and recover from an incident, as well as prevent or mitigate future incidents.

Add your perspective

Robert Helin

Marine Veteran and Security leader with 14+ years in risk management, compliance, and team leadership. Skilled in implementing and aligning security strategy with business goals and driving regulatory compliance.
Report contribution
The first indicator of any sort of incident is a deviation from the norm. Keeping this in mind, a good baseline of activity for every level of your environment needs to be established. To expand on the given examples, a "suspicious" network connection could be something as benign as a new webserver stood up for your supplier, but combine a new connection with a new timeframe, or new protocol usage, and now you have the beginnings of an incident worthy of further investigation. If your analysts do not have a solid baseline, there will be incidents that slip through the cracks. This is a project that begs for good log-keeping because, as we will see, logs are the lifeblood of incident identification.

Like

2 How to use logs to identify incident indicators?

Logs can be a useful tool for identifying incident indicators by providing information about events and activities that occurred on your systems, networks, and applications before, during, and after an incident. For example, logs can show who accessed your systems, what actions were performed, where the connections or requests came from and where they went to, and how your systems performed. To use logs to identify incident indicators, you need to collect and store logs from various sources such as operating systems, firewalls, routers, etc. Additionally, you need to correlate logs from different sources to get a comprehensive view of the incident and its impact. Log analysis tools or security information and event management (SIEM) systems can help with this process.

Add your perspective

Jonah Cummings

“. . .is this thing on?”
Report contribution
Use two-factor authentication to weed out false positives. If two independent systems both log the same event using different tools, it is likely that you are seeing a real incident.

Like

3 How to use logs to analyze root causes?

Logs can also help you analyze root causes by providing information about the factors or vulnerabilities that contributed to the incident. For instance, logs can demonstrate if your systems were patched and updated with the latest security fixes, if your users followed best practices for password management and data protection, if your security tools detected and blocked any malicious activity, or if your incident response plan was effective. To use logs to analyze root causes, you must review and compare logs from before, during, and after the incident in order to identify any gaps, inconsistencies, or anomalies that could explain how the incident happened and how it could have been prevented or mitigated. Additionally, root cause analysis tools or techniques such as fishbone diagrams, 5 whys, or fault tree analysis can be utilized to assist in this process.

Add your perspective

4 How to improve your logging capabilities and policies?

To maximize your logs for incident handling, you need to upgrade your logging capabilities and policies. Start by defining your logging objectives and requirements, such as what types of logs you need, how long you need to retain them, and how you will use them for incident handling. Then, configure your systems, networks, and applications to generate and capture accurate logs that meet your objectives. Additionally, implement a centralized log management system that can collect, store, and analyze logs from various sources. Establish a log retention policy that specifies how long you will keep your logs, where you will store them, how you will protect them, and how you will dispose of them. Moreover, review and audit your logs regularly to ensure they are complete, reliable, and secure. Logging plays an essential role in incident handling as it can help detect incident indicators and root causes. With the tips provided in this article, you can improve your logging capabilities and policies to boost your security posture and resilience.

Add your perspective

Cristian Ruvalcaba, CISSP, CCSP, MFA

Senior Cyber Security Technical Specialist at IBM | Cybersecurity Leader | Advisor and Mentor | Incident Response and Security Awareness Advocate | Technical and Security Evangelist |Writer/Author
Report contribution
While it is important to have a clear mission statement, or something to that effect, when defining a logging policy, it is also important to consider any regulation or compliance requirements that may exist for a given organization's business. While there are clear retention requirements set in some regulation and compliance definitions, an organization may need longer retention for internal purposes, or inversely, a lower retention requirement. If the retention requirement is lower, consider that there will likely be a need for multiple retention buckets, including one or more for those relating to regulation.

Like

How do you use logs to identify and analyze incident indicators and root causes?

1

2

3

4

1 What are incident indicators and root causes?

2 How to use logs to identify incident indicators?

3 How to use logs to analyze root causes?

4 How to improve your logging capabilities and policies?

Incident Handling

Rate this article

Thanks for your feedback

More articles on Incident Handling

More relevant reading