You've heard the question, "If a tree falls in a forest and no one is around to hear it, does it make a sound?" Whether or not it does, the question as it pertains to cybersecurity and log analysis can be re-worded a bit: "If an event is created in your logs and no one is around to review it, does it create a problem?"
Well, how about if you ARE around to review it? Will you know if it's normal or an anomaly? Ultimately, the only way to know if something is normal or not is having the ability to define its context. Sure, some events are malicious, no matter what. That SSH connection out to that IP in Latvia that's on a residential network with no known good purpose... yeah, that's always bad. But what about that HTTPS connection out to China? Is all browsing to China bad? No. Some very reputable companies have web servers in China (which is another whole discussion).
Reference.com defines context as "the set of circumstances or facts that surround a particular event, situation, etc." One of the most critical criteria for determining whether an event is malicious, when analyzing network log events, is the context in which it occurred. One way to get a better understanding of your network's behavior is to baseline it over time. If you develop your network traffic baseline and confirm that the events in that baseline are expected and authorized, then you can spend less time looking at the noise on your network and more time looking at the events that do not fit your baseline.
With that baseline, you can then examine the context of the events. Let's take a Google search. A Google search, you say? How can context identify a malicious Google search? Let's assume that you find in your logs a query to Google for "disable ATM alarm." Now, if this Google search was generated from a branch manager's PC in the middle of the day, while the ATM alarm was going off after a vehicle knocked it over, that's likely not malicious. But what about that same search performed from a device connected to your wireless guest network at 2 am? Yep. That's context.
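As an added illustration (not code from the original post), here is how the baseline-then-context idea above might be scripted over a few constructed log lines: the zones, business hours, and watch terms are assumptions that a real deployment would tune to its own baseline.

```python
import shlex
from datetime import datetime

# Constructed log lines (not from the post): a timestamp, then key=value pairs.
BASELINE_LOGS = """
2024-03-01T09:12:00 src=10.1.20.15 zone=branch-lan dst=www.google.com q="branch hours"
2024-03-01T13:40:00 src=10.1.20.22 zone=branch-lan dst=mail.example.com
2024-03-02T11:05:00 src=10.9.0.41 zone=guest-wifi dst=www.google.com q="coffee nearby"
2024-03-03T15:30:00 src=10.1.20.15 zone=branch-lan dst=www.google.com q="atm out of service sign"
""".strip().splitlines()

NEW_LOGS = """
2024-03-04T10:15:00 src=10.1.20.15 zone=branch-lan dst=www.google.com q="disable ATM alarm"
2024-03-05T02:03:00 src=10.9.0.77 zone=guest-wifi dst=www.google.com q="disable ATM alarm"
2024-03-05T14:20:00 src=10.1.20.22 zone=branch-lan dst=203.0.113.7
2024-03-05T14:21:00 src=10.1.20.22 zone=branch-lan dst=mail.example.com
""".strip().splitlines()

UNTRUSTED_ZONES = {"guest-wifi"}      # assumption: the guest segment is low-trust
WATCH_TERMS = ("disable atm alarm",)   # assumption: search terms worth a second look
BUSINESS_HOURS = range(7, 20)          # assumption: 07:00-19:59 is the normal workday

def parse(line):
    """Split one line into a dict; shlex keeps quoted query strings intact."""
    ts, *pairs = shlex.split(line)
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def build_baseline(lines):
    # The baseline is every (zone, destination) pair seen in the known-good window.
    return {(e["zone"], e["dst"]) for e in map(parse, lines)}

def classify(line, baseline):
    """Score distance from the baseline plus the context the post describes."""
    e = parse(line)
    score = 0
    if (e["zone"], e["dst"]) not in baseline:
        score += 2                                  # pair never seen during baselining
    if e["ts"].hour not in BUSINESS_HOURS:
        score += 1                                  # off-hours activity
    if e["zone"] in UNTRUSTED_ZONES:
        score += 1                                  # low-trust source segment
    if any(t in e.get("q", "").lower() for t in WATCH_TERMS):
        score += 1                                  # sensitive search term
    return "baseline" if score == 0 else "review" if score == 1 else "investigate"

def triage(new_lines, baseline_lines):
    """Return (timestamp, verdict) for each new event judged against the baseline."""
    baseline = build_baseline(baseline_lines)
    return [(line.split()[0], classify(line, baseline)) for line in new_lines]
```

Run against the constructed data, the daytime branch search lands in "review", the 2 am guest-network search and the never-seen destination land in "investigate", and the routine mail connection stays in "baseline".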
As you can imagine, in our Tyler Detect log-analysis-as-a-service, we use context and baselines heavily. The big advantage to using Tyler Detect over doing it yourself is that we have baselines for numerous clients and industries. We can compare the context of your network traffic to the events that occur in other networks, too. If you're doing it yourself, it's a bit tougher to answer the question "am I being targeted?"
Remember: it's always easier to hear a conversation from across the room in church than it is in a nightclub. By filtering out the noise with a good network baseline, you will hopefully be able to hear those bad conversations from across the room.
The Key to Cyber Threat Detection - Log Analysis Guide Download
Learn how log analysis can help you protect your information assets and detect network threats. Our informative Log Analysis Guide will walk you through the basics of log analysis - why it matters, what it can tell you, and how to do it. You’ll also learn about the five important aspects of a successful log analysis process.
Image courtesy of David Castillo Dominici at FreeDigitalPhotos.net.