Logs Matter!

Larry Bensky
March 29, 2021

The pandemic has reshaped how we work and, more importantly, where we work. With home offices becoming the norm, it is imperative that we look at how to keep our information safe and our networks secure against malicious activity. This is where logs come into play. Logs are records of events that happen on a computer or network device, triggered either by a person or by a running process. They let you reconstruct what happened and troubleshoot problems.

Why are logs so important? The data logged by almost any system can reveal a great deal, and router and firewall logs are especially informative. Reviewing them is the most direct way to find out what your network has been doing all day. The log data can show how many times a connection was established to a given site or IP address and how many bytes were transmitted to it or received from it. You can then aggregate that data by source, by destination, by direction, or in whatever other form is useful to you.

For example, if you have a home automation system or a DIY alarm, you may notice a large number of connections and a steady flow of data to and from a particular IP address. You can then drill down to see at what times it is sending and receiving data and whether those times correspond to a daily or otherwise noticeable event. Another good check is reviewing which servers your applications are communicating with, where in the world those servers are, and how many times a connection is established to each; the logs will also show which ports are being used. This may reveal which countries are involved in storing your data, which you may choose to act on. Most enterprise firewalls can geo-block, meaning you can block selected countries from reaching your network and block your network from communicating with selected countries. Standard home routers usually lack a geo-block option, but many let you block IP ranges, which achieves the same result more tediously. Ultimately, it is possible to defend a home network with a little bit of work.

Analyzing router or firewall logs will also reveal how much bandwidth each device on the network is using. If, for instance, a device is moving data around the clock even though nobody is using it, that may be a sign of a compromised device, or of a rogue application running on it. In any event, router and firewall logs can be very revealing about your network's inner workings. One essential check is reviewing your Wi-Fi logs to verify which devices are connected; you may find a rogue device. It is always good to know what your network is communicating with and which devices are connected at all times.
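The kind of summary described above, written out as an added example that is not code from the original post. The script parses a handful of constructed firewall log lines in an assumed key=value layout (real routers and firewalls each use their own syslog format, so the regex would need adapting), then aggregates connections, bytes and ports per destination, totals bytes per internal device, and flags source/destination pairs that check in at a near-constant interval, which is the telltale of a device phoning home, whether legitimately or not. The IP addresses are documentation ranges and the traffic pattern is invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed key=value format; not output from any real device.
# 192.168.1.42 plays a home-automation hub, 192.168.1.20 a laptop.
SAMPLE_LOG = """\
2021-03-29T08:00:05 src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp sent=512 recv=2048
2021-03-29T08:02:17 src=192.168.1.20 dst=198.51.100.7 dport=443 proto=tcp sent=9120 recv=412000
2021-03-29T08:05:05 src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp sent=512 recv=2048
2021-03-29T08:10:06 src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp sent=512 recv=2048
2021-03-29T08:11:40 src=192.168.1.20 dst=198.51.100.7 dport=80 proto=tcp sent=300 recv=1500
2021-03-29T08:15:05 src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp sent=512 recv=2048
2021-03-29T08:20:04 src=192.168.1.42 dst=203.0.113.10 dport=443 proto=tcp sent=512 recv=2048
2021-03-29T09:03:12 src=192.168.1.42 dst=192.0.2.9 dport=8883 proto=tcp sent=1400 recv=900
2021-03-29T09:47:51 src=192.168.1.20 dst=198.51.100.7 dport=443 proto=tcp sent=7000 recv=250000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) sent=(?P<sent>\d+) recv=(?P<recv>\d+)$"
)


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    for key in ("dport", "sent", "recv"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_by_destination(records):
    """Per destination IP: connection count, bytes each way, ports used, and hour-of-day histogram."""
    summary = defaultdict(lambda: {"connections": 0, "sent": 0, "recv": 0,
                                   "ports": set(), "hours": defaultdict(int)})
    for r in records:
        s = summary[r["dst"]]
        s["connections"] += 1
        s["sent"] += r["sent"]
        s["recv"] += r["recv"]
        s["ports"].add(r["dport"])
        s["hours"][r["ts"].hour] += 1
    return dict(summary)


def bytes_by_device(records):
    """Total bytes moved by each internal device; an always-busy idle device stands out here."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["sent"] + r["recv"]
    return dict(totals)


def find_beacons(records, min_connections=4, jitter_seconds=30):
    """Flag (src, dst) pairs whose connections recur at a nearly fixed interval.

    Metronome-like check-ins are typical of automation hubs phoning home and of
    malware command-and-control alike; either way the pair deserves a closer look.
    Returns (src, dst, average interval in seconds) for each flagged pair.
    """
    times = defaultdict(list)
    for r in records:
        times[(r["src"], r["dst"])].append(r["ts"])
    beacons = []
    for (src, dst), ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= jitter_seconds:
            beacons.append((src, dst, round(sum(gaps) / len(gaps))))
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for dst, s in sorted(summarize_by_destination(recs).items()):
        print(f"{dst:15} conns={s['connections']} sent={s['sent']} recv={s['recv']} "
              f"ports={sorted(s['ports'])} hours={dict(s['hours'])}")
    print("bytes per device:", bytes_by_device(recs))
    print("beacons (src, dst, avg seconds):", find_beacons(recs))
```

On the sample data the hub's every-five-minutes contact with 203.0.113.10 is reported as a beacon, while the laptop's irregular browsing to 198.51.100.7 is not. Whether a flagged pair is benign is a judgment call: look up the destination, check which port it uses, and decide whether the schedule matches something you expect the device to do.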

Now that we have established how important log data is, you may be wondering how to turn that data into information. There are many options; Splunk and Elasticsearch (the ELK stack) are two of the most popular. You could also write your own log analyzer tailored to your specific needs, and some firewalls provide built-in reporting features.

Here are some tips for handling your log data:

  • Store the logs in a safe place to prevent tampering.
  • Decide which logs you will collect and over what time periods. (Hint: start small.)
  • Establish roles if there are multiple people; decide who will gather the logs, who will analyze, and who will disseminate the information.
  • For businesses that collect logs, both the logs and the reports produced from them will have to be retained for a defined period.
  • Have a plan of action for when a log reveals suspicious activity. 

Considering that most people (if not all) are working from home, interrogating the logs of your home office network has never been more important. The two example graphs below show the kind of view that can be used to judge the health of a home office network.

While no system or analysis is perfect, it is better to have some understanding of what your network is doing than not knowing anything at all. We must all play our part in securing our information and ensuring there are no data leaks. Remember the adage, “The best defense is a good offense” and stay safe!
