...
2017 was a watershed year for cybersecurity. In the wake of highly publicized breaches like the Equifax hack, new vulnerabilities like Spectre and Meltdown, and widespread ransomware attacks, many Carleton users have asked what ITS is doing, in particular what monitoring and logging we do, to stay aware of what is happening on our network and keep users as safe as we reasonably can.
...
Individual machines (Linux servers, Windows servers, and Windows desktops) also log what they are doing, locally. There are, for one thing, antivirus and local firewall logs. There are also general system logs. These latter logs are written not only to local disk, but also forwarded to a central syslog server, then on to a central repository (Splunk). Every time a Windows machine executes a program, that is also recorded separately, along with the policy that applies to it (AppLocker). ITS knows nothing about what the programs are really doing; we use only the basic information provided in logs to detect malware-related infestations, and to perform forensics when and if hostile activity is discovered.
Log data forwarded to Splunk is particularly useful in detecting campus-wide events, and for looking back to see what happened, even if attackers have erased logs on the machine(s) they attacked to cover their tracks. Forwarded log data also allow us to infer what “normal” behavior is and construct alerts when something abnormal is detected, like a login from a staff member in France, and a login from that same person a few minutes later in China. The number of people who can perform this sort of analysis and set up alerts is very limited (a few core systems staff and the IT security officer), and once set up, the alerts only fire when an anomaly is detected. When that happens, ITS's analysis process brings in only what detail is needed in order for us to take appropriate action: verifying that the anomaly is in fact due to compromise, informing users as needed, and locking applicable accounts temporarily to prevent anything worse from happening.
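The France-then-China case above is the classic "impossible travel" alert. The following is an added illustration of how such a rule can be computed over centralized login records; it is not ITS's or Splunk's own alert logic, the login records are constructed sample data, and the 1000 km/h plausibility threshold is an assumed value.

```python
import math
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample login records: (user, UTC timestamp, city, lat, lon).
# Stand-ins for geolocated authentication events in a central log repository.
SAMPLE_LOGINS = [
    ("astaff", "2018-01-10T09:00:00", "Paris, FR", 48.8566, 2.3522),
    ("astaff", "2018-01-10T09:07:00", "Beijing, CN", 39.9042, 116.4074),
    ("bstaff", "2018-01-10T08:30:00", "Northfield, US", 44.4583, -93.1616),
    ("bstaff", "2018-01-10T14:15:00", "Minneapolis, US", 44.9778, -93.2650),
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: faster than any airliner

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alerts for consecutive logins by one user that would require
    travelling faster than max_kmh. Each alert: (user, from_city, to_city, kmh)."""
    by_user: Dict[str, List[Tuple[datetime, str, float, float]]] = {}
    for user, ts, city, lat, lon in logins:
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # order by timestamp so only true neighbours are compared
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            dist = haversine_km(la1, lo1, la2, lo2)
            # Two distant logins in the same second are implausible; avoid dividing by zero
            speed = dist / hours if hours > 0 else float("inf")
            if dist > 0 and speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print("ALERT impossible travel:", alert)
```

The alert carries only the user, the two locations and the implied speed, which is the minimal detail an analyst needs to start verifying whether the account is actually compromised.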
...