SPARK
With expandable text option.
SysLog Best Practice:
Bad, Better, and the Best.
In this case a new IT team member has configured the firewall in a haste to catch up a sudden go live, orgets to enable Security profiles for all the allow-traffic policies as his priority at that moment to ensure seamless traffic flow. Standard security profiles include anti-virus, anti-malware, Vulnerability checks, URL Restrictions etc. Things ran smoothly in the business for the next 6 months, and everyone was under the perception that all is well. Suddenly an incident rattled the business as usual which was mapped to a cyber attack. The legal team assigned the task of investigation to a third party, whose first step is to seek access to the log files of all the firewalls for the previous 6 months till the point of time of the incident. The IT team gave all the log files of the other devices which maintained logs except the one which let them down as logging was not enabled. The root cause could not be established satisfactorily with evidence, and this is a bad precedent.
In another case a Sr. IT team member, enables
Syslog server profile and configured syslog server and enables some Log settings out of 6, forgets to enable rest. The business IT operations run smoothly from the next 3 quarters and an incident seems to be suspected cyber attack. The legal team assigns the investigation to a third party and they gain access to all the log files for each firewall. The investigators analyze all the logs and discover that a particular firewall has logs that did not consider certain parameters and hence they arrived at the vulnerability that’s the root cause. They provide remediation roadmap and curative recovery measures to contain the loss in a reactive approach post the incident. This is a better yet mediocre precedent.
In another case a seasoned IT team member, enables Syslog server profile and configured syslog server and enables some Log settings out of 6, forgets to enable rest. Fortunately the business has subscribed to SPARK(Security Profiling, Assessment
Remediation Kit) and runs scans on firewall syslog configurations whenever there is a change. SPARK analyzes the configuration and ensures syslog is enabled and correctly configured or not, that is, if all the ideally recommended parameters are considered or not. It generates a report that clearly precisely identifies which parameters of the syslog haven’t been considered. Additionally, SPARK generates a score which in this case will not be as impressive and high as the case where all the parameters are considered inside syslog configuration. This is a just-in-time ulnerability detection and a remediation recommendation that helps the business to avert risks and related issues emanating from that root cause. Thus preventing downtime, disruption of operations, without denting the image of the business among customers and investors.
This is the best precedent averting the risks from maturing into serious issues.