Penn Computing

Wednesday, October 18, 2017

Security Logging Service

Service Description

Penn's critical hosts and applications are distributed across its Schools and Centers. Unfortunately, only a small portion of security problems can be proactively identified using external scans. The rest must be observed by logging and monitoring system-level events.

ISC provides the Security Logging Service to make this monitoring easier for Penn's system owners and to allow ISC Information Security to more quickly and effectively observe compromises and campus-wide threats.

ISC is offering the Security Logging Service at no charge for security-relevant data.


You are invited to participate in this Service, which is intended to:

  • Provide a secure, centralized repository for storing security-relevant logs from different sources (Windows, Linux, Apache, etc.).
  • Provide a platform from which to search, view, analyze, alert and report on security events in order to spot anomalies.
  • Provide Information Security a campus-wide view of system events, to help more effectively detect and alert on threats to campus systems and data.

By participating in the Security Logging Service, you'll be helping both your School or Center and the Penn community better understand and address the security risks affecting its systems.

How it Works

The service is based on Splunk, a powerful tool for collecting and analyzing machine data. To learn more about how Splunk can be used to understand system events, visit Splunk's website on machine data.

Your systems must first be configured to send filesystem, network, and application logs to the Security Logging Service. This is usually done through either:

  • A forwarding agent installed on your host, sending its logs to the Security Logging Service.
  • Sending syslog events to a server running a forwarding agent, which then relays them to the Service.

ISC will work with you to find the best means for getting your system logs into the Service. Once your systems are reporting logs, you will be given access to the Service, where you will be able to search your logs using the Splunk Search Processing Language as well as visualize security-relevant events associated with common platforms or applications (Windows, Linux, Apache) using several basic pre-made dashboards.

How do I join?

  1. Review the Terms of Service (below).
  2. Contact with the following information:
    • The number of hosts you'd like to have submit logs.
    • The operating systems your hosts are running.
    • The filesystem, network and application logs you'd like to send to the Service.
    • The approximate daily volume of log data you anticipate sending to the Service.
  3. ISC Technology Services will contact you to discuss how logging will be implemented in your environment.
  4. Once a deployment plan has been finalized between your office and ISC, ISC Technology Services will provide instructions on how to configure your hosts to send data to the service.
  5. You and your IT staff will be given credentials to access your data.

What Events to Log

Deciding what events to log and send to the Security Logging Service will vary greatly between systems and organizations. In general, ISC Information Security recommends beginning by logging the following types of events:

  • Authentication events (e.g. log-ins).
  • Event logs that can provide visibility into anomalous behavior (e.g. error logs).

For additional, more detailed descriptions of log sources and types, please refer to the Security Logging Guidance document.
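
The following Python example is added here and is not part of ISC's service or documentation. It sorts syslog lines into the two event types recommended above and extrapolates the daily volume of the selected lines, which is the figure requested when joining. The sample log lines, the list of authentication programs and the error keyword pattern are constructed assumptions to adapt per host.

```python
import re
from datetime import datetime

# Constructed sample in classic syslog format (hosts, users, IPs are made up).
SAMPLE_LOG = """\
Oct 18 09:00:01 web01 sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Oct 18 09:00:07 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Oct 18 09:01:30 web01 CRON[2290]: (root) CMD (run-parts /etc/cron.hourly)
Oct 18 09:02:12 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart apache2
Oct 18 09:03:45 web01 apache2[2301]: [error] File does not exist: /var/www/html/favicon.ico
Oct 18 09:05:00 web01 systemd[1]: Started Session 42 of user alice.
Oct 18 09:10:01 web01 sshd[2350]: Failed password for root from 198.51.100.7 port 40100 ssh2
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) ([^\s:\[]+)(?:\[\d+\])?: (.*)$")
AUTH_PROGRAMS = {"sshd", "sudo", "su", "login"}   # assumption: adjust per host
ERROR_RE = re.compile(r"\b(error|failed|failure|denied|critical)\b", re.I)

def classify(line):
    """Return 'authentication', 'error', or None (not selected for forwarding)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    program, message = m.group(3), m.group(4)
    if program.lower() in AUTH_PROGRAMS:
        return "authentication"
    if ERROR_RE.search(message):
        return "error"
    return None

def summarize(log_text, year=2017):
    """Count selected events and extrapolate their volume to bytes per day."""
    counts = {"authentication": 0, "error": 0}
    selected_bytes, stamps = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied for parsing.
        stamps.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
        category = classify(line)
        if category:
            counts[category] += 1
            selected_bytes += len(line.encode()) + 1   # +1 for the newline
    window = (max(stamps) - min(stamps)).total_seconds() if stamps else 0
    per_day = selected_bytes * 86400 / window if window else None
    return counts, selected_bytes, per_day

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it over a representative slice of a real log (a full day is best) so the extrapolation reflects daily peaks rather than a quiet ten minutes.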

Terms of Service

  • ISC asks that you prioritize forwarding logs from your registered Critical Components, should you have any.
  • The Security Logging Service is being provided as-is, and its searching and alerting capabilities are designed to augment, not replace, existing School/Center IT and business processes.
  • ISC will be evaluating aggregate logs from all hosts reporting to Splunk in order to identify trends and alert on possible signs of compromise or attack across campus.
  • ISC will work with log providers to better analyze the security implications of an event or series of events to the extent possible based on available resources. This will include collaborative investigation to identify and reduce false positives and/or true negatives.
  • The saved searches provided by ISC are meant to guide system owners' use of Splunk for security monitoring. System owners are encouraged to develop their own searches to better understand their systems' security and performance issues.
  • Positive results for searches compiled by ISC are not confirmation that security events have occurred, are occurring, or will occur on a given system.
  • Similarly, the absence of results for searches compiled by ISC does not mean that security events have not, are not, or will not take place on your system.
  • ISC has purchased a Splunk license permitting us to index up to 250GB of data per day. While we do not anticipate exceeding this quantity during the pilot, should this happen we will work with the IT community to ensure that all Schools/Centers have an equal opportunity to try the service.
  • ISC can make no guarantees as to the length of time your logs can be retained during the pilot. This is due to variability in (a) the number of clients signing up for the service and (b) the volume of logs each client will be forwarding to the Service.
  • ISC is offering the Service to Penn IT departments at no charge for security-relevant logs.
  • While Splunk is a powerful data analysis and visualization tool, it is currently being provided for the primary purpose of assisting with the identification of information security-related events (e.g., identification of threats or compromise to Penn networks, systems and data). Other uses of the product are not supported by ISC at this time.
  • The Security Logging Service pilot is configured to preserve logs and events for 60 days.

Privacy Statement

The purpose of the Security Logging Service is to improve Penn's ability to detect and respond to threats to its information systems. As such, a best effort should be made by all parties to limit the amount of sensitive data being sent to the Service to just that necessary for detecting emerging threats and signs of compromise.

By configuring your hosts to send system logs to the Security Logging Service, you grant ISC permission to analyze the logs for signs of anomalous, suspicious, or malicious activity. Access controls provided by the Splunk product will logically separate your data from other clients' data. Other clients of the Service will not have access to your log data.

Information Systems and Computing
University of Pennsylvania