Listen to this Post
In a recent ransomware incident involving an insurance company, the police requested detailed firewall logs to aid their investigation. However, the company responded that their firewall log cache only retains data for 2-3 days, and since the incident occurred over the weekend, the logs were no longer accessible. This highlights a critical gap in their incident response preparedness.
Firewall logs are essential for reconstructing cyberattacks, identifying the attack vector, and understanding the scope of the compromise. Without adequate log retention, organizations risk losing valuable forensic evidence, which can hinder investigations and delay recovery efforts.
You Should Know:
1. Log Retention Best Practices:
- Ensure firewall logs are retained for at least 30-90 days, depending on regulatory requirements and organizational policies.
- Use centralized log management solutions like SIEM (Security Information and Event Management) to store and analyze logs efficiently.
2. Firewall Log Configuration:
- Enable logging for all traffic, including allowed and denied connections.
- Regularly review and adjust logging settings to capture critical events without overwhelming storage.
3. Linux Commands for Log Management:
- Use `journalctl` to view and manage system logs:
journalctl -u firewalld
- Rotate logs using `logrotate` to prevent disk space issues:
sudo logrotate /etc/logrotate.conf
4. Windows Commands for Log Management:
- Use PowerShell to query firewall logs:
Get-NetFirewallRule | Format-Table Name, Enabled
- Export logs for analysis:
Export-Csv -Path "C:\firewall_logs.csv" -InputObject (Get-NetFirewallRule)
5. SIEM Integration:
- Integrate firewall logs with SIEM tools like Splunk or ELK Stack for real-time monitoring and analysis.
- Example Splunk query for firewall logs:
index=firewall_logs | stats count by src_ip dest_ip action
6. Backup and Storage:
- Regularly back up logs to a secure, offsite location.
- Use cloud storage solutions like AWS S3 or Azure Blob Storage for scalable log retention.
What Undercode Say:
Firewall log retention is a cornerstone of effective cybersecurity incident response. Organizations must prioritize log management to ensure they have the necessary data to investigate and mitigate cyber incidents. By implementing best practices, leveraging SIEM tools, and regularly reviewing log configurations, businesses can enhance their security posture and reduce the risk of data loss during attacks. Remember, preparation is key—don’t wait for an incident to realize the importance of logs.
For further reading on log management best practices, visit:
– NIST Guidelines on Log Management
– Splunk Firewall Log Monitoring Guide
References:
Reported By: Stephan Berger – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
