MSSI 2015-2016 @ University of Luxembourg

Abstract

In flagrante delicto or "caught in the act" is the ideal situation for every security officer, be it in the physical or in the electronic world. Why is it so utopian ?

  • Good monitoring, logging, and data capture systems (SIEM, honeynet) that can provide needed information for a catch in real-time are not often implemented or used.

  • Further and more important issues are the legal aspects, especially in Europe, where strong privacy and data protection regulations disallow monitoring of employees' activities.

  • The grab to forensic analysis tools is quasi inevitable. Computer systems are huge and complex, changing very rapidly and even on well monitored environments things can hide, alarms can be miss leading, etc.

These lectures provide an initiation for meeting challenges and establishing capbilities for these two areas: log management & digital forensics.

A fundamental problem with log management that occurs in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data. Log generation and storage can be complicated by several factors, including a high number of log sources; inconsistent log content, formats, and timestamps among sources; and increasingly large volumes of log data. Log management also involves protecting the confidentiality, integrity, and availability of logs. Another problem with log management is ensuring that security, system, and network administrators regularly perform effective analysis of log data.

Digital forensic techniques can be used for many purposes, such as investigating crimes and internal policy violations, reconstructing computer security incidents, troubleshooting operational problems, and recovering from accidental system damage. Practically every organization needs to have the capability to perform digital forensics. Without such a capability, an organization will have difficulty determining what events have occurred within its systems and networks, such as exposures of protected, sensitive data.

Course details and slides