Reliable data is the basis for detecting, investigating and combating cyber threats. The focus here is not primarily on collecting data, but on the question of how visibility and actionable information can be gained by selecting, correlating and enriching that data.
Selecting the relevant metrics and deciding which information is to be stored and archived is a major challenge. The need has to be assessed specifically: where is the gain in information and security greatest? Building on this analysis, two logging frameworks, elastic and Graylog, were implemented and evaluated in a proof of concept at the Baselland Cantonal Hospital. A central logging and monitoring system was then set up on elastic (open source), which offers a uniform view of the data from and about critical systems. The system is highly available and fault-tolerant.
The unified view offers a SOC / security team valuable information based on Windows client and server logs as well as Exchange and Active Directory logs. The DNS infrastructure is also monitored, which makes it possible, for example, to identify which clients have resolved known malware domains. When an alert fires, security-related questions can be answered quickly and in a targeted way, providing the basis for initiating appropriate measures. Furthermore, instead of Microsoft's DNS server log, packetbeat from elastic is used to capture the DNS traffic on the wire, so that not only the queries handled by the service but also metadata about the service itself (e.g. DNS response times, unanswered queries) are available.
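The two DNS use cases described above, matching client lookups against a malware-domain list and deriving response-time metrics from packetbeat data, are shown here as an added example. This is not code from the hospital project; it assumes packetbeat's ECS-style DNS field names (dns.question.name, dns.response_code, client.ip, server.ip, event.duration in nanoseconds, absent when a query got no answer), and both the denylist and the events are constructed for illustration.

```python
"""Match packetbeat DNS events against a malware-domain list and summarise response times.

Added example, not part of the project described on the page. Field names follow
packetbeat's ECS DNS output as assumed by the author of this example; check them
against your packetbeat version. Denylist and events below are constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed denylist (hypothetical domains, not real indicators).
MALWARE_DOMAINS = {"evil-cdn.example", "c2.badactor.test"}

# Constructed packetbeat-style documents (flattened dotted keys, as Kibana shows them).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-10T08:00:01Z", "client.ip": "10.1.20.15",
     "server.ip": "10.1.0.5", "dns.question.name": "www.example.org",
     "dns.response_code": "NOERROR", "event.duration": 1_200_000},
    {"@timestamp": "2024-01-10T08:00:02Z", "client.ip": "10.1.20.15",
     "server.ip": "10.1.0.5", "dns.question.name": "update.evil-cdn.example",
     "dns.response_code": "NOERROR", "event.duration": 48_000_000},
    {"@timestamp": "2024-01-10T08:00:03Z", "client.ip": "10.1.30.7",
     "server.ip": "10.1.0.5", "dns.question.name": "c2.badactor.test",
     "dns.response_code": "NXDOMAIN", "event.duration": 3_500_000},
    {"@timestamp": "2024-01-10T08:00:04Z", "client.ip": "10.1.30.7",
     "server.ip": "10.1.0.6", "dns.question.name": "mail.example.org",
     "dns.response_code": "NOERROR", "event.duration": 900_000},
    # Assumed shape of a timed-out query: no response code and no duration.
    {"@timestamp": "2024-01-10T08:00:05Z", "client.ip": "10.1.40.2",
     "server.ip": "10.1.0.6", "dns.question.name": "evil-cdn.example.org"},
]


def is_blocked(qname, denylist):
    """True if qname equals a denylisted domain or is a subdomain of one.

    Suffix matching on label boundaries: 'evil-cdn.example.org' must NOT match
    'evil-cdn.example', because its parent domain is 'example.org'.
    """
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in denylist for i in range(len(labels)))


def find_malware_lookups(events, denylist=MALWARE_DOMAINS):
    """Return (timestamp, client ip, queried name, response code) per hit.

    The response code is kept because an NXDOMAIN still proves the client
    tried to reach the domain, which is what the investigation needs.
    """
    hits = []
    for ev in events:
        qname = ev.get("dns.question.name")
        if qname and is_blocked(qname, denylist):
            hits.append((ev["@timestamp"], ev["client.ip"], qname,
                         ev.get("dns.response_code", "NO_RESPONSE")))
    return hits


def response_time_stats(events):
    """Per DNS server: answered/unanswered counts and mean/max latency in ms.

    Events without event.duration are counted as unanswered rather than
    silently skipped, since a server that stops answering is itself a finding.
    """
    durations = defaultdict(list)
    unanswered = defaultdict(int)
    for ev in events:
        server = ev["server.ip"]
        if "event.duration" in ev:
            durations[server].append(ev["event.duration"] / 1_000_000)  # ns -> ms
        else:
            unanswered[server] += 1
    stats = {}
    for server in set(durations) | set(unanswered):
        d = durations.get(server, [])
        stats[server] = {
            "answered": len(d),
            "unanswered": unanswered.get(server, 0),
            "mean_ms": round(mean(d), 3) if d else None,
            "max_ms": round(max(d), 3) if d else None,
        }
    return stats


if __name__ == "__main__":
    for hit in find_malware_lookups(SAMPLE_EVENTS):
        print("ALERT malware domain lookup:", hit)
    for server, s in sorted(response_time_stats(SAMPLE_EVENTS).items()):
        print(server, s)
```

The same logic maps to an Elasticsearch query (a terms match on dns.question.name for the alert, an aggregation on event.duration per server.ip for the metrics); keeping it as plain functions here makes the label-boundary matching and the handling of unanswered queries explicit and testable.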