Central Logging And 5651 Solutions
> What is Act No. 5651? Act No. 5651 is a law enacted on 4 May 2007 to combat Internet crimes. It was expanded by the regulations published in October 2007 and November 2007, and with these regulations service providers and all organizations are obliged to record logs so that the offender can be traced and identified in cases of Internet crime.
> Who is covered by Act No. 5651? As a result of the amendments applied, Act No. 5651 covers the providers below.
1. Access Provider: Natural or legal person providing Internet access to its subscribers and to Internet bulk usage providers.
2. Host Provider: Natural or legal person providing and operating systems hosting service and content in Internet environment.
3. Content Provider: Natural or legal person generating, modifying and providing all kinds of data and information provided on Internet to the users.
4. Internet Bulk Usage Provider: Natural or legal person providing Internet usage to people at certain places and for a certain period of time.
5. Commercial Internet Bulk Usage Provider: Natural or legal person providing Internet bulk usage for a charge in Internet cafés or similar public places, and providing games installed on computers that improve knowledge and skills.
These providers cover the entities below:
- Content Providers; all organizations providing telecommunication services.
- Host Providers; all hosting companies providing HTTP, SMTP and FTP services and applications open to the Internet.
- Content Providers; all organizations providing services in the Internet environment.
- Internet Bulk Usage Providers; all organizations providing Internet service to in-house staff.
- Commercial Internet Bulk Usage Providers; all organizations providing Internet services for a charge.
> Which Logs Should We Record in the Scope of Act No. 5651? Under Act No. 5651, the following must be recorded: the activity logs of all servers and users of the company that have an Internet connection and exchange information over the Internet, so that the person who attacks can be identified; DHCP server logs, so that the in-house person behind a given connection can be identified; and other activity logs needed to identify people.
> Why Should We Record Logs? To perform information security management and to clarify any incident, records must be stored. This must be done in a central system built on the unassailability (integrity) principle, so that disputes that may arise later can be settled. The purpose of log recording is not only to detect events but also to generate important reports and to obtain reliable results about the observation and operation of the system. For this reason, log recording is a requirement in most of the standards governing the regular operation and reporting of systems (obligations such as PCI, SOX, COBIT, 27001, etc.).
> What Logs Should We Record? In general, the logs of firewall applications, e-mail servers, file servers, critical servers, the domain server, database servers, application servers, user web traffic, and all servers and applications open to the outside must be recorded.
> What is Event Management? Event management is generally defined as establishing and operating the mechanism that detects an incident within a given period of time by correlating the logs obtained from different sources and the record identifiers of the logs collected. An event management solution, called SIEM (Security Information and Event Management) or SEM (Security Event Management), aims to build the system that collects and examines records centrally.
> What are the considerations to pay attention to in Event Management? Since records are collected centrally, logs must be transmitted to the central system at the moment they are generated, completely, and without violating the unassailability (integrity) rules. The second consideration is the volume of records and the period for which they will be stored. A further consideration is the period for which logs will be kept active, meaning reachable in the system, versus the period for which they will be retrieved only on request. Standards impose different requirements, but common practice is to keep logs active for 3 months and accessible for 1 year. This information is important for sizing the disk capacity of the systems where records will be collected.
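The "unassailability" requirement above has a concrete technical meaning: once a record reaches the central store, any later modification, deletion or truncation must be detectable. The example below is added here to illustrate that; it is not code from the page or from any product it describes. It chains each record to its predecessor with SHA-256 and a sequence number (so edits, removals and reordering break the chain) and then seals the chain head with an HMAC. The HMAC key and the sample records are constructed for the demonstration; in a real deployment the chain head would be submitted to a time-stamping authority instead of being sealed with a local key.

```python
"""Tamper-evident central log store: SHA-256 hash chain plus sealed head.

Added example (not from the page). Sample records and the sealing key are
constructed for the demonstration.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64                      # hash of the (empty) chain before the first record
DEMO_KEY = b"constructed-demo-sealing-key"  # stands in for a time-stamping authority

# Constructed sample records, as a collector might receive them from agents.
SAMPLE_RECORDS = [
    {"ts": "2024-03-01T08:00:05", "src": "dhcpd", "msg": "DHCPACK 10.0.0.23 host-ayse"},
    {"ts": "2024-03-01T09:15:02", "src": "proxy", "ip": "10.0.0.23", "user": "ayse", "status": 403},
    {"ts": "2024-03-01T09:15:03", "src": "proxy", "ip": "10.0.0.23", "user": "ayse", "status": 403},
    {"ts": "2024-03-01T09:16:00", "src": "fw", "action": "deny", "ip": "10.0.0.23"},
]


def _digest(prev_hash: str, seq: int, record: dict) -> str:
    """Hash of (previous hash, sequence number, canonical JSON of the record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + str(seq).encode() + b"\n" + payload).hexdigest()


class ChainedLogStore:
    """Append-only store in which every entry commits to the entry before it."""

    def __init__(self):
        self.entries = []  # each entry: {"seq": int, "record": dict, "hash": str}

    def append(self, record: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "record": record, "hash": _digest(prev, seq, record)}
        self.entries.append(entry)
        return entry

    def seal(self, key: bytes) -> str:
        """HMAC over the current chain head; proves how long the chain was when sealed."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS
        return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()


def verify(entries, key=None, seal=None):
    """Return (ok, first_bad_seq). Recomputes the chain; optionally checks the seal.

    Detects modified records, removed or reordered entries and, when a seal is
    supplied, records silently dropped from the end of the chain.
    """
    prev = GENESIS
    for expected_seq, entry in enumerate(entries):
        if entry["seq"] != expected_seq:
            return False, expected_seq      # gap or reordering
        if entry["hash"] != _digest(prev, entry["seq"], entry["record"]):
            return False, expected_seq      # record or link was altered
        prev = entry["hash"]
    if key is not None and seal is not None:
        expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(seal, expected):
            return False, len(entries)      # head no longer matches the sealed head
    return True, None


def demo_scenarios():
    """Build the sample chain and show what each kind of tampering looks like."""
    store = ChainedLogStore()
    for rec in SAMPLE_RECORDS:
        store.append(rec)
    seal = store.seal(DEMO_KEY)
    results = {"intact": verify(store.entries, DEMO_KEY, seal)}

    modified = copy.deepcopy(store.entries)
    modified[1]["record"]["user"] = "someone-else"      # rewrite who did it
    results["modified"] = verify(modified)

    removed = copy.deepcopy(store.entries)
    del removed[1]                                      # drop an inconvenient record
    results["removed"] = verify(removed)

    truncated = copy.deepcopy(store.entries)[:-1]       # drop the newest record
    results["truncated_no_seal"] = verify(truncated)    # chain alone cannot see this
    results["truncated_with_seal"] = verify(truncated, DEMO_KEY, seal)
    return results


if __name__ == "__main__":
    for name, outcome in demo_scenarios().items():
        print(f"{name:20s} ok={outcome[0]} first_bad_seq={outcome[1]}")
```

The truncation case is why the chain head must be sealed (or time-stamped) regularly and not merely hashed: dropping the newest records leaves a perfectly valid shorter chain, and only an external commitment to the head reveals that entries are missing.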
> What is the benefit of Event Management?
With all records collected centrally, the system can provide:
- Alerting when a log is created in compliance with the rule defined
- Detection of behavior fitting to associated logs
- Detection of behaviors that are independent but meaningful when associated
- Collection of information about attacks, for intelligence purposes
- Tracking user activities
- Observation capability about security
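The first three benefits above, and the earlier point about keeping DHCP logs so that a connection can be tied to an in-house person, can be shown in a few dozen lines. The example below is an added illustration, not code from the page or from any product; the DHCP and proxy log lines are constructed, and the rule (three HTTP 403 responses from one client within 60 seconds) is a hypothetical one chosen for the demonstration. It parses both sources, applies a sliding-window rule to the proxy events, and when the rule fires it looks up which machine held that IP address at that moment, so the alert names a host rather than an address that may since have been reassigned.

```python
"""Rule-based alerting with DHCP attribution across two log sources.

Added example (not from the page). Log lines below are constructed and the
formats are simplified versions of ISC dhcpd and a generic proxy access log.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample DHCP log: note that 10.0.0.23 changes owner at 12:30.
DHCP_LOG = """\
2024-03-01T08:00:05 dhcpd: DHCPACK on 10.0.0.23 to 00:11:22:33:44:55 (host-ayse) via eth0
2024-03-01T08:00:09 dhcpd: DHCPACK on 10.0.0.24 to 66:77:88:99:aa:bb (host-mehmet) via eth0
2024-03-01T12:30:00 dhcpd: DHCPACK on 10.0.0.23 to cc:dd:ee:ff:00:11 (host-guest) via eth0
"""

# Constructed sample proxy access log: timestamp, client IP, status, method, URL.
PROXY_LOG = """\
2024-03-01T09:15:01 10.0.0.23 200 GET http://example.org/
2024-03-01T09:15:02 10.0.0.23 403 GET http://blocked.example/
2024-03-01T09:15:03 10.0.0.23 403 GET http://blocked.example/a
2024-03-01T09:15:40 10.0.0.23 403 GET http://blocked.example/b
2024-03-01T12:45:00 10.0.0.23 403 GET http://blocked.example/c
2024-03-01T12:45:10 10.0.0.24 200 GET http://example.org/
"""

LEASE_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) \((\S+)\)")
PROXY_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def parse_leases(text: str):
    """Return [(lease_time, ip, mac, hostname)] sorted by time."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line)
        if m:
            ts, ip, mac, host = m.groups()
            leases.append((parse_ts(ts), ip, mac, host))
    return sorted(leases)


def who_had(leases, ip: str, ts: datetime):
    """(mac, hostname) that held `ip` at `ts`: the latest DHCPACK at or before ts."""
    owner = None
    for lease_ts, lease_ip, mac, host in leases:
        if lease_ip == ip and lease_ts <= ts:
            owner = (mac, host)
    return owner


def owner_at(ip: str, iso_ts: str):
    """Convenience wrapper over the sample DHCP log for string timestamps."""
    return who_had(parse_leases(DHCP_LOG), ip, parse_ts(iso_ts))


def parse_proxy(text: str):
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            ts, ip, status, method, url = m.groups()
            events.append({"ts": parse_ts(ts), "ip": ip, "status": int(status),
                           "method": method, "url": url})
    return events


def threshold_rule(events, leases, predicate, threshold: int, window: timedelta):
    """Alert when `threshold` events matching `predicate` from one client fall
    inside `window`; threshold=1 turns this into a plain single-event rule.
    Each alert is enriched with the DHCP owner of the address at alert time."""
    recent = defaultdict(deque)   # client ip -> timestamps of recent matching events
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not predicate(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            owner = who_had(leases, ev["ip"], ev["ts"])
            alerts.append({"ts": ev["ts"], "ip": ev["ip"], "count": len(q),
                           "mac": owner[0] if owner else None,
                           "host": owner[1] if owner else None})
            q.clear()   # one burst raises one alert
    return alerts


def run_demo():
    """Hypothetical rule: three 403 responses from one client within 60 seconds."""
    return threshold_rule(parse_proxy(PROXY_LOG), parse_leases(DHCP_LOG),
                          lambda e: e["status"] == 403, threshold=3,
                          window=timedelta(seconds=60))


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a['ts']} {a['ip']} ({a['host']}, {a['mac']}): {a['count']} blocked requests")
```

Only the 09:15 burst fires; the single 403 at 12:45 is outside any window and is not reported. Note that the same address at 12:45 resolves to host-guest, not host-ayse: without the DHCP log the proxy record alone would point at the wrong machine, which is exactly why the Act lists DHCP logs among those to be kept.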