Effective network security audit trail management

Modern organizations face an increasingly difficult task of protecting their information system networks from intruders. Network protection must also be balanced against accessibility and convenience for authorized users. Network monitoring tools are often employed to identify potential security problems. These tools generate considerable amounts of data relating to network traffic and security logs. Technologies such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS) are employed to assist information systems and network security personnel in identifying and stopping network intrusions. However, while utilities such as IDS and IPS are helpful in collecting and sorting through the volume of data generated by internal logging, human management of this information remains essential to effectively monitoring network traffic and detecting incidents. The process by which network security audit trails are managed varies considerably among organizations, and there is currently no set of well-researched best practices for IS network security managers to follow. This thesis analyzed the current industry practices and management policies used in audit trail management, and provided an overview of management practices and policies believed to be effective for network protection. The research formulated several conjectures regarding factors that may lead to faster malware detection times, and described a research plan and a survey instrument to test these conjectures. The effectiveness of the audit trail was measured by the elapsed time from an adverse event occurring to its discovery in the audit trail, with shorter elapsed times indicating greater effectiveness. Given the differing natures of adverse events that could be discovered, the scope of the research plan was limited to the discovery of malware on computing devices in a company's network.
The pilot study uncovered certain issues that future researchers may encounter, such as difficulty in finding qualified respondents and unclear or ambiguous survey questions. Suggestions for improving the survey's questions and response count are provided, based on the original issues the study encountered. Although the pilot study did not provide much new data to base recommendations on, this thesis used data from existing literature to provide general recommendations, which included ensuring analysts are familiar with the network environment via training programs and organizational knowledge sharing, and consulting with IDS/IPS vendors and specialists during the system installation.