Methodology for correlations discovery in security logs

Records in a security log should serve primarily to identify the events that indicate potential attacks or dangerous configurations posing a high risk of asset loss. In other words, the primary role of security log analysis is to detect an incident and generate an adequate response in order to mitigate the losses. An enormous problem that often occurs in practice lies in determining which events must be recorded in the security log. Moreover, there is no general methodology that would help with this crucial problem, and security systems are therefore often implemented incorrectly due to the lack of a correct specification of events. In this article, we propose our own methodology that can be used to identify the required security events. Our approach is based on the theoretical risk assessments provided by NIST (National Institute of Standards and Technology) and the more practical information provided by OWASP (Open Web Application Security Project). We have proven the functionality of the methodology by applying it in practice to a VPN (Virtual Private Network) connection using the IPsec protocol, during research conducted for the National Security Authority of the Czech Republic. However, this article focuses in particular on the theoretical principles of the method. We believe that the proposed methodology is sufficiently universal to be applied to various types of systems.