Logging and Threat Management

As part of the ongoing, division-wide effort to make information system security a priority, the BSD Information Security Office (ISO) has created a Logging and Threat Detection program designed to better protect and monitor BSD systems and servers that hold sensitive or regulated data (e.g., PHI and PII, or data covered by HIPAA or SOX).

By collecting and retaining system logs from your critical systems, our Threat Detection engine provides continuous monitoring, event correlation, and behavioral anomaly detection, with the objective of deterring, responding to, and recovering from threats.

Enrollment in the BSD Logging and Threat Detection program is as simple as forwarding your server logs to our on-campus syslog collector at:

Hostname: syslog.cri.uchicago.edu

Port: 514
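The following rsyslog drop-in is an added example of what the forwarding change looks like on a Linux server; it is not one of the ISO's own guides. Two things are assumed rather than stated on this page: the transport (the page lists only port 514, and 514/udp is the registered syslog port, so UDP is used here with a TCP variant shown commented out), and the file path, which follows the usual rsyslog drop-in layout.

```conf
# /etc/rsyslog.d/90-bsd-iso-forward.conf  (assumed path; added example, not an ISO guide)
#
# Forward everything this host logs to the BSD ISO collector listed on this page.
# Transport is an assumption: the page gives port 514 only, and 514/udp is the
# registered syslog port. UDP gives no delivery feedback, so a host that cannot
# reach the collector silently drops events; the TCP variant below queues them
# on disk instead.

*.* action(type="omfwd"
           target="syslog.cri.uchicago.edu"
           port="514"
           protocol="udp")

# If the collector accepts TCP on 514 (confirm with the ISO), use this instead.
# The disk-assisted queue relies on workDirectory being set in rsyslog.conf,
# which Debian/Ubuntu and RHEL-family packages do by default.
#
# *.* action(type="omfwd"
#            target="syslog.cri.uchicago.edu"
#            port="514"
#            protocol="tcp"
#            queue.type="LinkedList"
#            queue.filename="bsd_iso_fwd"
#            queue.saveOnShutdown="on"
#            action.resumeRetryCount="-1")
```

After saving the file, validate the syntax with `rsyslogd -N1`, restart the service (`systemctl restart rsyslog`), and send a test event with `logger -t bsd-iso-test "forwarding test"`; if the collector side does not see it, check the host firewall and campus network path for outbound 514. Two caveats a practitioner should weigh: plain syslog on port 514 is unencrypted, so anything your servers log (including usernames and, if an application is misconfigured, sensitive data) crosses the campus network in the clear; and `*.*` forwards every facility, so narrow the selector (for example to `auth,authpriv.*`) if your department only wants authentication events sent off-host. Windows servers need a syslog forwarding agent, which this page does not name; ask the ISO which one they support.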

If you need help configuring system log forwarding, please see the following guides:

For more information about the BSD Logging and Threat Detection program, please contact our office at security@bsd.uchicago.edu.

Frequently Asked Questions

Q: Is this program right for my department?

A: The BSD ISO Logging and Threat Detection program is designed to create actionable alerts on credible threats to your department’s sensitive systems. Whereas the Threat Assessment program looks for possible avenues of attack before they are used, the Logging and Threat Detection program detects and alerts on suspicious behavior while it is happening.

Q: What is required of my department in order to participate?

A: In order to participate in the Logging and Threat Detection program, the technical support contact for your systems will need to make several minor configuration changes to your Windows or Linux servers. These changes will allow your server to send its logs to the BSD log collector. From there, BSD Security will be able to monitor your systems for unauthorized logins and other threats.

Q: What happens if a problem with my system is discovered?

A: The goal of the Logging and Threat Detection program is to identify risks and help your department become more secure. If an offense is triggered, our automated Security Intelligence Platform will notify us as the event is taking place. BSD ISO will then determine the severity of the offense and inform your department’s technical contact if the problem needs immediate attention.

Q: What’s the difference between this program and the “Threat Assessment” program?

A: While the BSD ISO Threat Assessment program concentrates on finding, cataloging, and remediating server weaknesses before they can be exploited, the Logging and Threat Detection program concentrates on finding anomalies in real-time server behavior, with the goal of identifying threats as they happen.