2:30 min read |
When properly implemented, Control #6 can bring an organization’s security program to a higher level of maturity. Maintaining, monitoring and analyzing audit logs helps gain visibility into the actual workings of an environment. Also, with proper implementation, the control can help detect, understand or recover from an attack.
Despite best practices, it is impossible to safeguard a network against every attack. Therefore, when a breach occurs the log data can be crucial for identifying the cause of the breach and help in collecting evidence for use. That is, if the logs were configured properly before the incident occurred.
Deficiencies in security logging and analysis allow attackers to hide their location, malicious codes and activities on victim’s machines. Without protected and complete logging records an organization is blind to the details of an attack which can go on indefinitely and cause significant damage.
To ensure readiness, and effective log maintenance, monitoring, and analysis, the Center for Internet Security (CIS) recommends the following controls:
- Validate audit log settings for each hardware device and the software installed on it–including date, timestamp, source address, destination address, and other information about each packet and transactions. Also, logs are to be stored on dedicated servers and run biweekly reports to identify and document anomalies.
- Ensure all systems that store logs have adequate storage space for logs generated on a regular basis, so that log files will not fill up between log rotation intervals. Logs must be archived and digitally signed on a periodic basis.
- Configure network boundary devices, including firewalls, network based IPS, and inbound and outbound proxies, to verbosely log all traffic arriving at the device.
- Lastly, deploy a SIEM (Security Information and Event Management) or log analytic tool for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SEIM, system administrators and security personnel should devise profiles of common events so that they can tune detection to focus on unusual activity, avoid false positives, rapidly identify anomalies, and prevent insignificant alerts.
Maintaining security logs and actively using them to monitor security related activities within the environment is essential, especially during post breach forensic investigation. Therefore, an organization must develop procedures to actively review and analyze logs in real time so that attacks can be detected quickly with appropriate response time. It’s one of several best practices for an environment to achieve a safer, better, cybersecurity posture.