Maintenance, Monitoring and Analysis of Audit Logs - Top 20 Security Controls
October 2021 | Michael Wetherald

Top 20 Critical Security Controls Series

In this article, we continue our blog series on the industry standard top 20 critical security controls -- sometimes referred to as the SANS Top 20 or the CIS Critical Security Controls. These controls give your organization a set of best practices for protecting itself from the most common attacks faced around the world.

Basic Security Controls

Controls 1-6 are considered the basic controls every organization should employ to have a solid foundation to build from:

#6: Maintenance, Monitoring and Analysis of Audit Logs

Logs contain the footsteps of hidden enemies working to compromise your environment. If these logs aren't deliberately generated and reviewed, you will be unaware when your prevention systems fail and your environment is compromised.

Why Is This Control Important?

Adequate logging practices are crucial for the identification of, comprehension of, and recovery from a security incident. A successful incident response involves understanding how the incident happened and what actions were taken. Without this information you cannot effectively implement measures to prevent it from happening again, or mitigate the damage that was done. Adequate logging will provide your incident response team with the information necessary to confidently determine what happened, how to stop further damage, and what steps to take to prevent it from happening again.

How to Implement This Control

This control involves securely generating, storing, and analyzing logs generated by the devices in your environment.

Centralized Log Management

Utilize a centralized log management system that collects logs from the devices in your environment. This centralized location is beneficial not only because it provides you with a single place to review logs, but also because it makes it far more difficult for adversaries to cover their tracks: an attacker who wipes the local logs on a compromised host cannot erase the copies already shipped to the central system.

Make sure there is enough space to store all of the logs generated for the retention period your organization determines is appropriate. You also want to utilize three synchronized time sources so that timestamps are consistent across your logs; without consistent time, events from different devices cannot be reliably correlated during an investigation.

Detailed Audit Logging

Now that you have set up a centralized logging system to aggregate the logs generated in your environment, it is time to configure your devices to generate detailed logs and send them to your central logging system. A good approach here is to generate lots of detailed logs on the endpoint, and then determine which of those logs should be sent to the central logging server. Choosing what logs are important to collect will help reduce bandwidth in the environment and storage on the logging system.

Some detailed logging items include:

  • Timestamp
  • Source IPs
  • Destination IPs
  • Devices
  • Event Source
  • User
  • Command/Service/Application Name
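As an added illustration (not from the original article), the following Python shows an endpoint normalizing its own constructed log lines into exactly the fields listed above, rejecting records that are incomplete or lack an unambiguous UTC timestamp, and applying a hypothetical forwarding policy so that only selected records travel to the central log server. The line format, the `FIELD_MAP` key names and the `FORWARD_SOURCES` policy are assumptions for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample endpoint lines (not real logs): ISO-8601 UTC timestamp, then key=value pairs.
SAMPLE_LINES = [
    "2021-10-04T13:02:11Z host=ws-17 src=10.0.4.21 dst=10.0.0.5 source=sshd user=alice cmd=sshd",
    "2021-10-04T13:02:12Z host=ws-17 src=10.0.4.21 dst=10.0.4.21 source=cron user=root cmd=logrotate",
    "2021-10-04T13:02:13Z host=ws-17 src=10.0.4.21 dst=10.0.4.21 source=cups user=alice cmd=cupsd",
    "2021-10-04T13:02:14Z host=db-01 src=10.0.4.21 dst=10.0.0.9 source=sudo user=alice cmd=/bin/bash",
    "2021-10-04 13:02:15 host=db-01 src=10.0.4.21 dst=10.0.0.9 source=sshd user=bob",  # bad timestamp, no cmd
]

# Hypothetical endpoint keys mapped onto the audit fields the article lists.
FIELD_MAP = {"host": "device", "src": "source_ip", "dst": "destination_ip",
             "source": "event_source", "user": "user", "cmd": "command"}
REQUIRED = ("timestamp", *FIELD_MAP.values())
KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Normalize one line into the required audit fields; None if any is missing or the timestamp is not UTC ISO-8601."""
    ts, _, rest = line.partition(" ")
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None  # inconsistent time makes the record useless for correlation
    record = {"timestamp": when.isoformat()}
    for key, value in KV.findall(rest):
        if key in FIELD_MAP:
            record[FIELD_MAP[key]] = value
    return record if all(f in record for f in REQUIRED) else None

# Hypothetical forwarding policy: the endpoint keeps everything locally and sends only
# authentication, privilege-escalation and root activity to the central log server.
FORWARD_SOURCES = {"sshd", "sudo"}

def should_forward(record):
    return record["event_source"] in FORWARD_SOURCES or record["user"] == "root"

def process(lines):
    """Return (records to forward, count of lines rejected as incomplete or malformed)."""
    forward, rejected = [], 0
    for line in lines:
        record = parse_line(line)
        if record is None:
            rejected += 1  # rejected lines should be alerted on, not silently dropped
        elif should_forward(record):
            forward.append(record)
    return forward, rejected
```

Running `process(SAMPLE_LINES)` forwards three of the five constructed lines and reports one rejection; the rejection count is itself worth shipping, since a sudden rise in malformed records can indicate a misconfigured or tampered log source.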

Analyzing Logs

Now that you are generating logs and sending them to a centralized location, it is time to implement a strategy for analyzing those logs. This strategy involves both automated analysis by software and manual review by analysts. Log analytics tools have come a long way, but they are not foolproof. They should be treated as a tool to help the analyst work through the mountain of generated logs.

Implementing a Security Information and Event Management (SIEM) system is a great addition to your log analysis strategy. The SIEM should be regularly tuned to reduce noise and more accurately identify security events that need review. But always remember that a SIEM will miss information on its own; its role is to assist your analysts in detecting actionable events.

Conclusion

Establishing and maintaining adequate logging in your environment is a critical step in reducing the cybersecurity risk facing your organization. Viam is here to help guide you through implementing this control at your organization. Contact us today if you are ready to take steps to reduce the cybersecurity risk in your organization.

Michael Wetherald
Security Engineer and Co-Founder

Michael is the inventor of a patent pending web proxy technology and brings to Viam his expertise in web and Linux security. Outside of work he enjoys carpentry, having built a dog mansion for his spoiled dog.


© 2023 Viam Technologies