
Uncanny Loggings: How poor data monitoring leads to The Danger Zone

by Justin Frank | Blog | 14 Oct 2021

The practice of logging has come a long way over the past few years. It started as a way to demonstrate regulatory compliance and to provide evidence in legal proceedings, but it has since become a norm for security best practice and governance evaluation. So what are the most important aspects? How do you start, and then maintain, oversight of your logging capabilities?

How does logging help?

Logging is the process of recording all system activities and the user interactions with those systems. It has shaped the way security teams are able to monitor and protect their digital assets. To get this data, an organisation needs to take a few steps. First, inventory all assets; then configure those assets to forward their log data to a log management system; and subsequently feed that log data into a SIEM (Security Information and Event Management). A SIEM is usually an automated tool that aggregates system, network and user logs, then analyses that data to catch abnormal behaviour or potential cyberthreats.

This process helps security teams correlate data from multiple systems and then present an overview of all events and alerts occurring within an organisation's IT infrastructure. It serves various purposes:

  • Monitoring system and user activity to detect and solve problems (debugging). This supports business continuity;
  • Meeting regulatory requirements set by compliance frameworks or litigation. An example is the ISO 27001 framework;
  • Investigating anomalies and indicators of compromise. This is used in threat detection and risk management.

What makes logging difficult?

A security team uses different types of log data and a SIEM to identify and respond to events, provide evidence and trace steps during incident response, and monitor assets for anomalous changes or issues.

Being able to see what's happening in your IT infrastructure in real-time via logs brings a significant advantage in identifying key problems or potential risks.

However, as the size and complexity of your IT systems increase, so does the volume of data. The more log data being fed into a SIEM, the more resources are needed to monitor all of it. The cost and weight of that much log data from a growing IT infrastructure forces an organisation to think about its log management strategy.

To avoid creating unnecessary costs by monitoring every single system, security teams often begin by defining the criticality of each system and prioritising based on business value. Though this is more cost-effective, it requires continuous assessment of every asset related to the organisation. At a certain point, this becomes too challenging to do manually – potentially steering you into a ‘danger zone’ of logging.
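The pipeline described earlier (inventory assets, collect their logs, correlate in a SIEM) and the criticality-based prioritisation above can be shown together in a small correlation pass. The following is an added example written for this post, not code from Cybersprint or from any SIEM product; the asset inventory, criticality scale, log lines and the failed-login threshold are all constructed for illustration. It ranks alerts by the business criticality recorded in the inventory and flags any host that emits logs but is missing from the inventory, which is exactly the gap that continuous asset management is meant to close.

```python
"""
Added example (not from the original post): a miniature SIEM-style
correlation pass that joins log events to an asset inventory so that
alerts are prioritised by business criticality instead of being treated
uniformly. All data below is constructed.
"""
import re
from collections import defaultdict

# Constructed asset inventory: hostname -> criticality (1 = low, 3 = critical).
ASSET_INVENTORY = {
    "web-01": 3,
    "db-01": 3,
    "dev-box": 1,
}

# Constructed syslog-style lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, and "lab-vm" is deliberately absent from the inventory.
SAMPLE_LOGS = """\
2021-10-14T09:00:01Z web-01 sshd[1]: Failed password for root from 203.0.113.5
2021-10-14T09:00:02Z web-01 sshd[1]: Failed password for root from 203.0.113.5
2021-10-14T09:00:03Z web-01 sshd[1]: Failed password for root from 203.0.113.5
2021-10-14T09:00:04Z web-01 sshd[1]: Accepted password for root from 203.0.113.5
2021-10-14T09:01:00Z dev-box sshd[1]: Failed password for alice from 198.51.100.7
2021-10-14T09:02:00Z lab-vm sshd[1]: Failed password for bob from 198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
AUTH_RE = re.compile(r"(Failed|Accepted) password for (\S+) from (\S+)")


def parse(lines):
    """Split raw log text into dicts with ts/host/proc/msg fields."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def correlate(events, inventory, fail_threshold=3):
    """Return alerts sorted by criticality (highest first).

    Two detections are implemented: a run of failed logins for one
    (host, user, source) reaching fail_threshold, and a successful login
    for that same tuple after such a run. Hosts not in the inventory are
    reported once as an inventory gap with criticality 0 (unknown).
    """
    fails = defaultdict(int)      # (host, user, src) -> failed-login count
    seen_unknown = set()
    alerts = []
    for ev in events:
        host, msg = ev["host"], ev["msg"]
        if host not in inventory:
            if host not in seen_unknown:
                seen_unknown.add(host)
                alerts.append({"host": host, "criticality": 0,
                               "reason": "host missing from asset inventory"})
            continue
        m = AUTH_RE.match(msg)
        if not m:
            continue
        outcome, user, src = m.groups()
        key = (host, user, src)
        if outcome == "Failed":
            fails[key] += 1
            if fails[key] == fail_threshold:   # fire once, at the threshold
                alerts.append({"host": host, "criticality": inventory[host],
                               "reason": f"{fail_threshold} failed logins for {user} from {src}"})
        elif fails[key] >= fail_threshold:
            alerts.append({"host": host, "criticality": inventory[host],
                           "reason": f"successful login for {user} from {src} "
                                     f"after {fails[key]} failures"})
    # sorted() is stable, so alerts of equal criticality keep log order
    return sorted(alerts, key=lambda a: -a["criticality"])


def run():
    """Convenience entry point: parse the constructed logs and correlate."""
    return correlate(parse(SAMPLE_LOGS), ASSET_INVENTORY)


if __name__ == "__main__":
    for a in run():
        print(f"[crit={a['criticality']}] {a['host']}: {a['reason']}")
```

On the constructed input this yields two critical alerts for web-01 (the threshold being reached, then the successful login that followed) and one criticality-0 alert for lab-vm; the single failure on dev-box stays below the threshold. The point of the criticality-0 bucket is that an unknown host is not "low priority", it is a blind spot that the inventory process has to resolve before the alert can be ranked at all.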

Tip: Don't forget that the way you manage your logs and protect your SIEM determines your risk exposure. If your logs are compromised, an attacker gains a full picture of your IT systems and can do much more damage, both during the attack and during your recovery phase.

What and how to monitor?

Continuous asset inventory and asset management are key to achieving a good monitoring strategy. They help you determine the criticality of each system to your organisation's business continuity – especially as that criticality changes over time.

However, as stated above, this process can become too time-consuming and labour-intensive without the right tools, not to mention the amount of risk management involved once critical vulnerabilities have been discovered. This is when you can fall back on the tech industry's favourite mantra:

"Automate. Automate. Automate."

But how do you combine asset management, risk management and monitoring strategies to determine what to log? The answer might be simpler than you think: attack surface management (ASM).

How does ASM support log management and monitoring strategies?

First of all, it’s important to understand that any organisation’s attack surface is a dynamic thing. It is always evolving, growing in some parts and shrinking in others; it is open to different interpretations and depends on context. And it is almost always bigger than estimated.

An attack surface management solution supports you by removing repetitive work. It identifies your organisation’s digital assets, detects risks, and helps manage changes as part of your monitoring strategy. Having the right insights into your attack surface will help you prioritise the critical assets that need monitoring and logging. The benefit is that security teams will be able to efficiently determine what should be tracked, and when.




Justin Frank is Cybersecurity Analyst at Cybersprint. With a background in Safety & Security Management, he is responsible for aligning internal privacy and security policies. Justin is driven by an ambition to open the dialogue about cybersecurity in a wider societal context.

