The practice of logging has come a long way over the past few years. It started as a way to demonstrate regulatory compliance and to provide evidence in legal proceedings, but it has since become a norm of security best practice and governance evaluation. So what are the most important aspects? How do you start and maintain oversight of your logging capabilities?
How does logging help?
Logging is the process of recording system activity and the user interactions with those systems. It has shaped the way security teams monitor and protect their digital assets. To obtain this data, an organisation needs to take a few steps. First, inventory all assets; then collect the log data of those assets in a log management system; and finally feed that log data into a SIEM (Security Information and Event Management) system. A SIEM is usually an automated tool that aggregates system, network and user logs, then analyses that data to catch abnormal behaviour or potential cyberthreats.
This process helps security teams correlate data from multiple systems and then display an overview of all events and alerts occurring within an organisation's IT infrastructure. It serves various purposes:
- Monitoring system and user activity to detect and solve problems (debugging). This supports business continuity;
- Meeting regulatory requirements set by compliance frameworks or litigation. An example is the ISO 27001 framework;
- Investigating anomalies and indicators of compromise. This is used in threat detection and risk management.
What makes logging difficult?
A security team uses different types of log data and a SIEM to identify and respond to events, to provide evidence and trace steps during incident response, and to monitor assets for anomalous changes or issues.
Being able to see what's happening in your IT infrastructure in real-time via logs brings a significant advantage in identifying key problems or potential risks.
However, as the size and complexity of your IT systems increase, so does the volume of data. The more log data is fed into a SIEM, the more resources are needed to monitor it. The cost and burden of handling that much log data from a growing IT infrastructure push an organisation to think about its log management strategy.
To avoid creating unnecessary costs by monitoring every single system, security teams often begin by defining the criticality of each system and prioritising based on business value. Though this is more cost-effective, it requires continuous assessment of every asset belonging to the organisation. At a certain point, this becomes far too challenging to do manually – potentially steering you into a ‘danger zone’ of logging.
Tip: Don't forget that the way you manage your logs and protect your SIEM will determine your risk exposure. If your logs are compromised, an attacker will be able to get a full picture of your IT systems and do much more damage during both the attack and your recovery phase.
What and how to monitor?
Continuous asset inventory and asset management are key to achieving a good monitoring strategy. They will help you determine the criticality of each system to your organisation's business continuity – especially as that criticality changes over time.
However, as stated above, this process can become too time-consuming and labour-intensive without the right tools, not to mention the risk management effort involved once critical vulnerabilities have been discovered. This is when you can stick to the tech industry's favourite mantra:
"Automate. Automate. Automate."
But how do you combine asset management, risk management and monitoring strategies to determine what to log? The answer might be simpler than you think: attack surface management (ASM).
How does ASM support log management and monitoring strategies?
First of all, it’s important to understand that any organisation’s attack surface is dynamic. It is always evolving, growing in some parts and shrinking in others; it can be interpreted differently depending on context; and it is almost always bigger than estimated.
An attack surface management solution supports you by removing repetitive work. It identifies your organisation’s digital assets, detects risks, and helps manage changes as part of your monitoring strategy. Having the right insights into your attack surface will help you prioritise the critical assets that need monitoring and logging. The benefit is that security teams will be able to efficiently determine what should be tracked – and when.
Justin Frank is Cybersecurity Analyst at Cybersprint. With a background in Safety & Security Management, he is responsible for aligning internal privacy and security policies. Justin is driven by an ambition to open the dialogue about cybersecurity in a wider societal context.