Uncanny Loggings: How poor data monitoring leads to The Danger Zone

by Justin Frank, Blog, 14 Oct 2021

Logging has come a long way over the past few years. It started as a way to demonstrate regulatory compliance and to provide evidence in legal proceedings, but it has since become a security best practice in its own right and a standard item in governance evaluations. So what are the most important aspects? And how do you establish and maintain oversight of your logging capabilities?

How does logging help?

Logging is the process of recording system activity and the user interactions with those systems, and it has shaped the way security teams monitor and protect their digital assets. Getting that data takes a few steps. First, inventory all assets. Then configure each asset to forward its logs to a log management system. Finally, feed that log data into a SIEM (Security Information and Event Management) platform. A SIEM is usually an automated tool that aggregates system, network and user logs and then analyses that data to catch abnormal behaviour or potential cyberthreats.

This process helps security teams correlate data from multiple systems and present an overview of all events and alerts occurring within the organisation's IT infrastructure. It serves several purposes:

  • Monitoring system and user activity to detect and solve problems (debugging). This supports business continuity;
  • Meeting regulatory requirements set by compliance frameworks or legal proceedings. An example is the ISO 27001 framework;
  • Investigating anomalies and indicators of compromise. This is used in threat detection and risk management.
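As an added example (not code from the original post or from Cybersprint), here is a small Python correlation rule of the kind a SIEM runs over aggregated logs. It normalises OpenSSH authentication lines and audit lines from a hypothetical web application on two hosts into one event stream, orders them by time, and alerts when a single source IP accumulates five failed logins within 60 seconds and then logs in successfully. The host names, IP addresses, the web-application log format, the year assumed for the syslog timestamps and the log lines themselves are all constructed for the example.

```python
"""Toy SIEM-style correlation rule (added example; all sample data is constructed)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins that make a burst suspicious
WINDOW = timedelta(seconds=60)   # sliding window in which the failures must occur

# OpenSSH password-authentication lines as written to syslog (real OpenSSH format).
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# Audit lines from a hypothetical web application; this format is an assumption.
WEBAPP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) webapp: "
    r"login (?P<result>failure|success) user=(?P<user>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample input from two hosts: one attacker burst from 203.0.113.7,
# one benign user from 198.51.100.9 and one unrelated cron line.
SAMPLE_LOGS = [
    "Oct 14 09:00:01 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Oct 14 09:00:03 web01 sshd[1202]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "Oct 14 09:00:05 app02 webapp: login failure user=admin src=203.0.113.7",
    "Oct 14 09:00:07 web01 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 5003 ssh2",
    "Oct 14 09:00:09 app02 webapp: login failure user=admin src=203.0.113.7",
    "Oct 14 09:00:12 web01 sshd[1204]: Accepted password for deploy from 203.0.113.7 port 5004 ssh2",
    "Oct 14 09:00:20 web01 sshd[1205]: Failed password for alice from 198.51.100.9 port 6001 ssh2",
    "Oct 14 09:02:30 web01 sshd[1206]: Accepted password for alice from 198.51.100.9 port 6002 ssh2",
    "Oct 14 09:03:00 web01 CRON[1300]: pam_unix(cron:session): session opened for user root",
]


def parse(line, year=2021):
    """Normalise one raw line into (timestamp, host, ip, user, success) or None.

    Syslog timestamps carry no year, so the year is an assumption passed in.
    Lines that match no known format return None; a real pipeline would count
    them, because unparsed logs are a blind spot rather than harmless noise.
    """
    for rx, ok_word in ((SSHD_RE, "Accepted"), (WEBAPP_RE, "success")):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return (ts, m["host"], m["ip"], m["user"], m["result"] == ok_word)
    return None


def correlate(lines):
    """Return alerts as (ip, host_of_success, user, failures_in_window).

    Events from all hosts are merged and sorted by time, so a burst of failures
    spread over sshd on one host and the web app on another is still seen as
    one attacker. Failures older than WINDOW are dropped before each check.
    """
    events = sorted(ev for ev in map(parse, lines) if ev is not None)
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    alerts = []
    for ts, host, ip, user, ok in events:
        failures[ip] = [t for t in failures[ip] if ts - t <= WINDOW]
        if not ok:
            failures[ip].append(ts)
        elif len(failures[ip]) >= THRESHOLD:
            alerts.append((ip, host, user, len(failures[ip])))
            failures[ip].clear()   # one alert per burst
    return alerts


def main():
    for ip, host, user, n in correlate(SAMPLE_LOGS):
        print(f"ALERT brute force: {n} failures from {ip}, then success as {user} on {host}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one alert for 203.0.113.7, whose failures on both hosts add up to the threshold before the successful login as `deploy`; the single failure from 198.51.100.9 has aged out of the window by the time that user logs in, so it is not reported. Note that the rule only works because both log sources were inventoried and forwarded: drop `app02` from the inventory and the same attacker stays under the threshold.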

What makes logging difficult? 

A security team uses different types of log data and a SIEM to identify and respond to events, provide evidence and trace steps during incident response, and monitor assets for anomalous changes or issues. 

Being able to see what's happening in your IT infrastructure in real-time via logs brings a significant advantage in identifying key problems or potential risks.

However, as the size and complexity of your IT systems grow, so does the volume of data. The more log data fed into a SIEM, the more resources (storage, licensing and analyst time) are needed to monitor it. The cost and overhead of handling that much log data from a growing IT infrastructure push an organisation to think about its log management strategy.

To avoid the unnecessary cost of monitoring every single system, security teams often start by defining the criticality of each system and prioritising by business value. Although this is more cost-effective, it requires continuous assessment of every asset the organisation owns. At a certain point this becomes far too challenging to do manually, potentially steering the organisation into a 'danger zone' where systems that matter are no longer being logged.

Tip: Remember that how you manage your logs and protect your SIEM determines your own risk exposure. Logs describe your IT systems in detail, so if they are compromised an attacker can use them to map your environment, or tamper with them to cover their tracks, and do far more damage both during the attack and during your recovery.

What and how to monitor? 

Continuous asset inventory and asset management are key to a good monitoring strategy. They let you determine the criticality of each system to the organisation's business continuity, and keep that assessment current over time.

However, as noted above, this process can become too time-consuming and labour intensive without the right tools, and that is before counting the risk management work needed when critical vulnerabilities are discovered in those assets. This is where the tech industry's favourite mantra applies:

"Automate. Automate. Automate." 

But how do you combine asset management, risk management and monitoring strategy to decide what to log? The answer may be simpler than you think: attack surface management (ASM).

How does ASM support log management and monitoring strategies? 

First of all, it is important to understand that any organisation's attack surface is dynamic. It is always evolving, growing in some places and shrinking in others; it is open to interpretation and depends on context; and it is almost always bigger than estimated.

An attack surface management solution supports you by removing repetitive work. It identifies your organisation's digital assets, detects risks, and helps you manage changes as part of your monitoring strategy. The right insight into your attack surface helps you prioritise the critical assets that need monitoring and logging, so that security teams can efficiently determine what should be tracked, and when.



Justin Frank is Cybersecurity Analyst at Cybersprint. With a background in Safety & Security Management, he is responsible for aligning internal privacy and security policies. Justin is driven by an ambition to open the dialogue about cybersecurity in a wider societal context.