Why is this Control critical?
Implementing the "Audit Log Management" control is critical on several levels:
Rapid detection of malicious activity
Enterprises that collect logs thoroughly and actually analyze them are far more likely to identify a malicious intrusion quickly and respond to it. In some incidents the audit logs are the only evidence that a breach succeeded at all, which is why they are a cornerstone of basic cyber hygiene.
Thwarting the Attacker's Strategy
Attackers routinely count on the fact that many organizations keep audit logs mainly to satisfy compliance requirements and rarely examine them in depth. That neglect lets an intruder conceal where they have been and what they have done, and maintain a hidden foothold in the victim's systems for months or even years. A working log analysis process takes that advantage away: the attacker now has to evade detection rather than rely on nobody looking, and the organization's overall defensive posture is stronger for it.
Distinction between System and Audit Logs
Knowing the difference between system logs and audit logs matters when designing a log management strategy. System logs record system-centered events such as process start and termination, crashes and other operational detail, and usually need little configuration. Audit logs are user-centric: they record who logged in, which files were accessed and similar actions, and they typically need deliberate, planned configuration before they capture anything useful. Collecting both gives a complete picture of what the system did and what its users did.
Enhancing Incident Response Strategy
Once an attack has been detected, logs are the primary source for understanding its extent. Detailed records give a timeline of the attack: how and when it started, which data was accessed, and whether anything was exfiltrated. That timeline is what an effective incident response is built on.
Ensuring Log Retention
Retaining complete log records supports retrospective analysis of security incidents and provides the data that follow-up investigations need. Retention also satisfies regulatory mandates and makes it possible to uncover breaches that went undetected for long periods.
The 12 Safeguards of the CIS Control 8 “Audit Log Management”
Safeguard 8.1: Establish and Maintain an Audit Log Management Process
Description by CIS Controls: “Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.”
Implementation Group concerned by this Safeguard: IG1, IG2, IG3
Safeguard 8.2: Collect Audit Logs
Description by CIS Controls: “Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.”
Implementation Group concerned by this Safeguard: IG1, IG2, IG3
Safeguard 8.3: Ensure Adequate Audit Log Storage
Description by CIS Controls: “Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.”
Implementation Group concerned by this Safeguard: IG1, IG2, IG3
Safeguard 8.4: Standardize Time Synchronization
Description by CIS Controls: “Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.5: Collect Detailed Audit Logs
Description by CIS Controls: “Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.6: Collect DNS Query Audit Logs
Description by CIS Controls: “Collect DNS query audit logs on enterprise assets, where appropriate and supported.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.7: Collect URL Request Audit Logs
Description by CIS Controls: “Collect URL request audit logs on enterprise assets, where appropriate and supported.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.8: Collect Command-Line Audit Logs
Description by CIS Controls: “Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.”
Implementation Group concerned by this Safeguard: IG2, IG3
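Command-line audit logs are only useful if the raw records can be turned back into the command a user actually ran. On Linux, auditd emits a SYSCALL record and an EXECVE record that share an audit serial, and it hex-encodes any argument containing spaces, quotes or control characters. The following is an added example, not code from CIS or from the page, showing how to correlate the two records and decode the arguments; the sample log lines, serials, uids and commands are constructed for the example, and it assumes an execve rule such as `-a always,exit -F arch=b64 -S execve -k cmdline` is in place.

```python
import re
import shlex
from datetime import datetime, timezone

# Constructed sample of Linux auditd output as produced by an execve rule such as
#   -a always,exit -F arch=b64 -S execve -k cmdline
# Serials, pids, uids and commands below are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1822 auid=1000 uid=1000 gid=1000 euid=1000 comm="ls" exe="/usr/bin/ls" key="cmdline"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="ls" a1="-la"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1800 pid=1830 auid=1000 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="cmdline"
type=EXECVE msg=audit(1700000000.250:202): argc=3 a0="bash" a1="-c" a2=6375726C202D7320687474703A2F2F6578616D706C652E636F6D2F782E7368207C2062617368
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one auditd line into type, timestamp, serial and raw key=value fields.
    Values keep their surrounding quotes so callers can tell quoted from hex-encoded."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    return {
        "type": m.group("type"),
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": dict(FIELD_RE.findall(m.group("body"))),
    }


def strip_quotes(raw):
    return raw[1:-1] if len(raw) >= 2 and raw[0] == raw[-1] == '"' else raw


def decode_arg(raw):
    """auditd quotes plain arguments but writes arguments containing spaces,
    quotes or control characters as an unquoted hex string."""
    if raw.startswith('"'):
        return strip_quotes(raw)
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:
        return raw  # e.g. (null)


def reconstruct_argv(execve_fields):
    # Segmented long arguments (a1[0]=, a1[1]=) are not reassembled in this example.
    argc = int(execve_fields.get("argc", "0"))
    return [decode_arg(execve_fields[f"a{i}"]) for i in range(argc) if f"a{i}" in execve_fields]


def command_line_events(log_text):
    """Correlate SYSCALL and EXECVE records by audit serial into one event per command."""
    by_serial = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        by_serial.setdefault(rec["serial"], {"ts": rec["ts"]})[rec["type"]] = rec["fields"]

    events = []
    for serial, recs in sorted(by_serial.items()):
        execve = recs.get("EXECVE")
        if execve is None:
            continue  # not a command execution (or the EXECVE half was lost)
        syscall = recs.get("SYSCALL", {})
        argv = reconstruct_argv(execve)
        events.append({
            "serial": serial,
            "time": datetime.fromtimestamp(recs["ts"], tz=timezone.utc).isoformat(),
            "auid": strip_quotes(syscall.get("auid", "?")),  # login user; survives sudo/su
            "uid": strip_quotes(syscall.get("uid", "?")),
            "exe": strip_quotes(syscall.get("exe", "?")),
            "argv": argv,
            "cmdline": " ".join(shlex.quote(a) for a in argv),
        })
    return events


if __name__ == "__main__":
    for ev in command_line_events(SAMPLE_AUDIT_LOG):
        print(f'{ev["time"]} auid={ev["auid"]} uid={ev["uid"]} {ev["cmdline"]}')
```

The second sample event is the kind of thing a command-line log exists to catch: the `a2` argument looks like opaque hex on disk, but decodes to a download piped straight into a shell, run as uid 0 by the login user with auid 1000. Keying on `auid` rather than `uid` is what lets the review attribute a privileged command to the person who escalated.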
Safeguard 8.9: Centralize Audit Logs
Description by CIS Controls: “Centralize, to the extent possible, audit log collection and retention across enterprise assets.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.10: Retain Audit Logs
Description by CIS Controls: “Retain audit logs across enterprise assets for a minimum of 90 days.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.11: Conduct Audit Log Reviews
Description by CIS Controls: “Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.”
Implementation Group concerned by this Safeguard: IG2, IG3
Safeguard 8.12: Collect Service Provider Logs
Description by CIS Controls: “Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.”
Implementation Group concerned by this Safeguard: IG3