The implementation of the "Audit Log management" control is critical on several levels:
Enterprise environments are more likely to quickly identify and respond to malicious incursions when they incorporate robust log collection and analysis.Sometimes, audit logs are the only trace of evidence to identify a successful security breach, underscoring their important role in corporate cyber hygiene.
A common strategy employed by attackers is to take advantage of the fact that many companies keep audit logs primarily for compliance reasons, and rarely analyze them in depth. This neglect often enables attackers to camouflage their whereabouts and actions, establishing a hidden presence in the victim's systems, sometimes for months or even years. Implementing an effective log analysis process can dismantle this strategy, forcing attackers to rethink and rebuild their approach, thereby strengthening the organization's defense matrix.
Understanding the difference between system and audit logs is essential in configuring an adept log management strategy. While system logs primarily record system-centered events like process initiation and termination, crashes, and other operational details requiring minimal configuration, audit logs are user-centric, chronicling user login details, file access records, and necessitate a more strategic and planned setup. Leveraging the strength of both types of logs creates a fortified security system capable of providing a 360-degree view of both system and user activities.
Post an attack detection, logs serve as a rich reservoir of data facilitating a comprehensive understanding of the breach's extent. Detailed log records provide a chronological narrative of the attack’s trajectory, encompassing details such as the method and time of the attack, accessed information, and potential data exfiltration, thereby aiding in crafting an effective incident response strategy.
Retaining complete log records not only aids in retrospective analyses of security incidents but also furnishes indispensable data for follow-up investigations. Furthermore, it ensures compliance with regulatory mandates and aids in uncovering breaches that remained undetected for extended durations.
Description by CIS Controls: “Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.”
Implementation Group concerned by this Safeguard: IG1, IG2, IG3
Description by CIS Controls: “Collect audit logs. Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.”
Implementation Group concerned by this Safeguard: IG1, IG2, IG3
Description by CIS Controls: “Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.”
Implementation Group concerned by this Safeguard: IG1, IG2, IG3
Description by CIS Controls: “Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Collect DNS query audit logs on enterprise assets, where appropriate and supported”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Collect URL request audit logs on enterprise assets, where appropriate and supported.”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Centralize, to the extent possible, audit log collection and retention across enterprise assets”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Retain audit logs across enterprise assets for a minimum of 90 days”.
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.”
Implementation Group concerned by this Safeguard: IG2, IG3
Description by CIS Controls: “Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.”
Implementation Group concerned by this Safeguard: IG3