Not knowing exactly who’s doing what on your corporate network is nothing short of “Risky Business.”
Any sound corporate cybersecurity plan these days should have the basics in place: give a CISO a seat at the decision table; determine which cybersecurity and compliance standard you need to align with; optimize ROI by leveraging a threat model for effective response and mitigation; and leverage logging, monitoring and alerting on risks, while also focusing on proactive threat hunting.
However, one fundamental piece of the puzzle that’s often overlooked is the last one: activity (or event) logging (combined with monitoring and alerting). Maybe that’s not the sexiest part of your plan or the most visible to upper management, but it could easily be the one that pays the highest dividends when it comes to protecting your network and data.
Consistent, thorough activity logging and monitoring practices help you establish a profile of ‘normal’ activity on your network, so you can more easily recognize potentially ‘abnormal’ or risky activity that may be a precursor to a bigger attack (a hacker’s ‘test’), or an attack itself. Best practices on activity logs can also help, if needed, in performing post-breach forensics and remediation.
If you’re overwhelmed by the volume of events that routinely occur across your IT environment (operating systems, applications, firewalls, network hardware, dispersed mobile devices, IoT, remote and virtual machines… oh my!), no matter how big or small your environment might be, getting a real handle on it is crucial, and activity logs can help you do exactly that… if done right.
What Kind of Activity Logs Should You Monitor?
So here are a few keys to leveraging activity logs across your IT environment to better identify precisely ‘who’s doing what on your corporate network.’
- Be sure you’re actively monitoring critical applications, processes that manage your sensitive data, any systems that were previously compromised, and all systems connected to third parties and/or the Internet.
- Conduct an application and system risk assessment so there’s no question which systems are considered mission critical and which are not, and so you can determine what level of audit, log review and monitoring is required.
- Implement and use a sophisticated log filtering system so you don’t quickly end up in operational analysis paralysis with too much data and no way to sift through it to uncover the risks.
- Plan and document log retention policies to be sure critical data is still available if required for future security related events. Note, you may need specialists in this area to help, so find a reputable security and business intelligence expert if needed.
- Identify and implement your risk alert and escalation plan so your security and management teams understand the process from ‘A to Z.’
- Create profiles of ‘normal network and user activities’ so that when you pair log data with a security information and event management system (SIEM), you can track baseline data and more easily find and mitigate suspicious activity (an ‘early warning system,’ if you will).
- Ensure you’re logging the following, at a minimum:
○ User IDs
○ Date and time of logon and logoff, plus other key events (e.g. physical entry points)
○ Terminal identity
○ Successful and failed system, data and/or application access attempts
○ Networks and files accessed
○ All changes to system configurations
○ System utility usage
○ Exceptions and security-related events, e.g. triggered alarms
○ Activation of protection systems
○ System clocks (so activity logs have synchronized time stamps)
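The list above describes what to record and the earlier bullet describes building a profile of ‘normal’ activity to find the abnormal. The following is an added example, not code from the article or from ClicData, showing both: it parses constructed key=value audit lines, reports any record that lacks one of the minimum fields, builds a per-user baseline (terminals used, hours of activity) from a known-good window, and then flags deviations and failed-logon bursts in a review window. Field names, thresholds and the sample lines are all assumptions made for the example.

```python
"""Minimum-field check, baseline profile and simple deviation alerts over audit logs.

Added example; the log format, field names and sample events are constructed
for illustration and are not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime

# The article's minimum list, mapped to the key names this example expects:
# ts (synchronized UTC clock), user (user ID), terminal (terminal identity),
# event (logon/logoff/access/config_change/utility), outcome, resource.
REQUIRED_FIELDS = ("ts", "user", "terminal", "event", "outcome", "resource")

# Constructed known-good window used to build the baseline profile.
BASELINE_LINES = [
    "ts=2024-03-04T08:02:11Z user=alice terminal=WS-101 event=logon outcome=success resource=domain",
    "ts=2024-03-04T08:10:03Z user=alice terminal=WS-101 event=access outcome=success resource=share/finance",
    "ts=2024-03-04T17:31:45Z user=alice terminal=WS-101 event=logoff outcome=success resource=domain",
    "ts=2024-03-04T09:15:20Z user=bob terminal=WS-207 event=logon outcome=success resource=domain",
    "ts=2024-03-04T09:16:02Z user=bob terminal=WS-207 event=access outcome=success resource=share/eng",
    "ts=2024-03-04T18:02:19Z user=bob terminal=WS-207 event=logoff outcome=success resource=domain",
]

# Constructed review window: bob appears at 02:00 on a server he never used,
# after three failed logons, and changes the audit policy; carol's record is
# missing the terminal field entirely.
REVIEW_LINES = [
    "ts=2024-03-05T08:01:50Z user=alice terminal=WS-101 event=logon outcome=success resource=domain",
    "ts=2024-03-05T02:14:07Z user=bob terminal=SRV-DB01 event=logon outcome=failure resource=domain",
    "ts=2024-03-05T02:14:09Z user=bob terminal=SRV-DB01 event=logon outcome=failure resource=domain",
    "ts=2024-03-05T02:14:12Z user=bob terminal=SRV-DB01 event=logon outcome=failure resource=domain",
    "ts=2024-03-05T02:14:30Z user=bob terminal=SRV-DB01 event=logon outcome=success resource=domain",
    "ts=2024-03-05T02:15:01Z user=bob terminal=SRV-DB01 event=config_change outcome=success resource=audit_policy",
    "ts=2024-03-05T10:00:00Z user=carol event=access outcome=success resource=share/hr",
]


def parse_line(line):
    """Split one key=value line into a dict and list which minimum fields are absent."""
    event = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    return event, missing


def parse_lines(lines):
    """Return (complete events with parsed timestamps, [(line, missing_fields), ...])."""
    events, incomplete = [], []
    for line in lines:
        event, missing = parse_line(line)
        if missing:
            incomplete.append((line, missing))
            continue
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events, incomplete


def build_baseline(events):
    """Per user: the set of terminals used and the hours at which activity was seen."""
    baseline = defaultdict(lambda: {"terminals": set(), "hours": set()})
    for e in events:
        baseline[e["user"]]["terminals"].add(e["terminal"])
        baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def detect(events, baseline, fail_threshold=3):
    """Flag unknown users, unfamiliar terminals, off-hours activity and failed-logon bursts.

    Returns a sorted list of (user, reason, detail) tuples, de-duplicated so one
    session produces one alert per reason rather than one per line.
    """
    alerts = set()
    consecutive_failures = defaultdict(int)
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        profile = baseline.get(user)
        if profile is None:
            alerts.add((user, "no baseline profile", e["terminal"]))
            continue
        if e["terminal"] not in profile["terminals"]:
            alerts.add((user, "unfamiliar terminal", e["terminal"]))
        lo, hi = min(profile["hours"]), max(profile["hours"])
        if not lo <= e["ts"].hour <= hi:
            alerts.add((user, "outside baseline hours", f"{e['ts'].hour:02d}:00"))
        if e["event"] == "logon":
            if e["outcome"] == "failure":
                consecutive_failures[user] += 1
                if consecutive_failures[user] == fail_threshold:
                    alerts.add((user, "failed logons reached threshold", str(fail_threshold)))
            else:
                consecutive_failures[user] = 0
    return sorted(alerts)


def review():
    """Run the whole pipeline on the constructed data; returns (alerts, incomplete records)."""
    base_events, _ = parse_lines(BASELINE_LINES)
    events, incomplete = parse_lines(REVIEW_LINES)
    return detect(events, build_baseline(base_events)), incomplete


if __name__ == "__main__":
    alerts, incomplete = review()
    for line, missing in incomplete:
        print("INCOMPLETE RECORD (missing %s): %s" % (", ".join(missing), line))
    for user, reason, detail in alerts:
        print(f"ALERT {user}: {reason} ({detail})")
```

The incomplete-record check is as important as the alerts: a log source that silently drops the terminal or user field is a gap in the audit trail that you will only notice during an investigation, when it is too late. In a real deployment the baseline window would be days or weeks of SIEM data rather than six lines, and the hour band would be per weekday, but the shape of the check is the same.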
Collecting, filtering, analyzing and acting on such activity log data will help identify and isolate potential breaches, and in the end, help you and your IT team become more proactive in minimizing impact of an attack, if not preventing it altogether. It also gives you the all-important audit trail needed from a regulatory and/or legal perspective in the event of a breach – whether it be from negligence, a brute force attack, or some other source.
If by now you’re thinking ‘my network is too small to bother,’ think again. Even smaller networks can generate volumes of data, so log files are a fantastic source of information… if you review them, that is. Still not convinced? You may not have a choice. Now, ISO/IEC 27001 control A.10.10.2 not only requires procedures for monitoring the use of information processing facilities, it demands the results are regularly reviewed.
Activity log data can also be used to refine IDS signatures or firewall rule sets. Although this is a highly iterative process, frequent tuning of your monitoring system will, over time, reduce false positives and improve the general integrity of your log data.
Don’t expect to reduce false positives to ZERO, just understand it’s an ongoing and continuous process and keep working towards the zero goal as you adjust for new threats. The more you tune and iterate the process, the more you will be able to trust log file data and the integrity of your analyses.
A few important side notes:
1. Activity log monitoring is a great training ground for your security awareness program; coordinate with your training and/or HR departments to get your whole company on the bus.
2. Don’t neglect a clear check and balance with your own network administrators; they have powerful rights across your system, so their activities should be meticulously recorded and checked too. An internal audit team or external audit consultant is a great way to handle this area.
Log systems will monitor for two general types of fault: faults created by systems and applications, and faults / errors reported by system users. These kinds of logs are used to discover trends that can indicate more complex problems that might not initially be considered a ‘security risk,’ but that could certainly lead to a breach down the line (think ‘faulty equipment’, or ‘unpatched’ or ‘outdated’ applications). Set detection systems to thresholds and alerts to notify key personnel on your security team.
Good news is that today’s operating systems and an increasing number of mainstream applications have basic logging and alerting features. When incorporated into your business intelligence platform, you can ignite a powerful top to bottom solution that is feeding data from everywhere, filtering it for you to focus on suspicious events, and helping you mitigate short- and long-term risk.
Hackers often attempt to alter log files to hide their presence, so that they can continue to manipulate the system at a later time. That means you should record logs locally as well as on a remote log server, which offers redundancy along with an extra security layer. Don’t forget to compare the two — a difference between the local and remote copies is often a telling indicator of suspicious activity.
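Comparing the local and remote copies is easier to automate than to do by eye. The following is an added example, not code from the article or from ClicData, showing one way to do it: each copy is turned into a hash chain (every digest covers the previous digest plus the current line, so an edit, deletion or reordering changes every later digest), the first point of divergence is located, and a line-level diff shows what was altered. The sample log lines are constructed for the example; a line in the local copy has been edited and another removed to stand in for tampering.

```python
"""Detect divergence between a local log file and its remote (forwarded) copy.

Added example with constructed data. Assumes the remote server received each
line as it was written and is append-only, so it is the reference copy.
"""
import difflib
import hashlib

# Constructed reference copy as held by the remote log server.
REMOTE_LOG = [
    "2024-03-05T02:14:07Z host=srv-db01 user=bob event=logon outcome=failure",
    "2024-03-05T02:14:09Z host=srv-db01 user=bob event=logon outcome=failure",
    "2024-03-05T02:14:30Z host=srv-db01 user=bob event=logon outcome=success",
    "2024-03-05T02:15:01Z host=srv-db01 user=bob event=config_change resource=audit_policy",
    "2024-03-05T02:20:44Z host=srv-db01 user=bob event=logoff outcome=success",
]

# Constructed local copy as found at review time: the second line has a
# different user and the config_change line is gone.
LOCAL_LOG = [
    "2024-03-05T02:14:07Z host=srv-db01 user=bob event=logon outcome=failure",
    "2024-03-05T02:14:09Z host=srv-db01 user=guest event=logon outcome=failure",
    "2024-03-05T02:14:30Z host=srv-db01 user=bob event=logon outcome=success",
    "2024-03-05T02:20:44Z host=srv-db01 user=bob event=logoff outcome=success",
]


def chain_digests(lines):
    """Return the hex digest after each line of a SHA-256 hash chain over the lines."""
    digest = b"\x00" * 32  # fixed genesis value; both sides must use the same one
    out = []
    for line in lines:
        digest = hashlib.sha256(digest + line.encode("utf-8")).digest()
        out.append(digest.hex())
    return out


def first_divergence(local, remote):
    """Index of the first line at which the two chains disagree.

    Returns None when the copies are identical; if one copy is a strict prefix
    of the other (truncation), returns the length of the shorter copy.
    """
    lc, rc = chain_digests(local), chain_digests(remote)
    for i, (a, b) in enumerate(zip(lc, rc)):
        if a != b:
            return i
    return None if len(lc) == len(rc) else min(len(lc), len(rc))


def differing_lines(local, remote):
    """Lines present in only one copy, prefixed '- ' (remote only) or '+ ' (local only)."""
    return [d for d in difflib.ndiff(remote, local) if d[:2] in ("- ", "+ ")]


def compare_copies(local, remote):
    """Return (first divergent index or None, list of differing lines)."""
    return first_divergence(local, remote), differing_lines(local, remote)


if __name__ == "__main__":
    idx, diff = compare_copies(LOCAL_LOG, REMOTE_LOG)
    if idx is None:
        print("local and remote copies agree")
    else:
        print(f"chains diverge at line {idx + 1}; remote copy is authoritative")
        for d in diff:
            print(d)
```

Storing only the final chain digest of each day's remote copy is enough to detect that a local file has been changed; the full diff is what you run once the checkpoint mismatches. The comparison only means something if the remote server is reachable by the logging host for writes but not for edits, which is the ‘extra security layer’ the article refers to.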
Finally, be sure you have a well-documented plan that details how activity logs are collected, analyzed, who investigates, and average resolution times – just like a typical SLA. Protecting activity logs is mission critical as compromised log files can significantly hamper investigations after an event, and in some cases even invalidate disciplinary and/or legal action.
I bet you didn’t see all of that coming. Well, hopefully you saw SOME of it, and these tips will help you close the gaps in your security protocols by not neglecting activity logs.
Ready for more on this topic?
Looking for more expert tips on leveraging activity logs in your security plan and how to integrate it with your business intelligence platform? Then be sure to join our upcoming free webinar on advanced security features of ClicData and you can ask our experts about your unique requirements.