Audit logs play a critical role in security management. They provide insight into what has happened on our systems and networks at any given time. More specifically, if implemented correctly, logs can tell us what happened across multiple systems, and when a system is compromised they record all of the attacker's activity. These logs can help us prevent or detect violations of confidentiality, integrity, and availability.
An audit log is a recorded history of the activities that occurred on a system. Specifically, an audit log is either a file on disk or a space in temporary memory to which a system automatically records its activities. Typically, when we think of logging we think of the System, Application, or Security logs (on a Windows-based system), and while those are valuable components of logging, what is often overlooked is the audit log configuration itself. In addition, systems such as routers, switches, wireless access points and firewalls also generate log files, and these are often not given the attention they need.
Most vendors, such as Microsoft, publish recommended audit logging documentation; however, these advanced log settings are often not enabled by default. When we perform a gap assessment, it is not uncommon to find audit logging at the bottom of the list of priorities, especially in smaller companies with limited resources.
If audit logging is not configured properly, an attacker can hide their location, their malicious remote access software and other nefarious activities on a system without being detected. Vulnerable systems could remain vulnerable, and your intellectual property could remain exposed or, worse, walk out the front door right under your nose. Without an effective audit logging implementation, you are left blind to the details of an attack and to any subsequent activity performed by the attacker. Essentially, these attacks can go unnoticed, and any resulting damage could be irreversible.
There are several steps that even the smallest organization can take to achieve a successful log management program.
A centralized logging platform (SIEM) collects the logs and event data generated by your applications, security devices, servers and workstations and aggregates them in a single centralized platform. A SIEM can also gather data from antivirus events and from firewall and database logs. Once collected, it sorts this data into categories such as malware activity or failed login attempts. When a potential threat is identified, the SIEM generates an alert and assigns a threat level based on predetermined rules.
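The collect, categorize and rule-based alerting steps described above, in miniature, as an added example that is not code from the original post or from Brockton Point Solutions. The line formats, the "three failed logins within five minutes" rule and the threat levels are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real logs): Windows Security, sshd and antivirus events.
SAMPLE_LINES = [
    "2024-03-01T08:00:01 winsec host=WS01 EventID=4625 user=jdoe src=10.0.0.5",
    "2024-03-01T08:00:03 winsec host=WS01 EventID=4625 user=jdoe src=10.0.0.5",
    "2024-03-01T08:00:05 sshd host=SRV02 Failed password for root from 10.0.0.5",
    "2024-03-01T08:00:09 winsec host=WS01 EventID=4624 user=jdoe src=10.0.0.5",
    "2024-03-01T08:05:00 av host=WS03 action=quarantine threat=Trojan.Generic",
    "2024-03-01T09:00:00 winsec host=WS01 EventID=4625 user=bob src=10.0.0.7",
]

THRESHOLD, WINDOW = 3, timedelta(minutes=5)   # assumed brute-force rule parameters

def parse_line(line):
    """Normalise one raw line into a common event record with a category."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(re.findall(r"(\w+)=(\S+)", rest))
    if source == "winsec":
        cat = {"4625": "failed_login", "4624": "successful_login"}.get(
            fields.get("EventID"), "other")
    elif source == "sshd" and "Failed password" in rest:
        cat, fields["src"] = "failed_login", rest.rsplit(" ", 1)[1]
    elif source == "av" and fields.get("action") == "quarantine":
        cat = "malware"
    else:
        cat = "other"
    return {"ts": datetime.fromisoformat(ts), "host": fields.get("host"),
            "src": fields.get("src"), "category": cat}

def apply_rules(lines):
    """Sort events into categories, then raise alerts with a threat level."""
    buckets = defaultdict(list)
    for ev in map(parse_line, lines):
        buckets[ev["category"]].append(ev)
    alerts = [("malware_detected", "high", ev["host"]) for ev in buckets["malware"]]
    # Rule: THRESHOLD failed logins from one source IP inside WINDOW, counted
    # across hosts; level rises to "high" if that IP then logged in successfully.
    by_src = defaultdict(list)
    for ev in buckets["failed_login"]:
        by_src[ev["src"]].append(ev["ts"])
    logged_in = {ev["src"] for ev in buckets["successful_login"]}
    for src, times in by_src.items():
        times.sort()
        if any(times[i + THRESHOLD - 1] - times[i] <= WINDOW
               for i in range(len(times) - THRESHOLD + 1)):
            alerts.append(("brute_force", "high" if src in logged_in else "medium", src))
    return alerts
```

Correlating the failed logins across the workstation and the Linux server is what the single aggregated view buys you; neither host alone sees three attempts.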
While there are several commercial and open-source platforms for centralized log management, your budget and unique environment will determine which is the best fit for you.
An effective audit logging system depends on extracting the critical events and alerts from an otherwise overwhelming amount of information. Centralized log management is an important and often overlooked step towards an efficient IT infrastructure, and it is critical for organizations that want to understand the events happening within their environment. Contact Brockton Point Solutions to see how we can help.