Importance of Audit Log Management

Audit Log Management

Audit logs play a critical role in security management. They give us insight into what has happened on our systems and networks at any given time. More specifically, if implemented correctly, logs can tell us what happened across multiple systems, and when a system is compromised they record the attacker's activity on it. These logs help us prevent or detect violations of confidentiality, integrity, and availability.

What is an audit log?

An audit log is a recorded history of activities that occurred on a system: either a file on disk or a region of memory to which the system automatically records its activity. Typically, when we think of logging we think of the System, Application, or Security logs (on a Windows-based system), and while those are valuable components of logging, what is often overlooked is the audit log configuration itself. In addition, systems such as routers, switches, wireless access points and firewalls also generate log files, and these are often not given the attention they need.

Most vendors, such as Microsoft, publish recommended audit logging documentation; however, these advanced log settings are often not enabled by default. It's not uncommon, when we perform a gap assessment, to find audit logging at the bottom of the list of priorities, especially in smaller companies with limited resources.

Why does it matter?

If logging is not configured properly, an attacker can hide their location, run malicious remote access software, and carry out other nefarious activities on a system without being detected. Vulnerable systems could remain vulnerable, and your intellectual property could remain exposed or, worse, walk out the front door right under your nose. Without an effective audit logging implementation, you are blind to the details of an attack and to any subsequent activity performed by the attacker. Such attacks can go unnoticed, and the resulting damage could be irreversible.

How?

There are several steps that even the smallest organization can take to achieve a successful log management program.

  1. Organizations should synchronize the clocks on all systems. This aids log analysis once logs are centrally aggregated. When system clocks differ by even a few minutes, event reconstruction and analysis become difficult for incident handlers.
  2. All devices should be configured to log events in a format that can be easily ingested into a central log management solution. This can be done either with a standard log format such as syslog or with a log aggregator that accepts logs in a variety of formats. These central log management solutions are referred to as Security Information and Event Management (SIEM) systems.
  3. Audit logs should be generated locally on the system logging the event. However, they also need to be aggregated in a central location (the SIEM) where they can be protected, archived, and used for event analysis. Simply having logs on individual systems is a good first step, but distributed logs are exceedingly difficult to process and are often only useful on an ad hoc basis. Relying on logs stored only on the local endpoints is a surefire way to ensure that when an incident occurs, the logs you need will not be available.
  4. Log retention must also be considered. The average time to detect a breach in 2021 was reported to be 212 days (about 7 months). This means you must ensure that you have allocated enough storage space for the retention and archiving of your logs. When logs are moved from central storage to long-term archival, they should be protected and digitally signed so that any attempted tampering can be detected.
  5. Logs need to be reviewed on a regular basis in order to identify anomalies that could be indicators of risk or of system compromise. There's no magic formula for how often logs should be reviewed, but a good rule of thumb is at least weekly.

Centralized Logging

A centralized logging platform (SIEM) works by collecting logs and event data generated by your applications, security devices, servers and workstations and aggregating them into a single centralized platform. A SIEM can also gather data from antivirus events, firewall logs, and database logs. Once collected, it sorts this data into categories such as malware activity or failed login attempts. When a potential threat is identified, the SIEM generates an alert and a threat level based on predefined rules.

While there are several commercial and open-source platforms for centralized log management, your budget and unique environment will determine which is the best fit for you.
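As an added example (not code from the original article), the following Python sketch walks through steps 2, 4 and 5 above together with the SIEM categorisation just described: it ingests constructed syslog lines from several hosts, normalises their timestamps to UTC so events can be reconstructed in order, HMAC-signs the archive so later tampering is detectable, and flags a burst of failed logins by source address. The host names, addresses, log lines and signing key are all constructed for the example.

```python
import hashlib
import hmac
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample: RFC 5424 syslog lines from three hosts. db01 reports in a
# +02:00 offset, and fw01's clock runs a few minutes slow (step 1's problem:
# code can normalise offsets, but only clock synchronisation fixes the skew).
SAMPLE_LOGS = """\
<86>1 2021-06-01T12:00:05+00:00 web01 sshd - - - Failed password for root from 203.0.113.7 port 5222
<86>1 2021-06-01T14:00:09+02:00 db01 sshd - - - Failed password for root from 203.0.113.7 port 5223
<86>1 2021-06-01T11:57:02+00:00 fw01 sshd - - - Failed password for admin from 203.0.113.7 port 5224
<86>1 2021-06-01T12:00:20+00:00 web01 sshd - - - Accepted publickey for deploy from 198.51.100.4 port 5230
"""

SYSLOG_RE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for \S+ from (?P<src>\S+)")


def ingest(text):
    """Parse syslog lines, convert every timestamp to UTC and sort by time (step 2)."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:  # unparseable lines are dropped here; a real SIEM would quarantine them
            ts = datetime.fromisoformat(m["ts"]).astimezone(timezone.utc)
            records.append({"ts": ts, "host": m["host"], "app": m["app"], "msg": m["msg"]})
    return sorted(records, key=lambda r: r["ts"])


def canonical(records):
    """Stable text form of the archive that both signer and verifier compute."""
    return "\n".join(f"{r['ts'].isoformat()} {r['host']} {r['app']} {r['msg']}" for r in records)


def sign_archive(records, key):
    """HMAC-SHA256 over the canonical archive, stored alongside it (step 4)."""
    return hmac.new(key, canonical(records).encode(), hashlib.sha256).hexdigest()


def verify_archive(records, key, signature):
    """Constant-time check; any edited record changes the digest."""
    return hmac.compare_digest(sign_archive(records, key), signature)


def failed_login_alerts(records, threshold=3):
    """Categorise failed logins by source and alert once a source crosses threshold (step 5)."""
    counts = Counter()
    for r in records:
        m = FAILED_RE.search(r["msg"])
        if m:
            counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}
```

Note that the three failures land on three different hosts, so the burst is only visible once the logs are aggregated centrally (step 3).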

Summary

An effective audit logging system is dependent on collecting the necessary critical events and alerts from an otherwise overwhelming amount of information. Centralized log management is an important and often overlooked step towards an efficient IT infrastructure and is critical for organizations to understand the events happening within their environment. Contact Brockton Point Solutions to see how we can help.
