Today, I will be going over Control 6 from version 7 of the CIS top 20 Critical Security Controls – Maintenance, Monitoring, and Analysis of Audit Logs. I will go through the eight requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 6

  • Logs are the lifeblood of security. I like to think of a cyber-attack the way I think of any physical attack. A bank robber is going to break a ton of laws and create a lot of noise while they are in the bank, but they are probably going to obey as many laws as possible while they are fleeing the scene. The same goes in the digital world. An attacker may create a ton of noise on an endpoint while leaving little trace on the network, or vice versa. You need to collect logs from as many systems as possible to get an accurate picture of what is going on.
  • Hardening guides are handy again. Both the CIS Benchmarks and the DISA hardening guides (STIGs) provide guidance on how to enable logging on endpoints as well as how to forward it to a centralized log server. Follow these best practices and you’ll be in good shape.
  • Two important logging items. The first is spelled out in the first sub-control: clocks must be synchronized across every device that produces logs. Keeping them coordinated with UTC, so you can trace an event across systems around the globe, is essential. The second is how data is normalized. The tool needs to use one name for a given piece of metadata across all log sources. You don’t want to have to search for ip, ipv4, address, and source just to find the same field.
  • The six basic controls. CIS now states that there are six basic controls rather than the original five. Consider this your warning that logging is (Read more...)
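The time-synchronization and normalization points above are easier to appreciate with a small worked example. The following Python is an added example written for this page; it is not code from the original post or from any CIS tooling. The field-name alias sets, the canonical schema (ts, src_ip, msg), the accepted timestamp layouts and the sample events are all assumptions made for illustration. It maps events from three imagined sources, each using its own field names and its own local time zone, onto one schema with all timestamps in UTC, so that a single query on one field name returns the whole timeline in the right order. A timestamp with no zone information is accepted but flagged, and a record with an unparseable address is rejected rather than silently indexed.

```python
"""Normalize field names and timestamps across heterogeneous log sources.

Added example for this page, not code from the original post. The alias sets,
canonical schema, timestamp layouts and sample events below are assumptions.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Assumed aliases: different sources call the same thing by different names.
# The canonical key is the first entry of each tuple.
SRC_IP_ALIASES = ("src_ip", "ip", "ipv4", "address", "source", "src", "client_ip")
TIME_ALIASES = ("ts", "timestamp", "@timestamp", "time", "eventtime")

# Timestamp layouts we accept. %z parses "Z", "+0000" and "+09:00" (Python 3.7+).
TIME_FORMATS = (
    "%Y-%m-%dT%H:%M:%S%z",
    "%Y-%m-%d %H:%M:%S %z",
    "%Y-%m-%dT%H:%M:%S",   # naive: no zone information at all
    "%Y-%m-%d %H:%M:%S",
)

# Constructed sample events (not real log data). Each imagined source uses its
# own field names and its own local clock for the same host, 10.1.2.3.
SAMPLE_EVENTS = [
    '{"ts": "2019-03-04T08:15:30-05:00", "ip": "10.1.2.3", "msg": "vpn login"}',
    '{"timestamp": "2019-03-04 13:15:31 +0000", "ipv4": "10.1.2.3", "msg": "dns query"}',
    '{"eventtime": "2019-03-04T22:15:32+09:00", "address": "10.1.2.3", "msg": "proxy allow"}',
    '{"time": "2019-03-04T13:15:33", "source": "10.1.2.3", "msg": "sudo"}',
    '{"time": "2019-03-04T13:15:34Z", "ip": "not-an-ip", "msg": "garbage"}',
]


def parse_timestamp(raw):
    """Return (aware UTC datetime, assumed_utc flag) or raise ValueError.

    A naive timestamp is ambiguous. We assume UTC but flag it, so the analyst
    knows the position of that event on the timeline is a guess, not a fact.
    """
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if dt.tzinfo is None:
            return dt.replace(tzinfo=timezone.utc), True
        return dt.astimezone(timezone.utc), False
    raise ValueError("unrecognised timestamp: %r" % raw)


def first_present(record, aliases):
    """Return (alias, value) for the first alias found in record, else (None, None)."""
    for key in aliases:
        if key in record:
            return key, record[key]
    return None, None


def normalize_event(line):
    """Map one raw JSON log line onto the canonical schema.

    Returns a dict with ts (ISO-8601 UTC with 'Z' suffix), ts_assumed_utc,
    src_ip, msg and the original field names used. Raises ValueError if the
    event cannot be normalized (json.JSONDecodeError is a ValueError too).
    """
    record = json.loads(line)

    time_key, raw_time = first_present(record, TIME_ALIASES)
    if time_key is None:
        raise ValueError("no timestamp field")
    when, assumed = parse_timestamp(raw_time)

    ip_key, raw_ip = first_present(record, SRC_IP_ALIASES)
    if ip_key is None:
        raise ValueError("no source address field")
    src_ip = str(ipaddress.ip_address(raw_ip))  # raises ValueError on junk

    return {
        "ts": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ts_assumed_utc": assumed,
        "src_ip": src_ip,
        "msg": record.get("msg", ""),
        "orig_fields": {"time": time_key, "src_ip": ip_key},
    }


def normalize_events(lines):
    """Normalize many lines; return (events sorted by UTC time, rejected lines)."""
    events, rejects = [], []
    for line in lines:
        try:
            events.append(normalize_event(line))
        except ValueError as exc:
            rejects.append((line, str(exc)))
    events.sort(key=lambda e: e["ts"])  # fixed-width ISO strings sort correctly
    return events, rejects


def timeline_for(src_ip, lines):
    """One query on one field name: every event for src_ip, in UTC order."""
    events, _ = normalize_events(lines)
    return [(e["ts"], e["msg"]) for e in events if e["src_ip"] == src_ip]


if __name__ == "__main__":
    for ts, msg in timeline_for("10.1.2.3", SAMPLE_EVENTS):
        print(ts, msg)
```

Run as a script it prints the four surviving events in order from 13:15:30Z to 13:15:33Z, even though the raw records were stamped in three different zones; the rejected fifth line is kept separately so a bad parser or a noisy source is visible rather than silently dropped. In a real pipeline the alias tables would be driven by the SIEM's parsing configuration rather than hard-coded, and a naive timestamp should be treated as a finding against the source that produced it.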