Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of a network or data compromise in a timely manner. Log collection and regular review are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logs may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection, storage, and standardization to better coordinate audit log reviews. Some industries have regulatory bodies that require the collection, retention, and review of logs, so CIS Control 8 is not only important but in some cases mandatory.

The Control is composed of twelve safeguards, mostly in the IG2 category, with Protect or Detect security functions that all organizations with enterprise assets should implement. Audit logs should capture detailed information about (1) what event happened, (2) what system the event happened on, (3) what time the event happened, and (4) who caused the event to happen. Alerts should be set for suspicious or major events, such as users attempting to access resources without appropriate privileges or the execution of binaries that should not exist on a system.
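A small review routine for the four record fields and the two alert conditions described above, written for this article as an added example (not CIS code). The JSON field names, the binary allowlist, the 5-minute clock-skew tolerance, the collector timestamp and the sample records are all assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# The four facts CIS Control 8 says every record must carry: what, where, when, who.
# Field names are an assumption for this example (map them to your own log schema).
REQUIRED_FIELDS = ("event", "host", "timestamp", "user")
# Assumed allowlist of binaries expected on the host; anything else is alert-worthy.
ALLOWED_BINARIES = {"/usr/bin/sshd", "/usr/sbin/cron", "/usr/bin/python3"}
# Assumed tolerance for "time-synchronized": source clock vs. the collector's clock.
MAX_SKEW = timedelta(minutes=5)
# Assumed collector clock at the moment this batch was received.
COLLECTOR_TIME = datetime(2024, 3, 1, 10, 0, 10, tzinfo=timezone.utc)

# Constructed sample records (JSON lines); not real data.
SAMPLE_LOG = """\
{"event":"login","host":"web01","timestamp":"2024-03-01T10:00:00Z","user":"alice","result":"success"}
{"event":"file_access","host":"db01","timestamp":"2024-03-01T10:00:05Z","user":"bob","result":"denied","path":"/etc/shadow"}
{"event":"exec","host":"web01","timestamp":"2024-03-01T10:00:09Z","user":"www-data","binary":"/tmp/.x/run"}
{"event":"exec","host":"web01","timestamp":"2024-03-01T10:00:10Z","user":"root","binary":"/usr/sbin/cron"}
{"event":"logout","host":"web01","user":"alice"}
{"event":"login","host":"app02","timestamp":"2024-03-01T11:30:00Z","user":"carol","result":"success"}
"""


def review(log_text, collector_time=COLLECTOR_TIME):
    """Return (kind, detail) findings: incomplete records, clock skew,
    denied access attempts, and execution of non-allowlisted binaries."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:  # record cannot answer what/where/when/who; flag and skip it
            findings.append(("incomplete", f"line {lineno}: missing {missing}"))
            continue
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        skew = abs(collector_time - ts)
        if skew > MAX_SKEW:  # source clock drifted: timeline across hosts is unreliable
            findings.append(("clock_skew", f"line {lineno}: {rec['host']} off by {skew}"))
        if rec["event"] == "file_access" and rec.get("result") == "denied":
            findings.append(("unauthorized_access",
                             f"line {lineno}: {rec['user']} denied {rec.get('path')} on {rec['host']}"))
        if rec["event"] == "exec" and rec.get("binary") not in ALLOWED_BINARIES:
            findings.append(("unexpected_binary",
                             f"line {lineno}: {rec['binary']} run by {rec['user']} on {rec['host']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review(SAMPLE_LOG):
        print(f"[{kind}] {detail}")
```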

Audit logs are also a target for attackers looking to cover their tracks. So, audit logging must be configured to enforce access control and limit the users who can modify or delete logging data.

The CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the controls and walk you through configuration remediation step-by-step.

Key Takeaways for Control 8

An audit log management plan should at least implement processes to:

  1. Ensure that detailed, time-synchronized audit logs are collected across enterprise assets.
  2. Ensure that logs are stored in a centralized location and retained for a minimum of 90 days.
  3. Ensure audit log reviews are