Logs are crucial to breach investigations. However, some investigations suffer from a lack of logs. In such cases, the company must assume the worst if no evidence can be brought to the contrary. This may require sending notifications to an entire customer base or paying large fines. Some of these notices and fines could have been avoided had logs been preserved.
In many cases, logs are not available because they are overwritten. Many devices, by default, overwrite their logs when they fill up so that only recent events can be found. However, recent events are often insufficient for a cybersecurity investigation that may go back months or even years.
In other cases, logs are deleted by a cybercriminal or malicious insider. A criminal may steal information and then delete the logs to cover their tracks. Similarly, a malicious admin could perform some illegal activity and then remove the logs and the evidence they contain.
It is important, therefore, for companies to have a robust logging system that retains logs and prevents log tampering. Companies can take several active steps to make critical system logs as tamper-proof as possible.
Step 1: Centralized Archiving
The first step in protecting security log integrity is to send logs to a centralized log management system for archival. Some may choose to archive logs in batches, such as on a nightly schedule. However, the best approach is to send logs to a central repository as they are created. Batch processing can result in missing log data if log integrity is compromised between archival cycles. Continuously writing logs to the repository, by contrast, ensures that important events are tracked even if the local copy is deleted, corrupted or overwritten.
In the case of a breach or other event, incident response or investigative teams will need to be able to analyze the logs to piece together what happened, implement an effective response, and prevent future intrusions. Hackers or malicious insiders realize this, and will often look for ways to alter, delete or wipe these logs completely as a way to cover their tracks.
Step 2: Segregation
The next step is to secure the data from unauthorized tampering. This begins by restricting log access to a select group of individuals. The log archive should be accessible to cybersecurity personnel but not IT so that there is a separation of duties to protect log integrity.
Your goal here is to keep a “true copy” of your logs in one location that hackers or a malicious insider cannot reach. If a hacker or malicious insider, such as an administrator, had access to both the servers and the log archive, they would be able to remove evidence in both places. Separation of duties prevents this.
The log archive should also be segregated on a different network. Some companies may utilize a cloud system or a third-party monitoring service so that there is a technology separation between the production systems and archival system.
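The "true copy" idea in Steps 1 and 2 can be made verifiable rather than just hoped for. The following is an added example, not code from the article or from TCDI: a minimal hash-chained archive in which every record stores the SHA-256 of the previous record's hash plus its own text, and the latest chain hash (the "head") is held separately by the security team. The in-memory `LogArchive` class, the `verify` function, the record format and the sample syslog-style lines are all assumptions for this example; a production archive would be append-only storage on the segregated host the article describes.

```python
"""Tamper-evident log archive using a SHA-256 hash chain.

Added example, not from the article. Each record's hash covers the previous
record's hash, so modifying, deleting or reordering any record breaks the
verification of every record after it. Comparing the recomputed chain against
an independently held head hash additionally catches truncation at the end.
"""
import hashlib
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor for the very first record

# Constructed sample records (not real logs), syslog-style.
SAMPLE_LINES = [
    "Mar  1 10:00:01 web01 sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "Mar  1 10:02:17 web01 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  1 10:05:44 web01 sshd[498]: Failed password for root from 10.0.0.9",
    "Mar  1 10:05:49 web01 sshd[498]: Failed password for root from 10.0.0.9",
]


def chain_hash(prev_hash: str, line: str) -> str:
    """Hash of one record, bound to every record before it via prev_hash."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


class LogArchive:
    """Stand-in for the central, segregated archive (assumption: real storage
    would be append-only and unreachable from the production hosts)."""

    def __init__(self) -> None:
        self.records: List[Dict[str, str]] = []

    def append(self, line: str) -> str:
        prev = self.head()
        h = chain_hash(prev, line)
        self.records.append({"line": line, "hash": h})
        return h

    def head(self) -> str:
        """Latest chain hash; the security team keeps a copy of this value
        outside the archive so end-of-file truncation is detectable."""
        return self.records[-1]["hash"] if self.records else GENESIS


def build_archive(lines: List[str]) -> LogArchive:
    archive = LogArchive()
    for line in lines:
        archive.append(line)
    return archive


def verify(records: List[Dict[str, str]], expected_head: str) -> Tuple[bool, int]:
    """Recompute the chain over `records`.

    Returns (ok, index): index is the first record whose hash does not match
    (-1 if the chain is internally consistent). ok is False either when a
    record mismatches or when the final hash differs from the separately
    held head, which is how a silently truncated archive is caught.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if chain_hash(prev, rec["line"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    return prev == expected_head, -1


if __name__ == "__main__":
    archive = build_archive(SAMPLE_LINES)
    print("intact:", verify(archive.records, archive.head()))
    edited = [dict(r) for r in archive.records]
    edited[2]["line"] = edited[2]["line"].replace("Failed", "Accepted")
    print("edited record 2:", verify(edited, archive.head()))
    print("last record removed:", verify(archive.records[:-1], archive.head()))
```

Verification is deliberately cheap (one hash per record), so it can run on every archival cycle; the only secret-free trust anchor is the head hash, which is why it belongs with the cybersecurity team rather than with the administrators who can write to the servers.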
Step 3: Monitoring and Alerting
It is not enough to simply archive the logs. Companies need to know when log data indicates a cybersecurity event. In the past, this involved a person or team reviewing the logs daily to identify security events. However, the modern computing environment creates far too much data for a human to review. Today's environments require automated systems to review logs and identify cybersecurity events.
A cybersecurity event is a potential incident. Monitoring systems such as Security Information and Event Management (SIEM) parse through logs from multiple devices and correlate the data to identify events and alert cybersecurity teams. Cybersecurity teams then review the relevant log data and make a determination as to whether the event is something that must be addressed.
Some events will be false positives, legitimate activity that differs from the norm, such as a user that backs up a large amount of data to a storage device upon project completion. However, the same indicators could be a security incident if an employee tried to steal data in the same way. This is why monitoring is a partnership between people and technology.
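The correlation described in Step 3 can be illustrated with a few rules run over sample data. The following is an added example, not code from the article or any SIEM product: it parses constructed `key=value` log lines and applies three rules, one for repeated failed logins followed by a success, one for a host whose log stream has gone quiet (which is what the central copy notices when local logs are deleted or a forwarder is stopped), and one for an explicit audit-log-cleared record. The line format, field names, thresholds and `NOW` reference time are assumptions for this example.

```python
"""SIEM-style correlation over constructed log lines.

Added example, not from the article. Events are parsed from a simple
'<iso-timestamp> key=value ...' format (an assumption for this example) and
three detection rules produce alerts for an analyst to triage.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample logs, not real data.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 host=web01 src=10.0.0.5 user=alice event=login_failed
2024-03-01T10:00:07 host=web01 src=10.0.0.5 user=alice event=login_failed
2024-03-01T10:00:12 host=web01 src=10.0.0.5 user=alice event=login_failed
2024-03-01T10:00:20 host=web01 src=10.0.0.5 user=alice event=login_failed
2024-03-01T10:00:31 host=web01 src=10.0.0.5 user=alice event=login_success
2024-03-01T10:01:00 host=db01 src=10.0.0.9 user=bob event=login_success
2024-03-01T10:05:00 host=db01 src=10.0.0.9 user=bob event=audit_log_cleared
2024-03-01T10:30:00 host=web01 src=10.0.0.7 user=carol event=login_failed
2024-03-01T10:31:00 host=web01 src=10.0.0.7 user=carol event=login_success
"""

# Reference "current time" for the silence rule (assumption for the example).
NOW = datetime(2024, 3, 1, 11, 0, 0)


def parse_line(line: str) -> Dict[str, object]:
    """Turn '<timestamp> k=v k=v' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec: Dict[str, object] = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_logs(text: str) -> List[Dict[str, object]]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect_brute_force(events, threshold=4, window=timedelta(minutes=2)):
    """Alert when one source accumulates `threshold` failed logins within
    `window` and then logs in successfully inside that same window."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of recent failures
    for e in sorted(events, key=lambda e: e["ts"]):
        src = e.get("src")
        if e["event"] == "login_failed":
            failures[src].append(e["ts"])
        elif e["event"] == "login_success":
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": src,
                               "user": e.get("user"), "host": e.get("host"),
                               "failures": len(recent)})
                failures[src] = []  # do not re-alert on the same burst
    return alerts


def detect_silent_sources(events, now, max_gap=timedelta(minutes=30)):
    """Alert for any host that has sent nothing for longer than `max_gap`:
    a stopped forwarder, a dead host, or someone clearing the local logs."""
    last_seen: Dict[str, datetime] = {}
    for e in events:
        host = e["host"]
        last_seen[host] = max(last_seen.get(host, e["ts"]), e["ts"])
    return [{"rule": "log_source_silent", "host": h, "last_seen": t.isoformat()}
            for h, t in sorted(last_seen.items()) if now - t > max_gap]


def detect_audit_cleared(events):
    """An explicit log-clearing record is itself evidence worth alerting on."""
    return [{"rule": "audit_log_cleared", "host": e["host"],
             "user": e.get("user"), "ts": e["ts"].isoformat()}
            for e in events if e["event"] == "audit_log_cleared"]


def run_rules(text: str, now: datetime) -> List[Dict[str, object]]:
    events = parse_logs(text)
    return (detect_brute_force(events)
            + detect_silent_sources(events, now)
            + detect_audit_cleared(events))


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS, NOW):
        print(alert)
```

Note that carol's single failure before a success produces no alert while alice's four do, which is the threshold-and-window tuning the article's false-positive discussion is about; the silence rule is the one most directly tied to log integrity, because it fires on the absence of data rather than its content.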
Step 4: Rapid Response
Cybersecurity incidents need to be addressed quickly before an attacker is able to accomplish his or her goal. Some incidents, such as ransomware, need to be contained quickly to reduce the impact of the incident. For these reasons, companies need to build in rapid response protocols.
The first step is to identify potential incidents that might come up. This may be proactive or in response to incidents that have arisen. The initial response activities may have discrete technical steps that can be automated such as quarantining an infected machine, blocking connections, disabling accounts, or blocking data transmissions. It takes time to review an event and perform the required activities, but automation can decrease this time significantly to minimize the impact of an incident.
Incidents are not completely automated, but the most time-sensitive tasks should be automated whenever possible. Cybersecurity teams can then respond to the incident by taking over where the automation left off by cleaning and restoring quarantined machines, investigating potential data breaches or sharing data on malicious traffic with law enforcement or cybersecurity groups.
Log integrity and availability are the foundation for understanding and effectively responding to cybersecurity incidents. Log monitoring is needed to identify potential incidents, and rapid response helps reduce the impact of cybersecurity incidents. These four steps provide a framework for effective cybersecurity logging.
This article was sponsored by TCDI, a cybersecurity, computer forensics, and eDiscovery company.