Information is everything. Most security experts agree that, when an incident affects their systems, they could respond and remediate faster if they had adequate logs at their disposal. Yet although logs are the de facto record of session and event information, their value during a security incident is often overlooked.
Many organizations find themselves lacking adequate logging information once an event occurs. This makes incident response and picking up the pieces afterward a more challenging prospect than it has to be.
In its Cost of a Data Breach Report 2020, IBM found that reducing the detection time to below 200 days can reduce the cost of a breach by $1 million. From that angle, logs are a valuable asset for mitigating the damage of these incidents.
Why are logs important?
- To help detect sophisticated attacks: Attackers are getting increasingly good at using obfuscation techniques to bypass detection systems and achieve long-term persistence. While cutting-edge AI-based security solutions are catching up (and even these usually depend on adequate logging), some anomalous behavior that may indicate an attack is most accurately identified by human security personnel.
- To respond to attacks more effectively: Comprehensive logging that includes wide-ranging system information is more likely to provide information that’s useful in detecting and responding to an attack. It will give security personnel a greater insight into the nature, scale, scope, and goal of the attack as well as the circumstances and events that led up to it.
- For digital forensics: Similarly, traceability is incredibly important both for recovering from an attack and for digital forensics. The information gathered during this stage can be crucial for compliance, for ongoing legal action, and for preparing for future incidents. You can only adequately audit an incident if you have logs that contain the most useful information.
Containing a threat or an event is the first step in the mind of cyber professionals, but gathering information and evidence to pursue legal action typically follows immediately afterward. LIFAR’s Digital Forensics Services specialize in getting to the bottom of every case with deep science and industry experience.
Factors that prevent adequate logging
- A lack of centralized logs: Like most organizations today, you probably operate a diverse ecosystem of applications, hardware, and on-premises, cloud-based, and hybrid systems. These are further divided into a broad spectrum of proprietary products that may each have their own logging mechanisms and practices. Digging through disparate logs can be like looking for a single needle across a number of haystacks. It may also mean that various teams or individuals don’t have access to the same logs, or to the same interface for accessing them.
- Not logging verbose data: Another issue is that you may be collecting logs but only capturing the most basic data. Whether this is due to default logging settings or logistical concerns, it can seriously hamper incident detection and response. For example, typical “start” and “stop” events don’t mean much to a security analyst trying to nail down a malware infection. Instead, you need to collect verbose logs with detailed information, even if some of it ends up not being used.
- Controlling access to logs: In some sophisticated attacks, the attacker or even malware itself can get access to logs and erase or modify them to hide their own tracks. Privileged access must always be required to access logs to help prevent this kind of tampering.
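One way to make the tampering described above detectable, as an added example that is not part of the original article: each log record carries a SHA-256 digest of the previous record, so editing, removing or reordering a record breaks the chain at the next link. The event data and the `GENESIS` anchor are constructed; shipping the head digest off-host is assumed, since without it deletion from the tail of the chain cannot be noticed.

```python
import copy
import hashlib
import json
GENESIS = "0" * 64  # anchor for the first record (constructed value)

def record_hash(prev_hash: str, entry: dict) -> str:
    # Canonical JSON so the same event always produces the same digest.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append(chain: list, entry: dict) -> dict:
    # Each record carries the previous record's digest, forming a chain.
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"entry": entry, "prev": prev, "hash": record_hash(prev, entry)}
    chain.append(rec)
    return rec

def verify(chain: list, expected_head: str = None):
    """Return (ok, index_of_first_bad_record). Any edit, deletion or
    reordering breaks the link at the next record. expected_head is the
    last digest previously shipped off-host; without it, deleting records
    from the tail of the chain is not detectable."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or record_hash(prev, rec["entry"]) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(chain)
    return True, None

# Constructed sample events, not real logs.
EVENTS = [
    {"ts": "2024-03-01T08:00:01Z", "user": "alice", "action": "login", "src": "10.0.0.5"},
    {"ts": "2024-03-01T08:05:12Z", "user": "alice", "action": "sudo", "cmd": "systemctl restart sshd"},
    {"ts": "2024-03-01T08:07:40Z", "user": "alice", "action": "logout"},
]
def build_chain(events=EVENTS) -> list:
    chain = []
    for e in events:
        append(chain, e)
    return chain

def tamper_edit(chain: list, index: int) -> list:
    forged = copy.deepcopy(chain)  # simulate one record rewritten in place
    forged[index]["entry"]["action"] = "noop"
    return forged

def tamper_delete(chain: list, index: int) -> list:
    return chain[:index] + chain[index + 1:]  # simulate a middle record removed
```

The chain only proves integrity relative to the stored head digest; the log store itself still needs the privileged-access controls the article calls for, so that the head cannot be rewritten along with the records.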
How to create an effective logging strategy
When it comes down to it, the main reason your organization never seems to have enough logs probably comes down to the lack of a custom logging strategy. Every organization should sit down and come up with a logging strategy that corresponds to its systems, assets, weaknesses, threats, and internal processes and resources.
You can help create an effective logging strategy for your organization by implementing the following steps:
- Collect from all systems: There is no telling which systems will be affected by an attack, as a target, initial attack vector, or as a conduit for lateral movement. It’s best to cover your bases and log events from all assets.
- Store in a centralized location: Instead of logging this information separately, it should be stored and collated together in a single location. This makes it easier to search and organize as well as to provide access to the same information and resources for all stakeholders.
- Organize for search/auditing: Your security analysts will already have their hands full auditing your logs for security incidents. To make their jobs easier and reduce response times, the information must be searchable and easy to consume. This concerns both how the information is organized and the tools used to access it.
- Special monitoring for privileged accounts: Privileged accounts with log access are targets for attackers who want to tamper with those logs. These accounts need to be monitored even more carefully; you should be able to track every action taken in a privileged account session.
- Training: Logs can be a superb resource for use as a security training and education tool. Real-life logs can be used in tabletop exercises to sharpen the abilities of your security teams and prepare for future incidents.
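To show what centralizing and organizing for search looks like in practice, here is an added example (not code from the original article) that normalizes two constructed sources, a syslog-style sshd line and a JSON application event, into one common schema, then queries the merged index by user and time window and builds a cross-source timeline for a set of privileged accounts. The line formats, host names and the `privileged` set are assumptions.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample lines from two sources, not real logs.
SSHD_LINES = [
    "2024-03-01T08:00:01Z host-a sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "2024-03-01T08:09:30Z host-a sshd[901]: Accepted password for svc-backup from 10.0.0.9 port 40122 ssh2",
]
APP_LINES = [
    '{"time": "2024-03-01T08:05:12Z", "host": "app-1", "actor": "alice", "event": "export_report", "ip": "10.0.0.5"}',
    '{"time": "2024-03-01T08:06:00Z", "host": "app-1", "actor": "bob", "event": "view_report", "ip": "10.0.0.7"}',
]
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def from_sshd(line: str):
    m = SSHD_RE.match(line)
    if not m:
        return None  # unparsed lines are skipped here; in production route them to a catch-all bucket
    return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
            "action": "ssh_login_" + m["method"], "src": m["src"], "source": "sshd"}

def from_app(line: str) -> dict:
    d = json.loads(line)  # application emits JSON with its own field names
    return {"ts": parse_ts(d["time"]), "host": d["host"], "user": d["actor"],
            "action": d["event"], "src": d["ip"], "source": "app"}

def build_index(sshd_lines=SSHD_LINES, app_lines=APP_LINES) -> list:
    # One schema for every source, ordered by time so analysts see one timeline.
    records = [r for r in map(from_sshd, sshd_lines) if r] + [from_app(l) for l in app_lines]
    return sorted(records, key=lambda r: r["ts"])

def search(records, user=None, since=None, until=None) -> list:
    return [r for r in records
            if (user is None or r["user"] == user)
            and (since is None or r["ts"] >= since)
            and (until is None or r["ts"] <= until)]

def privileged_timeline(records, privileged: set) -> list:
    """Ordered activity of privileged accounts across all sources."""
    return [(r["ts"].isoformat(), r["source"], r["host"], r["user"], r["action"])
            for r in records if r["user"] in privileged]
```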
Why Are There Never Enough Logs During an Incident Response?