Audit logs are a rich source of data for preventing, detecting, understanding and limiting the effects of a network or data compromise in a timely manner. Log collection and periodic reviews are useful for establishing baselines, determining operational trends, and pinpointing anomalies. In some cases, logs are the only evidence of a successful attack. CIS Control 8 emphasizes centralized collection and storage, as well as standardization, so that audit log reviews can be better coordinated. Some industries have regulators that require logs to be collected, retained, and reviewed, so CIS Control 8 is not only important but in some cases mandatory.
The control consists of twelve safeguards, most of them in Implementation Group 2 (IG2) and covering the Protect and Detect security functions, which every organization with enterprise assets should implement. Audit logs should capture detailed information about (1) what event occurred, (2) which system the event occurred on, (3) when the event occurred, and (4) who caused the event. Alerts should be configured for suspicious or serious events, for example a user attempting to access resources without the proper permissions, or attempting to run binaries that should not exist on a system.
Audit logs are also a target for attackers who want to cover their tracks, so audit logging must be configured with access controls that restrict which users can modify or delete log data.
The CIS Benchmarks, available for many product families, are best-practice security configuration guides mapped to the controls; they walk you through correcting a configuration step by step.
Key takeaways for Control 8
An audit log management plan should at least implement processes to:
- Ensure that detailed, time-synchronized audit logs are collected for all company resources.
- Make sure logs are stored in a central location and retained for at least 90 days.
- Make sure that audit log reviews are performed weekly or more frequently to establish baselines and identify potential threats.
Safeguards in Control 8
1. Establish and maintain an audit log management process
Description: Establish and maintain an audit log management process that defines the company's logging requirements. At a minimum, address the collection, review, and retention of audit logs for company resources. Review and update the documentation annually, or whenever significant company changes occur that could affect this safeguard.
Remarks: This IG1 Safeguard is intended to protect company resources by ensuring that audit logs are collected, reviewed and retained in a systematic and repeatable manner. Audit logs must be complete and accurate. It may be necessary to schedule simulated events to verify that the desired logs are actually being generated. Tools may be required to capture and search logs, and log data may need to be normalized for quick and efficient analysis.
2. Collect audit logs
Description: Collect audit logs. Make sure that logging has been enabled for all company resources according to the company’s log management process.
Remarks: This IG1 Safeguard is intended to support the detection of threats to company resources. It’s basic cyber hygiene and should be implemented by all businesses.
3. Provide adequate audit log space
Description: Ensure that logging destinations have enough storage to meet the requirements of the company's audit log management process.
Remarks: This IG1 Safeguard supports protection of company resources and maintaining log history to ensure logging audit or compliance requirements are met.
4. Standardize time synchronization
Description: Standardize the time synchronization. Configure at least two synchronized time sources for all company resources, if supported.
Remarks: This IG2 Safeguard supports the correlation of logging data by synchronizing time stamps.
5. Collect detailed audit logs
Description: Configure detailed audit logging for company resources that hold sensitive data. Include the event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist a forensic investigation.
Remarks: This IG2 Safeguard is intended to support detection of anomalies and data compromise by ensuring that detailed logs are collected, so that what happened during an event can be reconstructed and the extent of the assets involved determined.
6. Collect DNS query audit logs
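Safeguard 1 says audit logs must be complete and may need normalizing; Safeguard 5 lists the elements a detailed record should carry. The following script, an added example that is not code from CIS or from this article, normalizes two constructed input formats (a syslog-style authentication line and a JSON application record) onto one schema built from those elements and reports any record that lacks a required one. The field names, regular expressions, sample lines and the choice to treat the destination address as optional are all assumptions made for illustration.

```python
"""Normalize heterogeneous audit records into one schema and flag gaps.

Added example, not code from CIS or from this article. The input formats,
field names and regular expressions are assumptions chosen for illustration.
"""
import json
import re
from datetime import datetime, timezone

# Elements every detailed audit record should carry (Safeguard 8.5).
# dst_addr is kept but not required: host-local events have no destination.
REQUIRED = ("source", "timestamp", "user", "event", "src_addr")

# Constructed sample input (not real captures): an sshd-style syslog line,
# a JSON application record, and a sudo failure whose remote host is empty.
SAMPLE_LINES = [
    "2024-03-04T09:15:02Z host-a sshd[812]: Accepted publickey for alice "
    "from 10.0.0.5 port 51234",
    '{"ts": "2024-03-04T09:16:10Z", "host": "app-1", "user": "bob", '
    '"action": "file.delete", "client_ip": "10.0.0.9", "server_ip": "10.0.1.20"}',
    "2024-03-04T09:17:44Z host-a sudo: pam_unix(sudo:auth): "
    "authentication failure; rhost=  user=carol",
]

# Assumed line layout: "<iso-timestamp> <host> <program>[pid]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[\w.-]+)(?:\[\d+\])?:\s+(?P<msg>.*)$"
)
USER_RE = re.compile(r"\b(?:for|user=)\s*(?P<user>[\w.-]+)")
IP_RE = re.compile(r"\b(?:from|rhost=)\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_timestamp(value):
    """Parse an ISO-8601 timestamp into UTC; None if absent, unparseable
    or naive (a timestamp without a zone cannot be correlated reliably)."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        return None
    if ts.tzinfo is None:
        return None
    return ts.astimezone(timezone.utc)


def normalize(line):
    """Map one raw line onto the common schema. Anything unrecognized comes
    back with every field empty so the completeness check reports it."""
    line = line.strip()
    rec = dict.fromkeys(REQUIRED + ("dst_addr",))
    rec["raw"] = line
    if line.startswith("{"):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            return rec
        rec.update(source=obj.get("host"), timestamp=parse_timestamp(obj.get("ts")),
                   user=obj.get("user"), event=obj.get("action"),
                   src_addr=obj.get("client_ip"), dst_addr=obj.get("server_ip"))
        return rec
    m = SYSLOG_RE.match(line)
    if not m:
        return rec
    msg = m.group("msg")
    user, ip = USER_RE.search(msg), IP_RE.search(msg)
    rec.update(source=m.group("host"), timestamp=parse_timestamp(m.group("ts")),
               user=user.group("user") if user else None,
               # keep the program name plus the message head as the event label
               event=m.group("prog") + ": " + msg.split(" for ")[0].split(";")[0],
               src_addr=ip.group("ip") if ip else None)
    return rec


def missing_fields(rec):
    """Names of required elements that are absent from a normalized record."""
    return [k for k in REQUIRED if rec.get(k) in (None, "")]


def check_completeness(lines):
    """Normalize every line; return (complete records, [(line, missing), ...])."""
    complete, incomplete = [], []
    for line in lines:
        rec = normalize(line)
        gaps = missing_fields(rec)
        if gaps:
            incomplete.append((line, gaps))
        else:
            complete.append(rec)
    return complete, incomplete


if __name__ == "__main__":
    ok, bad = check_completeness(SAMPLE_LINES)
    for rec in ok:
        print("OK ", rec["timestamp"].isoformat(), rec["source"], rec["user"],
              rec["event"], rec["src_addr"], rec["dst_addr"])
    for line, gaps in bad:
        print("INCOMPLETE missing=%s :: %s" % (",".join(gaps), line))
```

Running the script reports the sudo line as incomplete because its remote-host field is empty, which is exactly the kind of gap the scheduled test events in Safeguard 1 are meant to surface: the log source is enabled, but it is not emitting every element the process requires.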
Description: Collect DNS query audit logs for corporate resources when appropriate and supported.
Remarks: DNS query logs can help track down misconfigured hosts or the signs and sources of intrusion or attack.
7. Collect URL request audit logs
Description: Collect URL request audit logs for corporate resources when appropriate and supported.
Remarks: This IG2 Safeguard is intended to detect threats and anomalous events related to URL requests.
8. Collect command-line audit logs
Description: Collect command line audit logs. Sample implementations include collecting logs from PowerShell, BASH, and remote administration terminals.
Remarks: This IG2 Safeguard is intended to detect unusual or threatening behavior at command consoles. Attackers use a common set of commands from reconnaissance through exfiltration or impact.
9. Centralize audit logs
Description: Where possible, centralize the collection and retention of audit logs for all corporate resources.
Remarks: This IG2 Safeguard is intended to support other control safeguards in organizations with increased operational complexity. Centralizing audit logs simplifies collection, retention and review. Tools are available to collect, normalize, and analyze logs for efficient search and analysis.
10. Retain audit logs
Description: Retain audit logs for all company resources for at least 90 days.
Remarks: This IG2 Safeguard is intended to protect company resources by requiring that real-time log data be retained for a specified period to meet audit or compliance requirements.
11. Conduct audit log reviews
Description: Review audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews weekly or more frequently.
Remarks: Collecting audit logs is not enough. The purpose of this IG2 Safeguard is to detect unusual behavior by reviewing the logs regularly.
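Retention is only met if every source has a segment for every day inside the window, so a practical check looks for missing days as well as for segments old enough to dispose of. The script below, an added example rather than code from CIS or from this article, does that over a constructed inventory of daily log segments per source; the segment layout, the review date, the one-day silence allowance and the 90-day value are assumptions for illustration (the value matches the minimum stated above).

```python
"""Check a central log store against the retention window.

Added example, not code from CIS or from this article. The inventory
layout, dates and thresholds below are assumptions for illustration.
"""
from datetime import date, timedelta

RETENTION_DAYS = 90      # minimum retention named in Safeguard 8.10
MAX_SILENCE_DAYS = 1     # assumed: a source quiet for longer needs attention
TODAY = date(2024, 6, 28)  # assumed review date

# Constructed inventory of daily segments as (source, day); a real check would
# list the central store instead. host-b is missing two days inside the window,
# host-c stopped producing segments ten days before the review.
SEGMENTS = [("host-a", date(2024, 3, 1) + timedelta(days=d)) for d in range(120)]
SEGMENTS += [("host-b", date(2024, 3, 1) + timedelta(days=d))
             for d in range(120) if d not in (100, 101)]
SEGMENTS += [("host-c", date(2024, 3, 1) + timedelta(days=d)) for d in range(110)]


def retention_window(today, days=RETENTION_DAYS):
    """Inclusive (start, end) of the window that must still be on disk."""
    return today - timedelta(days=days - 1), today


def coverage_gaps(segments, today, days=RETENTION_DAYS):
    """Map each source to the days inside the window for which no segment exists."""
    start, _ = retention_window(today, days)
    expected = {start + timedelta(days=i) for i in range(days)}
    have = {}
    for source, day in segments:
        have.setdefault(source, set()).add(day)
    return {src: sorted(expected - days_present)
            for src, days_present in have.items() if expected - days_present}


def disposable(segments, today, days=RETENTION_DAYS):
    """Segments older than the window; candidates for disposal per the process."""
    start, _ = retention_window(today, days)
    return sorted(s for s in segments if s[1] < start)


def stale_sources(segments, today, max_silence_days=MAX_SILENCE_DAYS):
    """Sources whose newest segment is older than allowed: logging may have stopped."""
    newest = {}
    for source, day in segments:
        newest[source] = max(newest.get(source, day), day)
    return sorted(src for src, day in newest.items()
                  if (today - day).days > max_silence_days)


if __name__ == "__main__":
    start, end = retention_window(TODAY)
    print("window:", start, "to", end)
    for src, days in coverage_gaps(SEGMENTS, TODAY).items():
        print("GAP", src, ", ".join(d.isoformat() for d in days))
    print("stale sources:", stale_sources(SEGMENTS, TODAY))
    print("segments eligible for disposal:", len(disposable(SEGMENTS, TODAY)))
```

The stale-source check is the one that most often pays for itself: a host that quietly stops forwarding is still "retained" from the store's point of view, and without such a check the gap is only discovered when the logs are needed for an investigation.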
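A weekly review in code form, added here as an example and not taken from CIS or from this article: it builds a baseline of which executables ran on which host during the prior period, then reports two of the alert conditions named at the top of the page, a binary executed that was never seen in the baseline and a user repeatedly denied access to resources. The event schema, the sample events, the one-week periods and the denial threshold are assumptions.

```python
"""Weekly audit log review against a baseline from the prior period.

Added example, not code from CIS or from this article. The event schema,
sample events, period length and threshold are assumptions.
"""
from collections import Counter
from datetime import datetime, timedelta

DENIED_THRESHOLD = 3                 # assumed: denials by one user per period
REVIEW_START = datetime(2024, 6, 17)  # assumed: first day of the period under review


def ev(ts, host, user, kind, **extra):
    """Build one normalized event (see Safeguard 8.5 for the elements)."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "kind": kind, **extra}


# Constructed events, not real captures. The first block is the prior week and
# establishes what normal looks like; the second is the week under review.
EVENTS = [
    ev("2024-06-10T08:02:00", "srv-1", "alice", "exec", path="/usr/bin/git"),
    ev("2024-06-11T09:30:00", "srv-1", "bob", "exec", path="/usr/bin/python3"),
    ev("2024-06-12T10:00:00", "srv-2", "bob", "exec", path="/usr/bin/rsync"),
    ev("2024-06-12T10:05:00", "srv-2", "alice", "access_denied", resource="/srv/finance"),
    ev("2024-06-17T08:10:00", "srv-1", "alice", "exec", path="/usr/bin/git"),
    ev("2024-06-18T02:13:00", "srv-1", "bob", "exec", path="/tmp/.cache/svc"),
    ev("2024-06-18T02:14:00", "srv-1", "bob", "exec", path="/usr/bin/python3"),
    ev("2024-06-19T11:00:00", "srv-2", "carol", "access_denied", resource="/srv/finance"),
    ev("2024-06-19T11:00:20", "srv-2", "carol", "access_denied", resource="/srv/hr"),
    ev("2024-06-19T11:01:05", "srv-2", "carol", "access_denied", resource="/srv/legal"),
    ev("2024-06-19T11:01:40", "srv-2", "carol", "access_denied", resource="/srv/payroll"),
    ev("2024-06-20T15:00:00", "srv-2", "alice", "access_denied", resource="/srv/finance"),
]


def split_periods(events, period_start, period_days=7):
    """Return (baseline events, current events) around period_start."""
    baseline_start = period_start - timedelta(days=period_days)
    end = period_start + timedelta(days=period_days)
    baseline = [e for e in events if baseline_start <= e["ts"] < period_start]
    current = [e for e in events if period_start <= e["ts"] < end]
    return baseline, current


def exec_baseline(events):
    """Set of (host, executable path) pairs observed in the baseline period."""
    return {(e["host"], e["path"]) for e in events if e["kind"] == "exec"}


def review(events, period_start, period_days=7, threshold=DENIED_THRESHOLD):
    """Produce findings for the period starting at period_start."""
    baseline, current = split_periods(events, period_start, period_days)
    known = exec_baseline(baseline)
    findings = []
    for e in current:
        if e["kind"] == "exec" and (e["host"], e["path"]) not in known:
            findings.append({"rule": "new_executable", "ts": e["ts"], "host": e["host"],
                             "user": e["user"], "path": e["path"]})
    denials = Counter(e["user"] for e in current if e["kind"] == "access_denied")
    for user, count in sorted(denials.items()):
        if count >= threshold:
            findings.append({"rule": "repeated_access_denied", "user": user,
                             "count": count})
    return findings


if __name__ == "__main__":
    for f in review(EVENTS, REVIEW_START):
        print(f)
```

Two findings come out of the sample: the executable under /tmp that no baseline host had run, and carol's four denials in two minutes. In practice the baseline should accumulate across reviews, with each finding that the reviewer accepts as legitimate added to the known set, so that the same tool is not reported every week.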
12. Collect service provider logs
Description: Collect service provider logs if supported. Example implementations include collecting authentication and authorization events, data creation and deletion events, and user management events.
Remarks: This IG3 Safeguard supports detection of threats and abnormal events related to service providers.