CIS Controls v8 Overview - Control 08

James Temples
3 min read · Sep 14, 2021

Our review of the 18 CIS Controls v8 continues and today we turn our focus towards Control 08.

Control 08: Audit Log Management — Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Why is this Control Important?

The collection and analysis of logs is critical for an organization to be able to quickly detect malicious activities. There are two common types of logs that are enabled and managed with different purposes in mind: system logs and audit logs.

System logs record system-level events such as service start/stop times, updates, crashes, and similar operational activity. They are native to the operating system or application and are usually easy to enable with minimal configuration.

Audit logs track user-level interactions and events such as user login, file access, password errors, etc. Based on the nature and importance of these events, audit logs typically take more planning and effort to set up.

Both system and audit logs must be enabled across the organization, and they must be reviewed on a regular basis. Attackers know that many organizations keep audit logs for compliance purposes but rarely analyze them, and they exploit that gap to hide their presence, their tooling, and their activity on victim machines. It is not unusual for an organization that does not review its logs to have had attackers in control of internal assets for months or years without being aware of it. Sometimes the audit logs are the only evidence that an attack succeeded.

Logs also support Incident Response, which will be covered in Control 17. Once an incident has been detected, log review is key to understanding its extent: how and when it occurred, what information was accessed, what data may have been exfiltrated, and which systems were affected. Logs must be retained long enough to support the follow-up investigations that typically take place after an incident.

How is this Control implemented?

Logging capabilities are available out of the box with most enterprise assets and software. For log review to be effective, and so that an attacker who compromises a host cannot simply erase its local logs, logs are forwarded to centralized logging servers. Because retention matters so much during an incident, as mentioned above, the centralized logging servers must have enough storage to keep logs for an extended period of time. Security Information and Event Management (SIEM) software is commonly used to run analytics on these centralized logs.

Using the enterprise asset inventory from Control 01, organizations must also cross-check the inventory against the log sources actually seen on the logging servers, to confirm that every asset is generating and forwarding logs. All enterprise assets must also be configured to record access control events, i.e., every attempt by a user to access a resource without the appropriate privileges.
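
The inventory cross-check and the access-denied logging described above can be exercised with a small script. The following is an added example written for this post; it is not code from the original article or from CIS. The hostnames, the inventory, the log line format (`<ISO timestamp> <host> <program>: <message>`), the 24-hour silence threshold, and the "denied" patterns are all assumptions chosen for illustration; the log lines are constructed, not captured from a real environment.

```python
"""Added example: reconcile the Control 01 asset inventory against what the
central log server actually received, and surface access-denied events.
Every hostname, timestamp and log line below is constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: hostname -> owning team. In practice this
# would be exported from the Control 01 inventory (CMDB, EDR console, etc.).
INVENTORY = {
    "web01": "platform",
    "db01": "platform",
    "hr-fs01": "hr",
    "jump01": "secops",
}

# Constructed syslog-style lines as a central collector might store them.
# Assumed format: "<ISO timestamp> <host> <program>: <message>".
SAMPLE_LOGS = """\
2021-09-14T08:00:01Z web01 sshd: Accepted publickey for deploy from 10.0.1.5
2021-09-14T08:02:14Z db01 postgres: connection authorized: user=app
2021-09-14T08:05:30Z hr-fs01 smbd: user 'jdoe' denied access to /payroll (permission denied)
2021-09-12T23:59:59Z jump01 sshd: Accepted password for admin from 10.0.9.9
2021-09-14T08:06:00Z lab-pc7 sshd: Failed password for root from 10.0.3.4
2021-09-14T08:07:45Z web01 nginx: 403 GET /admin/ client=198.51.100.7
"""

# Point in time at which the report is run (assumed, matches the sample data).
REPORT_TIME = datetime(2021, 9, 14, 9, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<prog>[^:]+):\s+(?P<msg>.*)$")

# Assumed, non-exhaustive patterns for "a principal tried something it was
# not entitled to". Extend per product in a real deployment.
DENIED_RE = re.compile(r"denied access|permission denied|\b403\b|Failed password", re.I)


def parse(lines):
    """Yield (timestamp, host, program, message) for each well-formed line."""
    for raw in lines.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed lines are skipped here; a real pipeline should count them
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m["host"], m["prog"], m["msg"]


def reconcile(inventory, lines, now, max_silence=timedelta(hours=24)):
    """Compare the inventory with the log sources seen on the collector.

    Returns a dict with:
      silent  - inventoried assets with no log line within max_silence of `now`
      unknown - hosts that sent logs but are not in the inventory (shadow assets)
      denied  - (host, message) pairs for access-denied events, in log order
    """
    last_seen = {}
    denied = []
    for ts, host, prog, msg in parse(lines):
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
        if DENIED_RE.search(msg):
            denied.append((host, msg))
    silent = sorted(h for h in inventory
                    if h not in last_seen or now - last_seen[h] > max_silence)
    unknown = sorted(h for h in last_seen if h not in inventory)
    return {"silent": silent, "unknown": unknown, "denied": denied}


def demo_report():
    """Run the reconciliation over the constructed sample data."""
    return reconcile(INVENTORY, SAMPLE_LOGS, REPORT_TIME)


if __name__ == "__main__":
    for key, items in demo_report().items():
        print(f"{key}: {items}")
```

On the sample data the report flags `jump01` as silent (its last line is more than 24 hours old), `lab-pc7` as an unknown source that should be added to the inventory or investigated, and three access-denied events. A gap in either direction matters: a silent asset is one whose compromise would leave no trace on the collector, and an unknown source is an asset Control 01 missed.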

Key Reminder(s)

Logging should be enabled on all enterprise assets and software within the organization. Best practice is to forward the various logs to a centralized log server, where they are typically analyzed with a SIEM. Whether done manually or automated, all logs must be reviewed on a regular basis.

In the next post, we will look at Control 09: Email and Web Browser Protections. If you enjoyed this post, please 𝙇𝙞𝙠𝙚 and 𝙎𝙝𝙖𝙧𝙚!

Contact Temples Consulting (a CIS SecureSuite Partner) to schedule a no-cost consultation for Audit Log Management using the latest CIS Benchmarks.

#cybersecurity #security #infosec #informationsecurity #riskmanagement #ciscontrols #cissecuresuite #safeguards #ciscontrolsv8 #templesconsultinggroup #security #clarity #delivery #riskassessment #riskremediation #risk2remediation #software #cyber #governance #GRC #implementations #dataprotection #datasecurity

James Temples

Cybersecurity, Implementation, Continuity and Compliance Professional & Entrepreneur, CISSP