CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs

This article breaks down the sixth and final basic CIS Control, CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs. 

Even with robust security defenses in place, there’s no way to absolutely guarantee that systems will not be breached. That’s why maintaining, monitoring and analyzing audit logs is so crucial.

Audit logs provide a detail-rich source of security data. When logging is implemented correctly, attacks can be pre-empted based on the early warning signs presented within system logs. At worst, even if an attack is successful, a good audit trail will provide a forensic-level, step-by-step record of the attacker’s origin, identity and methodology, together with details of the extent of any damage inflicted.

This critical data can help you gain insight into the inner workings of your IT environment and when properly implemented can help you detect, understand and recover from a cyber-attack.

Let’s dive into the eight sub-controls associated with this critical security control.

6.1: Utilize Three Synchronized Time Sources

  • Use a minimum of three synchronized time sources so that timestamps in logs are consistent.

In this sub-control, organizations are advised to use a minimum of three synchronized time sources so that the timestamps in your logs are consistent. It’s also important to remember that logs should be normalized to a single time zone, UTC for example. You can only correlate events and build an accurate chronological audit trail if event timestamps are consistent.

6.2: Activate Audit Logging

  • Ensure that local logging has been enabled on all systems and networking devices.

Every CIS Benchmark provides full secure configuration guidance for all platforms, devices and applications including detailed audit policy settings, designed to ensure all relevant security information is logged.

6.3: Enable Detailed Logging

  • Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

In this sub-control, organizations are encouraged to validate audit log settings for each hardware device and the software installed on it – including the date, user, timestamp, source address, destination address, and other useful information. It’s important to make sure that the metadata of the log is available so that the normalization engine in the centralized log server can correlate events across multiple platforms.
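As an added illustration of 6.1 and 6.3 (example code, not from the article or from NNT), the Python below takes three constructed log lines, each in a different format and local time zone, normalizes their timestamps to UTC and extracts the user, source and destination metadata so the events sort into one chronological trail. The per-host UTC offsets and the year supplied for the syslog line are assumed to come from an asset inventory.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the article) from three sources, each in its own
# format and local time zone; a classic syslog timestamp carries neither year nor zone.
SAMPLES = [
    ("syslog", "+02:00", "Mar 10 14:02:11 web01 sshd[812]: Failed password for root from 203.0.113.7 port 4471 ssh2"),
    ("winevt", "-05:00", "2024-03-10 07:03:05 host=DC01 EventID=4625 User=root Source=203.0.113.7"),
    ("firewall", "+00:00", "2024-03-10T12:01:58+00:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5"),
]
# One line pattern per source; each yields the same named groups (ts, host, msg).
LINE_RE = {
    "syslog": re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) \S+: (?P<msg>.*)$"),
    "winevt": re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) (?P<msg>.*)$"),
    "firewall": re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$"),
}
# The metadata 6.3 asks for, pulled from the free-text part of each line.
FIELD_RE = {
    "user": re.compile(r"(?:for|User=)\s*(\S+)"),
    "src": re.compile(r"(?:from|Source=|src=)\s*(\S+)"),
    "dst": re.compile(r"dst=(\S+)"),
}

def to_utc(source, ts, offset, assumed_year):
    """Parse a source-specific timestamp and return an aware datetime in UTC."""
    sign = 1 if offset[0] == "+" else -1
    hh, mm = (int(x) for x in offset[1:].split(":"))
    tz = timezone(sign * timedelta(hours=hh, minutes=mm))   # assumed per-host offset
    if source == "syslog":        # no year and no zone: supply both
        local = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=assumed_year, tzinfo=tz)
    elif source == "winevt":      # has a date but no zone
        local = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    else:                         # ISO 8601 with an explicit offset: use it as written
        local = datetime.fromisoformat(ts)
    return local.astimezone(timezone.utc)

def normalize(samples, assumed_year=2024):
    """Return events as uniform dicts ordered by UTC time; unparseable lines are kept."""
    events = []
    for source, offset, line in samples:
        m = LINE_RE[source].match(line)
        if not m:
            events.append({"source": source, "ts_utc": None, "raw": line})
            continue
        ev = {"source": source, "host": m["host"], "msg": m["msg"],
              "ts_utc": to_utc(source, m["ts"], offset, assumed_year).isoformat()}
        for name, rx in FIELD_RE.items():
            hit = rx.search(m["msg"])
            ev[name] = hit.group(1) if hit else None
        events.append(ev)
    return sorted(events, key=lambda e: e["ts_utc"] or "")
```

Sorted on the raw local times the Windows event would appear first; after normalization the firewall denial, the SSH failure and the Windows logon failure fall into their true order a minute apart, all from the same source address.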

6.4: Ensure Adequate Storage for Logs

  • Ensure that all systems that store logs have adequate storage space for the logs generated.

This sub-control advises organizations to ensure that all systems that store logs have adequate storage space for the logs generated on a regular basis, so that log files don’t fill up between log rotation intervals. This includes local storage on the endpoints and storage in your centralized logging server.

Most compliance regulations have specific requirements for lengths of time that logs must be retained. For example, PCI DSS requires logs to remain searchable for up to 3 months and retained for up to 1 year, while the HIPAA log retention requirement mandates the need to store and archive logs for at least six years. 

Unfortunately, it can take weeks or even months for a breach to be uncovered, so the longer your organization retains these logs the better off you’ll be.


6.5: Central Log Management

  • Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

This requirement is critical to achieving CIS Control 6. Organizations must ensure that ‘appropriate’ logs are being stored in one central place.

Centralized, secure backup of log data defeats the basic hacker tactic of deleting local log files and destroying evidence of their activity. It also provides the means to compare logs across different systems and correlate audit trails across multiple devices.

The keyword to note is the term ‘appropriate’. There can be a temptation to play it safe and store all the logs, but that’s not the most effective log management strategy. Learn which logs are essential to capture and which logs to exclude in our article “Firewalls and SIEM - Fear and Loathing of Log Savers”.

6.6: Deploy SIEM or Log Analytic Tools

  • Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

This sub-control advises organizations to deploy a SIEM (Security Information and Event Management) or log analytic tool for log aggregation and consolidation from multiple machines and for log correlation and analysis. This requirement is critical because all of your environment’s intelligence will be stored in your SIEM or log management tool.

A modern-day SIEM solution must be flexible enough to cater to all devices, operating systems and platforms. It must also be scalable to handle thousands of devices generating millions of events. Finally, the solution must be intelligent, with the ability to correlate events and identify true security incidents so that your organization can focus on only genuine threats and attacks.

NNT Log Tracker is a great log management solution that can automatically assess events, event volumes, and patterns to intelligently judge on your behalf if there is something potentially dangerous going on.


Learn about the Top Ten of Audit and Event Log Monitoring

6.7: Regularly Review Logs

  • On a regular basis, review logs to identify anomalies or abnormal events.

Sometimes, logging records are the only evidence of a successful cyber-attack. That’s why we believe that you can never spend too much time reviewing your logs or understanding what good or regular operation looks like in order to spot the suspicious or irregular activity occurring in your environment.

NNT Log Tracker correlation threads automatically learn what normal behavior patterns look like in your network. Once patterns and volumes of regular activity have been absorbed, NNT Log Tracker then intelligently analyzes log data for you to automatically identify suspicious behavior patterns.

6.8: Regularly Tune SIEM

  • On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

The goal of any SIEM solution is to provide comprehensive log harvesting, with the ability to automatically filter out all ‘normal operation’ events and put a spotlight on a list of genuine, serious attack patterns or security incidents. If your SIEM solution is coming up short, NNT recommends looking at NNT Log Tracker, which can be tuned to detect particularly unusual activity, avoid false positives, quickly identify any anomalies, and prevent alerts on insignificant changes made in your environment.
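As an added example for 6.7 and 6.8 (illustrative code, not NNT Log Tracker or anything from the article), the Python below learns a per-host, per-event volume baseline from constructed hourly counts, then reviews one new hour: it flags volume spikes, event types never seen before, and hosts that have gone silent, while a suppression list stands in for the tuning that removes known, accepted noise. Host names, event IDs and counts are all constructed.

```python
from statistics import mean, pstdev

# Constructed learning data (not from the article): hourly counts of one event type on
# one host over a twelve-hour window, keyed by (host, event_id). The IDs are Windows
# logon events used only as labels: 4625 = failed logon, 4624 = successful logon.
HISTORY = {
    ("web01", "4625"): [2, 3, 1, 2, 4, 2, 3, 2, 1, 3, 2, 3],
    ("web01", "4624"): [40, 45, 38, 50, 42, 47, 39, 44, 46, 41, 43, 45],
    ("scan01", "4625"): [300, 320, 290, 310, 305, 315, 295, 300, 310, 320, 300, 305],
    ("db01", "4624"): [5, 6, 4, 5, 7, 5, 6, 4, 5, 6, 5, 5],
}
# Counts for the hour under review (constructed). db01 delivered no events at all.
OBSERVED = {("web01", "4625"): 41, ("web01", "4624"): 44,
            ("scan01", "4625"): 900, ("app07", "4625"): 3}
# Tuning (6.8): scan01 is an authorized vulnerability scanner; its failed logons are expected noise.
SUPPRESS = {("scan01", "4625")}

def learn_baseline(history):
    """Per (host, event): mean and population standard deviation of the hourly count."""
    return {key: (mean(counts), pstdev(counts)) for key, counts in history.items()}

def detect(baseline, observed, suppress=frozenset(), z_limit=3.0):
    """Return (kind, key, count, z) alerts: volume spikes, unseen event types, silent hosts."""
    alerts = []
    for key, count in observed.items():
        if key in suppress:               # tuned out: known, accepted noise
            continue
        if key not in baseline:           # never seen in the learning window
            alerts.append(("unseen", key, count, None))
            continue
        mu, sigma = baseline[key]
        if sigma:
            z = (count - mu) / sigma
        else:                             # constant history: any change is a spike
            z = float("inf") if count != mu else 0.0
        if z > z_limit:
            alerts.append(("spike", key, count, round(z, 1)))
    # A host that stops sending logs is itself an event worth reviewing (6.5/6.7).
    reporting = {host for host, _ in observed}
    for host in sorted({host for host, _ in baseline} - reporting):
        alerts.append(("silent", (host, "*"), 0, None))
    return alerts

if __name__ == "__main__":
    for alert in detect(learn_baseline(HISTORY), OBSERVED, SUPPRESS):
        print(*alert)
```

Run without the suppression set, the scanner’s 900 failed logons also surface as a spike, which is exactly the alert volume that tuning is meant to take off the analyst’s desk.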

Summary 

SIEM technology has been seen by many as the most complete solution to automating cybersecurity. Undoubtedly log files can be harnessed to provide a detailed picture of system activity and therefore, in turn, serve as both an advanced warning system for an impending attack, and as a forensic investigation tool to use following a breach.  

But don’t believe the SIEM hype. Log analysis can be a very blunt tool. In order to get the full picture for security analytics, the volume and rate of events to handle can quickly get out of hand, requiring ever more storage and SIEM processing resources and spiraling costs. Furthermore, the promise of SIEM systems delivering a fully automated Security Engineer is far from reality.

“However, these tools are neither a panacea nor a replacement for skilled information security personnel and system administrators. Even with automated log analysis tools, human expertise and intuition are often required to identify and understand attacks”

See the NNT Opinion piece “Why Are IT Security Experts Looking For Footprints In The Garden?”

Copyright 2020, New Net Technologies LLC. All rights reserved. 