CIS Control 6: Maintenance, Monitoring and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
6.1: Utilize Three Synchronized Time Sources
- Maintain documented security configuration standards for all authorized operating systems and software.
6.2: Activate Audit Logging
- Ensure that local logging has been enabled on all systems and networking devices.
6.3: Enable Detailed Logging
- Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4: Ensure Adequate Storage for Logs
- Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5: Central Log Management
- Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6: Deploy SIEM or Log Analytic Tools
- Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7: Regularly Review Logs
- On a regular basis, review logs to identify anomalies or abnormal events.
6.8: Regularly Tune SIEM
- On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
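To make sub-controls 6.1, 6.3 and 6.7 concrete, here is an added example (not CIS material) of a small review script a central log collector could run over one batch of records: it flags records missing the detailed fields listed in 6.3, flags timestamps that drift from the collector's clock beyond a tolerance (the consistency 6.1 is meant to provide), and surfaces bursts of failed authentications per source as review candidates. The JSON-lines format, field names, thresholds and sample records are all constructed for this example.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fields every record must carry for detailed logging (sub-control 6.3); names are assumed.
REQUIRED_FIELDS = {"source", "timestamp", "user", "src_ip", "dst_ip", "event"}
MAX_SKEW = timedelta(minutes=5)   # tolerated drift from the collector's clock (6.1)
FAIL_THRESHOLD = 3                # failed logins from one source that warrant review (6.7)
COLLECTOR_CLOCK = datetime(2024, 3, 1, 10, 0, 10, tzinfo=timezone.utc)  # constructed reference time

# Constructed sample records (JSON lines), as a central log collector might receive them.
SAMPLE_LOGS = """\
{"source":"vpn-gw","timestamp":"2024-03-01T10:00:00Z","user":"alice","src_ip":"203.0.113.5","dst_ip":"10.0.0.1","event":"auth_ok"}
{"source":"vpn-gw","timestamp":"2024-03-01T10:00:05Z","user":"bob","src_ip":"198.51.100.7","dst_ip":"10.0.0.1","event":"auth_fail"}
{"source":"vpn-gw","timestamp":"2024-03-01T10:00:06Z","user":"bob","src_ip":"198.51.100.7","dst_ip":"10.0.0.1","event":"auth_fail"}
{"source":"vpn-gw","timestamp":"2024-03-01T10:00:07Z","user":"root","src_ip":"198.51.100.7","dst_ip":"10.0.0.1","event":"auth_fail"}
{"source":"fw-edge","timestamp":"2024-03-01T09:20:00Z","user":"-","src_ip":"10.0.0.9","dst_ip":"10.0.0.1","event":"deny"}
{"source":"app-01","timestamp":"2024-03-01T10:00:09Z","event":"auth_ok"}
"""

def parse_records(text):
    """Parse JSON-lines input into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def missing_fields(record):
    """Return the 6.3 fields absent from a record (an empty set means the record is complete)."""
    return REQUIRED_FIELDS - set(record)

def skewed(record, reference, max_skew=MAX_SKEW):
    """True if the record's timestamp drifts from the reference clock by more than max_skew."""
    ts = datetime.fromisoformat(record["timestamp"].replace("Z", "+00:00"))
    return abs(ts - reference) > max_skew

def failed_auth_bursts(records, threshold=FAIL_THRESHOLD):
    """Map source IP -> count of auth_fail events, keeping only sources at or above threshold."""
    counts = Counter(r["src_ip"] for r in records if r.get("event") == "auth_fail" and "src_ip" in r)
    return {ip: n for ip, n in counts.items() if n >= threshold}

def review(text, reference):
    """Run the three checks over one batch of logs and return the findings by category."""
    records = parse_records(text)
    return {
        "incomplete": [r for r in records if missing_fields(r)],
        "skewed": [r for r in records if "timestamp" in r and skewed(r, reference)],
        "bursts": failed_auth_bursts(records),
    }

if __name__ == "__main__":
    print(review(SAMPLE_LOGS, COLLECTOR_CLOCK))
```

On the sample batch the script reports one incomplete record (app-01), one skewed source (fw-edge, 40 minutes behind the collector) and one source with three failed logins; in practice the thresholds are what 6.8 says to tune over time.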
Figure: System Entity Relationship Diagram
- CIS Control 1: Inventory and Control of Hardware Assets
- CIS Control 2: Inventory and Control of Software Assets
- CIS Control 3: Continuous Vulnerability Management
- CIS Control 4: Controlled Use of Administrative Privileges
- CIS Control 5: Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs
- CIS Control 7: Email and Web Browser Protections
- CIS Control 8: Malware Defenses
- CIS Control 9: Limitation and Control of Network Ports, Protocols, and Services
- CIS Control 10: Data Recovery Capabilities
- CIS Control 11: Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
- CIS Control 12: Boundary Defense
- CIS Control 13: Data Protection
- CIS Control 14: Controlled Access Based on the Need to Know
- CIS Control 15: Wireless Access Control
- CIS Control 16: Account Monitoring and Control
- CIS Control 17: Implement a Security Awareness and Training Program
- CIS Control 18: Application Software Security
- CIS Control 19: Incident Response and Management
- CIS Control 20: Penetration Tests and Red Team Exercises