Cyber-Security-Monitoring-Guide

More documents

Recommendations

Info

Cyber Security Monitoring and Logging GuidePart 3 Cyber security log managementRequirementsImportant security-related events should be recorded in logs, stored centrally, protected against unauthorised changeand analysed on a regular basis. This will help in the identification of threats that may lead to a cyber securityincident (also known as ‘indicators of compromise’ or IOCs), maintain the integrity of important security-relatedinformation and support forensic investigations.Your organisation should adopt a real time solution that automatically isolates the key events you need to know about(which you should have specifically defined), when you need to know them, so that you receive instant advice about usefulor critical matters that are no longer buried in a mountain of less important data. This will help to ensure appropriate cybersecurity-related events are identified earlier – and then analysed and actioned more quickly and effectively.Requirements for cyber security event logging should cover:• Management of event logging (eg. setting policy, defining roles and responsibilities, and reporting)• Identification of business applications and technical infrastructure systems on which event logging should beenabled, including those that have been outsourced or are ‘in the cloud’• Configuration of information systems to generate the right cyber security-related events• Regular ‘tuning’ and review to reduce the number of false positives to an acceptable level• Storage of security-related events within event logs (eg. using local systems, central servers, SIEMs or by usingstorage provided by an external service provider)• Analysis of security-related event logs (including normalisation, aggregation and correlation)• Synchronisation of time stamps in event logs to a common, trusted source• Protection of security-related event logs (eg. via encryption, access control and backup)• Defined retention requirements and/or log rotation periods• Taking necessary actions to remediate any issues identified and respond to cyber security incidents in a fast,effective manner.!Some organisations that have synchronised their logs have not actually done this aswell as they think they have, so events in certain timelines could be missed.Analysis was restricted to monitoring from a cyber security incident management perspective, but logs can also be used forcompliance and awareness purposes, covering topics like:• Monitoring/efficiency/performance• Status/asset management.!Storage solutions are often cloud-based (with doubtful or unknown securityarrangements) and the security of actual physical servers can be overlooked.Findings from project research revealed that effective logging can save you time and money if you should experience acyber security incident – and that it can also be very helpful as part of a defence (or prosecution) in a court case. Youshould therefore:• Establish cyber security-related logging standards and procedures• Configure systems to record the most important cyber-security related events and monitor these events forspecified purposes• Respond to alerts correctly (eg. to avoid overlooking indicative alerts or over-reacting to benign alerts)• Aggregate what may seem like benign alerts into what is a coherent threat message• Make appropriate event logs available to investigators in a suitable format• Retain logs according to retention standards/procedures, storing them securely for possible forensic analysis at alater date.16
Cyber Security Monitoring and Logging GuideLogging challengesThere are many challenges facing organisations when it comes to monitoring the relevant events on their systems andnetworks for signs of a cyber security attack. For example, organisations often collect a lot of cyber security-related data,but do not have the resources, technical skills or awareness to analyse that data effectively.“Organisations can put blind trust in the monitoring tools they have purchased, giving them afalse sense of security”Project research revealed that many long established, ‘traditional’ logging challenges still remain, which includes organisations:• Struggling to understand the purpose, importance and effectiveness of the full range of data sources (putting theminto some sort of ‘pecking order’ of importance)• Suffering from the sheer volume of log management tasks such as:o Turning on relevant logs, logging them correctly and keeping them long enougho Prioritisation, storage, correlation and protection of logs• Failing to examine alerts in an effective manner (eg. handling false positives, performing situational analysis andremediating issues)• Being unsure as to which logs they need to pay most (and least) attention or the implications of the events thatthey record• Not being able to find the right tools and people to help them easily, effectively and at the right price.Many challenges reported are still traditional logging challenges that go back many years, but they have actually got worsein recent times due to the:• Proliferation of data located outside the perimeter, such as in-cloud service providers or outsourced arrangements• Vast amounts of structured and unstructured data, fuelled by the rise of consumerism (eg. social networking),creating data sets so large and complex that traditional data processing approaches are inadequate – often referred toas ‘Big Data’.“We are not just looking for a needle in a haystack; we have to find the right haystack(s)”Addressing many of the traditional logging challenges in depth – such as examiningdetailed fields in event logs - is out of scope for this project as they are well coveredin other guidance, such as the CPNI/Context report ‘Effective Log Management’.17
Page 1: Cyber SecurityMonitoring and Loggin
Page 4 and 5: Cyber Security Monitoring and Loggi
Page 60: The quadrants in this diagram outli

Cyber-Security-Monitoring-Guide

Create successful ePaper yourself

Delete template?

Save as template?