Cyber-Security-Monitoring-Guide

Cyber Security Monitoring and Logging Guide!From an MSSP perspective, there are differing approaches to classifying and managing“Personally Identifiable Information” (PII) in log streams. For example, there are multiplelocations where organisations store and back up data and they are rightly concerned froma DPA compliance perspective about where that data is stored and how it is protected.You should therefore review the need for your organisation to:• Store data in a data centre (even using cloud computing) in your own region (eg.Europe)• Identifying when and how to filter out PII data, if necessary• Obfuscate or mask data to protect PII information – considering how attackersmight be able to remove this protection.Prioritising log useMany of the log management challenges are associated with:• The vast volume of event logs produced by myriad applications, systems, tools and networks;• Which ones are most relevant; and• The cost (and resources) required to handle them effectively.Your organisation should therefore seek to understand the wide range of logs available and prioritise which logs youneed to monitor. Your organisation may not be able to monitor everything (or wish to do so) due to a lack of securitybudget or specially skilled analysts. It is therefore important that you concentrate on the data and services that areabsolutely critical to your business.Event logs can typically be categorised as system logs, network logs, application logs and logs generated by commercialtools, such as malware protection and intrusion detection (IDS) software. However, these logs can also be considered interms of their value from a cyber security monitoring perspective.Workshop participants determined what they believe are typically essential, important or useful logs; what they arecommonly used for; and how much they cost (broadly speaking). This data was then supplemented by the extent to whichfive different actions were carried out by respondents to the Project Survey for each of these types of logs.!Prioritisation of cyber security-related logs during the workshop was mainly based ontypical requirements for identifying possible cyber security attacks, so may vary forother types of cyber security incident, such as fraud or abuse.The results of this analysis are presented in the tables below. There was not complete agreement amongst experts, forexample with some analysts arguing that endpoint logs are often important or even essential.Essential - priority 1Cost Collect Retain Monitor Analyse RespondEmail Free 59% 56% 44% 24% 17%HTTP proxy Free 54% 44% 39% 22% 15%Malware protection logs £ 59% 46% 66% 46% 51%NIDS ££ 59% 49% 51% 44% 41%NIPS ££ 54% 41% 41% 32% 29%20