FAQ on Audit Log Best Practices

Q: What are audit logs?

A: Audit logs are records of all events and security-related information that occur within a system. This information is crucial for incident response, threat detection, and compliance monitoring.

Q: Why is audit log management important?

A: Audit log management is essential for every organization that wants to ensure its data security. Without audit logs, organizations would have no way of knowing who accessed what information when or how the incident happened or whether unauthorized users or suspicious activity occurred. Moreover, audit log management supports compliance with industry regulations and guidelines.

Q: What are the best practices for audit log management?

A: To ensure that your audit log management practices meet the CIS CSC version 8 guidelines and safeguard requirements, consider implementing the following best practices:

1. Define the audit log requirements based on industry regulations, guidelines, and best practices.

2. Establish audit policies and procedures that align with your organization’s requirements and implement them consistently across all systems and devices.
3. Secure audit logs by collecting, storing, and protecting them securely to prevent unauthorized access or tampering.
4. Monitor and review audit logs regularly for anomalies, suspicious activity, and security violations, such as unauthorized access attempts, changes to access rights, and software installations.
5. Configure audit logging settings to generate records of critical security controls, including attempts to gain unauthorized access or make unauthorized changes to the network.
6. Generate alerts in real-time for critical events, including security violations, unauthorized access attempts, changes to access rights, and software installations.
7. Regularly test audit log management controls to ensure their effectiveness and meet your organization’s audit log requirements.

Q: What are the benefits of following audit log management best practices?

A: Following audit log management best practices can establish a strong framework for incident response, threat detection, and compliance monitoring. This, in turn, can help safeguard against unauthorized access, malicious activity, and other security breaches, prevent legal and financial penalties, and maintain trust levels with clients and partners.

Q: How long should audit logs be kept?

A: As a general rule, storage of audit logs should include 90 days hot (meaning actively available for immediate review or alerting), 6 months warm (meaning they can be restored within hours), and two years cold (meaning they can be restored within days). However, organizations should define retention periods based on their audit log requirements and compliance regulations. [1] [2]

*This article was written with the help of AI tools and Grammarly.

Let’s Talk About Audit Logs

CIS Control 8: Audit Log Management

Data is at the core of every business in today’s digital age. Protecting that data is of paramount importance. For this reason, the Center for Internet Security (CIS) developed the CIS Controls to provide a comprehensive framework for cybersecurity best practices.

One of these controls, CIS Control 8, focuses specifically on audit log management. This control aims to ensure that all events and security-related information are recorded and retained in an audit log for a defined period.

This article will explore the importance of audit log management as a fundamental component of any organization’s security posture. We will examine the CIS Control 8 safeguard requirements and industry-standard best practices for audit log management.

By following the procedures outlined in this article, organizations can improve their security posture, meet all CIS CSC version 8 safeguards, and ensure compliance with industry standards.

Why audit log management is essential

Audit log management is essential for every organization that wants to ensure its data security. The reason is simple: audit logs provide a comprehensive record of all events and security-related information that occurs within a system. This information is critical for incident response, threat detection, and compliance monitoring. Without audit logs, organizations would have no way of knowing who accessed what information, when or how the incident happened, or whether unauthorized users or suspicious activity occurred.

In addition to aiding in incident response and threat detection, audit log management also supports compliance with industry regulations and guidelines. Many compliance requirements mandate that organizations maintain a record of all activity that occurs on their systems. Failing to comply with these requirements can result in significant legal and financial penalties. Therefore, organizations prioritizing data security must take audit log management seriously and implement practices that meet their data security needs and safeguard requirements.

Best practices for audit log management

Audit log management is critical to an organization’s data security efforts. To ensure that your audit log management practices meet the CIS CSC version 8 guidelines and safeguard requirements, consider implementing the following best practices:

1. Define the audit log requirements: Assess the audit log requirements for your organization based on industry regulations, guidelines, and best practices. Define the data to be logged, audit events, and retention periods.

2. Establish audit policies and procedures: Develop audit policies and procedures that align with your organization’s requirements. Ensure these policies and procedures are implemented consistently across all systems and devices.

3. Secure audit logs: Audit logs should be collected, stored, and protected securely to prevent unauthorized access or tampering. Only authorized personnel should have access to audit logs.

4. Monitor and review audit logs: Regularly monitor and review audit logs for anomalies, suspicious activity, and security violations. This includes monitoring for unauthorized access attempts, changes to access rights, and software installations.

5. Configure audit logging settings: Ensure audit logs capture essential system information and user activity information. Configure audit logging settings to generate records of critical security controls, including attempts to gain unauthorized access or make unauthorized changes to the network.

6. Generate alerts: Configure the system to generate real-time alerts for critical events. This includes alerts for security violations, unauthorized access attempts, changes to access rights, and software installations.

7. Regularly test audit log management controls: Ensure audit log management controls are consistently implemented and reviewed. Conduct regular testing to ensure they are effective and meet your organization’s audit log requirements.

Organizations can establish a strong framework for incident response, threat detection, and compliance monitoring by implementing these best practices for audit log management. This will help safeguard against unauthorized access, malicious activity, and other security breaches, prevent legal and financial penalties, and maintain trust levels with clients and partners.

Audit log management policies

To establish audit log management policies that meet CIS CSC version 8 guidelines and safeguard requirements, organizations should follow the following sample policy:

1. Purpose: The purpose of this policy is to establish the principles for collecting, monitoring, and auditing all system and user activity logs to ensure compliance with industry regulations, guidelines, and best practices.

2. Scope: This policy applies to all employees, contractors, equipment, and facilities within the organization, including all workstations, servers, and network devices used in processing or storing sensitive or confidential information.

3. Policy:

– All computer systems and devices must generate audit logs that capture specified audit events, including user logins and accesses, system configuration changes, application accesses and modifications, and other system events necessary for detecting security violations, troubleshooting, and compliance monitoring.

– Audit logs must be generated in real-time and stored in a secure, centralized location that is inaccessible to unauthorized users.

– The retention period for audit logs must be at least 90 days, or longer if law or regulation requires.

– Only authorized personnel with appropriate access rights and clearances can view audit logs. Access to audit logs must be audited and reviewed regularly by the Information Security team.

– Audit logs must be reviewed regularly to identify patterns of suspicious activity, security violations, or potential security breaches. Any unauthorized access or security violation detected in the audit logs must be reported immediately to the Information Security team.

– Audit log management controls, and procedures must be tested periodically to ensure effectiveness and compliance with CIS CSC version 8 guidelines and safeguard requirements.

4. Enforcement: Failure to comply with this policy may result in disciplinary action, up to and including termination of employment or contract. All violations must be reported to the Information Security team immediately.

By implementing the above policy, organizations can ensure they meet the audit log management standards set forth by CIS CSC version 8 guidelines and safeguard requirements. This will help organizations prevent unauthorized access, malicious activity, and data breaches, maintain compliance with industry regulations, and protect the integrity and confidentiality of sensitive or confidential information.

Audit log management procedures

Here are the audit log management procedures that establish best practices for performing the work of this control:

I. Initial Setup

– Determine which audit events will be captured in the logs based on industry regulations, guidelines, and best practices.

– Configure all computer systems and devices to capture the specified audit events in the logs.

– Establish a secure, centralized location for storing the logs that is inaccessible to unauthorized users.

II. Ongoing Operations

– Set the logs to generate in real time.

– Monitor the logs regularly to detect security violations, troubleshoot, and monitor compliance.

– Ensure only authorized personnel with appropriate access rights can view the logs.

– Review the logs regularly to identify patterns of suspicious activity, security violations, or potential security breaches.

– Immediately report any unauthorized access or security violation detected in the logs to the Information Security team.

– Retain log data for at least 90 days, or longer if required by law or regulation.

III. Testing and Evaluation

– Test the audit log management controls and procedures periodically.

– Ensure that all testing and evaluation are conducted in compliance with CIS CSC version 8 guidelines and safeguard requirements.

By following these audit log management procedures, organizations can establish best practices for performing the work of this control and ensure that all system and user activities are properly monitored and audited. This will help organizations maintain compliance with industry regulations, prevent unauthorized access, and protect sensitive or confidential information from data breaches.

 

*This article was written with the help of AI tools and Grammarly.

3 Key Tips for Rapid and Effective Incident Response in Information Security

Incident response is a critical component of any successful information security program. An effective incident response process can help organizations detect, investigate, and respond to threats in a timely manner. This blog post will discuss three key tips to ensure rapid and effective incident response during an information security incident.

  1. Develop a well-structured incident response plan:

    A comprehensive incident response plan serves as the foundation for effective incident response. The plan should outline each process phase’s roles, responsibilities, and procedures. Key elements include clear communication channels, escalation paths, and predefined actions to be taken during an incident. Regularly review, update, and test the plan to ensure it remains relevant and practical.

  2. Implement proactive detection and monitoring tools:

    The rapid response starts with early detection. Invest in advanced detection and monitoring tools, such as intrusion detection systems (IDS), security information and event management (SIEM) solutions, and endpoint detection and response (EDR) technologies. These tools enable organizations to identify potential security incidents in real time and respond quickly to minimize their impact.

  3. Train and empower your Incident Response Team (IRT):

    An experienced and well-equipped IRT is crucial for effective incident response. Provide regular training, including tabletop exercises and simulations, to ensure team members are familiar with the incident response plan and can execute it efficiently during an actual incident. Ensure the IRT has access to the necessary resources and tools, and maintain a culture of open communication to encourage swift reporting of potential incidents.

 

*This article was written with the help of AI tools and Grammarly.

High-Level FAQ for Incident Response

  1. Q: What is an incident response process in information security?

A: The incident response process in information security is a systematic approach to identifying, containing, analyzing, and resolving security incidents that may compromise the confidentiality, integrity, or availability of an organization’s information systems and data. It involves a set of predefined policies, procedures, and tools designed to minimize the impact of security incidents and facilitate a swift recovery.

  1. Q: Why is the incident response process necessary?

A: The incident response process is crucial for organizations because it helps to minimize the damage caused by security incidents, protect sensitive data, maintain business continuity, and comply with regulatory requirements. A well-defined incident response process can also help organizations learn from security incidents and improve their overall security posture.

  1. Q: What are the critical phases of an incident response process?

A: The incident response process typically includes six key phases:

  • i. Preparation: Developing and maintaining an incident response plan, training staff, and setting up necessary tools and resources.
  • ii. Detection and Analysis: Identifying potential security incidents through monitoring, reporting, and analyzing security events.
  • iii. Containment: Limiting the spread and impact of an identified security incident by isolating affected systems or networks.
  • iv. Eradication: Removing the cause of the security incident, such as malware or unauthorized access, and restoring affected systems to a secure state.
  • v. Recovery: Restoring affected systems and networks to regular operation and verifying their security.
  • vi. Post-Incident Activity: Reviewing the incident response process, identifying lessons learned, and implementing improvements to prevent future incidents.
  1. Q: Who should be involved in the incident response process?

A: An effective incident response process involves a cross-functional team, typically called the Incident Response Team (IRT), which may include members from IT, information security, legal, human resources, public relations, and management. External stakeholders, such as law enforcement, third-party vendors, or cyber insurance providers, may also be involved, depending on the nature and severity of the incident.

  1. Q: How can organizations prepare for incident response?

A: Organizations can prepare for incident response by:

  • Developing a comprehensive incident response plan that outlines roles, responsibilities, and procedures for each process phase.
  • Regularly updating and testing the incident response plan to ensure its effectiveness and relevance.
  • Training employees on their roles and responsibilities during an incident, including reporting procedures and essential security awareness.
  • Establishing a well-equipped IRT with clear communication channels and access to necessary resources.
  • Implementing continuous monitoring and detection tools to identify potential security incidents early.
  1. Q: How can organizations improve their incident response process?

A: Organizations can improve their incident response process by:

  • Regularly reviewing and updating the incident response plan to reflect changes in the organization’s infrastructure, personnel, and threat landscape.
  • Conducting periodic tests and simulations, such as tabletop exercises or red team exercises, to evaluate the plan’s effectiveness and identify improvement areas.
  • Implement a continuous improvement cycle incorporating lessons learned from past incidents and industry best practices.
  • Investing in advanced detection and monitoring tools to enhance the organization’s ability to identify and respond to security incidents.
  • Providing ongoing training and support to the IRT and other stakeholders to ensure they remain up-to-date with the latest threats and best practices.

 

*This article was written with the help of AI tools and Grammarly.

Best Practices for DHCP Logging

As an IT and security auditor, I have seen the importance of DHCP logging in, ensuring network security, and troubleshooting network issues. Here are the best practices for DHCP logging that every organization should follow:

 

1. Enable DHCP Logging: DHCP logging should be turned on to record every event that occurs in the DHCP server. The logs should include information such as the time of the event, the IP address assigned, and the client’s MAC address.

2. Store DHCP Logs Securely: DHCP logs are sensitive information that should be stored in a secure location. Access to the logs should be restricted to authorized personnel only.

3. Use a Centralized Logging Solution: To manage DHCP logs, organizations should use a centralized logging solution that can handle logs from multiple DHCP servers. This makes monitoring logs, analyzing data, and detecting potential security threats easier.

4. Regularly Review DHCP Logs: Regularly reviewing DHCP logs can help detect and prevent unauthorized activities on the network. IT and security auditors should review logs to identify suspicious behavior, such as unauthorized IP and MAC addresses.

5. Analyze DHCP Logs for Network Performance Issues: DHCP logs can also help identify network performance issues. By reviewing logs, IT teams can identify IP address conflicts, subnet mask issues, and other network performance problems.

6. Monitor DHCP Lease Expiration: DHCP lease expiration is vital to ensure IP addresses are not allotted to unauthorized devices. DHCP logs can help to monitor lease expiration and to deactivate the leases of non-authorized devices.

7. Implement Alerting: IT and security audit teams should implement alerting options to ensure network security. By setting up alert mechanisms, they can be notified of suspicious activities such as unauthorized devices connecting to the network or DHCP problems.

8. Maintain DHCP Logs Retention Policy: An effective DHCP logs retention policy should be defined to ensure logs are saved for an appropriate period. This policy will help to provide historical audit trails and to comply with data protection laws.

 

Following these DHCP logging best practices will help ensure the network’s security and stability while simplifying the troubleshooting of any network issues.

Saved By Ransomware Presentation Now Available

I recently spoke at ISSA Charlotte, and had a great crowd via Zoom. 

Here is the presentation deck and MP3 of the event. In it, I shared a story about an incident I worked around the start of Covid, where a client was literally saved from significant data breach and lateral spread from a simple compromise. What saved them, you might ask? Ransomware. 

That’s right. In this case, ransomware rescued the customer organization from significant damage and a potential loss of human life. 

Check out the story. I think you’ll find it very interesting. 

Let me know if you have questions – hit me up the social networks as @lbhuston.

Thanks for reading and listening! 

Deck: https://media.microsolved.com/SavedByRansomware.pdf

MP3: https://media.microsolved.com/SavedByRansomware.mp3

PS – I miss telling you folks stories, in person, so I hope you enjoy this virtual format as much as I did creating it! 

Utility Tabletop Cybersecurity Exercises

Recently, a group of federal partners, comprised of the Federal Energy Regulatory Commission (FERC), North American Reliability Corporation (NERC) and it’s regional entities released their Cyber Planning for Response and Recovery Study (CYPRES). The report was based on a review and analysis of the incident response and recovery capabilities of a set of their member’s cyber security units, and is a great example of some of the information sharing that is increasing in the industry. The report included reviews of eight utility companies’ incident response plans for critical infrastructure environments, and the programs reviewed varied in their size, complexity and maturity, though all were public utilities.

Though the specific tactics suggested in the report’s findings have come under fire and criticism, a few items emerged that were of broad agreement. The first is that most successful programs are based on NIST 800-61, which is a fantastic framework for incident response plans. Secondly, the report discusses how useful tabletop exercises are for practicing responses to cybersecurity threats and re-enforcing the lessons learned feedback loop to improve capabilities. As a result, each public utility should strongly consider implementing periodic tabletop exercises as a part of their cyber security and risk management programs.

Tabletop Exercises from MSI

At MicroSolved, we have been running cyber security tabletop exercises for our clients for more than a decade. We have a proprietary methodology for building out the role playing scenarios and using real-world threat intelligence and results from the client’s vulnerability management tools in the simulation. Our scenarios are developed into simulation modules, pre-approved by the client, and also include a variety of randomized events and nuances to more precisely simulate real life. During the tabletop exercise, we also leverage a custom written gaming management system to handle all event details, track game time and handle the randomization nuances.

Our tabletop exercise process is performed by two MSI team members. The first acts as the simulation moderator and “game master”, presenting the scenarios and tracking the various open threads as the simulation progresses. The second team member is an “observer” and they are skilled risk management team members who pre-review your incident response policies, procedures and documentation so that they can then prepare a gap analysis after the simulation. The gap analysis compares your performance during the game to the process and procedure requirements described and notes any differences, weaknesses or suggestions for improvement.

Target scenarios can be created to test any division of the organization, wide scale attacks or deeply nuanced compromises of specific lines of business. Various utility systems can be impacted in the simulation, including business networks, payment processing, EDI/supply chain, metering/AMI/smart grid, ICS/SCADA or other mission critical systems.Combination and cascading failures, disaster recovery and business continuity can also be modeled. In short, just about any cyber risks can be a part of the exercise.

Tabletop Exercise Outcomes and Deliverables

Our tabletop exercises result in a variety of detailed reports and a knowledge transfer session, if desired. The reports include the results of the policy/procedure review and gap analysis, a description of the simulated incident and an action plan for future improvements. If desired, a board level executive summary can also be included, suitable for presentation to boards, management teams, direct oversight groups, Public Utility Commission and Homeland Security auditors as well.

These reports will discuss the security measures tested, and provide advice on proactive controls that can be implemented, enhanced, matured or practiced in order to display capabilities in future incidents that reflect the ability to perform more rapid and efficient recovery.

The knowledge transfer session is your team’s chance to ask questions about the process, learn more about the gaps observed in their performance and discuss the lessons learned, suggestions and controls that call for improvement. Of course the session can include discussions of related initiatives and provide for contact information exchange with our team members, in the event that they can assist your team in the future. The knowledge transfer session can also be performed after your team has a chance to perform a major review of the reports and findings.

How to Get Started on Tabletop Exercises from MSI

Tabletop exercises are available from our team for cyber security incidents, disaster preparedness and response or business continuity functions. Exercises are available on an ad-hoc, 1 year, 2 year or 3 year subscription packages with frequencies ranging from quarterly to twice per year or yearly. Our team’s experience is applicable to all utility cyber programs and can include any required government partners, government agencies or regulators as appropriate.

Our team can help develop the scope of threats, cyber attacks or emergency events to be simulated. Common current examples include ransomware, phishing-based account compromises, cyber attacks that coincide with catastrophic events or service disruptions, physical attacks against substations or natural gas pipelines, data breach and compromise of various parts of the ICS/SCADA infrastructure. Our team will work with you to ensure that the scenario meets all of your important points and concerns.

Once the scenario is approved, we will schedule the simulation (which can be easily performed via web-conference to reduce travel costs and facilitate easy team attendance) and build the nuances to create the effects of a real event. Once completed, the reporting and knowledge transfer sessions can follow each instance.

Tabletop exercises can go a long way to increasing cybersecurity preparedness and re-enforcing the cybersecurity mindset of your team. It can also be a great opportunity for increasing IT/OT cooperation and strengthening relationships between those team members.

To get started, simply contact us via this web form or give us a call at (614) 351-1237. We would love to discuss tabletop exercises with you and help you leverage them to increase your security posture.

 

Ransomware TableTop Exercises

When it comes to Ransomware, it’s generally a good idea to have some contingency and planning before your organization is faced with a real life issue. Here at MicroSolved we offer tabletop exercises tailored to this growing epidemic in information technology. 

 

What if your organization was affected by the Golden Eye or WannaCry today? How quick would you be able to react? Is someone looking at your router or server log files? Is this person clearly defined? How about separation of duties? Is the person looking over the log files also uncharge of escalating an issue to higher management?

 

How long would it take for you organization to even know if it was affected? Who would be in-charge of quarantining the systems? Are you doing frequent backups? Would you bet your documents on it? To answer these questions and a whole lot more it would be beneficial to do a table top exercise. 

 

A table top exercise should be implemented on an annual basis to evaluate organizational cyber incident prevention, mitigation, detection and response readiness, resources and strategies form the organizations respective Incident Response Team. 

 

As you approach an incident response there are a few things to keep in mind:

 

  1. Threat Intelligence and Preparation

An active threat intelligence will help your organization to Analyze, Organize and refine information about potential attacks that could threaten the organization as a whole.

After you gain Threat Intelligence, then there needs to be a contingency plan in place for what to do incase of an incident. Because threats are constantly changing this document shouldn’t be concrete, but more a living document, that can change with active threats.

  1. Detection and Alerting

The IT personal that are in place for Detection and Alerting should be clearly defined in this contingency plan. What is your organizations policy and procedure for frequency that the IT pro’s look at log files, network traffic for any kind of intrusion?

  1. Response and Continuity

When an intrusion is identified, who is responsible for responding? This response team should be different then the team that is in charge of “Detection and Alerting”. Your organization should make a clearly outlined plan that handles response. The worse thing is finding out you don’t do frequent backups of your data, when you need those backups! 

  1. Restoring Trust

After the incident is over, how are you going to gain the trust of your customers? How would they know there data was safe/ is safe? There should be a clearly defined policy that would help to mitigate any doubt to your consumers. 

  1. After Action Review

What went wrong? Murphy’s law states that when something can go wrong it will. What was the major obstacles? How can this be prevented in the future? This would be a great time to take lessons learned and place them into the contingency plan for future. The best way to lesson the impact of Murphy, is to figure out you have an issue on a table top exercise, then in a real life emergency! 


This post was written by Jeffrey McClure.

Brands Being Used in Pornography Search Engine Poisoning

Recently, during one of our TigerTrax™Targeted Threat Intelligence engagements, we were performing passive threat assessments for a popular consumer brand. In the engagement, we not only gathered targeted threat intelligence about their IT environments, applications and hosting partners, but also around the use of their brand on a global scale. The client had selected to take advantage of our dark net intelligence capabilities as well, and were keenly interested in how the dark net, deep web and underground portions of the Internet were engaged with their brand. This is a pretty common type of engagement for us, and we often find a wide variety of security, operational and reputational issues.

This particular time around, we ran into a rather interesting and new concern, at least on the dark net. In this case, a dark net pornography site was using the consumer brand embedded as an HTML comment in the porn site’s main pages. Overall, there were several hundred name brands in the comments. This seems to have been performed so that the search engines that index the site on the dark net, associate the site with the brands. That means when a user searches for the brand name, they get the porn site returned as being associated. In this case, it was actually the first link on several of the dark net search sites we tested. The porn site appears to be using the brand names to lure eyeballs to the site – essentially to up the chance of finding a subscriber base for their particularly nasty set of pornography offerings. Search engine poisoning has been an issue on the public web for some time, and it is a commonly understood tactic to try and link your content to brands, basically serving as “click bait” for users. However, on the dark net, this was the first time we had observed this tactic being used so overtly.

The brand owner was, of course, concerned about this illicit use of their brand. However, there is little they could do to respond, other than reporting the site to the authorities. Instead, after discussing various options, we worked with them to identify an action and response plan for how they would handle the problem if it became a public concern. We also worked with them to identify a standard process that they could follow to bring their existing legal, marketing, management and other parts of their incident response team up to date on threats like these as they emerged.

The client was very pleased to have the discussion and with the findings we identified. While any misuse of their brand is a concern, having their brand associated with pornography or other illicit material is certainly unnerving. In the end, there is little that organizations can do, other than work with authorities or work on take down efforts if the brand is misused on the public web. However, having the knowledge that the issue is out there, and working to develop the threat into existing response plans certainly goes a long way to help them minimize these kinds of risks.

To learn more about dark net brand issues, targeted threat intelligence or passive assessments, drop us a line (info@microsolved dot com) or get in touch on Twitter (@lbhuston) for a discussion. 

DOJ Best Practices for Breach Response

I stumbled on this great release from the US Department of Justice – a best practices guide to breach response.

Reading it is rather reminiscent of much of what we said in the 80/20 Rule of Information Security years ago. Namely, know your own environment, data flows, trusts and what data matters. Combine that with having a plan, beforehand, and some practice – and you at least get some decent insights into what your team needs and is capable of handling. Knowing those boundaries and when to ask for outside help will take you a long way.

I would also suggest you give our State of Security Podcast a listen. Episode 6, in particular, includes a great conversation about handling major breaches and the long term impacts on teams, careers and lives.

As always, if we can assist you in preparing a breach response process, good policies, performing those network mappings or running table top exercises (or deeper technical red team exercises), let us know. We help companies around the world master these skills and we have plenty of insights we would love to share!