By Stephen Ramage, Threat Security Specialist at Adarma
In cybersecurity, logs are often side-lined as mundane and repetitive, akin to routine chores like visiting the dentist or doing laundry. Logs, such as those found in the Windows operating system or on firewall devices, are a fairly dry topic, and nobody really likes to talk about them. However, they should be viewed as one of the fundamental pillars of a robust cybersecurity strategy. Neglecting to take logging seriously, or failing to carry it out properly, could easily hamstring your security and put your business operations at risk.
When a cyber incident occurs, every security analyst or incident responder’s dream scenario is to be furnished with 12 months of good logs. Security teams rely heavily on these logs to piece together the sequence of events that led to the incident and understand the scope of the breach. Unfortunately, due to a variety of constraints, that is rarely the case. Often they encounter the bare minimum: some Windows process logs, perhaps the basic security logs and firewall logs, frequently set to a short retention period. This can be for a variety of reasons, the most common being cost.
Despite the growing complexity of the threat landscape and a rising awareness of the importance of cybersecurity at a board level, some organisations still struggle with the perception of cybersecurity as a cost-centre, rather than an investment.
When making decisions regarding security, those in charge must take into account various factors such as storage costs, licensing costs for data transfer, the amount of data, technical expertise, and whether to use cloud or on-prem systems. Additionally, IT hygiene factors such as system visibility, attack surface management, vulnerability management, and the ability to investigate security incidents must also be considered, as they also play a crucial role in maintaining a secure system.
Inevitably, some security aspects receive less investment, with logs often deprioritised. In some respects this is very understandable. After all, do you really need every single Windows log from an endpoint or server? Can’t we just optimise and choose only the most important ones?
Of course, the answer is yes, we can, but the question remains: which ones are the most important, and what volume and kind of data do they produce? This is a critical consideration, especially when that figure must be multiplied across the entire estate. Finding the right balance is the solution. When investigating and remediating an intrusion, it is important to determine which logs to focus on and which to ignore, weighed against the evidence required. At a high level, an organisation may want to consider the following:
- Firewall logs to identify command and control infrastructure, and to try to determine if there has been any exfiltration of data.
- Endpoint logs, of which there is no shortage, including command line logging, PowerShell logging on Windows machines, system security logs and application logs.
- Server and EDR logs, which follow a similar pattern to endpoint ones.
- Other software, sometimes core business software, often has its own logging which can be examined.
- Cloud infrastructure, which is its own wild west world of logging, depending on the cloud vendor and the subscription level that has been purchased.
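As an added illustration of the first point in the list above (using firewall logs to spot possible command and control traffic and data exfiltration), the following Python is example code written for this article, not Adarma's tooling or any firewall vendor's format. It parses constructed key=value log lines (hosts, addresses from the RFC 5737 documentation ranges, timestamps and byte counts are all invented) and applies two defensive checks: flagging flows whose connection timing is near-constant, and summing outbound bytes per source/destination pair against a threshold. The field names, thresholds and the generic log layout are assumptions made for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def build_sample_log():
    """Constructed firewall log lines in a generic key=value style (invented data)."""
    base = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset_s, src, dst, dport, bytes_out, bytes_in):
        ts = (base + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} action=allow proto=tcp src={src} dst={dst} dport={dport} "
                     f"bytes_out={bytes_out} bytes_in={bytes_in}")

    # Host A: eight small connections exactly 300 s apart (beacon-like regularity).
    for i in range(8):
        add(i * 300, "10.0.0.5", "203.0.113.10", 443, 410, 1200)
    # Host B: ordinary browsing, irregular timing and mixed sizes.
    for off, out_b, in_b in [(0, 2300, 51000), (47, 900, 12000), (610, 4100, 320000),
                             (655, 700, 9000), (1900, 1500, 88000), (2100, 3000, 210000),
                             (2140, 800, 15000)]:
        add(off, "10.0.0.7", "198.51.100.20", 443, out_b, in_b)
    # Host C: two connections carrying an unusually large outbound volume.
    add(1200, "10.0.0.9", "203.0.113.55", 443, 620_000_000, 30_000)
    add(3000, "10.0.0.9", "203.0.113.55", 443, 480_000_000, 25_000)
    return lines


SAMPLE_LOG = build_sample_log()
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one line into a dict; return None for lines that do not fit the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = [f.split("=", 1) for f in m.group("kv").split()]
    if any(len(f) != 2 for f in fields):
        return None
    rec = dict(fields)
    try:
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        for key in ("dport", "bytes_out", "bytes_in"):
            rec[key] = int(rec[key])
    except (KeyError, ValueError):
        return None
    return rec


def find_beacons(records, min_connections=6, max_cv=0.15):
    """Flag src->dst:port flows whose gaps between connections are near-constant.
    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    hits = []
    for flow, stamps in sorted(by_flow.items()):
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            hits.append({"flow": flow, "connections": len(stamps),
                         "mean_gap_s": mean_gap, "cv": round(cv, 3)})
    return hits


def find_large_outbound(records, threshold_bytes=500_000_000):
    """Sum bytes_out per src->dst pair and return the pairs at or above the threshold."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"])] += r["bytes_out"]
    return sorted((pair, total) for pair, total in totals.items() if total >= threshold_bytes)


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG) if r]
    for hit in find_beacons(recs):
        print("beacon-like timing:", hit)
    for (src, dst), total in find_large_outbound(recs):
        print(f"large outbound volume: {src} -> {dst} {total:,} bytes")
```

Both checks are starting points rather than verdicts: legitimate software (update checks, monitoring agents, NTP) also produces regular connections, and backups or cloud sync produce large outbound transfers, so in practice the thresholds are tuned and known-good destinations are allowlisted, which is exactly why the firewall logs need the retention and central searchability discussed later in the article.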
Security teams should consider when they last checked the retention of their logs. It’s possible that they are still set to the manufacturer’s default unless configured during setup. One important factor to consider is whether the logs are being pushed to a central location or platform that enables easy searching. If so, it’s important to know which logs are being pushed and how long they are being stored centrally.
The first and most important rule of effective logging is to prioritise quality over quantity. It is not necessary to log every single event; it is better to log the important things and keep them for a reasonable amount of time.
Deciding what to log and how to log is the first step in building your foundation. This will likely be driven by other security projects such as Threat Modelling, which help identify the risk areas across the network as well as examining how a potential threat actor could access and exploit various applications and systems. The information these models produce can be crucial to drive where you need logging if you are to identify suspicious or malicious activity.
Once you have determined the logs you require, the next steps are to ensure the logs are enabled, that they contain the data you require, and, most importantly, that they are being fed into an appropriate monitoring platform. Without this, whilst you will be able to investigate an incident after the event, it could be far down the line before you are aware of it.
Having identified and ingested the required logs into a centralised platform such as a Security Information and Event Management (SIEM) system, quality alerting and detection engineering are essential to detect malicious activity as fast as possible. This involves SOC analysts being able to access the data they require for an investigation, and the ability to tune the detection logic that is in place to reduce false positives and noise. By doing this, they will be able to rapidly determine the legitimacy of the activity, which could mean the difference between a full-blown compromise and catching one in its initial stages.
At a high level, amongst the logs that are of greatest use are:
- Windows system logs looking for new processes being created.
- Windows PowerShell logs.
- Windows application logs.
- Windows internet logs.
- Windows security logs, looking for remote devices being connected.
- EDR logging.
- Firewall logs, possibly including VPN logs.
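To show what the detection engineering and tuning loop described above looks like against the first two log sources in the list (process creation and PowerShell activity), here is example Python written for this article; it is not Adarma's detection content nor any SIEM's rule language. It runs two simple rules over constructed records shaped after the fields of Windows Security Event ID 4688 (process creation), then applies an allowlist so that a known deployment account's scheduled encoded PowerShell stops generating noise while the same behaviour from an Office document still alerts. The hostnames, user names, the "svc_deploy" account, the DeployTool path and the rule names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample process-creation records, shaped after the fields of Windows
# Security Event ID 4688. Hostnames, user names, paths and command lines are invented;
# the encoded blob is the UTF-16LE base64 of "echo hi".
SAMPLE_EVENTS = [
    {"Computer": "WS-ALICE", "SubjectUserName": "alice",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},
    {"Computer": "WS-BOB", "SubjectUserName": "bob",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\bob\notes.txt"},
    {"Computer": "SRV-APP01", "SubjectUserName": "svc_deploy",
     "ParentProcessName": r"C:\Program Files\DeployTool\agent.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NonInteractive -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},
    {"Computer": "SRV-APP02", "SubjectUserName": "svc_deploy",
     "ParentProcessName": r"C:\Program Files\DeployTool\agent.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NonInteractive -EncodedCommand ZQBjAGgAbwAgAGgAaQA="},
    {"Computer": "WS-CAROL", "SubjectUserName": "carol",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# -EncodedCommand and its short forms -ec / -enc, matched case-insensitively as powershell.exe does.
ENCODED_FLAG = re.compile(r"(?i)(^|\s)-e(c|nc|ncodedcommand)(\s|$)")


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_encoded_powershell(ev):
    """PowerShell started with an encoded command line."""
    return (basename(ev["NewProcessName"]) in {"powershell.exe", "pwsh.exe"}
            and ENCODED_FLAG.search(ev["CommandLine"]) is not None)


def rule_office_spawns_script_host(ev):
    """An Office application is the parent of a shell or script host."""
    return (basename(ev["ParentProcessName"]) in OFFICE_APPS
            and basename(ev["NewProcessName"]) in SCRIPT_HOSTS)


RULES = {
    "encoded_powershell": rule_encoded_powershell,
    "office_spawns_script_host": rule_office_spawns_script_host,
}

# Tuning: (rule, user, parent process) combinations the SOC has confirmed as expected behaviour.
TUNING_ALLOWLIST = frozenset({("encoded_powershell", "svc_deploy", "agent.exe")})


def is_suppressed(rule_name, ev, allowlist):
    key = (rule_name, ev["SubjectUserName"].lower(), basename(ev["ParentProcessName"]))
    return key in allowlist


def run_detections(events, allowlist=frozenset()):
    """Apply every rule to every event and return the alerts that survive the allowlist."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev) and not is_suppressed(name, ev, allowlist):
                alerts.append({"rule": name, "computer": ev["Computer"],
                               "user": ev["SubjectUserName"], "command": ev["CommandLine"]})
    return alerts


def tuning_report(events, allowlist):
    """Per rule: (alert count before tuning, alert count after tuning)."""
    before = Counter(a["rule"] for a in run_detections(events))
    after = Counter(a["rule"] for a in run_detections(events, allowlist))
    return {name: (before[name], after[name]) for name in RULES}


if __name__ == "__main__":
    for name, (raw, tuned) in tuning_report(SAMPLE_EVENTS, TUNING_ALLOWLIST).items():
        print(f"{name}: {raw} alerts untuned, {tuned} after tuning")
    for alert in run_detections(SAMPLE_EVENTS, TUNING_ALLOWLIST):
        print(alert["rule"], alert["computer"], alert["user"], "->", alert["command"])
```

The allowlist key deliberately combines rule, account and parent process rather than just the account, so the exception is as narrow as the confirmed behaviour; an encoded PowerShell launched by the same service account from a different parent would still alert. Note that this rule only works if command line auditing is enabled for 4688 events, which is the "they contain the data you require" step from earlier in the article.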
There are far more log sources available to fully determine the extent of suspicious activity. If the infected system is a cloud-hosted server, then other sources such as Active Directory authentication logs, remote access logs, and the myriad cloud logs that exist and differ by cloud provider could easily be added to the list above.
While logs may not garner the same attention as some cutting-edge cybersecurity technologies, they serve as indispensable assets in safeguarding business operations and digital assets. By recognising the critical role of logging and investing in effective logging strategies, such as the ones outlined above, organisations can bolster their cyber resilience and stay ahead in the ever-evolving cybersecurity landscape.
If you would like to learn more about how Adarma can support your organisation’s cyber resilience, please get in touch with us at hello@adarma.com.
To hear more from us, check out the latest issue of ‘Cyber Insiders,’ our C-suite publication that explores the state of the threat landscape, emerging cyber threats, and the most effective cybersecurity best practices.
You can also listen to our new podcast, which explores what it’s really like to work in cybersecurity in today’s threat landscape.
Stay updated with the latest threat insights from Adarma by following us on X and LinkedIn.