In our latest blog installments on monitoring, we spoke about compliance and decreasing overall detection times. These two benefits alone are fantastic; however, why should organizations monitor logs from their environment? And if they do, should they use a centralized logging platform (SIEM)?
Should we bother monitoring?
The answer is simple: YES! All organizations should be producing an abundance of logs and reviewing them on a regular basis. A business that produces no logs whatsoever is doing itself a disservice. When a breach or any anomalous event occurs, analysts need to be able to find the root cause of the event and determine whether any other devices have been affected. Without audit logs, this task is impossible. Consider following directions without being able to see: you won’t know something is there until you bump into it. The same applies to information security. Without logs, an organization is only aware of an incident when a tragic and obvious event happens, such as ransomware locking out a system or a third party notifying them that their sensitive information was found on Pastebin. Only by creating a more comprehensive picture of the networked environment can businesses hope to identify issues before they become a catastrophic incident.
Centralized or No?
As highlighted in my last blog, centralized logging is an insane time saver for security teams: an analyst can review the millions of logs captured over the last few months in a matter of minutes, versus weeks of manual inspection. To us the clear answer is a resounding yes! Do this and do it now!! Businesses that think they can easily hop from system to system and look at logs manually are wasting precious time. Here is a better way to think about it: if ransomware has infected the network, do you have weeks to hunt it down, or will the entire network be compromised by then? Time is truly of the essence with malware outbreaks and most cyber attacks. From a financial perspective, this one investment in centralized logging can save a company millions in expenses and lost revenue.
What should be logged?
Let’s say that I have done a fantastic job arguing for better logging capabilities; what should organizations actually log? The best place to start is by reviewing the Cyber Kill Chain, or any other attacker methodology for that matter. As a defensive team, you want to be able to observe every stage of an attack, from initial recon to embedded persistence. As the team responds to incidents, gaps in visibility will become clear and should be noted for improvement. From our experience, client-side logs are usually the least robust, forcing analysts to make assumptions and infer activity via other means such as network logs. Fortunately, Windows has great audit log features! With a little research, teams can vastly increase their insight with logs such as PowerShell and Sysmon. To be fair, no organization is perfect; keep in mind that hackers are always evolving, and in turn so should your methods as a defender.
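As an added example (not part of the original post or any product it describes), the script below shows the two questions a centralized store with kill-chain coverage is meant to answer: which stages of the Cyber Kill Chain none of your current Windows sources can illuminate, and which other hosts carry an indicator seen during an incident. The event records, host names, hash and IP values are constructed, and the mapping from (channel, event id) to kill-chain stage is our own assumption; the event ids themselves are the real Sysmon, Security and PowerShell ids.

```python
from collections import defaultdict

# Lockheed Martin Cyber Kill Chain stages, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

# Assumed mapping from (channel, event id) to the stage that log would reveal.
# Event ids are real: Sysmon 1 = process create, 3 = network connection,
# 11 = file create, 13 = registry value set; Security 4624 = logon;
# PowerShell 4104 = script block logging. The stage assignment is our own.
STAGE_MAP = {
    ("Sysmon", 1): "Exploitation",
    ("PowerShell", 4104): "Exploitation",
    ("Sysmon", 11): "Installation",
    ("Sysmon", 13): "Installation",
    ("Sysmon", 3): "Command and Control",
    ("Security", 4624): "Actions on Objectives",
}

# Constructed sample: events from three hosts already shipped to one store.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Sysmon", "event_id": 1, "image": "C:\\Tools\\updater.exe", "hash": "HASH-CONSTRUCTED-1"},
    {"host": "ws01", "channel": "Sysmon", "event_id": 13, "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"host": "ws01", "channel": "Sysmon", "event_id": 3, "dest": "203.0.113.10:443"},
    {"host": "ws02", "channel": "Sysmon", "event_id": 1, "image": "C:\\Tools\\updater.exe", "hash": "HASH-CONSTRUCTED-1"},
    {"host": "ws02", "channel": "PowerShell", "event_id": 4104, "script": "Get-Service | Where-Object Status -eq Running"},
    {"host": "srv01", "channel": "Security", "event_id": 4624, "logon_type": 3, "user": "svc_backup"},
]

def coverage_gaps(events):
    """Kill chain stages that no collected log source currently illuminates."""
    seen = {STAGE_MAP.get((e["channel"], e["event_id"])) for e in events}
    return [stage for stage in KILL_CHAIN if stage not in seen]

def build_index(events):
    """Invert the central store by field value so cross-host questions become one lookup."""
    index = defaultdict(set)
    for e in events:
        for field, value in e.items():
            if field != "host":
                index[(field, value)].add(e["host"])
    return index

def hosts_with(index, field, value):
    """Which hosts show this indicator? (the 'were other devices affected' question)"""
    return sorted(index.get((field, value), set()))

if __name__ == "__main__":
    idx = build_index(SAMPLE_EVENTS)
    print("Uncovered stages:", coverage_gaps(SAMPLE_EVENTS))
    print("Hosts with hash:", hosts_with(idx, "hash", "HASH-CONSTRUCTED-1"))
```

Stages reported as uncovered (here Reconnaissance and Delivery, plus Weaponization, which happens on the attacker's side) are the ones to feed from sources the sample lacks, such as firewall, proxy or mail logs.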
Hopefully with this blog I have convinced more organizations to implement better auditing and use a centralized monitoring capability. Please comment below to tell us why you dislike monitoring or why you love it.
To catch up on parts one and two, click the links below: