Need to build a logging and monitoring solution and unsure where to begin? Get started with our logging and monitoring best practices guide.
The concept of logging and monitoring isn’t new, but organizations still struggle to formulate and implement a security-focused logging and monitoring policy. Security teams need to build logging and monitoring programs that not only collect traditional operational metrics, but are also capable of storing, analyzing, and even mitigating a variety of attacks. This proactive approach of collecting and analyzing information can help developers, sysadmins and security teams in many ways such as detecting issues in their code via “application-level logging,” identifying anomalies in network traffic via “infrastructure logs like AWS/Azure,” and detect as well as prevent security incidents by using advance Security Information and Event Management capabilities. You can address these challenges by employing these logging and monitoring best practices.
Determining why the organization wants a logging solution will help define what you need to log. The following are some of the reasons an organization might want such as solution:
Discussing these factors with your organization’s security governance team, legal department, and other stakeholders will help define the goals for logging and monitoring.
Based on your goals, determine what metadata needs to be captured and what events need to be logged. Some examples of metadata and events to be logged and why include:
Infrastructure administrators and security teams should collaborate to build an effective logging and monitoring program that collects traditional operational metrics and can analyze them to mitigate attacks. Alerts on certain events, such as multiple failed login attempts or weekly notifications on commands executed on a server, can be set up to monitor these events. It is also important to work with application teams to understand what the different attributes of a log entry mean. Once you have a baseline for normal operations, you can configure correlation rules, aggregations, thresholds, and alerts to be triggered for any anomaly based on the security risk profile for the application. For example, every log entry should have at least the following:
Log data is a huge volume of datasets that impact performance and costs. When determining what data you should monitor start by not leaving anything out. You need to identify which systems/applications should be monitored and what level of monitoring is required. You should also classify your data and systems according to the organization’s statutory, regulatory, or contractual requirements. Keep in mind that this classification may differ from your security system classification or your business data classification.
There are a many solutions—both commercial products and open source projects—to choose from when you want to build a scalable and resilient logging and monitoring program. Choosing the right technologies for a logging and monitoring architecture can be overwhelming. A few key points that you need to keep in mind are:
A logging and monitoring program by itself is an asset to the organization because it looks into organization wide activities and may contain sensitive information. Here are few points to consider to secure it:
Work with security teams to enforce companywide policies and procedures that define logging requirements in detail for all systems. This ensures consistency and that protocols and procedures are followed in logging. Policies with a strong mandate and corporate backing ensure that logging and monitoring practices are followed.
Without strong logging mechanisms, an organization is truly in the dark before, during, and after any incident. Attacks on sophisticated systems are often carried out for months or even years. Would your organization be able to detect and block a probe like this? If a motivated adversary can slowly pick apart an application for that length of time and go undetected, there is a high chance that an actual exploit will occur. The following steps are vital to prevent such a scenario:
Although it is no easy task to build a secure logging and monitoring program, it is an imperative part of any application architecture and it will make all the difference in detecting and blocking a sophisticated attack by a motivated and determined adversary. Explore Synopsys eLearning courses to learn more on logging and monitoring best practices.
Ashutosh Rana is a senior security consultant with over 10 years of enterprise security experience. He works on various security related activities such as architecture/design risk assessments, penetration testing, vulnerability management, configuration reviews etc. and believes in built-in security or security by design. He holds a Masters in Cybersecurity from Syracuse University and enjoys PC gaming in his spare time.