Logging and monitoring are inseparable – or rather, they should be.
A critical part of cybersecurity is generating audit logs for changes being made to your sensitive data and critical systems and monitoring those logs for signs of potential cybersecurity threats. Logging and monitoring should cover the entirety of your IT infrastructure, as wherever your users are able to make changes, there is the potential for breaches in security.
The problems many organizations face is that when they enable audit logging on their critical IT infrastructure, they are quickly bombarded with unmanageable amounts of raw log information as changes are being constantly made. So much so, that it can be incredibly difficult to glean any meaningful insight from monitoring them.
What Qualifies as Inadequate Logging and Monitoring?
The goal should be to automate as much of the logging and monitoring processes as you possibly can. Simply put, trying to dig through raw logs in search of changes that could potentially damage the security of your organization just isn’t good enough. Rarely will you find yourself in a situation where you can spot a potentially damaging change quickly enough to take preventative action. It’s far more common to see organizations using this manual method to reactively investigate an incident after the fact.
Automate as much as possible. One example would be access control systems, which can be given their own monitoring rules. You can set an automatic rule to prevent a user from logging in to their account if they reach a certain number of log-on attempts in a session. The system would automatically blog the IP for a defined period of time. The security or IT team would then be alerted to the fact that this incident had occurred.
However, even this kind of automation in the logging can be problematic, as it still required someone to be manually monitoring the alerts being generated. If you don’t spot these alerts, then you can find yourself in the same scenario as before.
How Bad is the Problem?
If you’ve ever tried to manually manage audit logs to investigate an event, you know how bad the situation is currently, and it’s only getting worse. Cyber-attacks are increasing in both severity and frequency, even to the point now where we are seeing them to be state sponsored (allegedly). These attacks are quite often designed to circumvent the native log monitoring software and go unnoticed – thus not producing any sort of alert that can be easily spotted by the security or IT team.
Inadequate logging and monitoring, whilst not a direct cause of data breaches itself, affects your ability to react quickly and effectively to all manner of cybersecurity threats. If a suspicious or unauthorized change in your IT infrastructure goes unnoticed due to improper log monitoring practices, your chance to address the threat posed to your cybersecurity is gone.
In most of the different types of data breach your organization is likely to face, including hacks, phishing attacks, ransomware and insider threats, thorough logging and monitoring will help you detect and react faster. The Ponemon Institute’s 2017 Cost of Data Breach Study suggests that the average time to detect a data breach is 191 days. I don’t need to tell you how concerning that is. Logging and monitoring is the first step to solving this problem.
What Can Enterprises Do to Improve Cybersecurity?
One way to test if your logging and monitoring is in need of improvement is to fake a cybersecurity incident. Have a user delete an important file from somewhere within your IT infrastructure. How long does it take you to identify what has been deleted and reverse the change? Through this process, you’ll likely realize how unprepared for a data breach incident you are if you don’t have some sort of logging and monitoring solution in place.
Gartner predicts that analytics is going to play a crucial role in reducing the severity and frequency of cyber-attacks over the next few years. User behaviour analytics is a crucial part of ensuring that you are able to continuously monitor the way your users are interacting with critical data, and proactively alert on any suspicious or anomalous behaviour. But this simply cannot be done using native audit tools, such as Event Viewer.
Do yourself a massive favour and invest in a User Behaviour Analytics solution, like LepideAuditor, that aggregates information from raw logs and presents them in readable, actionable reports. Solutions like these do most of the legwork for you, meaning that you will no longer have to sift through the noise generated by native auditing and you will be automatically alerted when a change in your environment could potentially impact your cybersecurity.
If you’re an enterprise organization that deals with large quantities of sensitive information (be it personally identifiable information or company secrets), it’s only a matter of time before you’re hit with a cyber-attack. You best make sure you’re ready!