Cause and Effect ft. Bryon Singh, RailWorks Corporation


By Steve Gold
Posted in Security
On January 23, 2024

In Episode 18 of Season 5 of “Star Trek: The Next Generation,” the USS Enterprise becomes ensnared in a time loop, a phenomenon that causes the ship to repeatedly experience the same sequence of events. This time loop not only endangers the ship, but also poses a severe threat to the crew's safety and the ship's mission.

The character Data, played by Brent Spiner, is an android with a positronic brain that enables him to retain memories in ways that the rest of the crew cannot. As the time loop repeats, Data begins to experience a sense of déjà vu. It becomes apparent that he is the key to understanding the situation and finding a way to break free from the cycle.

Just as Data's memories provide a record of events in each time loop, enterprises must maintain comprehensive logs that capture all relevant data related to their digital operations. These logs include system activities, user actions, and network events. Without comprehensive logging, crucial information may be missed, leaving an organization vulnerable to threats and compliance issues.

As the time loop continues, Data's memories accumulate, highlighting the necessity of adequate storage. In an enterprise, it is essential to ensure that logging destinations have sufficient storage capacity to handle the volume of audit logs generated over time. Running out of storage can result in the loss of valuable data, hampering incident response, forensic analysis, and compliance efforts.

Ensure that logging systems have sufficient storage capacity in line with the organization's log management policies. Audit log storage is crucial for compliance with legal and regulatory standards and provides necessary data for forensic activities post-security incidents.

Essential audit log data includes:

  • User IDs and Credentials: Record of user access and authentication
  • Terminal Identities: Information on the devices or terminals used
  • System Configuration Changes: Details of any alterations to system settings
  • Event Timing: The date and time for each recorded event
  • Access Attempts: Records of both successful and failed login attempts
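One practical way to act on the list above is to check each audit record for the fields it should carry before it is accepted into long-term storage, so gaps are caught while the source can still be fixed. The following is an added example, not code from the original post or from CIS; the field names (`user_id`, `terminal`, `timestamp`, `event`, `outcome`) and the sample JSON Lines records are constructed for illustration and are not a CIS-mandated schema.

```python
"""Check that audit log records carry the essential fields listed in the post."""
import json

# Required fields, mapped from the five essential categories in the post.
# These names are an assumption for this example, not a CIS-defined schema.
REQUIRED_FIELDS = {
    "user_id": "User IDs and Credentials",
    "terminal": "Terminal Identities (device or terminal used)",
    "timestamp": "Event Timing (date and time of the event)",
    "event": "Event type (system configuration change, login, ...)",
    "outcome": "Access Attempts (success or failure)",
}

# Constructed sample log (JSON Lines), not real data. Record 3 lacks a
# terminal identity and record 4 lacks a timestamp.
SAMPLE_LOG = """\
{"timestamp": "2024-01-23T09:12:01Z", "user_id": "jdoe", "terminal": "ws-0142", "event": "login", "outcome": "success"}
{"timestamp": "2024-01-23T09:12:45Z", "user_id": "jdoe", "terminal": "ws-0142", "event": "config_change", "outcome": "success", "detail": "sshd: PermitRootLogin no"}
{"timestamp": "2024-01-23T09:13:10Z", "user_id": "svc_backup", "event": "login", "outcome": "failure"}
{"user_id": "admin", "terminal": "console", "event": "login", "outcome": "success"}
"""


def missing_fields(record):
    """Return the required field names absent from one parsed record."""
    return [field for field in REQUIRED_FIELDS if field not in record]


def audit_completeness(log_text):
    """Scan a JSON Lines log.

    Returns (complete_count, gaps) where gaps maps a 1-based line number to
    the list of missing fields, or ["<unparseable>"] for a malformed line.
    """
    complete = 0
    gaps = {}
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            gaps[line_no] = ["<unparseable>"]
            continue
        missing = missing_fields(record)
        if missing:
            gaps[line_no] = missing
        else:
            complete += 1
    return complete, gaps


if __name__ == "__main__":
    ok, problems = audit_completeness(SAMPLE_LOG)
    print(f"{ok} complete records")
    for line_no, missing in sorted(problems.items()):
        labels = ", ".join(REQUIRED_FIELDS.get(f, f) for f in missing)
        print(f"line {line_no}: missing {labels}")
```

Run the check at the collector or SIEM ingest point rather than only at review time: a source that never emits a terminal identity is a configuration problem on that source, and the earlier it surfaces the less of the retention window is affected.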

Refer to NIST publication SP 800-92, Sections 5.1 and 5.4, for guidelines on policy development and the management of long-term log storage. The organizational policy should dictate the duration of log retention based on the data's value and other relevant considerations, ranging from immediate disposal for insignificant data to long-term centralized storage for critical information. Regular log rotation should be part of this policy to ensure ongoing logging without storage overflow.

Retention periods vary by business nature and policy, typically spanning from two months to several years. For extended retention, select a uniform log format and appropriate backup media, ensuring the integrity and secure offsite storage of the logs.
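The two paragraphs above reduce to a sizing question: does the logging destination hold a full retention window, with room for growth, and will logs be rotated off before it fills? The following is an added example, not code from the original post or from CIS or NIST; the policy values (daily volume, retention days, growth rate, headroom) and the 200 GiB destination are constructed figures, and the linear-growth model is an assumption made for the example.

```python
"""Size a logging destination against a retention policy (CIS Safeguard 8.3)."""
from dataclasses import dataclass

GIB = 1024 ** 3


@dataclass
class RetentionPolicy:
    retention_days: int           # how long logs must stay in the destination
    daily_volume_bytes: int       # observed or estimated ingest per day
    growth_per_year: float = 0.0  # expected annual increase in daily ingest
    headroom: float = 0.20        # spare fraction kept free for bursts


def required_capacity_bytes(policy):
    """Bytes needed to hold one full retention window, with growth and headroom.

    Assumes ingest grows linearly and sizes for the daily volume expected at
    the end of the window, so the destination does not fall short mid-window.
    """
    years = policy.retention_days / 365
    peak_daily = policy.daily_volume_bytes * (1 + policy.growth_per_year * years)
    window = peak_daily * policy.retention_days
    return int(round(window * (1 + policy.headroom)))


def days_until_full(capacity_bytes, used_bytes, policy):
    """Days of ingest the remaining free space can absorb at today's rate."""
    free = max(capacity_bytes - used_bytes, 0)
    return free / policy.daily_volume_bytes


def assess_destination(capacity_bytes, used_bytes, policy, rotation_days):
    """Compare a destination against the policy and return findings.

    rotation_days is how often logs are rotated out (archived or purged).
    """
    required = required_capacity_bytes(policy)
    runway = days_until_full(capacity_bytes, used_bytes, policy)
    findings = []
    if capacity_bytes < required:
        findings.append(
            f"capacity {capacity_bytes / GIB:.0f} GiB is below the "
            f"{required / GIB:.0f} GiB needed for {policy.retention_days} days"
        )
    if runway < rotation_days:
        findings.append(
            f"destination fills in {runway:.0f} days but rotation runs every "
            f"{rotation_days} days; logs would be lost before rotation"
        )
    return {"required_bytes": required, "days_until_full": runway, "findings": findings}


# Constructed scenario: 2 GiB/day, 90-day retention, 200 GiB volume, 150 GiB used.
POLICY = RetentionPolicy(retention_days=90, daily_volume_bytes=2 * GIB)
REPORT = assess_destination(capacity_bytes=200 * GIB, used_bytes=150 * GIB,
                            policy=POLICY, rotation_days=30)

if __name__ == "__main__":
    print(f"required: {REPORT['required_bytes'] / GIB:.0f} GiB")
    print(f"days until full: {REPORT['days_until_full']:.0f}")
    for finding in REPORT["findings"]:
        print("FINDING:", finding)
```

In the constructed scenario the destination is both undersized for the window (216 GiB needed against 200 GiB) and at risk of filling within 25 days while rotation runs every 30, which is exactly the overflow the post warns about. The same function can be run daily against real capacity figures so that the "days until full" value becomes an alert threshold rather than a surprise.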

Here’s a link to the Audit Log Management Policy Template, provided free of charge by the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/audit-log-management-policy-template-for-cis-control-8

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 8 – Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Implementation Group 1

CIS Safeguard 8.3 – Ensure Adequate Audit Log Storage

Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.

Steve Gold


Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.