Written with contributions from Bryon Singh, Director of Security Operations, RailWorks Corporation
In The Bourne Identity, Jason Bourne is a man on the run, trying to piece together his past while evading a global intelligence network. The agencies chasing him rely heavily on surveillance, communications intercepts, and, most importantly, detailed logs of his movements, interactions, and digital footprints.
Without those logs, they’d have no way to reconstruct his path or understand how he keeps slipping through their fingers.
This is the essence of CIS Safeguard 8.5, which emphasizes the importance of collecting detailed audit logs to monitor activity, detect anomalies, and support investigations.
What Is CIS Safeguard 8.5?
CIS Safeguard 8.5 is part of the Audit Log Management control family. It states:
“Collect detailed audit logs containing security-relevant information on enterprise assets.”
This means capturing logs that go beyond basic system events. Organizations should collect logs that include:
- Authentication attempts
- Access to sensitive data
- Configuration changes
- Privilege escalations
- Network connections
- Application-level events
These logs are essential for incident detection, response, and forensics.
Why It Matters
In The Bourne Identity, the CIA uses detailed logs to track Bourne’s use of passports, hotel check-ins, phone calls, and ATM withdrawals. Each log entry helps build a timeline and understand his behavior.
In cybersecurity, detailed audit logs serve the same purpose:
- Detect suspicious activity (e.g., failed login attempts, unusual access patterns)
- Investigate breaches by reconstructing attacker movements
- Support compliance with regulations like HIPAA, PCI-DSS, and GDPR
- Enable threat hunting and proactive defense
Without detailed logs, security teams are flying blind—unable to see what happened, when, or how.
How to Implement It
To align with CIS Safeguard 8.5, organizations should:
- Enable detailed logging on all enterprise assets: servers, endpoints, cloud services, and applications.
- Include security-relevant fields: user IDs, timestamps, IP addresses, event types, and outcomes.
- Centralize logs using a SIEM or log aggregation tool (e.g., Splunk, ELK, Sentinel).
- Ensure logs are protected from tampering and unauthorized access.
- Retain logs for an appropriate period based on business and regulatory needs.
- Regularly review and tune logging policies to ensure completeness and relevance.
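A small completeness check for the field list above, added here as an example (it is not code from this post or from CIS): it reads newline-delimited JSON audit events and reports which Safeguard 8.5 fields each record lacks, which is one way to "review and tune" logging for completeness. The field names and the sample events are constructed for this example; map them to whatever your log sources actually emit.

```python
import json
from datetime import datetime

# Fields a detailed 8.5 audit record should carry (assumed names for this example;
# map them to whatever your log sources actually emit).
REQUIRED_FIELDS = ("event_source", "timestamp", "username", "event_type",
                   "source_address", "destination_address", "outcome")


def check_record(record):
    """Return the problems found in one audit record (empty list = complete)."""
    problems = ["missing " + f for f in REQUIRED_FIELDS if not record.get(f)]
    ts = record.get("timestamp")
    if ts:
        try:
            parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("timestamp lacks timezone")
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems


def audit_coverage(lines):
    """Scan newline-delimited JSON events and summarise 8.5 field completeness."""
    report = {"total": 0, "complete": 0, "incomplete": 0,
              "unparseable": 0, "problems": {}}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        report["total"] += 1
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            report["unparseable"] += 1  # a source emitting non-JSON is itself a gap
            continue
        problems = check_record(record)
        report["complete" if not problems else "incomplete"] += 1
        for p in problems:
            report["problems"][p] = report["problems"].get(p, 0) + 1
    return report


# Constructed sample events: complete, missing fields, naive timestamp, unparseable.
SAMPLE_LOG = """{"event_source":"vpn-gw1","timestamp":"2024-03-01T08:15:02Z","username":"jbourne","event_type":"auth.login","source_address":"203.0.113.10","destination_address":"10.0.0.5","outcome":"failure"}
{"event_source":"app-db","timestamp":"2024-03-01T08:16:40Z","event_type":"data.read","outcome":"success"}
{"event_source":"hr-portal","timestamp":"2024-03-01 08:17:00","username":"jbourne","event_type":"config.change","source_address":"10.0.0.9","destination_address":"10.0.0.20","outcome":"success"}
not json at all
"""
```

Run `audit_coverage(SAMPLE_LOG.splitlines())` to get a per-field tally of what is missing; the same function can be pointed at a real export from your SIEM to measure coverage per log source.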
Bourne’s Digital Trail
Bourne’s pursuers rely on logs to track his every move. When he uses a phone, accesses a bank account, or enters a building, those actions are logged. The more detailed the logs, the clearer the picture.
In cybersecurity, attackers often try to erase or avoid logs. That’s why collecting them in detail and securing them is vital. It’s your best chance to understand what happened—and prevent it from happening again.
Final Thoughts
CIS Safeguard 8.5 is about visibility. Like the intelligence agencies in The Bourne Identity, your security team needs a clear, detailed trail to follow. Audit logs are that trail. They tell the story of what’s happening in your environment—good or bad.
So don’t settle for vague or incomplete logs. Collect them in detail, protect them, and use them to stay one step ahead of the threat.
Resources
Here’s a link to the Policy Templates provided free of charge from the fine folks at the Center for Internet Security:
Looking for even more detail? Here you go. If this still doesn’t satisfy your curiosity, DM me.
CIS Control 8 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
CIS Safeguard 8.5 – Collect Detailed Audit Logs
Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Shameless Marketing Information
Gotham Technology Group offers a Security Operations Center as a Service (SOCaaS) powered by Arctic Wolf Networks. Our team will work alongside your team to support and mature your security operations.