“This is the way” is part of the Mandalorian creed. In the popular Star Wars series “The Mandalorian,” we follow a lone bounty hunter known as Din Djarin. Din Djarin wears a helmet and adheres to a strict code of conduct as a member of the Mandalorians.
Much like Din Djarin's helmet, which protects his identity and records his journey, an audit log collects data and records every event within an organization's digital assets. Every action taken within the digital environment is logged, ensuring that no important detail is overlooked. Just as the Mandalorian's helmet is an essential part of his gear, the collection of audit logs is crucial for maintaining security and compliance.
Throughout "The Mandalorian," Din Djarin encounters various challenges, adversaries, and allies on his journey. He reviews his past experiences and decisions to adapt to new situations and make informed choices. Similarly, organizations must review their audit logs to analyze historical data, identify security threats, and ensure compliance with industry standards. Just as Din Djarin relies on his experiences to guide his actions, reviewing audit logs guides an organization's cybersecurity efforts.
CIS Safeguard 8.1 emphasizes the crucial role of developing and upholding a robust audit log management process. Effective audit log management is vital for monitoring, analyzing, and responding to potential security incidents across an organization’s network.
- Log Collection: Ensure that all essential systems and devices are set to record events relevant to security. Typically, the log data should include:
  - Timestamp: The exact date and time of the event, ideally synchronized with a network time protocol (NTP) for accuracy across all devices.
  - Source Identifier: Information about the source of the event, such as the IP address, hostname, or device ID.
  - User Identifier: Details of the user associated with the event, including usernames or unique user IDs.
  - Event Type: The specific type of event that occurred, such as login attempt, file access, network connection, or system error.
  - Action Taken: What action was performed, like file modified, command executed, or settings changed.
  - Outcome: The result of the event or action, indicating success, failure, or error messages.
  - Severity Level: The importance or impact level of the event, which helps in prioritization during analysis.
- Centralized Management: Consolidate collected logs in a central system to facilitate efficient analysis and storage.
- Regular Review: Conduct systematic examinations of log data to detect and investigate any unusual or suspicious activity.
- Retention Policy: Establish and maintain a policy for log retention that adheres to legal and industry standards.
- Secure Storage: Maintain the integrity and confidentiality of logs with secure storage mechanisms.
Committing to these measures lets organizations strengthen their security posture, improve incident response, and meet regulatory requirements.
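A practical way to enforce the minimum field set listed above is to validate each record before it is forwarded to the central log store. The following is an added example, not code from this post or from CIS; the field names, the accepted severity and outcome vocabularies, and the sample records are assumptions for the illustration.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Field names and the accepted vocabularies are assumptions for this example.
REQUIRED_FIELDS = ("timestamp", "source", "user", "event_type", "action", "outcome", "severity")
SEVERITIES = {"informational", "low", "medium", "high", "critical"}
OUTCOMES = {"success", "failure", "error"}

def normalize_timestamp(ts: str) -> str:
    """Rewrite an ISO 8601 timestamp in UTC (Z suffix); a timestamp with no offset is rejected, not guessed."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("timestamp has no timezone offset")
    return dt.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")

def validate_event(event: Dict[str, str]) -> List[str]:
    """Return the problems found in one record; an empty list means it is accepted."""
    problems = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not event.get(f)]
    if event.get("timestamp"):
        try:
            normalize_timestamp(event["timestamp"])
        except ValueError as exc:
            problems.append(f"bad timestamp: {exc}")
    if event.get("severity") and event["severity"] not in SEVERITIES:
        problems.append(f"unknown severity: {event['severity']}")
    if event.get("outcome") and event["outcome"] not in OUTCOMES:
        problems.append(f"unknown outcome: {event['outcome']}")
    return problems

def triage(events):
    """Split records into (accepted, rejected); accepted ones get a UTC timestamp."""
    accepted, rejected = [], []
    for ev in events:
        problems = validate_event(ev)
        if problems:
            rejected.append((ev, problems))
        else:
            accepted.append({**ev, "timestamp": normalize_timestamp(ev["timestamp"])})
    return accepted, rejected

# Constructed sample records, not real log data: one complete, one with a naive
# timestamp (no offset, so it cannot be correlated across hosts), one missing the user.
SAMPLE_EVENTS = [
    {"timestamp": "2024-03-01T14:05:09-05:00", "source": "web01", "user": "jdoe",
     "event_type": "login_attempt", "action": "ssh_auth", "outcome": "failure", "severity": "medium"},
    {"timestamp": "2024-03-01 19:05:10", "source": "10.0.0.12", "user": "svc_backup",
     "event_type": "file_access", "action": "file_read", "outcome": "success", "severity": "low"},
    {"timestamp": "2024-03-01T19:05:11Z", "source": "dc01", "event_type": "settings_changed",
     "action": "gpo_modified", "outcome": "success", "severity": "high"},
]
```

Calling `triage(SAMPLE_EVENTS)` accepts only the first record (with its timestamp rewritten to UTC) and returns the other two alongside the reason each was rejected.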
Here’s a link to the Audit Log Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/audit-log-management-policy-template-for-cis-control-8
Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.
CIS Control 8 – Audit Log Management
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.
Implementation Group 1
CIS Safeguard 8.1 - Establish and Maintain an Audit Log Management Process
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.