This Is The Way ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On January 09, 2024

“This is the way” is part of the Mandalorian creed. In the popular Star Wars series “The Mandalorian,” we follow a lone bounty hunter known as Din Djarin. Din Djarin wears a helmet and adheres to a strict code of conduct as a Mandalorian.

Much like Din Djarin's helmet, which protects his identity and records his journey, an audit log records the security-relevant events that take place across an organization's digital assets: who did what, from where, when, and with what result. Only the events a system is configured to log are captured, so deciding what to record is the first step. Just as the Mandalorian's helmet is an essential part of his gear, the collection of audit logs is crucial for maintaining security and compliance.

Throughout "The Mandalorian," Din Djarin encounters various challenges, adversaries, and allies on his journey. He reviews his past experiences and decisions to adapt to new situations and make informed choices. Similarly, organizations must review their audit logs to analyze historical data, identify security threats, and ensure compliance with industry standards. Just as Din Djarin relies on his experiences to guide his actions, reviewing audit logs guides an organization's cybersecurity efforts.

CIS Safeguard 8.1 emphasizes the crucial role of developing and upholding a robust audit log management process. Effective management of audit logs is vital for monitoring, analyzing, and responding to potential security incidents across an organization’s network.

  1. Log Collection: Ensure that all essential systems and devices are set to record events relevant to security.

Typically, the log data should include:

  • Timestamp: The exact date and time of the event, with clocks synchronized via Network Time Protocol (NTP) so that events from different devices can be correlated accurately.
  • Source Identifier: Information about the source of the event, such as the IP address, hostname, or device ID.
  • User Identifier: Details of the user associated with the event, including usernames or unique user IDs.
  • Event Type: The specific type of event that occurred, such as login attempt, file access, network connection, or system error.
  • Action Taken: What action was performed, like file modified, command executed, or settings changed.
  • Outcome: The result of the event or action, indicating success, failure, or error messages.
  • Severity Level: The importance or impact level of the event, which helps in prioritization during analysis.
  2. Centralized Management: Consolidate collected logs in a central system to facilitate efficient analysis and storage.
  3. Regular Review: Conduct systematic examinations of log data to detect and investigate any unusual or suspicious activities.
  4. Retention Policy: Establish and maintain a policy for log retention that adheres to legal and industry standards.
  5. Secure Storage: Maintain the integrity and confidentiality of logs with secure storage mechanisms.
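As an added illustration, not part of the original post or of the CIS policy template, the following Python script shows what three of these measures look like in code on a handful of constructed JSON audit records carrying the fields listed above. It checks each record for the required fields (collection), runs one review rule over the records (a burst of failed logins from a single source followed by a success, the classic password-guessing pattern), and hash-chains the stored lines so that editing or deleting an entry changes a digest you can keep out of band (secure storage). The JSON-lines format, the field names, the threshold and the sample events are assumptions made for this example.

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Fields every audit record should carry (the list above, as JSON keys).
REQUIRED_FIELDS = ("timestamp", "source", "user", "event_type",
                   "action", "outcome", "severity")

# Constructed sample log, one JSON event per line (not real data).
# Line 8 deliberately lacks "user" and "severity" to show a collection gap.
SAMPLE_LOG = """\
{"timestamp": "2024-01-09T14:00:01Z", "source": "10.0.0.5", "user": "djarin", "event_type": "login", "action": "authenticate", "outcome": "failure", "severity": "medium"}
{"timestamp": "2024-01-09T14:00:07Z", "source": "10.0.0.5", "user": "djarin", "event_type": "login", "action": "authenticate", "outcome": "failure", "severity": "medium"}
{"timestamp": "2024-01-09T14:00:12Z", "source": "10.0.0.5", "user": "djarin", "event_type": "login", "action": "authenticate", "outcome": "failure", "severity": "medium"}
{"timestamp": "2024-01-09T14:00:15Z", "source": "10.0.0.5", "user": "djarin", "event_type": "login", "action": "authenticate", "outcome": "failure", "severity": "medium"}
{"timestamp": "2024-01-09T14:00:18Z", "source": "10.0.0.5", "user": "djarin", "event_type": "login", "action": "authenticate", "outcome": "failure", "severity": "medium"}
{"timestamp": "2024-01-09T14:00:21Z", "source": "10.0.0.5", "user": "djarin", "event_type": "login", "action": "authenticate", "outcome": "success", "severity": "low"}
{"timestamp": "2024-01-09T14:05:00Z", "source": "10.0.0.9", "user": "grogu", "event_type": "file_access", "action": "read", "outcome": "success", "severity": "low"}
{"timestamp": "2024-01-09T14:06:00Z", "source": "10.0.0.9", "event_type": "file_access", "action": "modify", "outcome": "success"}
"""


def parse_records(text):
    """Parse JSON-lines audit log; return (records, problems).

    A record missing required fields is kept but reported, because a gap in
    collection is itself a finding. A record with no usable timestamp cannot
    be placed on a timeline and is skipped.
    """
    records, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError as exc:
            problems.append((lineno, f"unparseable line: {exc.msg}"))
            continue
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            problems.append((lineno, f"missing fields: {', '.join(missing)}"))
        try:  # assumes NTP-synced clocks emitting UTC ISO-8601 timestamps
            rec["_ts"] = datetime.strptime(rec.get("timestamp"), "%Y-%m-%dT%H:%M:%SZ")
        except (TypeError, ValueError):
            problems.append((lineno, "missing or non-ISO-8601 timestamp; record skipped"))
            continue
        records.append(rec)
    return records, problems


def brute_force_then_success(records, threshold=5, window=timedelta(minutes=1)):
    """Review rule: a source with `threshold` failed logins inside `window`
    followed by a successful login. Threshold and window are assumptions."""
    recent = defaultdict(deque)  # source -> timestamps of recent failures
    alerts = []
    for rec in sorted(records, key=lambda r: r["_ts"]):
        if rec.get("event_type") != "login":
            continue
        src = rec.get("source", "?")
        q = recent[src]
        while q and rec["_ts"] - q[0] > window:  # drop failures outside window
            q.popleft()
        if rec.get("outcome") == "failure":
            q.append(rec["_ts"])
        elif rec.get("outcome") == "success" and len(q) >= threshold:
            alerts.append(f"{src}: {len(q)} failed logins in {window} then "
                          f"success as {rec.get('user')} at {rec['timestamp']}")
            q.clear()
    return alerts


def chain_digest(text, seed=b""):
    """Hash-chain the log lines: each digest covers the previous digest plus the
    line, so any edit, insertion or deletion changes the final value. Keep the
    result somewhere the log host cannot rewrite (e.g. the central log server)."""
    digest = seed
    for line in text.splitlines():
        digest = hashlib.sha256(digest + line.encode()).digest()
    return digest.hex()


if __name__ == "__main__":
    recs, probs = parse_records(SAMPLE_LOG)
    for lineno, msg in probs:
        print(f"collection gap on line {lineno}: {msg}")
    for alert in brute_force_then_success(recs):
        print("ALERT:", alert)
    print("log digest:", chain_digest(SAMPLE_LOG))
```

Run against the constructed sample, the script reports that line 8 is missing its user and severity fields, raises one alert for the five failures from 10.0.0.5 followed by a success, and prints a digest that changes if any line in the stored log is altered. In practice the same checks run on the central log platform rather than on each host, so that a compromised host cannot quietly adjust what it reports.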

Commitment to these measures allows organizations to strengthen their security posture, improve incident response, and meet regulatory requirements.

Here’s a link to the Audit Log Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/audit-log-management-policy-template-for-cis-control-8

Here’s some detail on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 8 – Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Implementation Group 1

CIS Safeguard 8.1 - Establish and Maintain an Audit Log Management Process

Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell, and Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.