Security Logging and Monitoring Failures first appeared in the OWASP Top 10 in 2017 and moved up one spot to number 9 in the 2021 edition.
Security Logging and Monitoring Failures have no directly exploitable vulnerability of their own, but that does not make logging and monitoring any less critical.
Insufficient logging and monitoring of systems reduces visibility into incident alerting, login failures, system failures and breaches. This makes it essential to have a fully operational logging and monitoring system that collects logs and raises alerts to Security Operations Center (SOC) staff and administrators. It is also important to check on a regular basis that every system that should be logging is doing so as expected; you don't want to discover that valuable logs are missing from your firewall.
What’s the risk of improper security logging and monitoring?
Login and failed attempts not being logged
All login attempts should be recorded. This helps verify who logged in where and when, allows you to track hosts that may be causing unintentional logins, and helps mitigate breaches. An excessive number of login failures may be a sign of a breach or of an attempt at one.
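As an added illustration of the point above (this is example code written for this article, not Foresite's tooling), the script below parses a handful of constructed OpenSSH-style authentication lines, groups them by source address, and raises an alert once a source produces a burst of failures inside a short window. It also records whether a successful login from the same source followed the burst, which is the case an analyst should look at first. The log format, the threshold of five failures per minute and the host names and documentation-range addresses are all assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an OpenSSH-like format; hosts and addresses are
# documentation ranges, not real systems.
SAMPLE_LOG = """\
2024-03-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
2024-03-01T10:00:02 host1 sshd[102]: Failed password for invalid user admin from 198.51.100.7 port 5002 ssh2
2024-03-01T10:00:03 host1 sshd[103]: Failed password for root from 198.51.100.7 port 5003 ssh2
2024-03-01T10:00:04 host1 sshd[104]: Failed password for root from 198.51.100.7 port 5004 ssh2
2024-03-01T10:00:05 host1 sshd[105]: Failed password for root from 198.51.100.7 port 5005 ssh2
2024-03-01T10:00:09 host1 sshd[106]: Accepted password for root from 198.51.100.7 port 5006 ssh2
2024-03-01T10:00:30 host1 sshd[107]: Failed password for alice from 192.0.2.10 port 6001 ssh2
2024-03-01T10:00:45 host1 sshd[108]: Accepted publickey for alice from 192.0.2.10 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_lines(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def find_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag a source once it produces `threshold` failures inside `window`.

    Returns {src: {"failures": n, "users": [...], "success_after_burst": bool}}.
    A success from the same source after the burst is the case to escalate first.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        # Slide over the failures: the i-th and (i+threshold-1)-th must sit inside the window.
        for i in range(len(failures) - threshold + 1):
            first, last = failures[i], failures[i + threshold - 1]
            if last["ts"] - first["ts"] <= window:
                later_success = any(
                    e["outcome"] == "Accepted" and e["ts"] >= last["ts"] for e in evs
                )
                alerts[src] = {
                    "failures": len(failures),
                    "users": sorted({f["user"] for f in failures}),
                    "success_after_burst": later_success,
                }
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_login_bursts(parse_auth_lines(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample data only 198.51.100.7 trips the rule (five failures across two usernames in four seconds, followed by an accepted login); the single failure from 192.0.2.10 followed by a key-based login is ordinary user behaviour and stays quiet. A real deployment would read from the central collector rather than a string and would tune the threshold per service.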
Logs not backed up or being stored locally
Logs should be stored away from the original host machine in case that host fails. Backing logs up to a separate location protects them against accidental or unintentional loss and keeps them accessible after a hardware failure or a natural disaster.
Improper logs that do not provide any valuable information
Ensure you are backing up the logs that are important to you and that they contain all the relevant information you may need. Logging levels exist so that the most important logs are the ones backed up. For example, you may choose to back up fatal and error logs while not backing up debug or informational ones.
Lack of monitoring systems in real time
Having a central system to monitor logs, or a SIEM (Security Information and Event Management) system, provides an extra layer of protection and can help prevent attacks through a built-in rule set that alerts your SOC or administrator. Collecting information in real time, and being able to analyze and alert on events across the network infrastructure as they happen, is important to stop threats.
Missing monitoring and alerting systems
Ensure that all systems that you need logs from are configured correctly and log to the correct central point.
Logs not protected for integrity
Businesses should be able to demonstrate that logs cannot be altered or they risk failing audits and missing compliance regulations. This may also make the logs inadmissible as evidence for law enforcement agencies.
What’s the fix for security logging and monitoring failures?
Ensure login, access control, and server-side input validation is logged
Ensure sufficient details are logged to identify malicious accounts, and that logs are retained long enough to allow forensic analysis.
Ensure logs contain enough context to identify suspicious behavior and enable in-depth forensic analysis
Having the relevant sources logging is not enough if the log entries themselves lack information or context. Ensuring that the correct logging severity level is set is important. Set a baseline of normal activity to enable easy identification of suspicious and malicious activity.
Ensure logs are in a format compatible with log management solutions
Make sure the logs are written in a format that is compatible with your other systems, as you may need further tools that include parsing rules.
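The two points above (enough context per entry, and a format a log management solution can parse) come together in how an application writes its security events. The example below is added for this article and is not Foresite's code: it emits one JSON object per line through Python's standard logging module, refuses to write an event that lacks the who/what/where/when/outcome fields, and maps failures and denials to WARNING so they survive a filter that drops INFO and DEBUG. The field names, the event names (`login`, `access_denied`, `input_rejected`) and the logger name are this example's own assumptions; map them onto whatever schema your SIEM expects.

```python
import json
import logging
from datetime import datetime, timezone

# Context every security event must carry. Field names are this example's own
# choice, not a standard; adapt them to your log management solution's schema.
REQUIRED_FIELDS = ("ts", "event", "outcome", "user", "src_ip", "host", "request_id")


class JsonLineFormatter(logging.Formatter):
    """One JSON object per line: shippers and SIEM parsers handle it without custom regexes."""

    def format(self, record):
        payload = {"level": record.levelname, "logger": record.name}
        payload.update(getattr(record, "event_data", {}))
        payload["message"] = record.getMessage()
        return json.dumps(payload, sort_keys=True)


def build_event(event, outcome, user, src_ip, host, request_id, ts=None, **extra):
    """Assemble the event and refuse to emit one that lacks required context."""
    data = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "event": event,
        "outcome": outcome,
        "user": user,
        "src_ip": src_ip,
        "host": host,
        "request_id": request_id,
    }
    data.update(extra)
    missing = [f for f in REQUIRED_FIELDS if data.get(f) in (None, "")]
    if missing:
        raise ValueError(f"security event missing context fields: {missing}")
    return data


def severity_for(event, outcome):
    """Failed logins, denied access and rejected input are WARNING so they survive
    a filter that keeps only WARNING and above; successful events stay INFO."""
    if outcome == "failure" or event in ("access_denied", "input_rejected"):
        return logging.WARNING
    return logging.INFO


def render_event(data):
    """Format an event exactly as the logger would write it (no handler needed)."""
    level = severity_for(data["event"], data["outcome"])
    record = logging.LogRecord("app.security", level, __file__, 0,
                               "%s %s", (data["event"], data["outcome"]), None)
    record.event_data = data
    return JsonLineFormatter().format(record)


def emit_event(logger, event, outcome, **fields):
    """Build, validate and log one event; returns the dict that was logged."""
    data = build_event(event, outcome, **fields)
    logger.log(severity_for(event, outcome), "%s %s", event, outcome,
               extra={"event_data": data})
    return data


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(JsonLineFormatter())
    log = logging.getLogger("app.security")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample event; the address is from a documentation range.
    emit_event(log, "login", "failure", user="bob", src_ip="203.0.113.5",
               host="web-1", request_id="req-0001", reason="bad_password")
```

The `request_id` is what lets an analyst join the failed login to the web server access log and the application trace for the same request, which is the "context" the section above asks for; without it, each log stands alone.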
Take measures to prevent attackers from tampering with log data
- Use encryption for data at rest and data in transit (SSL, TLS, HTTPS).
- Use copy-on-write storage. This ensures snapshots are taken, and data tampering can be detected by checking for unexpected snapshots.
- Sign files using an HMAC (Hash-based Message Authentication Code); this helps determine authenticity.
- Use a FIM (File Integrity Monitoring) system. FIM systems typically monitor user credentials, privileges, identities, operating systems, configuration files, application files, and encryption key stores.
- Use a WORM (Write Once Read Many) system. This ensures that once data is written to a device it cannot be modified.
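The HMAC point deserves a worked example, added here for this article (it is not Foresite's code and not a specific product's feature). Rather than signing each entry on its own, the example chains the tags: each tag covers its own entry plus the previous tag, so an edit, a deletion or a reordering breaks every tag after it rather than just one. The key, the sample events and the `tamper` helper are constructed for the demo; a real key would live in a secrets store or HSM, not beside the logs, because an attacker who can read the key can simply re-sign what they changed.

```python
import hashlib
import hmac
import json

# Placeholder key for the demo only. In production the key is held away from the
# log host (secrets store, HSM); a key stored next to the logs protects nothing.
DEMO_KEY = b"constructed-demo-key-do-not-use"

# Constructed events standing in for a short security log.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00Z", "event": "login", "outcome": "success", "user": "alice"},
    {"ts": "2024-03-01T10:05:00Z", "event": "login", "outcome": "failure", "user": "bob"},
    {"ts": "2024-03-01T10:07:00Z", "event": "config_change", "outcome": "success", "user": "admin"},
]


def _tag(key, prev_tag, line):
    # HMAC-SHA256 over (previous tag || this line): binds the entry to its position.
    return hmac.new(key, prev_tag + line.encode(), hashlib.sha256).hexdigest()


def sign_records(records, key):
    """Return [(line, tag)] where each tag covers its line AND the previous tag,
    so editing, deleting or reordering an entry breaks every tag after it."""
    signed, prev = [], b""
    for rec in records:
        line = json.dumps(rec, sort_keys=True)
        tag = _tag(key, prev, line)
        signed.append((line, tag))
        prev = bytes.fromhex(tag)
    return signed


def verify_chain(signed, key):
    """Return the index of the first entry that fails, or None if all verify."""
    prev = b""
    for i, (line, tag) in enumerate(signed):
        # compare_digest avoids leaking where the comparison diverges via timing.
        if not hmac.compare_digest(_tag(key, prev, line), tag):
            return i
        prev = bytes.fromhex(tag)
    return None


def tamper(signed, index, old, new):
    """Constructed tampering for the demo: edit one entry's text without re-signing."""
    edited = list(signed)
    line, tag = edited[index]
    edited[index] = (line.replace(old, new), tag)
    return edited


if __name__ == "__main__":
    chain = sign_records(SAMPLE_EVENTS, DEMO_KEY)
    print("intact:  ", verify_chain(chain, DEMO_KEY))
    print("edited:  ", verify_chain(tamper(chain, 1, '"failure"', '"success"'), DEMO_KEY))
    print("deleted: ", verify_chain(chain[:1] + chain[2:], DEMO_KEY))
    print("truncated:", verify_chain(chain[:2], DEMO_KEY))
```

One limitation the test makes explicit: cutting entries off the end of the chain still verifies, because nothing after them depends on them. Detecting truncation needs the latest tag (or a count) to be recorded somewhere the log host cannot rewrite, which is exactly the job the WORM storage and off-host backup points above are doing.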
Where should I start?
- Determine which logs to generate and backup.
- Decide how to retain logs by looking at the log sources and see how these should be properly collected, stored, and secured.
- Implement log storage and tooling for analysis. If you are using a central solution, you need to think about the large volumes of traffic moving across your network and ensure it’s transported securely.
- Have the correct tools installed to perform analysis.
- Validate that logging is working as expected. If you make changes within your network or to your infrastructure, think about how the logs from those systems are connected. As a precaution, review the logging strategy periodically.
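The last step, validating that logging is actually working, is the one most often left to chance. The example below is added for this article (not Foresite's tooling): it compares an inventory of sources that must log, each with the longest silence it is allowed, against the last-seen times a collector or SIEM reports, and flags sources that have gone quiet, sources that have never reported, and sources that are sending logs without being in the inventory at all (new kit, or a renamed host whose parsing rules may no longer apply). The host names, allowed gaps and timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory: every source that must log, with the longest silence
# each may show before it is treated as broken. A busy edge firewall logs
# constantly; a nightly backup job is legitimately quiet for most of a day.
EXPECTED_SOURCES = {
    "fw-edge-1": timedelta(minutes=5),
    "dc-1": timedelta(minutes=15),
    "web-1": timedelta(minutes=15),
    "backup-1": timedelta(hours=25),
}

# Constructed "last event received" times as a collector or SIEM would report them.
LAST_SEEN = {
    "fw-edge-1": datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc),
    "dc-1": datetime(2024, 3, 1, 11, 20, tzinfo=timezone.utc),
    "web-1": datetime(2024, 3, 1, 11, 58, tzinfo=timezone.utc),
    "vpn-gw-2": datetime(2024, 3, 1, 12, 1, tzinfo=timezone.utc),  # not in the inventory
}

# Constructed time at which the check runs.
CHECK_TIME = datetime(2024, 3, 1, 12, 2, tzinfo=timezone.utc)


def check_log_sources(expected, last_seen, now):
    """Compare the inventory against what actually arrived.

    silent:      expected sources whose last event is older than their allowed gap
    never_seen:  expected sources the collector has no events from at all
    unexpected:  sources sending logs that nobody put in the inventory
    """
    silent, never_seen = {}, []
    for src, max_gap in expected.items():
        if src not in last_seen:
            never_seen.append(src)
        elif now - last_seen[src] > max_gap:
            silent[src] = now - last_seen[src]
    unexpected = sorted(set(last_seen) - set(expected))
    return {"silent": silent, "never_seen": sorted(never_seen), "unexpected": unexpected}


def run_check():
    """Run the check against the constructed data; returns the report dict."""
    return check_log_sources(EXPECTED_SOURCES, LAST_SEEN, CHECK_TIME)


if __name__ == "__main__":
    report = run_check()
    for src, gap in report["silent"].items():
        print(f"ALERT silent source {src}: nothing received for {gap}")
    print("never seen:", report["never_seen"])
    print("unexpected:", report["unexpected"])
```

Run on a schedule, this turns "is the firewall still logging?" from something discovered during an incident into a routine alert. The per-source gap matters: a single global threshold either pages on every quiet batch job or misses a firewall that has been silent for an hour.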
Avoid security logging and monitoring failures
Foresite makes it easy to understand the risks facing your web applications with comprehensive web application penetration testing. Our experienced security professionals conduct thorough assessments of your web apps and provide detailed reports on the state of your systems. Contact us today for a quote!
James Clements
After 10 years in various IT Support roles Mr. Clements made the move into IT Security starting off as a Security Analyst. As a Security Analyst Mr. Clements provided log analysis on Firewalls, Windows Servers and End Points as well as performing change requests on Firewalls. As part of his role Mr. Clements was also a technical account manager for various SME/Public Sector customers providing detailed reporting on logs, incidents as well as providing security recommendations to harden their security posture.
Mr. Clements has since made the move into Consulting and Compliance services and performs internal and external penetration testing and vulnerability assessments, as well as web application and mobile application testing for both authenticated and unauthenticated applications.