Control Summary
Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Why is it needed?
Effective log collection and analysis play a pivotal role in an enterprise’s capacity to swiftly detect malicious activity. In certain instances, audit records serve as the sole evidence of a successful attack. It’s worth noting that attackers are well aware that many enterprises maintain audit logs primarily for compliance purposes but seldom delve into their analysis. This awareness empowers attackers to obfuscate their whereabouts, malicious software, and activities on compromised machines. Regrettably, due to deficient or nonexistent log analysis procedures, attackers can sometimes maintain control over victimised machines for extended periods, stretching into months or even years, without raising suspicion within the targeted enterprise.
In the context of log management, two distinct types of logs are typically addressed and often configured separately: system logs and audit logs. System logs predominantly capture system-level events, such as system process start and end times, crashes, and related data. These logs are inherent to the system and typically require minimal configuration to activate. In contrast, audit logs primarily document user-level events, such as login activities and file access. Configuring audit logs necessitates meticulous planning and effort to establish an effective and comprehensive logging framework.
Implementing the Control
The basic level of this control involves establishing and maintaining an audit log management process. This process defines the organisation's logging requirements and specifies the collection, review and retention of all log data.
Implementation Group 1 requires the following three safeguards:
8.1 Establish and Maintain an Audit Log Management Process
Create and sustain an audit log management procedure that outlines the enterprise’s logging prerequisites. This should encompass the gathering, examination, and retention of audit logs for enterprise assets. Review and revise the documentation annually, or whenever substantial enterprise changes take place that could influence this security measure.
8.2 Collect Audit Logs
Gather audit logs and verify that logging, as specified in the enterprise’s audit log management procedure, is activated across all enterprise assets.
8.3 Ensure Adequate Audit Log Storage
Verify that logging destinations have sufficient storage capacity to adhere to the requirements outlined in the enterprise’s audit log management procedure.
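As an added example (not part of the CIS control text or any CIS tooling), the following Python check shows how safeguards 8.2 and 8.3 can be verified mechanically from the collector's side: it flags assets that the process says must log but that have never sent an event or have gone silent, and flags log destinations whose capacity cannot hold the retention window the process requires. The asset inventory, destination figures, the 24-hour silence threshold and the 20% storage headroom are constructed assumptions for illustration.

```python
"""Coverage and capacity checks for CIS Control 8, safeguards 8.2 and 8.3.

Illustrative example, not CIS code. ASSETS and DESTINATIONS are constructed
sample data; in practice they would come from the asset inventory (8.1
defines what must be logged) and from the log collector's own metrics.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: which assets must log, and when the collector last
# received an event from each (None = never seen).
ASSETS = [
    {"host": "web-01",   "logging_required": True,  "last_event": "2024-05-01T11:58:00Z"},
    {"host": "db-01",    "logging_required": True,  "last_event": "2024-04-28T02:10:00Z"},
    {"host": "kiosk-07", "logging_required": True,  "last_event": None},
    {"host": "lab-vm-3", "logging_required": False, "last_event": None},
]

# Constructed destinations: measured daily ingest, required retention from the
# audit log management process, and provisioned capacity.
DESTINATIONS = [
    {"name": "siem-hot", "capacity_gb": 6000, "daily_ingest_gb": 45.0, "retention_days": 90},
    {"name": "archive",  "capacity_gb": 2000, "daily_ingest_gb": 5.0,  "retention_days": 365},
]

# Constructed "current time" so the example is reproducible offline.
REPORT_TIME = "2024-05-01T12:00:00Z"


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def coverage_gaps(assets, now, max_silence=timedelta(hours=24)):
    """Safeguard 8.2: required assets that never logged or have gone silent.

    max_silence is an assumed threshold; tune it to the asset's expected
    event rate (a busy server should be heard from far more often).
    """
    gaps = []
    for a in assets:
        if not a["logging_required"]:
            continue
        if a["last_event"] is None:
            gaps.append((a["host"], "no events ever received"))
            continue
        silence = now - parse_ts(a["last_event"])
        if silence > max_silence:
            hours = int(silence.total_seconds() // 3600)
            gaps.append((a["host"], f"silent for {hours} h"))
    return gaps


def storage_shortfalls(destinations, headroom=1.2):
    """Safeguard 8.3: destinations that cannot hold the required retention window.

    headroom is an assumed 20% margin for ingest spikes and index overhead.
    Returns (name, needed_gb, capacity_gb) for each destination that falls short.
    """
    short = []
    for d in destinations:
        needed = d["daily_ingest_gb"] * d["retention_days"] * headroom
        if needed > d["capacity_gb"]:
            short.append((d["name"], round(needed, 1), d["capacity_gb"]))
    return short


def run_checks(now_iso=REPORT_TIME):
    """Run both checks and return the findings as a dict."""
    now = parse_ts(now_iso)
    return {
        "coverage_gaps": coverage_gaps(ASSETS, now),
        "storage_shortfalls": storage_shortfalls(DESTINATIONS),
    }


if __name__ == "__main__":
    findings = run_checks()
    for host, reason in findings["coverage_gaps"]:
        print(f"8.2 gap: {host}: {reason}")
    for name, needed, cap in findings["storage_shortfalls"]:
        print(f"8.3 shortfall: {name} needs {needed} GB for retention, has {cap} GB")
```

With the sample data, db-01 is reported as silent for 81 hours and kiosk-07 as never having logged, while lab-vm-3 is skipped because the process does not require it to log; the archive destination is flagged because 5 GB/day over 365 days with 20% headroom needs about 2190 GB against 2000 GB provisioned. Running such a check on a schedule turns safeguards 8.2 and 8.3 from a one-off configuration task into a continuously verified state.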
Additional safeguards at level 2 or 3:
8.4 Standardise Time Synchronisation
8.5 Collect Detailed Audit Logs
8.6 Collect DNS Query Audit Logs
8.7 Collect URL Request Audit Logs
8.8 Collect Command-Line Audit Logs
8.9 Centralize Audit Logs
8.10 Retain Audit Logs
8.11 Conduct Audit Log Reviews
8.12 Collect Service Provider Logs
