
Centralized Logging

Centralized log storage should be configured. Having logs in a central repository allows for more scalable security monitoring and intrusion detection capabilities. A centralized log repository can also help to verify the integrity of log information should the endpoint’s view of the logs be corrupted or intentionally altered. Ensuring the integrity of log information should be considered when transmitting and storing log data.

Note
Syslog, the most widely used logging subsystem, by default transmits log data in plaintext over UDP/514 when sending data to a remote server. UDP, a transport protocol that does not guarantee the delivery of transmissions, has implications for ensuring the continuity of logging: the central log server might not have received all of the log data, and the endpoint has no way of knowing that delivery failed. The plaintext nature of Syslog means that a suitably positioned adversary could see the (potentially sensitive) log data as it traverses the network. Syslog messages may also be spoofed due to the lack of authentication, lack of encryption, and use of UDP as the layer 4 transport protocol.

In addition to the centralized logs, at least a limited set of recent logs should preferably be maintained on the endpoint system itself. Having local logs in addition to the centralized log store helps in several ways. Should the continuity of logging be disrupted, the logs might still be recoverable from the endpoint. If an adversary intentionally corrupts or edits the logs on the endpoint, comparing the endpoint copy with the central copy can point incident responders to the adversary's activities.
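As an added illustration (not taken from the text above), the following rsyslog client fragment places the default plaintext UDP forwarder beside a hardened configuration that addresses each weakness the note describes: TCP with a disk-assisted queue for continuity, TLS for confidentiality, and mutual x509 authentication so the collector accepts only certificate-bearing endpoints. The collector name, port 6514, and the certificate paths are assumptions chosen for the example.

```conf
# Local copy kept on the endpoint itself, so an outage or
# tampering on one side can be compared against the other.
*.*  /var/log/syslog

# WEAK (rsyslog default style): plaintext, UDP/514, no delivery
# guarantee, no authentication of either party.
# *.*  @logcollector.example.com:514

# HARDENED: TLS over TCP with mutual certificate verification.
# Paths below are placeholders for this example.
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/tls/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/tls/client-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/tls/client-key.pem"
)

action(
  type="omfwd"
  target="logcollector.example.com"
  port="6514"
  protocol="tcp"
  StreamDriver="gtls"
  StreamDriverMode="1"                     # 1 = TLS required
  StreamDriverAuthMode="x509/name"         # verify the collector's cert name
  StreamDriverPermittedPeers="logcollector.example.com"
  # Disk-assisted queue: buffer messages locally while the
  # collector is unreachable instead of silently dropping them.
  queue.type="LinkedList"
  queue.filename="fwd_logcollector"
  queue.saveOnShutdown="on"
  queue.maxDiskSpace="1g"
  action.resumeRetryCount="-1"             # retry forever
)
```

The collector side must be configured with a matching TLS listener (imtcp with the gtls driver and the same CA) and its own permitted-peer list, or the endpoint's connection will be refused.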

Log Retention

A retention and rotation policy for log information should be created and maintained. Retention and rotation should vary depending upon the source of the log, the type of logged information, and the practical value of the log information. Having a tremendous volume of log data that is categorically ignored provides very little value and can also make finding meaningful data in the rest of the logs more challenging. While the security value of the log information is important, log retention can also be relevant to legal or regulatory compliance, and those legal or regulatory obligations must be accounted for when deciding how long logs are retained.

Compliance Checks

Compliance checks review an organization’s policies and procedures to verify that they are compliant with best practices and with relevant industry and government standards. NIST Special Publication 800-53, Revision 5—Security and Privacy Controls for Information Systems and Organizations states the following:

Organizations should answer several key questions when addressing information security and privacy controls:

  • What security and privacy controls are needed to satisfy security and privacy requirements and to adequately manage mission/business risks or risks to individuals?
  • Have the selected controls been implemented or is there a plan in place to do so?
  • What is the required level of assurance (i.e., grounds for confidence) that the selected controls, as designed and implemented, are effective? [5]

NIST SP 800-53R5 lists the following controls that should be verified:

  • Access Control
  • Awareness
  • Audit and Accountability
  • Assessment, Authorization, and Monitoring
  • Configuration Management
  • Contingency Planning
  • Identification and Authentication
  • Incident Response
  • Maintenance
  • Media Protection
  • Physical and Environmental Protection
  • Planning
  • Program Management
  • Personnel
  • Personally Identifiable Information Processing and Transparency
  • Risk Assessment
  • System and Services Acquisition
  • System and Communications Protection
  • System and Information Integrity
  • Supply Chain Risk Management [5]

Then perform the following steps: first, conduct a gap analysis to see whether these controls (and any additional controls the organization needs) are in place; then determine whether the controls are comprehensive and effective.