ITM Tech Cybersecurity Essentials Booklet - Flipbook - Page 27
CONTROL 08
08 - Audit Log Management

Collect, alert, review, and retain audit logs of events that could help detect,
understand, or recover from an attack.

Why Is This CIS Control Critical?

Log collection and analysis is critical for an enterprise's ability to detect
malicious activity quickly. Sometimes audit records are the only evidence of a
successful attack. Attackers know that many enterprises keep audit logs for
compliance purposes, but rarely analyse them. Attackers use this knowledge to
hide their location, malicious software, and activities on victim machines. Due
to poor or nonexistent log analysis processes, attackers sometimes control
victim machines for months or years without anyone in the target enterprise
knowing.

Logging records are also critical for incident response. After an attack has
been detected, log analysis can help enterprises understand the extent of an
attack. Complete logging records can show, for example, when and how the attack
occurred, what information was accessed, and if data was exfiltrated. Retention
of logs is also critical in case a follow-up investigation is required or if an
attack remained undetected for a long period of time.

THE SAFEGUARDS

Safeguards Total: 12, of which Implementation Group 1 (IG1) 3/12,
Implementation Group 2 (IG2) 11/12, Implementation Group 3 (IG3) 12/12.

Safeguard  Title                                                    Asset Type  Security Function
8.1        Establish and Maintain an Audit Log Management Process   Network     Protect
8.2        Collect Audit Logs                                       Network     Protect
8.3        Ensure Adequate Audit Log Storage                        Network     Protect
8.4        Standardise Time Synchronisation                         Network     Detect
8.5        Collect Detailed Audit Logs                              Network     Detect
8.6        Collect DNS Query Audit Logs                             Network     Detect
8.7        Collect URL Request Audit Logs                           Network     Detect
8.8        Collect Command-Line Audit Logs                          Devices     Detect
8.9        Centralise Audit Logs                                    Network     Detect
8.10       Retain Audit Logs                                        Network     Protect
8.11       Conduct Audit Log Reviews                                Network     Detect
8.12       Collect Service Provider Logs                            Data        Detect

There are two types of logs that are generally treated and often configured
independently: system logs and audit logs. System logs typically provide
system-level events that show various system process start/end times, crashes,
etc. These are native to systems, and take less configuration to turn on. Audit
logs typically include user-level events—when a user logged in, accessed a file,
etc.—and take more planning and effort to set up.
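An added example, not from the ITM Tech booklet or from CIS, of what a small automated pass under safeguard 8.11 (Conduct Audit Log Reviews) can look like once audit logs have been centralised (8.9). It reads user-level events of the kind described above (logins, file accesses), checks that every host the log management process expects is actually sending logs (8.2), flags timestamps that fall far behind the stream's high-water mark, which is what unsynchronised clocks or broken delivery look like at the collector (8.4), and reports logins that were preceded by a burst of failures so a reviewer can look at them. The hostnames, users, addresses, log lines and the line format are all constructed for this example and are not any product's real output.

```python
"""Added example (not from the ITM Tech booklet or CIS): a minimal automated
audit-log review over constructed, centralised log lines.  Hosts, users,
addresses and the line format are all made up for illustration."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one line per audit event as a collector might store it.
# Format (an assumption): <ISO-8601 timestamp> <host> <event> key=value ...
SAMPLE_LINES = """\
2024-03-01T08:00:05+00:00 web01 login user=alice src=10.0.0.5 result=success
2024-03-01T08:00:09+00:00 web01 file_access user=alice path=/srv/app/config.yml
2024-03-01T08:01:40+00:00 db01 login user=svc_backup src=10.0.0.20 result=success
2024-03-01T08:02:00+00:00 web01 login user=bob src=203.0.113.7 result=failure
2024-03-01T08:02:03+00:00 web01 login user=bob src=203.0.113.7 result=failure
2024-03-01T08:02:06+00:00 web01 login user=bob src=203.0.113.7 result=failure
2024-03-01T08:02:09+00:00 web01 login user=bob src=203.0.113.7 result=failure
2024-03-01T08:02:12+00:00 web01 login user=bob src=203.0.113.7 result=failure
2024-03-01T08:02:15+00:00 web01 login user=bob src=203.0.113.7 result=success
2024-02-29T23:55:00+00:00 fs01 file_access user=carol path=/data/finance/q1.xlsx
2024-03-01T08:05:00+00:00 fs01 file_access user=carol path=/data/finance/q2.xlsx
"""

# Hosts the (hypothetical) audit log management process says must be logging.
EXPECTED_HOSTS = {"web01", "db01", "fs01", "vpn01"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\S+)\s*(?P<fields>.*)$")


@dataclass
class AuditEvent:
    ts: datetime
    host: str
    event: str
    fields: dict[str, str]


def parse_line(line: str) -> AuditEvent:
    """Parse one constructed audit line; reject anything that does not fit."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable audit line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["fields"].split() if "=" in kv)
    return AuditEvent(datetime.fromisoformat(m["ts"]), m["host"], m["event"], fields)


def review(text: str, expected_hosts: set[str], *,
           skew_tolerance: timedelta = timedelta(seconds=60),
           failure_threshold: int = 5,
           window: timedelta = timedelta(minutes=5)) -> dict:
    """Run three checks over a centralised log extract and return the findings."""
    events = [parse_line(ln) for ln in text.splitlines() if ln.strip()]

    # Check 1 (coverage, 8.2/8.9): every expected host must have sent something.
    per_host = Counter(e.host for e in events)
    silent_hosts = sorted(expected_hosts - set(per_host))

    # Check 2 (time synchronisation, 8.4): the stream is stored in arrival
    # order, so a timestamp far behind the high-water mark means a host clock
    # is wrong or delivery is badly delayed; either breaks event correlation.
    out_of_order: list[tuple[str, str]] = []
    high_water: datetime | None = None
    for e in events:
        if high_water is not None and e.ts < high_water - skew_tolerance:
            out_of_order.append((e.host, e.ts.isoformat()))
        if high_water is None or e.ts > high_water:
            high_water = e.ts

    # Check 3 (review, 8.11): a successful login preceded by many failures
    # from the same source within the window is worth a human look.
    failures: dict[tuple, list[datetime]] = defaultdict(list)
    suspicious_logins: list[tuple] = []
    for e in events:
        if e.event != "login":
            continue
        key = (e.host, e.fields.get("user"), e.fields.get("src"))
        result = e.fields.get("result")
        if result == "failure":
            failures[key].append(e.ts)
        elif result == "success":
            recent = [t for t in failures[key] if e.ts - t <= window]
            if len(recent) >= failure_threshold:
                suspicious_logins.append((*key, len(recent)))
            failures[key].clear()

    return {
        "events_per_host": dict(per_host),
        "silent_hosts": silent_hosts,
        "out_of_order": out_of_order,
        "suspicious_logins": suspicious_logins,
    }


if __name__ == "__main__":
    for name, finding in review(SAMPLE_LINES, EXPECTED_HOSTS).items():
        print(f"{name}: {finding}")
```

Run against the constructed sample, the review reports that vpn01 has sent nothing, that fs01 delivered an event whose timestamp is hours behind the rest of the stream, and that bob's login on web01 followed five failures from the same address. The thresholds are keyword arguments so the same routine can be tuned per environment, and the checks are deliberately separate so a retention or storage problem (8.3, 8.10) surfaces as a silent host rather than being hidden inside the login review.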
Did You Know?

Most businesses are legally obligated to have a data audit trail. Multiple
government-mandated standards and regulations, including ISO 27001, PCI-DSS,
HIPAA, PNR Directive, and more, require some form of audit trail. Talk to us
today to help configure your Auditing.