Attacks/Breaches
7/1/2021 01:00 PM
Robert Meyers
Commentary

Why Are There Never Enough Logs During an Incident Response?

Most security pros believe their responses could be dramatically quicker were the right logs available, and usually they're not.

When an incident occurs, response teams regularly run into the same obstacle: a lack of usable logs. Between missing logs and poor configuration, companies are often more blind than they think, and they find out only when a cyberattack happens.


Logs are records of the events that occur in a computer system or application. Simple as they are, event logs are the main source of information for the analysts responsible for determining the cause, nature, and impact of a cybersecurity incident. Yet these records are often incomplete or, even worse, nonexistent.

This isn't a secret, either. Most incident responders believe their response could have been dramatically quicker if the right logs were available to them from the outset — and normally, they're not.

Most surprising of all, system administrators usually realize they are sorely lacking in logs only after an incident occurs. Root cause analysis then requires after-the-fact forensics instead of immediate action, and it often takes forensic analysts a very long time to determine the scale of an attack. Worse, sometimes a full analysis can't be carried out at all, because the right information was never collected, or was not retained long enough and has since been overwritten.

How did it come to this? Let's take a look at why so many companies have an insufficient log management strategy and how they can fix it before a cyber-incident occurs.  

Default Settings Lead to Failure 
The reality is that very few companies implement a true logging strategy. Most run with default configurations that generate a basic log and are set to overwrite old entries to save storage. The idea is that only the most useful information is kept, but the result is a lowest common denominator that rarely corresponds to the company's cybersecurity needs.

With each product writing logs to its own location (often one the admin doesn't know about), the lack of centralized logs makes identifying a cyberattack even more complicated. Typically, when an incident occurs, the IT department isn't prepared to answer the incident response team's requests. Unable to say which machine or user held the affected IP address at the time in question, companies struggle to determine how the incident occurred and how far it has spread across the network.

So even redirecting logs to a central log service isn't enough. Admins need to collect all logs and also turn on auditing and verbose logging, two settings that are often ignored. Instead of real data, businesses end up storing generic "start" and "stop" entries, showing that a piece of software was opened and then closed with no further detail, rather than the events an investigator actually needs, such as "user BadActor started program Y" and "user BadActor copied files to share X."
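The two questions above, "which user or machine held this IP at that time?" and "what did that user actually do?", are what a responder asks first. The following is an added example, not code from the article or from One Identity, that answers both from a handful of constructed Windows-style security events (logon 4624 with source address, process creation 4688 with command line, share access 5145) and shows that the same queries against a default "service started/stopped" log return nothing. The event records, user names, hosts and IP addresses are all constructed for illustration.

```python
"""Added example (not from the article): answering "who was on that IP?" and
"what did that user do?" from constructed Windows-style security events, and
showing that a default 'service started/stopped' log cannot answer either."""
from datetime import datetime

# Constructed sample events (not real data). Event IDs follow the Windows
# Security log: 4624 = logon with source address, 4688 = process creation
# with command line, 5145 = network share object access. 7036 is the generic
# System-log "service entered the running/stopped state" message, which is
# about all a default configuration leaves behind.
DEFAULT_LOG = [
    {"time": "2021-06-30T09:00:00", "id": 7036,
     "msg": "The Print Spooler service entered the running state."},
    {"time": "2021-06-30T09:41:10", "id": 7036,
     "msg": "The Print Spooler service entered the stopped state."},
]

VERBOSE_LOG = [
    {"time": "2021-06-30T08:58:12", "id": 4624, "user": "CORP\\BadActor",
     "host": "WKS-17", "src_ip": "10.0.5.23"},
    {"time": "2021-06-30T09:02:44", "id": 4688, "user": "CORP\\BadActor",
     "host": "WKS-17", "process": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c copy C:\\Finance\\*.xlsx \\\\FS01\\Shared\\tmp"},
    {"time": "2021-06-30T09:02:45", "id": 5145, "user": "CORP\\BadActor",
     "host": "FS01", "src_ip": "10.0.5.23", "share": "\\\\FS01\\Shared",
     "object": "tmp\\Q2.xlsx", "access": "WriteData"},
    {"time": "2021-06-30T09:30:00", "id": 4624, "user": "CORP\\jdoe",
     "host": "WKS-17", "src_ip": "10.0.5.23"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def who_was_on_ip(events, ip, at):
    """Return (user, host) of the most recent logon from `ip` at or before `at`,
    or None when the log holds no logon events for that address at all."""
    candidates = [e for e in events
                  if e["id"] == 4624 and e.get("src_ip") == ip
                  and _ts(e["time"]) <= _ts(at)]
    if not candidates:
        return None
    latest = max(candidates, key=lambda e: _ts(e["time"]))
    return latest["user"], latest["host"]


def actions_by_user(events, user):
    """Rebuild a readable, time-ordered timeline of what `user` did."""
    lines = []
    for e in sorted(events, key=lambda e: _ts(e["time"])):
        if e.get("user") != user:
            continue
        if e["id"] == 4688:
            lines.append(f'{e["time"]} {user} started {e["process"]} '
                         f'on {e["host"]}: {e["cmdline"]}')
        elif e["id"] == 5145:
            lines.append(f'{e["time"]} {user} {e["access"]} {e["object"]} '
                         f'on {e["share"]} from {e["src_ip"]}')
    return lines


if __name__ == "__main__":
    print(who_was_on_ip(VERBOSE_LOG, "10.0.5.23", "2021-06-30T09:05:00"))
    print(who_was_on_ip(DEFAULT_LOG, "10.0.5.23", "2021-06-30T09:05:00"))
    for line in actions_by_user(VERBOSE_LOG, "CORP\\BadActor"):
        print(line)
```

The point of the second logon event is that the same IP address maps to a different user half an hour later: without timestamps on logon events, "the machine on IP 10.0.5.23" is not an answer. The same applies to DHCP leases in environments where addresses are not static; those lease logs need to be collected and retained alongside the authentication events.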

As if missing logs and restricted detail weren't disabling enough on their own, the compromise of a privileged account makes things worse. Without a proper logging strategy, it's a good bet that the compromised account will be able to delete or manipulate whatever logs do exist, so an attacker can remove the most useful information from a log to make an investigation more challenging, if not impossible, to complete.

Creating an Effective Logging Strategy 
An effective logging strategy is the key to a strong incident response program. The details will vary with the company and the sensitivity of its information systems, but the requirements are the same: businesses need collectors on all systems, whether cloud, on-premises, hybrid, or application, and the logs need to be aggregated and searchable from a single location. The logs themselves also need to be protected; remember that the most notorious breaches of the last 10 years have involved insecure logs.
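One concrete way to protect shipped logs against the privileged-account problem described earlier and the "logs themselves need to be protected" requirement here is to make the collector's copy tamper-evident. The following is an added example, not code from the article or from any product it mentions: a hash-chained log in which every entry commits to the hash of the entry before it, and the collector keeps the current head hash somewhere the source host cannot write. Deleting, editing, reordering or truncating what has already been shipped then fails verification. It does not stop an attacker from silencing future events on a host they control; it only guarantees that what already reached the collector cannot be altered quietly. The event records are constructed for illustration.

```python
"""Added example (not from the article): a tamper-evident, hash-chained log on
the collector side. Each entry commits to the previous entry's hash and the
collector records the head hash out of the source host's reach, so deletion,
modification, reordering or truncation of shipped records is detected."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # prev-hash of the first entry


def _entry_hash(prev_hash, record):
    """SHA-256 over the previous hash plus a canonical JSON encoding of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode("utf-8")).hexdigest()


def append(chain, record):
    """Append `record` and return the new head hash, which the collector stores separately."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return chain[-1]["hash"]


def verify(chain, expected_head):
    """Return (ok, reason). `expected_head` is the head hash the collector recorded."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"entry {i}: link broken, an earlier entry was deleted or reordered"
        if _entry_hash(prev, entry["record"]) != entry["hash"]:
            return False, f"entry {i}: record content modified"
        prev = entry["hash"]
    if prev != expected_head:
        return False, "chain truncated: last entry does not match the collector's head hash"
    return True, "ok"


# Constructed sample records (not real data): a privileged session that creates a
# local admin account, then clears the Security log (Windows event 1102).
SAMPLE_RECORDS = [
    {"time": "2021-06-30T09:02:44", "id": 4688, "user": "CORP\\BadActor",
     "cmdline": "net user backupsvc P@ss /add"},
    {"time": "2021-06-30T09:02:50", "id": 4732, "user": "CORP\\BadActor",
     "msg": "backupsvc added to Administrators"},
    {"time": "2021-06-30T09:10:00", "id": 1102, "user": "CORP\\BadActor",
     "msg": "The audit log was cleared"},
]


def build_sample_chain():
    """Ship the sample records and return (chain, head hash kept by the collector)."""
    chain, head = [], GENESIS
    for rec in SAMPLE_RECORDS:
        head = append(chain, rec)
    return chain, head


def tamper_delete_middle(chain):
    """Attacker removes the 'added to Administrators' entry."""
    c = copy.deepcopy(chain)
    del c[1]
    return c


def tamper_edit(chain):
    """Attacker rewrites the command line in place, leaving the stored hash alone."""
    c = copy.deepcopy(chain)
    c[0]["record"]["cmdline"] = "net user /domain"
    return c


def tamper_truncate(chain):
    """Attacker drops the final 'log cleared' entry."""
    return copy.deepcopy(chain)[:-1]


if __name__ == "__main__":
    chain, head = build_sample_chain()
    print(verify(chain, head))
    print(verify(tamper_delete_middle(chain), head))
    print(verify(tamper_edit(chain), head))
    print(verify(tamper_truncate(chain), head))
```

The truncation case is why the collector must hold the head hash (or a signed checkpoint) itself: a chain that is internally consistent but shorter than it should be is indistinguishable from an honest one without that anchor. In practice the same property is obtained by forwarding to an append-only store or a write-once bucket; the chain simply makes the check explicit.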

Once businesses have the logs, they need to audit them and run tabletop exercises that try to use the logs to identify a given activity. This helps corporate teams understand why a single interface for querying all logs multiplies the effectiveness of an investigation and shortens intervention time by several days.

It's also important to implement dedicated monitoring for privileged accounts to ensure that privileged events are logged. The goal is to capture enough events to reconstruct a complete session and easily determine the actions taken by an administrator or other privileged account; without careful consideration, hundreds of critical events can be missed or deleted. Using dedicated solutions that retain logs from the different systems for more than a year, rather than the usual 90 days, gives IT teams the material they need to properly analyze an incident.
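On Linux, the "log every privileged action, and don't let the privileged account switch logging off" requirement maps directly onto the kernel audit subsystem. The following auditd rule set is an added example, not the article's or any vendor's configuration; the file path and the binary locations are assumptions to adjust for the distribution in use, and `-e 2` must stay the last line because nothing after it is loaded.

```conf
## Added example (not from the article): auditd rules that record every
## privileged action and then lock themselves. Assumed install path:
## /etc/audit/rules.d/99-priv.rules, loaded by augenrules at boot.

## Flush previously loaded rules and size the backlog so bursts are not dropped
-D
-b 8192
## On failure to log, print to the kernel log (1) rather than silently drop (0)
-f 1

## Every program executed with effective root, keyed by the original login
## (auid) so "who became root via su/sudo" survives; auid 4294967295 is
## "unset", which excludes daemons started at boot
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid!=4294967295 -k priv_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid!=4294967295 -k priv_exec

## Changes to who may escalate, and to the audit configuration itself
-w /etc/sudoers -p wa -k priv_policy
-w /etc/sudoers.d/ -p wa -k priv_policy
-w /etc/audit/ -p wa -k audit_config
-w /sbin/auditctl -p x -k audit_tools
-w /sbin/auditd -p x -k audit_tools

## Immutable: even root cannot add, delete or disable rules without a reboot,
## and the reboot itself leaves a record. Must be the last rule.
-e 2
```

Search the resulting records with `ausearch -k priv_exec` (or by `auid`) to walk one administrator's session end to end. The `-e 2` flag protects the rules, not the files under /var/log/audit/, so the records still have to be forwarded off the host, for example through the audisp remote plugin or a log shipper, to a collector that retains them for the longer period the paragraph above calls for.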

Strong logging strategies aren't a new concept, but when companies neglect logs they're setting themselves up for failure when a cyberattack occurs. Implementing a solid logging strategy will not only enable organizations to react quickly and effectively in times of crisis but also speed resolution and root cause analysis.

Robert Meyers is the compliance and privacy professional and channel program solutions architect at One Identity. He is a 30-year veteran of the identity and access systems and information security industry, with more than 10 years of that time focused on planning, ...

Comments

AndyRobbins, 7/10/2021 | 6:29:18 PM
Great article
Great article, Robert. Logging is one of those fundamental security controls that is actually much harder to get right than most realize.