Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

The power of logs is that they can potentially tell us what happened on one or more systems at a given time. When attackers compromise systems, those systems can dutifully report and record everything they are doing, including everything the attacker did to them, provided the audit logs are configured correctly.

Example of How Well-Configured Logs Help

A media distribution company discovers that their unreleased films are being traded on the Internet. If they have well-configured logs running on all systems, their security team can observe: unusual commands, errors, and escalations of privileges that occurred on servers, routers or intrusion detection systems; system accounts that were unusually active; machines from inside or outside the network that accessed compromised systems; where copies of the movie files went. Perhaps their logs, rather than rumors, would have let them know that their intellectual property was being breached as it happened.

The media company could then work with the proper authorities to contact owners of suspicious systems to see what they were up to. They can discover what vulnerabilities must be patched to prevent further leaks. They will know which intellectual properties were compromised and which were not.
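The observations listed above (privilege escalations, unusually active service accounts, outside machines reaching a sensitive server, and where copies of files went) only fall out of logs if something actually reads them. The following is an added example, not code from the original post or from the CIS control text: a small Python pass over constructed syslog-style lines from a hypothetical host named `fileserv`. The `xfer` transfer-log format, the internal address ranges in `INTERNAL_NETS`, the `/media/unreleased/` path and every account, address and file name are assumptions made up for the illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log lines (not from the original post): syslog-style sshd and
# sudo entries plus a hypothetical "xfer" file-server transfer log for a host
# named fileserv. Hostnames, users, paths and addresses are all made up.
SAMPLE_LOGS = """\
Mar 03 01:12:04 fileserv sshd[2201]: Accepted password for svc_backup from 10.0.5.17 port 51422 ssh2
Mar 03 01:12:31 fileserv sudo: svc_backup : TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/bash
Mar 03 01:13:02 fileserv sshd[2210]: Accepted publickey for svc_backup from 203.0.113.45 port 40012 ssh2
Mar 03 01:14:10 fileserv xfer[2230]: user=svc_backup src=/media/unreleased/film_A.mkv dst=203.0.113.45 bytes=8589934592
Mar 03 01:15:45 fileserv sshd[2244]: Failed password for root from 203.0.113.45 port 40020 ssh2
Mar 03 02:00:00 fileserv sshd[2301]: Accepted password for alice from 10.0.5.22 port 51500 ssh2
Mar 03 02:01:12 fileserv sshd[2305]: Accepted password for svc_backup from 10.0.5.17 port 51510 ssh2
Mar 03 02:01:20 fileserv sshd[2306]: Accepted password for svc_backup from 10.0.5.17 port 51511 ssh2
Mar 03 02:03:33 fileserv xfer[2320]: user=alice src=/media/released/trailer.mp4 dst=10.0.5.22 bytes=104857600
"""

# Assumed address ranges for the company's internal network (hypothetical).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumed location of material that must never leave the network (hypothetical).
SENSITIVE_PREFIX = "/media/unreleased/"

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed \S+ for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")
XFER_RE = re.compile(r"xfer\[\d+\]: user=(\S+) src=(\S+) dst=(\S+) bytes=(\d+)")


def is_external(addr: str) -> bool:
    """True when addr lies outside every internal range (unparsable hosts count as external)."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def analyze(logs: str, login_threshold: int = 3) -> dict:
    """Walk the log text once and collect the observations the post lists."""
    findings = {
        "escalations": [],          # (account, target user, command) from sudo
        "external_logins": [],      # (account, source address) accepted from outside
        "failed_logins": [],        # (account, source address) rejected attempts
        "active_accounts": {},      # account -> login count, only at/above threshold
        "sensitive_transfers": [],  # (account, path, destination, bytes, external?)
    }
    login_counts = Counter()
    for line in logs.splitlines():
        if m := LOGIN_RE.search(line):
            user, src = m.groups()
            login_counts[user] += 1
            if is_external(src):
                findings["external_logins"].append((user, src))
        elif m := FAILED_RE.search(line):
            findings["failed_logins"].append(m.groups())
        elif m := SUDO_RE.search(line):
            user, target, cmd = m.groups()
            if user != target:  # only record real changes of identity
                findings["escalations"].append((user, target, cmd.strip()))
        elif m := XFER_RE.search(line):
            user, src, dst, size = m.groups()
            if src.startswith(SENSITIVE_PREFIX):
                findings["sensitive_transfers"].append(
                    (user, src, dst, int(size), is_external(dst))
                )
    findings["active_accounts"] = {
        u: n for u, n in login_counts.items() if n >= login_threshold
    }
    return findings


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOGS).items():
        print(f"{category}: {items}")
```

Run as a script it prints one line per category; in the constructed sample, the service account `svc_backup` escalates to root, logs in from an outside address, and then pushes an unreleased file to that same address, which is exactly the chain the post says well-configured logs make visible. The thresholds and address ranges are the parts a real deployment would tune; the parsing is deliberately per-line so the same function can be pointed at a whole day of syslog output.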

Unmanaged Logs Hurt

If that same media company did not configure their audit logs well, they would not have known how the movie copies got out. Vulnerable systems could have remained vulnerable. Intellectual property could have remained exposed. A computer forensics team could have been at a loss to help them determine the technical causes

...

Source: Eric Cole @ McAfee Security Insights Blog

Copyright © 2010 The Security Blog. All rights reserved.