Written By: Austin Miller
Logging is fundamental to effective security practices, but sometimes it goes wrong. It’s not exactly a glamorous role – collecting event logs from various systems, analyzing the data, and then compressing and safely storing everything that has been collected – but failures in logging are common enough that they have been recognized as a standalone weakness, CWE-778: Insufficient Logging!
Getting the best out of your logging practices isn’t easy, though, and even OWASP acknowledges that insufficient logging is difficult to grasp. It’s vague and not an immediate problem until there is a breach. For companies looking to cut their cybersecurity budget, expensive log management tools can look like an expendable luxury. They aren’t quite so expendable when the adversary slips through the gaps unnoticed or a sophisticated ransomware gang destroys your event and security logs!
Our penultimate guide on turning the OWASP Top 10 into actionable security practices is all about giving log management the respect it deserves. Have any tips on how to effectively manage log data? Send us an email at [email protected] or tag me on the SecPro Discord.
Where Do We See Security Logging and Monitoring Failures?
Getting a clear answer on how many cyberattacks come from security logging and monitoring failures is difficult for one key reason – no one wants to publicly say that they were hacked because they weren’t following basic protocol.
But this isn’t a game of bashing the ineffectual security analyst. Logging and monitoring failure can also be inflicted on an organization through clever play from the adversary. In this week’s SecPro newsletter alone, we’ve covered one of the most notorious examples – the LockBit 2.0 ransomware, which deletes security and event logs and then disables logging so that no new entries are created. Without carefully stored backups of the log data, the victim is left with an empty log and no way to restore it.
How Do I Stop Security Logging and Monitoring Failures?
Because “clear protocols about the importance of data logging” is a little obvious, here are some other helpful tips to improve your defenses against security logging and monitoring failures.
- Ensure that all systems are configured to create logs – not all devices automatically collect log data, meaning that you will have blind spots in your records. Pay special attention to IoT devices!
- All logs should be kept in a consistent format, or your team should be supported with software like Splunk or Gravwell that allows you to easily combine and analyze log data from one interface.
- Collected log data should be correctly encoded and encrypted so that it cannot be tampered with (e.g., entries injected or deleted) by insider attackers or outside adversaries.
- Audit trails should be properly logged, especially in the case of high value transactions.
- The security team should establish consistent monitoring practices with automated alerts.
- Creating a proper incident response and recovery plan based on the advice in NIST 800-61r2 will help you protect and utilize log data to its fullest (the full NIST document can be found here).
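As an added illustration of the tamper-resistance and monitoring points in the list above (this is example code written for this guide, not a SecPro or OWASP tool), here is a small hash-chained audit log in Python. Each record carries an HMAC over its own content plus the previous record’s tag, so an edited, injected or deleted entry breaks the chain from that point on, and a checkpoint of the latest tag kept off the host reveals a wipe of the kind described in the LockBit case above. The signing key, event fields and function names are assumptions made for the example. Note that encryption on its own only protects confidentiality; a keyed chain like this is what provides the tamper evidence.

```python
"""Tamper-evident audit log (example code, not from the original guide).

Each record is MACed together with the previous record's tag, so any
modification, insertion or deletion breaks the chain from that point.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed key for the example only. A real deployment would keep the
# key in a secrets store or HSM, away from the host that writes the logs.
LOG_KEY = b"example-only-log-signing-key"

GENESIS_TAG = "0" * 64  # the "previous tag" of the very first record


def _canonical(record: Dict) -> bytes:
    """Stable serialisation so the MAC does not depend on dict ordering."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: List[Dict], event: Dict, key: bytes = LOG_KEY) -> Dict:
    """Append an event to the chain and return the stored record."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS_TAG
    body = {"seq": len(chain), "event": event, "prev": prev_tag}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, tag=tag)
    chain.append(record)
    return record


def verify_chain(chain: List[Dict], key: bytes = LOG_KEY) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad record."""
    prev_tag = GENESIS_TAG
    for expected_seq, record in enumerate(chain):
        body = {k: record[k] for k in ("seq", "event", "prev")}
        expected_tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if (record["seq"] != expected_seq          # a deletion shifts later seqs
                or record["prev"] != prev_tag        # an insertion breaks the link
                or not hmac.compare_digest(record["tag"], expected_tag)):  # edit
            return expected_seq
        prev_tag = record["tag"]
    return None


def detect_wipe(chain: List[Dict], checkpoint_seq: int,
                checkpoint_tag: str) -> Optional[str]:
    """Compare the log with a (seq, tag) checkpoint held off the host.

    An empty or shortened chain still verifies as "intact", so the checkpoint
    is what turns a wiped or truncated log into an alert.
    """
    if len(chain) <= checkpoint_seq:
        return "log truncated or wiped"
    if not hmac.compare_digest(chain[checkpoint_seq]["tag"], checkpoint_tag):
        return "history rewritten before checkpoint"
    return None


if __name__ == "__main__":
    # Constructed sample events for the demo.
    chain: List[Dict] = []
    for i, action in enumerate(["login", "view_record", "export", "logout"]):
        append_event(chain, {"user": "alice", "action": action, "n": i})
    print("intact chain:", verify_chain(chain))                 # None

    edited = copy.deepcopy(chain)
    edited[2]["event"]["action"] = "view_record"               # hide the export
    print("edited record at:", verify_chain(edited))            # 2

    deleted = [dict(r) for r in chain]
    del deleted[1]
    print("deletion detected at:", verify_chain(deleted))       # 1

    cp_seq, cp_tag = 3, chain[3]["tag"]                         # stored off-host
    print("after wipe:", detect_wipe([], cp_seq, cp_tag))       # truncated or wiped
```

Run the script as-is to see each tampering case flagged; in practice the checkpoint would be shipped to a separate collector (or the log forwarded there in near real time) so that an attacker with local admin rights cannot rewrite the record and the checkpoint together.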
What Do Security Logging and Monitoring Failures Look Like in the Real World?
Insufficient or missing logs aren’t a direct problem as long as there is no attack on the organization. But the second there is a data breach or any Indicators of Compromise (IOCs), logging failures quickly become a massive problem for the IT team.
Of course, not keeping effective logs is a sure way to break compliance. That’s why you won’t find many companies admitting that they mishandled their logs and were caught unawares by the adversary. OWASP offered a few anonymized scenarios where logging failures have come back to haunt irresponsible IT teams, for example:
A children’s health plan provider’s website operator couldn’t detect a breach due to a lack of monitoring and logging. An external party informed the health plan provider that an attacker had accessed and modified thousands of sensitive health records of more than 3.5 million children. A post-incident review found that the website developers had not addressed significant vulnerabilities.
As there was no logging or monitoring of the system, the data breach could have been in progress since 2013, a period of more than seven years.
Want some more tips?
OWASP has offered five helpful resources for improving your logging policy, in addition to three documents on ensuring data integrity. Although you can find the full list here in the References section, here are a few of the SecPro team’s favorites:
- OWASP Proactive Controls: Implement Logging and Monitoring
- OWASP Testing Guide: Testing for Detailed Error Code
- OWASP Cheat Sheet: Logging
- Data Integrity: Recovering from Ransomware and Other Destructive Events
- Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
Know about an even better resource? Send us an email or post it to our Discord server to help your fellow cybersecurity professionals cut out the mistakes.