Monitoring and Auditing
Log Files & Monitoring
Log Files
- Purpose: Record data in databases or files.
- Types: Authentication logs, security logs, system logs, app logs, firewall logs, proxy logs, etc.
- Storage: Protect by centrally storing and restricting access.
- Integrity: Archived logs should be read-only to ensure no tampering.
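Added example (not from the original notes): one way to enforce the "read-only archived logs" point in practice is to make the rotated file read-only and record its SHA-256 in a manifest, so later edits are detectable even if someone regains write access. The file names, paths and log lines below are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

# Constructed example: archive a rotated log read-only and record its SHA-256
# so later tampering can be detected. Names and paths are assumptions.

def sha256_file(path: str) -> str:
    """Hash a file in chunks so large logs do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def archive_log(path: str, manifest: dict) -> str:
    """Make the archived log read-only and record its digest in the manifest."""
    digest = sha256_file(path)
    # r--r--r--: nobody can append to or edit the file without first changing
    # its mode, which should itself be restricted and logged.
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    manifest[os.path.basename(path)] = digest
    return digest

def verify_archive(path: str, manifest: dict) -> bool:
    """True only if the file is still read-only and its digest matches the manifest."""
    name = os.path.basename(path)
    if name not in manifest:
        return False
    mode = stat.S_IMODE(os.stat(path).st_mode)
    writable = mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)
    return not writable and sha256_file(path) == manifest[name]

def demo() -> tuple:
    """Archive a constructed auth log, then tamper with it and re-verify."""
    manifest = {}
    path = os.path.join(tempfile.mkdtemp(), "auth.log.1")
    with open(path, "w") as f:
        f.write("Jan 01 10:00:01 host sshd[100]: Accepted password for alice from 10.0.0.5\n")
        f.write("Jan 01 10:00:07 host sshd[101]: Failed password for root from 198.51.100.9\n")
    archive_log(path, manifest)
    intact = verify_archive(path, manifest)
    # Simulate someone who regains write access and removes the line that
    # would implicate them; the manifest digest no longer matches.
    os.chmod(path, 0o644)
    with open(path, "w") as f:
        f.write("Jan 01 10:00:01 host sshd[100]: Accepted password for alice from 10.0.0.5\n")
    tampered_detected = not verify_archive(path, manifest)
    return intact, tampered_detected

if __name__ == "__main__":
    print(demo())  # (True, True)
```

The manifest itself should live on a separate, access-restricted system (or be signed), otherwise an attacker who can edit the log can also update the digest.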
Monitoring
- Definition: Active review of log data to hold entities accountable.
- Usage: Monitor system performance, detect potential threats.
- Tools: IDS and SIEM systems automate monitoring, provide real-time analysis, and may auto-create incident reports.
Audit Trails
- Purpose: Record events and occurrences.
- Examples: Authentication events, access events, actions on servers or in the cloud.
- Usage:
  - Reconstruct an event.
  - Prove or disprove culpability.
- Importance: Essential for prosecuting criminals. E.g., Windows logs: if the logging level is set to minimal, crucial information for prosecution may be lost. Common is usually the lowest level you should go.
Sampling
Sampling is a technique used to select a subset from a larger population to derive insights or conclusions about the entire group without examining every individual item.
Key Concept: Sampling provides a snapshot of a larger data set, making analysis more manageable and feasible.
Statistical Sampling
Statistical sampling utilizes mathematical methods to derive meaningful insights from vast amounts of data. It ensures a subset that's statistically representative of the whole.
Example: A cybersecurity firm analyzes a sample of 10,000 network packets out of millions daily to detect anomalies or patterns indicating a potential security threat.
The value of statistical sampling lies in its ability to provide accurate insights about the entire population from a smaller subset.
Clipping
Clipping is a non-statistical sampling method. Instead of choosing samples based on mathematical formulas, clipping focuses on specific criteria, often capturing events surpassing a predefined threshold.
Illustration: In a network monitoring system, rather than recording every network event, the system might be configured to only log events that have a data transfer rate exceeding 1 Gbps, treating them as potential security concerns.
Clipping can be efficient because it narrows the focus, but it may miss events below the threshold that are still significant.
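Added example (not part of the original notes) contrasting the two approaches on constructed network events: a simple random sample estimates how much of the whole population is malicious, while clipping at the 1 Gbps threshold from the illustration catches only the loud flows and misses the low-and-slow ones. The event generator, rates and labels are made up for the demonstration.

```python
import random
from statistics import mean

# Constructed events: (flow_id, transfer rate in Mbps, is_malicious).
# The 1 Gbps threshold follows the illustration above; the data is made up.
RATE_THRESHOLD_MBPS = 1000

def make_events(seed: int = 7, n: int = 10_000) -> list:
    """Mostly benign flows, ~1% loud malicious, ~0.5% quiet malicious."""
    rng = random.Random(seed)
    events = []
    for i in range(n):
        if rng.random() < 0.01:
            events.append((i, rng.uniform(1200, 5000), True))   # loud: above threshold
        elif rng.random() < 0.005:
            events.append((i, rng.uniform(1, 50), True))        # low-and-slow beacon
        else:
            events.append((i, rng.uniform(1, 900), False))      # benign
    return events

def statistical_sample(events: list, k: int, seed: int = 1) -> list:
    """Simple random sample: every event has the same chance of selection."""
    return random.Random(seed).sample(events, k)

def clip(events: list, threshold: float = RATE_THRESHOLD_MBPS) -> list:
    """Clipping: keep only events whose rate exceeds the threshold."""
    return [e for e in events if e[1] > threshold]

def malicious_share(events: list) -> float:
    return mean(1.0 if e[2] else 0.0 for e in events) if events else 0.0

def compare(events: list) -> dict:
    """Show what each method tells us about the population."""
    sample = statistical_sample(events, 1000)
    clipped = clip(events)
    missed = [e for e in events if e[2] and e[1] <= RATE_THRESHOLD_MBPS]
    return {
        "population_malicious_share": malicious_share(events),
        "sample_malicious_share": malicious_share(sample),
        "clipped_count": len(clipped),
        "clipped_all_malicious": all(e[2] for e in clipped),
        "malicious_missed_by_clipping": len(missed),
    }

if __name__ == "__main__":
    for k, v in compare(make_events()).items():
        print(f"{k}: {v}")
```

The random sample's malicious share lands close to the population's, which is the "representative subset" property; the clipped set is all true positives but silently drops every malicious flow under the threshold, which is exactly the caveat above.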
Maintaining Accountability
Accountability is crucial for ensuring individual subjects adhere to expected behaviors. By implementing auditing, user activities are recorded and therefore, individuals can be held accountable for their actions. Accountability promotes good user behavior and ensures compliance with an organization's security policy.
Security Audits & Reviews
Security managers should monitor key performance and risk indicators on an ongoing basis. Commonly tracked metrics are:
| Key Performance Indicator (KPI) | Example |
|---|---|
| Number of open vulnerabilities | 10 vulnerabilities still open |
| Time to resolve vulnerabilities | Average of 5 days to resolve |
| Vulnerability/defect recurrence | 3 recurring vulnerabilities in Q2 |
| Number of compromised accounts | 2 accounts compromised in June |
| Number of software flaws detected in preproduction scanning | 5 flaws detected before product launch |
| Repeat audit findings | 2 repeated issues from previous audit |
| User attempts to visit known malicious sites | 15 attempts in the last month |
After identifying the desired security metrics, managers should develop a dashboard to display these metrics over time. Ideally, it should be accessible to both managers and the security team, perhaps on the organization's intranet.
Security audits and reviews play a vital role in guaranteeing that management programs are not only effective but also diligently followed. They are particularly intertwined with account management practices, primarily to:
- Uphold the principles of least privilege and need-to-know.
- Oversee the effectiveness and adherence of programs such as patch management, vulnerability management, change management, and configuration management.
- Periodically review to ensure correct implementation and to spot any non-compliance, like fast-tracking processes or not locking tickets.
What is Auditing?
Auditing can be understood as:
- A systematic examination of an environment, aiming to assure compliance with set regulations and to detect any abnormalities, unauthorized events, or even crimes.
- A primary detective control in many security settings.
Auditing frequency is determined by risk. Higher risks necessitate more frequent audits.
Secure IT environments place a significant emphasis on auditing, and many regulations mandate its implementation.
- Security Audits
  - Performed by third parties.
  - Assess the security controls of an organization's assets.
- Internal Audits
  - Conducted by internal staff.
  - Intended for management use or in preparation for a security audit.
For the exam, assume "audit" refers to a 3rd-party audit unless stated otherwise.
Due Care
The practices of security audits and effectiveness reviews are critical demonstrations of due care. In their absence, senior management might find themselves accountable and potentially liable for any asset loss.
Due care implies acting with common sense, prudent management, and responsible action.
Controlling Access to Audit Reports
Access to audit reports should be managed with utmost care as they contain sensitive information. Details in these reports encompass the audit's purpose, scope, findings, problems identified, standards applied, root causes, and subsequent recommendations.
- Senior Security Administrators: Should have access to the complete, detailed report.
- Senior Management: Should receive a high-level summary, giving an overview of the organizational stance and bottom-line findings.
Only individuals with the appropriate privilege should have access to audit reports due to their sensitive nature.
User Entitlements & Access Reviews
- Access Review: A process to ensure that object access and account management practices align with the security policy.
- Key Point: Access review helps in verifying if access rights are in line with the security policy.
Always verify that access rights remain relevant and don't violate the principle of least privilege.
- User Entitlement Audits: These audits ensure adherence to the principle of least privilege, focusing particularly on privileged accounts.
- Cloud Platforms: Some offer a 'privileged identity feature' which might include an access review feature. This can be scheduled to periodically verify if users, like Steve, still need access.
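Added example (not from the original notes, and not any cloud platform's own feature): a small user entitlement review that compares each account's current rights against a role baseline, flags rights outside the baseline (least privilege), flags rights unused beyond an idle limit, and requires reattestation of privileged rights. The role baseline, privileged set, idle limits and the export rows (including "steve") are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed baseline: which entitlements each role may hold (assumption).
ROLE_BASELINE = {
    "developer": {"repo:read", "repo:write", "ci:run"},
    "helpdesk": {"directory:read", "password:reset"},
    "dba": {"db:read", "db:write", "db:admin"},
}
# Constructed set of privileged entitlements that get a stricter idle limit
# and a mandatory owner reattestation every review cycle.
PRIVILEGED = {"db:admin", "iam:admin", "password:reset"}
PRIVILEGED_MAX_IDLE_DAYS = 30
STANDARD_MAX_IDLE_DAYS = 90

def review_user(user: str, role: str, entitlements: set, last_used: dict, today: date) -> list:
    """Return (user, entitlement, action) findings for one account."""
    allowed = ROLE_BASELINE.get(role, set())
    findings = []
    for ent in sorted(entitlements):
        if ent not in allowed:
            findings.append((user, ent, "not in role baseline: remove or document exception"))
            continue
        idle_limit = PRIVILEGED_MAX_IDLE_DAYS if ent in PRIVILEGED else STANDARD_MAX_IDLE_DAYS
        used = last_used.get(ent)
        idle_days = (today - used).days if used else None   # None = never used
        if idle_days is None or idle_days > idle_limit:
            findings.append((user, ent, f"unused for >{idle_limit} days: revoke unless reattested"))
        elif ent in PRIVILEGED:
            findings.append((user, ent, "privileged: owner must reattest this cycle"))
    return findings

def run_review(export: list, today: date) -> list:
    """Run the review over an entitlement export (list of dict rows)."""
    report = []
    for row in export:
        report.extend(review_user(row["user"], row["role"], row["entitlements"], row["last_used"], today))
    return report

def sample_export(today: date) -> list:
    """Constructed entitlement export, as an IAM system might produce it."""
    d = timedelta
    return [
        {"user": "steve", "role": "developer",
         "entitlements": {"repo:read", "repo:write", "iam:admin"},
         "last_used": {"repo:read": today - d(days=1), "repo:write": today - d(days=2),
                       "iam:admin": today - d(days=200)}},
        {"user": "dana", "role": "dba",
         "entitlements": {"db:read", "db:admin"},
         "last_used": {"db:read": today, "db:admin": today - d(days=3)}},
        {"user": "hal", "role": "helpdesk",
         "entitlements": {"directory:read", "password:reset"},
         "last_used": {"directory:read": today - d(days=100)}},
    ]

if __name__ == "__main__":
    for finding in run_review(sample_export(date(2024, 6, 1)), date(2024, 6, 1)):
        print(finding)
```

On the constructed export this yields four findings: steve's iam:admin is outside the developer baseline, dana's db:admin is in use but privileged and so needs reattestation, and both of hal's rights are stale (one unused for 100 days, one never used).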
Audit Access Controls
It's crucial to review and audit the effectiveness of access controls regularly.
- Log Tracking: Monitoring both successful and failed logons can unveil unusual events such as logins from unknown devices or locations.
- Resource Access: This includes tracking both the access to resources (objects) and actions performed on them.
- Automation: Access control audits are often automated, with the ability to auto-generate reports. These processes can be enhanced with AI support for better accuracy and efficiency.
IDSs can not only monitor these logs but also make it simpler to spot potential attacks by quickly alerting administrators.
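Added example (not from the original notes): the kind of automated check an access-control audit runs over logon records, flagging a burst of failed logons, a successful logon from a device or location not previously seen for that user, and a success that immediately follows failures. The log format, the known-device and known-location tables, and the threshold are constructed assumptions, not any product's real output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed logon records in a simple syslog-like format (not real product output).
SAMPLE_LOG = """\
2024-06-01T08:00:01 logon user=alice result=success src=10.0.0.5 device=alice-laptop geo=NL
2024-06-01T08:05:12 logon user=alice result=success src=10.0.0.5 device=alice-laptop geo=NL
2024-06-01T09:10:00 logon user=bob result=failure src=203.0.113.7 device=unknown geo=BR
2024-06-01T09:10:03 logon user=bob result=failure src=203.0.113.7 device=unknown geo=BR
2024-06-01T09:10:05 logon user=bob result=failure src=203.0.113.7 device=unknown geo=BR
2024-06-01T09:10:07 logon user=bob result=failure src=203.0.113.7 device=unknown geo=BR
2024-06-01T09:10:09 logon user=bob result=failure src=203.0.113.7 device=unknown geo=BR
2024-06-01T09:10:11 logon user=bob result=success src=203.0.113.7 device=unknown geo=BR
2024-06-01T10:00:00 logon user=carol result=success src=10.0.0.9 device=carol-desktop geo=NL
"""

# Constructed history of devices and locations previously seen per user.
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"}, "carol": {"carol-desktop"}}
KNOWN_GEOS = {"alice": {"NL"}, "bob": {"NL"}, "carol": {"NL"}}
FAIL_THRESHOLD = 5            # failures within WINDOW that count as a burst
WINDOW = timedelta(minutes=5)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) device=(?P<device>\S+) geo=(?P<geo>\S+)$"
)

def parse(text: str) -> list:
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events

def find_alerts(events: list) -> list:
    """Return (user, alert_kind, timestamp) tuples for unusual logon activity."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    for e in events:
        user, ts = e["user"], e["ts"]
        # Keep only failures inside the sliding window.
        failures[user] = [t for t in failures[user] if ts - t <= WINDOW]
        if e["result"] == "failure":
            failures[user].append(ts)
            if len(failures[user]) == FAIL_THRESHOLD:   # fire once per burst
                alerts.append((user, "failed-logon-burst", ts))
            continue
        # Successful logon: compare device and location against history.
        if e["device"] not in KNOWN_DEVICES.get(user, set()):
            alerts.append((user, "success-from-unknown-device", ts))
        if e["geo"] not in KNOWN_GEOS.get(user, set()):
            alerts.append((user, "success-from-unknown-location", ts))
        if failures[user]:
            alerts.append((user, "success-after-failures", ts))
            failures[user] = []
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse(SAMPLE_LOG)):
        print(alert)
```

On the constructed log, alice and carol produce nothing, while bob's activity yields four alerts: the burst of five failures, then a success from an unknown device, from an unknown location, and right after the failures. In a real review, an analyst would treat the combination as an account to verify with its owner and, if unexplained, to contain.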