Monitoring and Auditing
Log Files & Monitoring
Log Files
- Purpose: Record data in databases or files.
- Types: Authentication logs, security logs, system logs, app logs, firewall logs, proxy logs, etc.
- Storage: Protect by centrally storing and restricting access.
- Integrity: Archived logs should be read-only to ensure no tampering.
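The integrity point above (archived logs must be read-only and tamper-evident) is easier to see with a small worked example. The code below is an added illustration and not part of the original notes or any product: it chains each archived record to the SHA-256 of its predecessor, so that altering or deleting any record breaks every later hash. The sample events are constructed for the demonstration.

```python
import copy
import hashlib
import json

# Constructed sample log records for the demonstration (not real data)
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:01Z", "event": "logon_success", "user": "alice", "src": "10.0.0.5"},
    {"ts": "2024-05-01T08:02:17Z", "event": "logon_failure", "user": "bob", "src": "203.0.113.9"},
    {"ts": "2024-05-01T08:03:40Z", "event": "file_access", "user": "alice", "object": "/srv/payroll.xlsx"},
]

# Hash of the (empty) record before the first one
GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    """Hash of this record bound to the hash of the record before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def build_chain(events):
    """Return archive entries; each one carries the hash of its predecessor."""
    chain = []
    prev = GENESIS
    for rec in events:
        h = _digest(prev, rec)
        chain.append({"record": rec, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain):
    """Return (ok, index_of_first_bad_entry); index is -1 when the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or _digest(prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return True, -1


def tamper_demo():
    """Edit one archived record after the fact and show the check catches it."""
    chain = build_chain(SAMPLE_EVENTS)
    tampered = copy.deepcopy(chain)
    # An attacker rewrites their failed logon into a success
    tampered[1]["record"]["event"] = "logon_success"
    return verify_chain(chain), verify_chain(tampered)


if __name__ == "__main__":
    print(tamper_demo())  # ((True, -1), (False, 1))
```

The chain only proves something if the final hash is kept somewhere the log owner cannot rewrite, for example forwarded to the central log server mentioned above or written to WORM storage; otherwise an attacker with write access can simply recompute every hash after the edit.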
Monitoring
- Definition: Active review of log data to hold entities accountable.
- Usage: Monitor system performance, detect potential threats.
- Tools: IDS, SIEM automate monitoring, provide real-time analysis, and may auto-create incident reports.
Audit Trails
- Purpose: Record events and occurrences.
- Examples: Authentication events, access events, actions on servers or in the cloud.
- Usage:
  - Reconstruct an event.
  - Prove or disprove culpability.
- Importance: Essential for prosecuting criminals. For example, if Windows logging is set to the minimal level, information crucial for prosecution may be lost; Common is usually the lowest level you should go.
Sampling
Sampling is a technique used to select a subset from a larger population to derive insights or conclusions about the entire group without examining every individual item.
Key Concept: Sampling provides a snapshot of a larger data set, making analysis more manageable and feasible.
Statistical Sampling
Statistical sampling utilizes mathematical methods to derive meaningful insights from vast amounts of data. It ensures a subset that's statistically representative of the whole.
Example: A cybersecurity firm analyzes a sample of 10,000 network packets out of millions daily to detect anomalies or patterns indicating a potential security threat.
The value of statistical sampling lies in its ability to provide accurate insights about the entire population from a smaller subset.
Clipping
Clipping is a non-statistical sampling method. Instead of choosing samples based on mathematical formulas, clipping focuses on specific criteria, often capturing events surpassing a predefined threshold.
Illustration: In a network monitoring system, rather than recording every network event, the system might be configured to only log events that have a data transfer rate exceeding 1 Gbps, treating them as potential security concerns.
Clipping can be efficient because it narrows the focus, but it may miss events below the threshold that are still significant.
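The two sampling approaches above, as an added example that is not part of the original notes. The event stream (10,000 network events with a transfer rate in Gbps) is constructed deterministically so the result is reproducible; three events above the 1 Gbps clipping threshold and one "low-and-slow" event just below it are injected to show what each method keeps and what it misses.

```python
import random
import statistics

# Constructed population: (event_id, transfer rate in Gbps), spread evenly over 0..0.9 Gbps
EVENTS = [(i, round(((i * 37) % 1000) / 1000 * 0.9, 3)) for i in range(1, 10_001)]

# Injected events above the clipping threshold (obvious outliers)
EVENTS[100] = (101, 1.8)
EVENTS[2500] = (2501, 2.4)
EVENTS[9000] = (9001, 1.1)
# Injected event just below the threshold: still suspicious, but clipping will not log it
EVENTS[4241] = (4242, 0.95)

CLIP_THRESHOLD_GBPS = 1.0


def statistical_sample(events, n, seed=1):
    """Simple random sample of n events; the seed makes the draw reproducible."""
    rng = random.Random(seed)
    return rng.sample(events, n)


def clip(events, threshold=CLIP_THRESHOLD_GBPS):
    """Clipping: keep only events whose rate exceeds the predefined threshold."""
    return [e for e in events if e[1] > threshold]


def estimate_mean_rate(sample):
    """Estimate of the population mean transfer rate from a sample."""
    return statistics.fmean(rate for _, rate in sample)


if __name__ == "__main__":
    sample = statistical_sample(EVENTS, 1000)
    print("population mean:", round(estimate_mean_rate(EVENTS), 3))
    print("sample estimate:", round(estimate_mean_rate(sample), 3))
    print("clipped events:", clip(EVENTS))
    print("event 4242 kept by clipping?", any(e[0] == 4242 for e in clip(EVENTS)))
```

A 10% random sample reproduces the population's mean rate closely, which is the point of statistical sampling; clipping returns exactly the three over-threshold events and nothing else, which is cheap but, as the notes warn, silently drops event 4242 at 0.95 Gbps.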
Maintaining Accountability
Accountability is crucial for ensuring individual subjects adhere to expected behaviors. By implementing auditing, user activities are recorded and therefore, individuals can be held accountable for their actions. Accountability promotes good user behavior and ensures compliance with an organization's security policy.
Security Audits & Reviews
Security audits and reviews play a vital role in guaranteeing that management programs are not only effective but also diligently followed. They are particularly intertwined with account management practices, primarily to:
- Uphold the principles of least privilege and need-to-know.
- Oversee the effectiveness and adherence of programs such as patch management, vulnerability management, change management, and configuration management.
- Periodically review to ensure correct implementation and to spot any non-compliance, like fast-tracking processes or not locking tickets.
KPI & KRI
Security managers should monitor key performance and risk indicators on an ongoing basis. Commonly tracked metrics are:
| Key Performance Indicator (KPI) | Example |
|---|---|
| Number of open vulnerabilities | 10 vulnerabilities still open |
| Time to resolve vulnerabilities | Average of 5 days to resolve |
| Vulnerability/defect recurrence | 3 recurring vulnerabilities in Q2 |
| Number of compromised accounts | 2 accounts compromised in June |
| Number of software flaws detected in preproduction scanning | 5 flaws detected before product launch |
| Repeat audit findings | 2 repeated issues from previous audit |
| User attempts to visit known malicious sites | 15 attempts in the last month |
After identifying the desired security metrics, managers should develop a dashboard to display these metrics over time. Ideally, it should be accessible to both managers and the security team, perhaps on the organization's intranet.
What is Auditing?
Security IT environments place a significant emphasis on auditing, and it's worth noting that many regulations mandate its implementation. Auditing can be understood as:
- A systematic examination of an environment, aiming to assure compliance with set regulations and to detect any abnormalities, unauthorized events, or even crimes.
- A primary detective control in many security settings.
- Auditing frequency is determined by risk. Higher risks necessitate more frequent audits.
The practice of security audits and effectiveness reviews is a demonstration of due care. In their absence, senior management might find themselves accountable, and potentially liable, for any asset loss.
External vs. Internal Audits
For the exam, assume "audit" refers to a 3rd-party audit unless stated otherwise.
Internal Audits
- Internal audits are conducted by an organization's own audit staff.
- Their primary audience is within the organization itself.
- The audit staff operates independently from the departments they assess.
- Typically, the Chief Audit Executive (CAE) reports directly to top leadership, such as the CEO or president.
- The CAE might also report directly to the organization’s governing board for increased transparency and independence.
External Audit
- Conducted by an entity outside of the organization being audited.
- Purpose is often to provide assurance to stakeholders (such as shareholders, customers, or regulators) about various aspects of the organization.
- Common examples include financial statement audits or compliance audits.
Third-Party Audit
- Also conducted by an entity outside the organization being audited.
- Specifically refers to evaluations by a completely independent third party.
- Often focused more on specific standards, criteria and compliance requirements, like ISO 27001 for information security or SOC 2 for service organizations.
Standards
- SSAE 18 (US Standard): Set by the AICPA to provide a common auditing standard for service organizations, aiming to streamline external evaluations and share the results with clients.
- ISAE 3402 (International Standard): Similar to SSAE 18 but applicable outside the U.S.
SSAE 18 does not prescribe a specific set of controls; its purpose is only to define how the review and audit are carried out. Think of a third-party audit as passing an exam, and an external audit as what you can do for yourself with the results, such as using them to get a job.
SOC Audits:
- SOC 1: Focuses on controls affecting financial reporting.
- SOC 2: Concentrates on controls about the system's security (confidentiality, integrity, availability), and privacy. Results are typically shared under an NDA.
- SOC 3: Similar to SOC 2, but the results are meant for public consumption.
SOC Report Types:
- Type I: Provides an opinion on management's control description and its design. It's a snapshot, reflecting a specific moment in time. Mainly a documentation review.
- Type II: Offers an opinion on control effectiveness, encompassing at least six months. It's more like a traditional audit, verifying controls in operation. This report is deemed more reliable than Type I.
Audits offer insights into security controls, and security professionals may be asked to participate actively in control evaluations. Auditors typically have unrestricted access to organizational information, with security staff expected to cooperate.
Controlling Access to Audit Reports
Access to audit reports should be managed with utmost care as they contain sensitive information. Details in these reports encompass the audit's purpose, scope, findings, problems identified, standards applied, root causes, and subsequent recommendations.
- Senior Security Administrators: Should have access to the complete, detailed report.
- Senior Management: Should receive a high-level summary, giving an overview of the organizational stance and bottom-line findings.
Only individuals with the appropriate privilege should have access to audit reports due to their sensitive nature.
User Entitlements & Access Reviews
- Access Review: A process to ensure that object access and account management practices align with the security policy.
- Key Point: Access review helps in verifying if access rights are in line with the security policy.
Always verify that access rights remain relevant and don't violate the principle of least privilege.
- User Entitlement Audits: These audits ensure adherence to the principle of least privilege, focusing particularly on privileged accounts.
- Cloud Platforms: Some offer a 'privileged identity feature' which might include an access review feature. This can be scheduled to periodically verify if users, like Steve, still need access.
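A user entitlement review of the kind described above, as an added example that is not code from the original notes or from any cloud platform's access review feature. The role definitions, privileged entitlement list and accounts are constructed: each account's actual entitlements are compared with what its roles allow, anything extra is flagged (high severity when it is a privileged right), and privileged accounts that have not logged on within the review window are flagged as stale.

```python
from datetime import date

# Constructed policy: which entitlements each role is supposed to grant
ROLE_ENTITLEMENTS = {
    "hr_analyst": {"hr_db:read", "payroll_share:read"},
    "dba": {"hr_db:read", "hr_db:admin", "backup_vault:write"},
    "helpdesk": {"ad:reset_password"},
}

# Constructed list of entitlements treated as privileged
PRIVILEGED = {"hr_db:admin", "backup_vault:write", "ad:domain_admin"}

# Constructed account export, as an identity system might produce it
ACCOUNTS = [
    {"user": "alice", "roles": ["hr_analyst"],
     "entitlements": {"hr_db:read", "payroll_share:read"}, "last_logon": "2024-05-20"},
    {"user": "steve", "roles": ["helpdesk"],
     "entitlements": {"ad:reset_password", "ad:domain_admin"}, "last_logon": "2024-01-03"},
    {"user": "dana", "roles": ["dba"],
     "entitlements": {"hr_db:read", "hr_db:admin", "backup_vault:write"}, "last_logon": "2024-05-21"},
    {"user": "svc_legacy", "roles": [],
     "entitlements": {"hr_db:admin"}, "last_logon": "2023-09-30"},
]


def expected_entitlements(roles):
    """Union of everything the account's roles are allowed to grant."""
    allowed = set()
    for role in roles:
        allowed |= ROLE_ENTITLEMENTS.get(role, set())
    return allowed


def review_access(accounts, today="2024-06-01", stale_days=90):
    """Return review findings as (user, finding, entitlements, severity) tuples."""
    today = date.fromisoformat(today)
    findings = []
    for acct in accounts:
        allowed = expected_entitlements(acct["roles"])
        # Least privilege: anything beyond what the roles justify is excess
        excess = acct["entitlements"] - allowed
        if excess:
            severity = "high" if excess & PRIVILEGED else "medium"
            findings.append((acct["user"], "excess_entitlement", sorted(excess), severity))
        # Privileged accounts nobody has used recently probably no longer need the access
        held_privileged = acct["entitlements"] & PRIVILEGED
        days_idle = (today - date.fromisoformat(acct["last_logon"])).days
        if held_privileged and days_idle > stale_days:
            findings.append((acct["user"], "stale_privileged_account", sorted(held_privileged), "high"))
    return findings


if __name__ == "__main__":
    for finding in review_access(ACCOUNTS):
        print(finding)
```

In this constructed data, alice and dana hold exactly what their roles permit and produce no findings; steve holds a domain admin right his helpdesk role never granted and has not logged on in five months, and the role-less service account still carries a database admin right, so both surface for review.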
Audit Access Controls
It's crucial to review and audit the effectiveness of access controls regularly.
- Log Tracking: Monitoring both successful and failed logons can unveil unusual events such as logins from unknown devices or locations.
- Resource Access: This includes tracking both the access to resources (objects) and actions performed on them.
- Automation: Access control audits are often automated, with the ability to auto-generate reports. These processes can be enhanced with AI support for better accuracy and efficiency.
IDSs can not only monitor these logs, but make it simpler to spot potential attacks by quickly alerting administrators.
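The log tracking described under Audit Access Controls (watching both successful and failed logons, and spotting logons from unknown locations) can be shown with a small detector. This is an added example, not code from the original notes or from any IDS product; the authentication log lines are constructed in an sshd-like format, and the per-user list of known source addresses is an assumption standing in for whatever baseline the organization keeps.

```python
import re
from collections import defaultdict

# Constructed authentication log lines for the demonstration (not real data)
LOG_LINES = """\
2024-05-01T08:00:01Z auth sshd: Accepted password for alice from 10.0.0.5
2024-05-01T08:01:10Z auth sshd: Failed password for bob from 203.0.113.9
2024-05-01T08:01:12Z auth sshd: Failed password for bob from 203.0.113.9
2024-05-01T08:01:15Z auth sshd: Failed password for bob from 203.0.113.9
2024-05-01T08:01:17Z auth sshd: Failed password for bob from 203.0.113.9
2024-05-01T08:01:19Z auth sshd: Failed password for bob from 203.0.113.9
2024-05-01T08:01:21Z auth sshd: Accepted password for bob from 203.0.113.9
2024-05-01T09:15:00Z auth sshd: Accepted password for alice from 198.51.100.77
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth sshd: (?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)$"
)

# Assumed baseline of source addresses each user normally logs on from
KNOWN_SOURCES = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.12"}}


def parse(lines):
    """Turn raw log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_alerts(events, fail_threshold=5):
    """Return (alert_type, user, source) tuples an administrator should look at."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> consecutive failed logons seen
    for ev in events:
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key] += 1
            # Alert once, when the burst first reaches the threshold
            if failures[key] == fail_threshold:
                alerts.append(("failed_logon_burst", ev["user"], ev["src"]))
        else:
            # A success right after a burst of failures is the more important signal
            if failures[key] >= fail_threshold:
                alerts.append(("success_after_burst", ev["user"], ev["src"]))
            if ev["src"] not in KNOWN_SOURCES.get(ev["user"], set()):
                alerts.append(("logon_from_unknown_source", ev["user"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(parse(LOG_LINES)):
        print(alert)
```

Successful logons matter as much as failed ones here: bob's five failures raise one alert, but the success that follows them from an address he has never used before is what an administrator needs to see first. Alice's afternoon logon from an unfamiliar address is flagged on the unknown-source rule alone.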