Collecting valuable information from the various network devices, hosts, applications, and endpoint devices is not only critical; several privacy and compliance mandates, including GPDR and TISAX for the German automotive industry, require this activity.

Managed detection and response (MDR) providers like ForeNova leverage several capabilities within their managed offerings to help clients manage their vast amounts of log data and extract valuable telemetry to help prevent current and future cyberattacks. 

Definition Importance of The Log Management Process

The telemetry embedded within the log files provides critical insight into network connections, application port and protocol communications, and elements of a cyberattack. Log management, specifically for cybersecurity, is essential in identifying the early stages of a ransomware attack or a hacker executing reconnaissance to look for vulnerabilities.

Organizations seeking to gain the most value from aggregating their log files must invest in a solution designed to ingest and parse the log data into usable form.

Log Management Critical to Threat Hunting

Effective threat hunting by the SecOps team relies heavily on log management to provide rationalized data. Threat hunters leverage rationalized data because they can search faster than executing similar queries within the SIEM.

Search queries are slower within the SIEM tool than in log management solutions. Threat hunters need their searches to respond faster, especially during a zero-day attack.

Log Management vs SIEM

Log management solutions and traditional Security Information Event Management (SIEM) solutions overlap in their functionality and have some critical differences. SIEM solutions collect data from various devices, analyze the telemetry data, and then provide alerts to different stakeholders, including SecOps, IT operations, and governance, risk, and compliance (GRC) Teams.

Log management also collects telemetry, similar to a SIEM. These solutions focus more on collecting, parsing, and rationalizing the data for better searching. Log management systems also help parse the data into specific categories, making the ingress into an SIEM solution more efficient.

Data rationalization is critical in separating valuable telemetry from less essential elements. SIEM solutions receiving filtered and rationalized data from a log management system will have less parsing to execute. This increased telemetry efficiency helps the SIEM create faster and more accurate stakeholder notifications.

Accessing Log Information for Auditing, Legal Hold, and Reporting

SecOps teams supporting frequent auditing and reporting for compliance need access to the filtered and unstructured telemetry feed. The source data embedded within the log files often becomes evidence for lawsuits and criminal investigations, especially if the organization becomes subject to cyberattack.

The FBI, Homeland Security, and law enforcement agencies in the European Union have cybersecurity experts assigned to these cases. Collecting log information from the management platform becomes a priority in some cyber investigations. The actual raw data quickly becomes the source of truth within the evidence chain, requiring preservation, including the chain of custody.

Log data processes within the SIEM often become less important in the evidence chain because a good portion of the information only represents the original raw data if the organization uses the SIEM for 100% of its log management functionality.

SOAR Automation and Alerts

Log management systems similar to a SIEM provide adequate alerts and notifications, often in real-time.

“SIEM solutions provide more workflows, including Security Orchestration Automation and Response (SOAR).”

SOAR workflows create cases on either a single thread of evidence, including log files, or critical information collected from many sources. Another valuable point of SOAR functionality is the SIEM's ability to create and distribute playbooks based on specific attack vectors. These playbooks help stakeholders understand their role and the steps each member needs to execute to help stop the propagation of the attack.

What are Some Recommended Approaches for Log Management in Cybersecurity?

Organizations seeking to maximize their investment in log management for cybersecurity must carefully plan their strategy before enabling the data telemetry collection process.

Here are some questions all CISOs and CIOs need to consider before establishing log management within the organization.

What Events Should Be Collected?

Log collection takes up a tremendous amount of digital storage space. Parsing and rationalizing log files requires extensive compute, memory, and IOPS resources. Organizations need to determine which events should be collected for cybersecurity and compliance purposes.

Everyday events collected by the SecOps team include:

• User authentications, including Geo fencing data
• Firewall logs above informational level
• IPS, endpoint security, and cloud security logs need to be collected.

Separately, CIOs must determine a similar scope regarding what events within applications, databases, and end-user devices need to be collected.

Who Should Access the Log Files?

Accessing log files should be clearly defined, similar to government employees handling classified materials. The persons requesting access to the log files should need to know, need to retrieve, and need to export to external systems and key stakeholders. Enabling a role-based access control (RBAC) functionality to prevent the log file chain of custody is essential for organizations to maintain data integrity. This data needs to be classified as an asset to the organization, especially if the firm stopped a zero-day cyberattack. Threat intelligence systems later reference this valuable data fed by organizations. Allowing hackers access to this telemetry could create future attacks.

Should CIOs and CISOs Separate the Collection of Cybersecurity Logs and Application Logs?

This is an excellent question that needs to be discussed between the CISO and CIO. Log management for cybersecurity and application services can coexist as one complete environmental view. Application services showing signs within their log files that they are becoming exploited should be reported as a cybersecurity attack.

Additional log information, including increased CPU utilization, a memory leak, and saturated log files, shows signs of system exploits.

Most organizations would benefit from one centralized log management system with role-based access control (RBAC) enabled to restrict access to the raw data, date-time settings, and location.

Where Should the Organization Store the Log Data?

Organizations that retain log files for six years must develop a storage strategy. This storage could be a mix of on-premise, cloud, and removable storage media. Most organizations will leverage tiered storage strategies. Tiered storage will move less-accessed log files from expensive tier-1 devices to a lower-cost environment.

How Long Should the Logs Be Retained?

There must be a uniform statute regarding how long cybersecurity logs should be kept. Organizations working within the regulated industries, including finance, government, research, automotive, and healthcare, tend to be cautious and keep the logs for several years.

Here is an example of some compliance and privacy mandates that guide retention periods for log files:

“Basel II Accord: This international banking regulation requires financial institutions to keep log files for 3 to 5 years. They must also ensure they can keep files indefinitely in case of legal hold.”

“HIPAA: The Health Insurance Portability and Accountability Act requires organizations operating within the healthcare sector to keep log files for six years.”

“IS027001: The ISO 27001 compliance framework requires organizations to retain data logs for at least three years.”

“GDPR: According to Article 5 (1)(e) of the GDPR, you can only keep personal data as long as necessary for its purpose, which will differ based on the type of log data you collect."

What are the Log Management Requirements for TISAX 5.2.4 under ISA?

“The Trusted Information Security Assessment Exchange 5.2.4 requires collecting event logs for tracking incidents.”

Documented within the Information Security Assessment (ISA) guidelines, automotive manufacturers, dealers, and suppliers seeking the TISAX certification need to collect and keep the following logs:

Logging Enablement Across the Enterprise Network and Access Control

• Logging of network security activities reported from firewalls, IPS, and networking security devices.
• Logging from all cybersecurity-related attack issues on all endpoint devices.
• Enabling logging is necessary to validate all patching and remediation services are working as expected.
• Enabling logging across security devices and services is essential to detect and prevent data exfiltration attacks.
• System administrators, security engineers, and applications provide security access to critical systems and must log their activities within these essential host, device, and database systems.
• Enabling logging for all external access to critical systems, including authentication activities while accessing the various systems is necessary.
• Logging needs to be enabled for any users attempting to access unauthorized systems.

Log Management Security and Governance

• All automotive-related businesses seeking TISAX need to develop and maintain procedures for logging data, including workflows for notifying security operations, executive leadership, and other critical stakeholders of severe events.
• To ensure access restriction, all automotive-related businesses need to develop and implement log data protection capabilities, including encryption, secured data transmission between locations, multifactor authentication, and RBAC.
• All automotive-related businesses must ensure they enable logging across all systems connected to the TISAX compliance framework assessment and maturity levels.

Proving The Logging Management Solution is Working As Expected

Organizations seeking TISAX assessment maturity levels must prove the following to external third-party auditors regarding their log management strategy and capabilities.

• Prove they have visibility into the beginning stages of cybersecurity incidents through log collecting, parsing, and rationalization.
• Prove they can trace the suspected kill chain the hackers executed against specific systems relevant to the TISAX certification.
• Prove their cybersecurity adaptive controls stopped and prevented the cybersecurity attack through the log collecting process.

The TISAX compliance guide

Shift into gear now! Download the free guide on TISAX compliance and discover your way to new partnerships!