Managed detection and response (MDR) providers like ForeNova leverage several capabilities within their managed offerings to help clients manage their vast amounts of log data and extract valuable telemetry to help prevent current and future cyberattacks.
The telemetry embedded within the log files provides critical insight into network connections, application port and protocol communications, and elements of a cyberattack. Log management, specifically for cybersecurity, is essential in identifying the early stages of a ransomware attack or a hacker executing reconnaissance to look for vulnerabilities.
Organizations seeking to gain the most value from aggregating their log files must invest in a solution designed to ingest and parse the log data into usable form.
Search queries run slower within a SIEM tool than within a log management solution. Threat hunters need their searches to return faster, especially during a zero-day attack.
Log management solutions and traditional Security Information and Event Management (SIEM) solutions overlap in their functionality but have some critical differences. SIEM solutions collect data from various devices, analyze the telemetry data, and then provide alerts to different stakeholders, including SecOps, IT operations, and governance, risk, and compliance (GRC) teams.
Log management also collects telemetry, similar to a SIEM. These solutions focus more on collecting, parsing, and rationalizing the data for better searching. Log management systems also help parse the data into specific categories, making the ingress into a SIEM solution more efficient.
Data rationalization is critical in separating valuable telemetry from less essential elements. SIEM solutions receiving filtered and rationalized data from a log management system will have less parsing to execute. This increased telemetry efficiency helps the SIEM create faster and more accurate stakeholder notifications.
SecOps teams supporting frequent auditing and reporting for compliance need access to the filtered and unstructured telemetry feed. The source data embedded within the log files often becomes evidence for lawsuits and criminal investigations, especially if the organization becomes subject to cyberattack.
The FBI, Homeland Security, and law enforcement agencies in the European Union have cybersecurity experts assigned to these cases. Collecting log information from the management platform becomes a priority in some cyber investigations. The actual raw data quickly becomes the source of truth within the evidence chain, requiring preservation, including the chain of custody.
Log data processed within the SIEM often carries less weight in the evidence chain, because a good portion of that information represents the original raw data only if the organization uses the SIEM for 100% of its log management functionality.
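The two points above, rationalizing the feed before SIEM ingress while preserving every raw line as evidence, sketched as an added example (not ForeNova's code or any product's API): the log lines, the key=value format, the noise policy and the SHA-256 hash chain are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample lines in a simplified key=value syslog style (not real telemetry).
RAW_LOGS = [
    "fw01 CONN src=10.0.0.5 dst=203.0.113.9 dport=443 proto=tcp action=allow",
    "fw01 CONN src=10.0.0.5 dst=203.0.113.9 dport=22 proto=tcp action=deny",
    "dc01 AUTH user=alice result=failure",
    "dc01 AUTH user=alice result=success",
    "app01 APP event=heartbeat",
    "app01 APP event=disk_full",
    "garbage line with no structure",
]
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<category>CONN|AUTH|APP) (?P<rest>.*)$")
# Constructed noise policy: high-volume, low-value events the SIEM does not need.
NOISE = {("CONN", "action", "allow"), ("APP", "event", "heartbeat")}

def parse_line(line):
    """Parse a raw line into host, category and key=value fields; unknown shapes are kept as UNPARSED."""
    m = LINE_RE.match(line)
    if not m:
        return {"host": None, "category": "UNPARSED", "fields": {}, "raw": line}
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {"host": m.group("host"), "category": m.group("category"),
            "fields": fields, "raw": line}

def is_noise(event):
    return any(event["category"] == c and event["fields"].get(k) == v for c, k, v in NOISE)

def rationalize(lines):
    """Return (structured events for the SIEM, hash-chained raw evidence)."""
    siem_feed, evidence, prev = [], [], "0" * 64
    for line in lines:
        # Chain every raw line, kept or dropped, so the original record stays provable.
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        evidence.append({"raw": line, "hash": digest})
        prev = digest
        event = parse_line(line)
        if not is_noise(event):
            siem_feed.append(event)
    return siem_feed, evidence

def verify_chain(evidence):
    """Recompute the chain; False if any raw line was altered, reordered or removed."""
    prev = "0" * 64
    for rec in evidence:
        prev = hashlib.sha256((prev + rec["raw"]).encode()).hexdigest()
        if prev != rec["hash"]:
            return False
    return True
```

The SIEM receives five of the seven events (the allowed connection and the heartbeat are filtered), while the evidence store keeps all seven and detects any later edit or deletion.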
“SIEM solutions provide more workflows, including Security Orchestration, Automation, and Response (SOAR).”
SOAR workflows create cases on either a single thread of evidence, including log files, or critical information collected from many sources. Another valuable point of SOAR functionality is the SIEM's ability to create and distribute playbooks based on specific attack vectors. These playbooks help stakeholders understand their role and the steps each member needs to execute to help stop the propagation of the attack.
Organizations seeking to maximize their investment in log management for cybersecurity must carefully plan their strategy before enabling the data telemetry collection process.
Here are some questions all CISOs and CIOs need to consider before establishing log management within the organization.
Log collection takes up a tremendous amount of digital storage space. Parsing and rationalizing log files requires extensive compute, memory, and IOPS resources. Organizations need to determine which events should be collected for cybersecurity and compliance purposes.
Everyday events collected by the SecOps team include:
Separately, CIOs must determine a similar scope regarding what events within applications, databases, and end-user devices need to be collected.
Access to log files should be clearly defined, similar to how government employees handle classified materials. Persons requesting access to the log files should have a need to know, a need to retrieve, and a need to export to external systems and key stakeholders. Enabling role-based access control (RBAC) to protect the log file chain of custody is essential for organizations to maintain data integrity. This data needs to be classified as an asset of the organization, especially if the firm stopped a zero-day cyberattack. Threat intelligence systems later reference this valuable data fed to them by organizations. Allowing hackers access to this telemetry could enable future attacks.
This is an excellent question that needs to be discussed between the CISO and CIO. Log management for cybersecurity and application services can coexist as one complete environmental view. Application services whose log files show signs that they are being exploited should be reported as a cybersecurity attack.
Additional log information, including increased CPU utilization, a memory leak, and saturated log files, shows signs of system exploits.
Most organizations would benefit from one centralized log management system with role-based access control (RBAC) enabled to restrict access to the raw data, date-time settings, and location.
Organizations that retain log files for six years must develop a storage strategy. This storage could be a mix of on-premises, cloud, and removable storage media. Most organizations will leverage tiered storage strategies. Tiered storage moves less-accessed log files from expensive tier-1 devices to a lower-cost environment.
There must be a uniform statute regarding how long cybersecurity logs should be kept. Organizations working within the regulated industries, including finance, government, research, automotive, and healthcare, tend to be cautious and keep the logs for several years.
Here is an example of some compliance and privacy mandates that guide retention periods for log files:
“Basel II Accord: This international banking regulation requires financial institutions to keep log files for 3 to 5 years. They must also ensure they can keep files indefinitely in case of legal hold.”
“HIPAA: The Health Insurance Portability and Accountability Act requires organizations operating within the healthcare sector to keep log files for six years.”
“ISO 27001: The ISO 27001 compliance framework requires organizations to retain data logs for at least three years.”
“GDPR: According to Article 5 (1)(e) of the GDPR, you can only keep personal data as long as necessary for its purpose, which will differ based on the type of log data you collect.”
“The Trusted Information Security Assessment Exchange 5.2.4 requires collecting event logs for tracking incidents.”
Documented within the Information Security Assessment (ISA) guidelines, automotive manufacturers, dealers, and suppliers seeking the TISAX certification need to collect and keep the following logs:
Organizations seeking TISAX assessment maturity levels must prove the following to external third-party auditors regarding their log management strategy and capabilities.