II.C.22 Log Management

Network and host activities typically are recorded on the host and sent across the network to a central logging repository. The data arrive at the repository in the native format of the software that recorded the activity; the repository may process (for example, normalize and index) the data, which enables timely and effective log analysis. Management should have effective log retention policies that address the importance of maintaining logs for incident response and analysis needs.

Log files are critical to the successful investigation and prosecution of security incidents and may themselves contain sensitive information. Intruders often attempt to conceal unauthorized access by editing or deleting log files. Therefore, institutions should strictly control and monitor access to log files, whether on the host or in a centralized logging repository. Considerations for securing the integrity of log files include the following:

  • Encrypting log files that contain sensitive data or that are transmitted over the network.
  • Ensuring adequate storage capacity to avoid gaps in data gathering.
  • Securing backup and disposal of log files.
  • Logging the data to a separate, isolated computer.
  • Logging the data to read-only media.
  • Setting logging parameters to disallow any modification to previously written data.
  • Restricting access to log files to a limited number of authorized users.
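The controls above (in particular, logging to a separate, isolated computer and disallowing modification of previously written data) can be made verifiable with a keyed hash chain: each record's MAC covers the previous record's MAC, and the key is held only on the isolated collector, so an intruder who can edit files on a compromised host cannot recompute valid MACs. The following is an added example written for this page, not code from the handbook; the key, the record layout and the sample messages are constructed for illustration. It shows that editing or deleting a record breaks the chain, and that silently removing the newest records is only caught when a checkpoint (record count and last MAC) has been copied to read-only media.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed key for illustration only. In a real deployment it lives only on the
# isolated collector, never on the hosts that send logs.
COLLECTOR_KEY = b"collector-only-key-constructed-for-this-example"

GENESIS = "0" * 64  # stands in for the MAC of the (non-existent) record before the first


def _record_mac(key: bytes, prev_mac: str, seq: int, ts: str, msg: str) -> str:
    # JSON-encode the fields so that no field boundary is ambiguous to the MAC
    payload = json.dumps([prev_mac, seq, ts, msg], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_record(chain: List[Dict], ts: str, msg: str, key: bytes = COLLECTOR_KEY) -> Dict:
    """Append one record whose MAC also covers the previous record's MAC (append-only chain)."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    rec = {"seq": seq, "ts": ts, "msg": msg, "mac": _record_mac(key, prev_mac, seq, ts, msg)}
    chain.append(rec)
    return rec


def verify_chain(chain: List[Dict], key: bytes = COLLECTOR_KEY,
                 checkpoint: Optional[Tuple[int, str]] = None) -> Tuple[bool, str]:
    """Recompute every MAC from the genesis value. Returns (ok, reason).

    checkpoint is (record_count, last_mac) as previously written to read-only media;
    without it, removal of the newest records is undetectable.
    """
    prev_mac = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            return False, f"sequence gap at position {i}: found seq {rec['seq']}"
        expected = _record_mac(key, prev_mac, rec["seq"], rec["ts"], rec["msg"])
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, f"record {i} modified or chain broken"
        prev_mac = rec["mac"]
    if checkpoint is not None:
        cp_len, cp_mac = checkpoint
        if len(chain) < cp_len:
            return False, f"truncated: chain has {len(chain)} records, checkpoint recorded {cp_len}"
        if not hmac.compare_digest(chain[cp_len - 1]["mac"], cp_mac):
            return False, f"record {cp_len - 1} does not match checkpoint"
    return True, "intact"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Build a small chain from constructed events and verify several tampering scenarios."""
    chain: List[Dict] = []
    events = [  # constructed sample messages, not real log data
        ("2024-05-01T10:00:01Z", "sshd: Accepted publickey for alice from 10.0.0.5"),
        ("2024-05-01T10:02:17Z", "sudo: alice : COMMAND=/bin/systemctl restart auditd"),
        ("2024-05-01T10:05:44Z", "sshd: Failed password for root from 203.0.113.9"),
        ("2024-05-01T10:05:46Z", "sshd: Accepted password for root from 203.0.113.9"),
    ]
    for ts, msg in events:
        append_record(chain, ts, msg)
    # Checkpoint (count, last MAC) as it would be copied to read-only media
    checkpoint = (len(chain), chain[-1]["mac"])

    results = {"intact": verify_chain(chain, checkpoint=checkpoint)}

    edited = copy.deepcopy(chain)  # intruder rewrites the successful root login as a failure
    edited[3]["msg"] = edited[3]["msg"].replace("Accepted", "Failed")
    results["edited"] = verify_chain(edited, checkpoint=checkpoint)

    deleted = copy.deepcopy(chain)  # intruder removes the failed-login record from the middle
    del deleted[2]
    results["deleted"] = verify_chain(deleted, checkpoint=checkpoint)

    truncated = chain[:3]  # intruder drops the newest record
    results["truncated_no_checkpoint"] = verify_chain(truncated)
    results["truncated_with_checkpoint"] = verify_chain(truncated, checkpoint=checkpoint)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:26s} ok={ok} ({reason})")
```

The truncation case is the one practitioners most often miss: a chain whose tail has been cut still verifies, which is why the count and last MAC must periodically leave the mutable store for read-only media or a separate host.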

Additionally, logging practices should be reviewed periodically by an independent party to ensure appropriate log management.

Logs are voluminous and challenging to read. They come from a variety of systems and can be difficult to manage and correlate. Security information and event management (SIEM) systems can provide a method for management to collect, aggregate, analyze, and correlate information from discrete systems and applications. Management can use SIEM systems to discern trends and identify potential information security incidents. SIEM systems can be used to gather information from the following:

  • Network and security devices and systems. These can include intrusion detection and prevention systems, data loss prevention (DLP) solutions, and firewalls.
  • Identity and access management applications.
  • Vulnerability management and policy compliance tools.
  • Operating system, database, and application logs.
  • Physical and environmental monitoring systems.
  • External threat data.

Regardless of the method of log management, management should develop processes to collect, aggregate, analyze, and correlate security information. Policies should define retention periods for security and operational logs. Institutions maintain event logs to understand an incident or cyber event after it occurs. Monitoring event logs for anomalies and correlating them with other sources of information broadens the institution's ability to understand trends, react to threats, and improve reporting to management and the board.
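The collect, aggregate, analyze and correlate steps described above are concrete enough to show end to end. The following is an added example written for this page, not code from the handbook or from any SIEM product. It normalizes two constructed feeds in different formats (syslog lines from sshd on two hosts and key=value lines from a perimeter firewall) into one event schema, then runs two correlation rules over the merged timeline: a burst of failed logins followed by a success from the same address, and a successful login from an address the firewall had recently denied. Syslog lines carry no year, so the parser assumes 2024; the hostnames, addresses and timestamps are constructed.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines for this example; not real logs.
SSHD_LINES = [
    "May  1 10:05:40 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50211 ssh2",
    "May  1 10:05:42 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 50212 ssh2",
    "May  1 10:05:44 web01 sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 50213 ssh2",
    "May  1 10:05:46 web01 sshd[2217]: Accepted password for root from 203.0.113.9 port 50214 ssh2",
    "May  1 10:07:01 db01 sshd[9102]: Accepted publickey for alice from 10.0.0.5 port 40102 ssh2",
    "May  1 10:09:13 web01 sshd[2250]: Failed password for bob from 10.0.0.7 port 40311 ssh2",
]
FW_LINES = [
    "2024-05-01T10:05:10Z fw01 action=deny src=203.0.113.9 dst=10.0.0.20 dport=3389",
    "2024-05-01T10:05:12Z fw01 action=deny src=203.0.113.9 dst=10.0.0.20 dport=445",
    "2024-05-01T10:05:30Z fw01 action=allow src=203.0.113.9 dst=10.0.0.20 dport=22",
    "2024-05-01T10:06:55Z fw01 action=allow src=10.0.0.5 dst=10.0.0.21 dport=22",
]

ASSUMED_YEAR = "2024"  # assumption: syslog timestamps omit the year

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.*)$")


def parse_sshd(line: str) -> Optional[Dict]:
    """Map one sshd syslog line onto the common event schema; None if it is not a login event."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(ASSUMED_YEAR + " " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    action = "login_ok" if m["result"] == "Accepted" else "login_fail"
    return {"ts": ts, "source": "sshd", "host": m["host"], "action": action,
            "user": m["user"], "ip": m["ip"]}


def parse_fw(line: str) -> Optional[Dict]:
    """Map one key=value firewall line onto the common event schema."""
    m = FW_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m["kv"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "source": "firewall", "host": m["host"], "action": "fw_" + kv["action"],
            "ip": kv["src"], "dport": int(kv["dport"])}


def normalize(sshd_lines: List[str], fw_lines: List[str]) -> List[Dict]:
    """Aggregate both feeds into one timeline ordered by timestamp."""
    events = [e for e in map(parse_sshd, sshd_lines) if e] + [e for e in map(parse_fw, fw_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: List[Dict], fail_threshold: int = 3,
              fail_window: timedelta = timedelta(minutes=5),
              deny_lookback: timedelta = timedelta(hours=1)) -> List[Dict]:
    """Evaluate each successful login against earlier events from the same address."""
    alerts = []
    for e in events:
        if e["action"] != "login_ok":
            continue
        earlier = [x for x in events if x["ip"] == e["ip"] and x["ts"] < e["ts"]]
        # Rule 1: brute force followed by success (counted across all hosts, not per host)
        fails = [x for x in earlier if x["action"] == "login_fail" and e["ts"] - x["ts"] <= fail_window]
        if len(fails) >= fail_threshold:
            alerts.append({"rule": "brute_force_then_success", "ip": e["ip"], "host": e["host"],
                           "user": e["user"], "failures": len(fails), "ts": e["ts"]})
        # Rule 2: the perimeter recently denied this address, yet it now holds a login
        denies = [x for x in earlier if x["action"] == "fw_deny" and e["ts"] - x["ts"] <= deny_lookback]
        if denies:
            alerts.append({"rule": "perimeter_deny_then_login", "ip": e["ip"], "host": e["host"],
                           "user": e["user"], "denied_ports": sorted({d["dport"] for d in denies}),
                           "ts": e["ts"]})
    return alerts


def run_demo() -> List[Dict]:
    return correlate(normalize(SSHD_LINES, FW_LINES))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Neither feed on its own tells the whole story: the firewall only saw scanning and one allowed connection, and sshd on web01 only saw a short burst of failures. Joining them on the source address in one timeline is what turns two low-severity observations into an incident worth escalating, and the same join is what the retention policy has to preserve long enough to reconstruct after the fact.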
