20 CIS Controls: Control 6 - Maintenance, Monitoring, and Analysis of Audit Logs

Today, I will be going over Control 6 from version 7 of the top 20 CIS Controls – Maintenance, Monitoring, and Analysis of Audit Logs. I will go through the eight requirements and offer my thoughts on what I’ve found.

Key Takeaways for Control 6

Logs are the lifeblood of security. I like to think of a cyber-attack like I think of any other physical attack. A bank robber is going to break a ton of laws and create a lot of noise while they are at the bank, but they are going to probably obey as many laws as possible why they are fleeing the scene. The same goes in the digital world. An attacker may create a ton of noise on an endpoint while leaving little trace on the network or vice-versa. You need to collect logs from as many systems as possible to get an accurate picture of what is going on.
Hardening guides are handy again. Both CIS and DISA hardening guides provide guidance on how to enable logging on endpoints as well as how to get it off to a centralized server. Follow these best practices and you’ll be OK.
Two important logging items. The first is outlined in the first control. Time needs to be constant among all logging devices. Coordinating it with UTC so you can track an event across the globe is essential. The second is how data is normalized. The tool needs to call a piece of metadata the same across all logs. You don’t want to have to search for ip, ipv4, ipv4, address, and source just to look for the same thing.
The six basic controls. CIS now states that there are six basic controls rather than the original five. Consider this your warning that logging is now a basic control.

Requirement Listing for Control 6

1. Utilize Three Synchronized Time Sources

Description: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

Notes: Don’t forget that the logs should also be normalized in time, such as UTC. An event happening at 8AM in London is not the same as an event happening at 8AM in San Francisco.

2. Activate Audit Logging

Description: Ensure that local logging has been enabled on all systems and networking devices.

Notes: This is called out in the AV control, but enable logging on critical applications as well.

3. Enable Detailed Logging

Description: Enable system logging to include detailed information such as an event source, date, user, timestamp, source address, destination addresses, and other useful elements.

Notes: This is not the same as enabling detailed logging in section 14.9. Here we want to make sure the metadata of the log is available so that the normalization engine in the centralized log server can correlate events across multiple systems. More metadata is better than less metadata.

4. Ensure Adequate Storage for Logs

Description: Ensure that all systems that store logs have adequate storage space for the logs generated.

Notes: This not only includes local storage on the endpoints but also storage in your centralized logging server. Compliance frameworks have varying lengths of time that data needs to be retained. As you enable more logging, it is going to cost more in terms of storage to keep it around longer.

5. Central Log Management

Description: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

Notes: I like the word “appropriate” in the description of this requirement. You probably don’t need every log that Windows can generate sent to your logging server. You can use log aggregators to filter out the disinteresting events and only send “valuable” events up to a more expensive logging server or SIEM.

6. Deploy SIEM or Log Analytic Tools

Description: Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.

Notes: This is a critical security control. The intelligence of your environment is going to be stored in your SIEM or Log Management tools. Without this, you are leaving your best detection mechanism on the sidelines.

7. Regularly Review Logs

Description: On a regular basis, review logs to identify anomalies or abnormal events.

Notes: The SIEM should be doing a lot of the heavy lifting for you here. The SIEM though is a force multiplier. Without anyone looking at the logs, you’re just multiplying by zero.

8. Regularly Tune SIEM

Description: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.

Notes: When first implementing a SIEM, this is going to be tough to do. You need a mature security organization to be able to tune your SIEM. I would rather see this requirement be moved to Control 19, where the incident response team can drive updates to the SIEM based on their findings.

See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.

The State of Security

News. Trends. Insights.

20 CIS Controls: Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs