Today, I will be going over Control 6 from version 7 of the top 20 CIS Controls – Maintenance, Monitoring, and Analysis of Audit Logs. I will go through the eight requirements and offer my thoughts on what I’ve found.
Key Takeaways for Control 6
- Logs are the lifeblood of security. I like to think of a cyber-attack like I think of any other physical attack. A bank robber is going to break a ton of laws and create a lot of noise while they are at the bank, but they are going to probably obey as many laws as possible why they are fleeing the scene. The same goes in the digital world. An attacker may create a ton of noise on an endpoint while leaving little trace on the network or vice-versa. You need to collect logs from as many systems as possible to get an accurate picture of what is going on.
- Hardening guides are handy again. Both CIS and DISA hardening guides provide guidance on how to enable logging on endpoints as well as how to get it off to a centralized server. Follow these best practices and you’ll be OK.
- Two important logging items. The first is outlined in the first control. Time needs to be constant among all logging devices. Coordinating it with UTC so you can track an event across the globe is essential. The second is how data is normalized. The tool needs to call a piece of metadata the same across all logs. You don’t want to have to search for ip, ipv4, ipv4, address, and source just to look for the same thing.
- The six basic controls. CIS now states that there are six basic controls rather than the original five. Consider this your warning that logging is now a basic control.
Requirement Listing for Control 6
1. Utilize Three Synchronized Time Sources
Description: Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
Notes: Don’t forget that the logs should also be normalized in time, such as UTC. An event happening at 8AM in London is not the same as an event happening at 8AM in San Francisco.
2. Activate Audit Logging
Description: Ensure that local logging has been enabled on all systems and networking devices.
Notes: This is called out in the AV control, but enable logging on critical applications as well.
3. Enable Detailed Logging
Description: Enable system logging to include detailed information such as an event source, date, user, timestamp, source address, destination addresses, and other useful elements.
Notes: This is not the same as enabling detailed logging in section 14.9. Here we want to make sure the metadata of the log is available so that the normalization engine in the centralized log server can correlate events across multiple systems. More metadata is better than less metadata.
4. Ensure Adequate Storage for Logs
Description: Ensure that all systems that store logs have adequate storage space for the logs generated.
Notes: This not only includes local storage on the endpoints but also storage in your centralized logging server. Compliance frameworks have varying lengths of time that data needs to be retained. As you enable more logging, it is going to cost more in terms of storage to keep it around longer.
5. Central Log Management
Description: Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
Notes: I like the word “appropriate” in the description of this requirement. You probably don’t need every log that Windows can generate sent to your logging server. You can use log aggregators to filter out the disinteresting events and only send “valuable” events up to a more expensive logging server or SIEM.
6. Deploy SIEM or Log Analytic Tools
Description: Deploy Security Information and Event Management (SIEM) or log analytic tool for log correlation and analysis.
Notes: This is a critical security control. The intelligence of your environment is going to be stored in your SIEM or Log Management tools. Without this, you are leaving your best detection mechanism on the sidelines.
7. Regularly Review Logs
Description: On a regular basis, review logs to identify anomalies or abnormal events.
Notes: The SIEM should be doing a lot of the heavy lifting for you here. The SIEM though is a force multiplier. Without anyone looking at the logs, you’re just multiplying by zero.
8. Regularly Tune SIEM
Description: On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
Notes: When first implementing a SIEM, this is going to be tough to do. You need a mature security organization to be able to tune your SIEM. I would rather see this requirement be moved to Control 19, where the incident response team can drive updates to the SIEM based on their findings.
See how simple and effective security controls can create a framework that helps you protect your organization and data from known cyber attack vectors by downloading this guide here.
Read more about the 20 CIS Controls here:
Control 20 – Penetration Tests and Red Team Exercises
Control 19 – Incident Response and Management
Control 18 – Application Software Security
Control 17 – Implement a Security Awareness and Training Program
Control 16 – Account Monitoring and Control
Control 15 – Wireless Access Control
Control 14 – Controlled Access Based on the Need to Know
Control 13 – Data Protection
Control 12 – Boundary Defense
Control 11 – Secure Configuration for Network Devices, such as Firewalls, Routers, and Switches
Control 10 – Data Recovery Capabilities
Control 9 – Limitation and Control of Network Ports, Protocols, and Services
Control 8 – Malware Defenses
Control 7 – Email and Web Browser Protections
Control 6 – Maintenance, Monitoring, and Analysis of Audit Logs
Control 5 – Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Control 4 – Controlled Use of Administrative Privileges
Control 3 – Continuous Vulnerability Management
Control 2 – Inventory and Control of Software Assets
Control 1 – Inventory and Control of Hardware Assets
You can also learn more about the CIS controls here.