It seems a day does not go by without hearing about a new breach. Most recently, Equifax experienced a massive compromise that affected nearly 150 million consumers. If you were one of those affected, the unfortunate aspect of this incident is that you are not the customer, but the product. Compromises do not happen by black magic. Attackers must have the time and patience to find and exploit a flaw to achieve their objective. Logging and monitoring are invaluable throughout the attack life cycle, as they help organizations scope the depth of an incident.
Without any visibility, there is little hope that you can detect a breach has even occurred in the first place.
To Log it All or Not to Log it All? That is the Question…
One option for logging is the “boil the ocean” approach, which is ill-advised at best. Logging everything to the most granular detail seems effective, but it is neither realistically attainable nor advisable: storage, licensing, and analyst time all grow with volume, and the few events that matter are buried in the noise. Nonetheless, this is a common approach in information security. What are better practices? Try selective logging with these four steps:
- Focus on what you are trying to protect. This is the first step in an efficient, cost-effective, prudent approach as it prioritizes what is most precious to the organization. This is also known as the Crown Jewels Analysis or a Risk Assessment Report.
- Once you establish priorities, look at your organization as an attacker might, and not just through a penetration test (pentest). Conduct a threat modeling session to examine:
- Who your adversaries are
- What their motives might be
- What the damage to the organization would be if they achieve their objectives
- What their likely targets will be.
Deeply analyze these answers, exhausting all possibilities.
- Look at your regulatory requirements. If your budget allows, working with third-party IT security advisors can be very beneficial to your team.
- Incorporate frameworks such as the NIST Cybersecurity Framework.
Each of these areas will be unique to your business, and there is no “one size fits all.”
Deciding on a Platform
Not all platforms are created equal, but that does not mean one is necessarily superior to another; choosing the “wrong” platform is unlikely as long as the choice fits your resources. With limited resources (both financial and personnel), managing a platform that requires constant maintenance or tuning is not a feasible option. Hybrid support models (for example, a managed service that handles the upkeep) can alleviate the burden, but these may go beyond the budget of smaller companies. Beyond the upkeep, the most important question to ask is how well the platform scales. Put another way, can this platform keep up with your business growth or expansion? Does it become budget-prohibitive after a certain threshold is met (many platforms are licensed by events per second or gigabytes ingested per day)? Does it allow monitoring of diverse hosts, networks, and cloud environments?
Empowering the Wizards
Finally, allowing your staff to choose what works for them, or what motivates them, can greatly benefit the organization’s current endeavors and future success. Nothing is more motivating than a tool that makes your employees’ work better. To keep its shine, empower the staff who will support the platform; this keeps interest up and establishes pride in the work performed. When negotiating for a platform, especially one new to the company, have an upfront discussion with the vendor about (hopefully included) training. Often, a free or limited-capability version of the platform is available for your team to build labs, get their hands dirty, and learn the intricacies of the system without experimenting in a production environment.
Unfortunately, the Equifax breach will not be the last major IT security incident. The losses faced by the company serve as a learning opportunity for other organizations. At a minimum, these events raise questions that might otherwise go unasked. When it comes to logging and monitoring, especially on a limited budget, prioritizing what is important is like boiling the pot of water you need instead of the ocean. Start small, prove and show value, and then expand from there. A platform is only as good as the support team behind it. Checking a compliance box should be the last reason for deploying a tool within an organization. Instead, it should be seen as an opportunity to catch the adversaries trying to put you out of business.
About the Author:
Matt Hosburgh is a passionate security practitioner, currently working as a Cyber Threat Hunter. He has over 14 years of experience in a variety of security disciplines, which includes experience supporting systems and networks for the Intelligence Community and as a Senior Security Analyst for United States Citizenship and Immigration Services (USCIS).
Matt holds a graduate degree from the SANS Technology Institute and maintains several GIAC certifications, including the GSE.