Why the auditor is asking this question:
Let us walk through an example of an attack on a system to understand why log data needs to be protected and why an auditor may ask this question.
We have just described a potential attack. At many points there may have been suspicious activity that could have been detected through adequate log monitoring with a SIEM solution, but what if there was no monitoring in place? Without protecting the integrity of the logs, there would be no verifiable evidence and potentially no way of even understanding how the compromise occurred or how it can be stopped in the future.
It is often very difficult, if possible at all, to verify the integrity of logs stored on the host system: the system itself may have been compromised and cannot be trusted.
A proven method of ensuring log integrity is to copy or send the logs to a log management and, preferably, a SIEM technology. Your SIEM and log management technology should be treated as a highly sensitive asset and needs appropriate logical and physical security to provide integrity and assurance for the logs collected. A properly deployed and mature technology will demonstrate in an audit that the log data is protected and forensically secure.
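As an added illustration (not from the original post or from AccelOps' product), here is one way a collector can make the log copy it receives tamper-evident, so that a later edit or deletion on the compromised host can be proven against the off-host copy. The key name and the sample log lines are constructed for the example.

```python
"""Tamper-evident log copy: each received line is chained to the previous
record's MAC, so editing or removing a stored record breaks the chain."""
import hashlib
import hmac

# Constructed sample: auth log lines as a host might forward them.
HOST_LOG = [
    "Jan 10 03:14:01 web01 sshd[2201]: Accepted password for admin from 10.0.0.9",
    "Jan 10 03:14:07 web01 sudo: admin : COMMAND=/bin/bash",
    "Jan 10 03:15:30 web01 useradd[2290]: new user: name=svc_backup",
]

# Assumption: this key lives only on the collector, never on the monitored host.
COLLECTOR_KEY = b"collector-secret-key"
GENESIS = "0" * 64  # anchor for the first record


def chain_entries(lines, key=COLLECTOR_KEY):
    """Store each line with the previous MAC and a MAC over prev+line."""
    records, prev = [], GENESIS
    for line in lines:
        mac = hmac.new(key, (prev + line).encode(), hashlib.sha256).hexdigest()
        records.append({"line": line, "prev": prev, "mac": mac})
        prev = mac
    return records


def verify_chain(records, key=COLLECTOR_KEY):
    """Return (True, None) if intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        expected = hmac.new(key, (prev + rec["line"]).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return False, i
        prev = rec["mac"]
    return True, None


def tampered_copy(records, index, new_line):
    """Simulate an after-the-fact edit of one stored line."""
    edited = [dict(r) for r in records]
    edited[index]["line"] = new_line
    return edited


def deleted_copy(records, index):
    """Simulate removal of one stored record."""
    return records[:index] + records[index + 1:]


if __name__ == "__main__":
    chain = chain_entries(HOST_LOG)
    print(verify_chain(chain))                                   # (True, None)
    print(verify_chain(tampered_copy(chain, 2, "benign line")))  # (False, 2)
    print(verify_chain(deleted_copy(chain, 1)))                  # (False, 1)
```

Removing only the newest record is not caught by the chain alone; the collector also has to keep the latest MAC (or a record count) in a separately protected place to detect tail truncation.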
Want to learn how AccelOps can help you protect your log information? Contact us; we’re here to help.