Executive Summary
This publication defines a baseline for event logging best practices to mitigate cyber threats. It was developed by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) in cooperation with the following international partners:
- United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI) and the National Security Agency (NSA).
- United Kingdom (UK) National Cyber Security Centre (NCSC-UK).
- Canadian Centre for Cyber Security (CCCS).
- New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ).
- Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC).
- The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea).
- Singapore Cyber Security Agency (CSA).
- The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).
Event logging supports the continued delivery of operations and improves the security and resilience of critical systems by enabling network visibility. This guidance makes recommendations that improve an organization’s resilience in the current cyber threat environment, with regard for resourcing constraints. The guidance is of moderate technical complexity and assumes a basic understanding of event logging.
An effective event logging solution aims to:
- Send alerts to the network defenders responsible for monitoring when cyber security events such as critical software configuration changes are made or new software solutions are deployed.
- Identify cyber security events that may indicate a cyber security incident, such as malicious actors employing living off the land (LOTL) techniques or lateral movement post-compromise.
- Support incident response by revealing the scope and extent of a compromise.
- Monitor account compliance with organizational policies.
- Reduce alert noise, saving on costs associated with storage and query time.
- Enable network defenders to make agile and informed decisions based on prioritization of alerts and analytics.
- Ensure logs and the logging platforms are useable and performant for analysts.[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: