US, Allies Release Guidance on Event Logging and Threat Detection


The US and its allies this week released joint guidance on how organizations can define a baseline for event logging.

Titled Best Practices for Event Logging and Threat Detection (PDF), the document focuses on event logging and threat detection, while also detailing living-off-the-land (LOTL) techniques that attackers use, highlighting the importance of security best practices for threat prevention.

The guidance was developed by government agencies in Australia, Canada, Japan, Korea, the Netherlands, New Zealand, Singapore, the UK, and the US and is meant for medium-size and large organizations.

“Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments,” the document reads.

Logging policies, the guidance notes, should cover the shared responsibilities between the organization and its service providers, which events need to be logged, the logging facilities to be used, how logs are monitored, how long they are retained, and when log collection should be reassessed.

The authoring organizations encourage organizations to capture high-quality cyber security events, meaning they should focus on what types of events are collected rather than their formatting.

“Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature,” the document reads.

Capturing a large volume of well-formatted logs can also prove invaluable, and organizations are advised to split the logged data between ‘hot’ storage, which keeps it readily available, and ‘cold’ storage, which uses more economical solutions.


Depending on the machines’ operating systems, organizations should focus on logging the use of LOLBins specific to the OS, such as utilities, commands, scripts, administrative tasks, PowerShell, API calls, logins, and other types of operations.

Event logs should contain details that would help defenders and responders, including accurate timestamps, event type, device identifiers, session IDs, autonomous system numbers, IPs, response time, headers, user IDs, commands executed, and a unique event identifier.

For operational technology (OT) environments, administrators should take into consideration the resource constraints of devices, use sensors to supplement their logging capabilities, and consider out-of-band log communications.

The authoring agencies also encourage organizations to consider a structured log format, such as JSON, to establish an accurate and trustworthy time source to be used across all systems, and to retain logs long enough to support cyber security incident investigations, considering that it may take up to 18 months to discover an incident.
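As an added example that is not part of the guidance or this article, the following Python check applies the field list and time-source advice above to constructed JSON event lines; the field names, the UTC requirement and the sample events are assumptions, not values taken from the document.

```python
import json
from datetime import datetime, timezone

# Fields the guidance lists as useful in an event log; the key names are assumed.
RECOMMENDED_FIELDS = (
    "timestamp", "event_type", "device_id", "session_id", "asn", "src_ip",
    "response_time_ms", "headers", "user_id", "command", "event_id",
)

def check_event(line, seen_ids):
    """Problems for one JSON line: bad JSON, missing fields, non-UTC time, reused id."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return ["not valid JSON"]
    problems = []
    missing = [f for f in RECOMMENDED_FIELDS if f not in ev]
    if missing:
        problems.append("missing fields: " + ", ".join(missing))
    ts = ev.get("timestamp")
    if isinstance(ts, str):
        try:
            # A trustworthy shared time source means an explicit UTC offset on every record.
            parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("timestamp has no timezone offset")
            elif parsed.utcoffset() != timezone.utc.utcoffset(None):
                problems.append("timestamp not expressed in UTC")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    eid = ev.get("event_id")
    if eid is not None:
        if eid in seen_ids:
            problems.append("duplicate event_id %s" % eid)
        seen_ids.add(eid)
    return problems

def check_batch(lines):
    """Map line index -> problems, tracking event_id uniqueness across the batch."""
    seen = set()
    return {i: check_event(line, seen) for i, line in enumerate(lines)}

# Constructed sample events (not real telemetry): complete; missing fields and
# timezone; non-UTC offset with a reused event_id; and a non-JSON syslog line.
_full = {f: "x" for f in RECOMMENDED_FIELDS}
SAMPLE_LINES = [
    json.dumps(dict(_full, timestamp="2024-08-22T10:15:30Z", event_id="e1")),
    json.dumps({"timestamp": "2024-08-22 12:15:30", "event_type": "process_start",
                "user_id": "bob", "command": "whoami", "event_id": "e2"}),
    json.dumps(dict(_full, timestamp="2024-08-22T14:15:30+02:00", event_id="e1")),
    "Aug 22 14:16:01 host sshd[123]: Accepted publickey for bob",
]
```

Running `check_batch(SAMPLE_LINES)` reports which records would hamper an investigation months later: the unparseable line, the record with no offset, and the reused identifier that breaks de-duplication across hot and cold storage.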

The guidance also includes details on log sources prioritization, on securely storing event logs, and recommends implementing user and entity behavior analytics capabilities for automated incident detection.
