Logging and auditing of your user and device activity provides important evidence of the events occurring on your network. It is important to collect and understand these events so you can normalize or baseline the activities of your organization’s compute environment. This is critical so that you can detect actions that are outside the normal operation window. Your network security auditing tools will contain key indicators of compromise, command and control communications, evidence of exfiltrated data, authentication and authorization events, and much more.
This post is part of our on-going review of CISA’s Targeted Cyber Intrusion Detection and Mitigation Strategies and how ConsoleWorks helps you enforce and go beyond those strategies.
What is an Audit Log
An audit log is an archived record of system activity, covering both system and application processes and user activity on those systems and applications. Audit logs can be collected and maintained from all components of the IT spectrum, but for the purpose of this discussion we are going to focus only on network logging.
By collecting the audit logs from network devices such as routers, switches and firewalls, an organization has a higher chance of detecting vulnerabilities or threats within the communication stream. How frequently the organization reviews its network devices’ audit logs determines the likelihood of being impacted by an undetected attack.
Additionally, collecting and storing these audit logs under a retention schedule deemed appropriate to the organization provides the opportunity to go back and review what occurred in the event of an intrusion, or to support a future forensic investigation.
In many cases, regulatory requirements such as NERC CIP, PCI-DSS and HIPAA mandate the retention and review of these audit logs. These regulations were imposed by their governing bodies because of the extremely important value audit logs provide. By retaining these logs, the organization not only meets compliance requirements but also improves its reliability.
Increasing Your Logging and Auditing Capabilities
Your network security auditing tools should log firewalls, proxies, DNS, IDS, packet captures, flow data from routers and switches, and host and application logs. These logs give you a picture of what is happening across your network and help you pick up on any signs of infiltration.
As an example of a specific audit log, we will focus on the logging of DNS (Domain Name System) lookups. Given the severity of recent cyber threats, logging domain name resolution activity has become very important.
The Cybersecurity and Infrastructure Security Agency (CISA) says this about DNS threats and logging for detection: “most malware uses domain name-based C2 servers, it is essential for network defenders to have full awareness of DNS requests throughout the enterprise. ICS-CERT recommends that organizations deploy host level granularity in DNS logging to give network administrators the ability to identify which internal host (by hostname or IP address) originated a specific DNS request and to identify hosts that have connected to malicious domains.” This will help you identify one of the best indicators of a compromise.
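As an added example (not from the original post and not ConsoleWorks code), the following Python parses a constructed resolver query log that records the originating client, and answers the two questions CISA raises above: which internal host originated a given DNS request, and which hosts looked up domains on a blocklist. The log format, client IPs and blocklisted domains are all constructed placeholders, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict

# Constructed sample of a resolver query log that records the originating
# client (host-level granularity). The line format is an assumption.
SAMPLE_DNS_LOG = """\
2024-03-01T10:15:02Z client=10.1.4.22 query=www.example.com type=A
2024-03-01T10:15:03Z client=10.1.4.22 query=update.bad-c2.test type=A
2024-03-01T10:15:09Z client=10.1.7.8 query=mail.example.com type=MX
2024-03-01T10:16:41Z client=10.1.9.5 query=update.bad-c2.test type=A
2024-03-01T10:17:00Z client=10.1.4.22 query=beacon.bad-c2.test type=TXT
this line is malformed and should be skipped
"""

# Constructed blocklist of known-malicious domains (placeholders, not real IoCs).
MALICIOUS_DOMAINS = {"update.bad-c2.test", "beacon.bad-c2.test"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\d+\.\d+\.\d+\.\d+) "
    r"query=(?P<qname>\S+) type=(?P<qtype>\S+)$"
)

def parse_dns_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def hosts_by_malicious_domain(records, blocklist):
    """Map each blocklisted domain seen to the internal hosts that asked for it."""
    hits = defaultdict(set)
    for r in records:
        qname = r["qname"].rstrip(".").lower()   # normalize trailing dot / case
        if qname in blocklist:
            hits[qname].add(r["client"])
    return {domain: sorted(clients) for domain, clients in hits.items()}

def first_contact(records, blocklist):
    """Earliest timestamp per host of any blocklisted lookup (start of dwell time)."""
    first = {}
    for r in records:  # log assumed chronological, so the first hit is the earliest
        if r["qname"].rstrip(".").lower() in blocklist:
            first.setdefault(r["client"], r["ts"])
    return first
```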
It’s important that you retain these logs for at least a year. Your most sophisticated threats may infiltrate and then maintain their presence within your network for some time. You will want the forensic trail from your logging and auditing to help you track what happened and when.
Network Security Auditing Tools for a Strong Defense
Your network auditing tool needs a few important features in order to adequately protect you:
- It needs to capture system events and logs and keep or correlate them in a record for retention
- It needs to be able to establish an endpoint’s normalized event behavior, known as a baseline, and alert you when activities occur or change outside that baseline
- It needs to detect when a file’s hash has changed. Changes to MD5 hashes are a key indicator that a bad actor is present
- It needs a common clock to accurately construct a coherent forensic story across your network of what happened when
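An added example, not code from this post or from ConsoleWorks, of the baseline and hash-change checks in the list above: it hashes every file under a directory to build a baseline, then reports what was added, removed or modified on a later pass. It uses SHA-256 rather than the MD5 mentioned above (an assumption for this example), and the directory contents are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def hash_file(path, algo="sha256"):
    """Stream the file through the hash so large files are not read into memory.
    SHA-256 is used instead of MD5 here (assumption for this example)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root):
    """Map relative path -> digest for every regular file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }

def compare_baseline(baseline, current):
    """Report what changed since the baseline: new, missing and modified files."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: take a baseline, then alter one config and drop a new file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "switch.conf").write_text("hostname core-sw1\n")
        (root / "etc" / "acl.conf").write_text("deny any any\n")
        baseline = build_baseline(root)
        # Simulate an unreviewed change and an unexpected new file appearing later
        (root / "etc" / "acl.conf").write_text("permit any any\n")
        (root / "etc" / "unexpected.bin").write_bytes(b"constructed content")
        return compare_baseline(baseline, build_baseline(root))
```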
ConsoleWorks is purpose-built for these types of controls. ConsoleWorks collects all your IIoT, OT and IT device events through a native connection, gathering the raw log and storing it in individual repositories, where it can then be normalized and acted upon. It also retains all interactive remote access and key authentication and authorization events that have occurred at each endpoint.
Using ConsoleWorks’ ability to collect logs, retain them and provide automated alerting, an organization both meets its compliance requirements, such as NERC CIP-007 Requirement 4, and establishes a good detective measure. It also has at its disposal the key forensic data needed to construct a moment-by-moment picture of the “crime scene.”
ConsoleWorks not only provides a detective control but also gives the organization the ability to implement preventative measures based on identified events and established thresholds. With its Role-Based Access, security profiling and conditional access based on risk scoring, ConsoleWorks can use the captured logs to determine which predetermined preventative measures to take.
Some of these actions include locking a user out of a remote interactive access session based on unauthorized command usage, or providing a workflow for Privileged Identity Management (PIM). It can also be set up to control which activities the user can perform once these thresholds are reached.
One of the challenges with other log aggregation systems and network security auditing software is that they use the timestamps from the asset itself and only monitor what is happening on the asset. This is not ideal: it results in muddy data and an incomplete forensic story in your audit log. While the asset may have a clock, these clocks are prone to drift. A drifting clock results in hazy data, leaving you struggling to determine which alert or alarm happened first and how it occurred. Here we begin to see how the fidelity of logging from these point solutions lacks clarity, as they simply look at traffic on the wire. These data aggregation or network security auditing tools merely see the results of what an actor has done.
With ConsoleWorks tracking not only your assets but also your people, your forensic data now tells a story of what happened first and by whom. ConsoleWorks adds metadata from its own common clock to sort this information accurately beyond the millisecond. ConsoleWorks also verifies your baselines regularly. If an endpoint’s configuration has changed in any way, you not only have the records of the changes happening, but also which user accessed and changed the configuration.
Beyond Network Security Auditing
These features combined give you control over your users, insight into what they are doing on your network and how your endpoints are being affected, and a way to catch any endpoint configurations that have changed from their baselines.
If you want to learn more about how ConsoleWorks can help with your auditing, logging and baseline configuration management challenges, you can start the conversation with us here.