If there is one inescapable fact that all organizations need to face in the changed, post-pandemic circumstances, it is this: putting in place a robust cyber defense system to protect their information assets is no longer an option but an imperative. And that can be very daunting.
For one, there is no dearth of information, tools, and technologies telling cybersecurity professionals how to secure their information assets and infrastructure.
Then there are myriad security requirements, standards, risk management frameworks, compliance regimes, and regulatory mandates that need to be met.
This whole process can be overwhelming and can lead to imminent threats being overlooked. The best way to avoid such a situation is to start with CIS logs, which fall under Control 8 of the CIS Critical Security Controls version 8.
CIS logs, that is, logs as defined by the Center for Internet Security, are about collecting, reviewing, alerting on, and retaining audit logs of cyber events, so that a potential cyber attack can be detected, understood, and recovered from.
However, before we learn more about CIS logs, it is important to understand the structure and implementation of the CIS Controls, which are referenced throughout the CIS Benchmarks. (Don’t want to learn about the CIS Benchmarks and CIS Controls structure yet? Skip to CIS logs.)
CIS Benchmarks are frameworks that provide a set of configuration standards and best practices to ensure the highest standards of cybersecurity to protect the digital assets of an organization.
Over 100 such benchmarks are available to heighten the cybersecurity of your organization.
CIS Benchmarks are used to meet the security and compliance needs of your organization. Depending on those needs, each recommendation in the CIS Benchmarks can be assigned one of 2 profiles:
Each CIS Benchmark builds on the CIS Controls, which are referenced throughout the benchmarks.
This brings us to our next question.
CIS Controls are a set of clear and focused actions that organizations can take to strengthen their cybersecurity. They are a separate CIS program; however, they are referenced throughout the CIS Benchmarks.
CIS Benchmarks focus on the cybersecurity of a specific system or product, whereas the CIS Controls are applied across the entire IT environment.
CIS Controls version 8 provides 18 controls, which can be grouped into 3 categories:
| Basic CIS Controls | Foundational CIS Controls | Organizational CIS Controls |
|---|---|---|
| General-purpose security controls that every organization must implement to establish fundamental cyber readiness. | Security controls that focus on technical best practices to target more specific threats. | Controls focused on people and processes. They provide long-term security maturity and must be adopted by organizations internally. |
The CIS Controls can also be prioritized into Implementation Groups (IGs) based on an organization’s risk profile and available resources.
There are 3 such IGs. Organizations must self-assess, decide which IG they belong to, and implement the corresponding sub-controls.
| Implementation Group 1 (IG1) | Implementation Group 2 (IG2) | Implementation Group 3 (IG3) |
|---|---|---|
| Organizations with limited resources and low data sensitivity need to implement the sub-controls under this IG. | Organizations with moderate resources and more sensitive data to handle fall under this group. These organizations must implement both IG1 and IG2. | Bigger organizations with significant resources and high-risk exposure for critical data and assets. They must implement IG3 along with IG2 and IG1. |
There are 18 CIS Controls, and discussing all of them is beyond the scope of this article. We will discuss each control in detail in another post.
In this post, we primarily focus on CIS Control 8, which covers CIS logs, and that is probably what you are here for.
Let’s get this clear: log collection and analysis are critically important for detecting a potential malicious attack quickly and responding to it.
Often, the audit records are the only evidence that there has been an attack. And attackers know that organizations mostly use audit log management for compliance purposes only.
Logging records help you detect a potential threat, or determine whether an attack has happened and, if so, when and how it happened, the extent of the attack, what information was accessed, and whether any data was exfiltrated.
CIS logs play a critical role in safeguarding the security of your organization, yet they are often overlooked.
Prioritization is the core of the CIS Security Controls. Although which CIS Controls get implemented depends on an organization’s cyber threat profile, CIS Control 8 is extremely important if you want to detect and analyze cyber-attacks.
CIS Security Control 8 provides guidance on putting in place a comprehensive Audit Log Management system.
It recommends 12 safeguards (very specific actions) that tell you how to establish an audit log management system, how to collect audit logs, how to store them securely, and how to review them.
The 12 safeguards of CIS Security Control 8 are:
Based on your organization’s logging requirements, you might want to establish and maintain an audit log management process.
The process involves:
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | IG1, IG2, IG3 |
Any dependencies to execute this process?
You want to make sure that logging has been enabled across the organization’s assets. Collecting audit logs matters, and every vulnerable part of your organization needs to be monitored and logged.
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Detect | IG1, IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
It’s a nightmare for any organization to believe that malicious activity on its assets is being logged, only to find that, due to insufficient storage, the data was never written and there is no way to know what happened (until sufficient damage is done) or how it happened. Scary!
Hence, ensure that the logging destinations have adequate storage to comply with the organization’s audit log management process.
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | IG1, IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
Detailed audit logging must be configured for the enterprise assets that contain sensitive information.
To help with forensic investigation, detailed audit logging could include, but is not limited to:
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Detect | IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
Organizations are vulnerable to network attacks. Digging deeper into DNS query logs can give valuable insight into such attacks. You should collect DNS query audit logs for your enterprise assets.
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Detect | IG2, IG3 |
Any dependencies to execute this process?
Collecting URL request audit logs can help you find the source of an intrusion, if any.
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Detect | IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
Command-line access in the wrong hands can be fatal: it gives attackers a great deal of control over your enterprise assets. Command-line audit logs give you a heads-up about such a possible intrusion.
To implement this safeguard, collect audit logs from PowerShell®, BASH™, and other remote administrative terminals.
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Devices | Detect | IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
Centralize audit log collection and retention across enterprise assets, to the extent possible.
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Detect | IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
Retain audit logs across enterprise assets for a minimum of 3 months.
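To make the storage failure scenario described earlier and the 3-month retention floor checkable, here is an added example (not from the original post or from CIS) that walks per-asset log timestamps, reports assets short of 90 days of retention, and finds holes where logging silently stopped; the asset names, timestamps and 6-hour gap tolerance are constructed assumptions.

```python
from datetime import datetime, timedelta

MIN_RETENTION = timedelta(days=90)   # the 3-month floor from the retention safeguard
MAX_GAP = timedelta(hours=6)         # assumed: every asset normally writes at least one event per 6 h

def check_coverage(stamps_by_asset, now, min_retention=MIN_RETENTION, max_gap=MAX_GAP):
    """stamps_by_asset maps asset name -> datetimes of the retained log entries for that asset.
    Returns {asset: [issue, ...]}; an empty list means the asset meets retention with no gaps."""
    report = {}
    for asset, stamps in stamps_by_asset.items():
        if not stamps:
            report[asset] = ["no retained logs"]
            continue
        stamps = sorted(stamps)
        issues = []
        if now - stamps[0] < min_retention:
            issues.append(f"retention {(now - stamps[0]).days}d < {min_retention.days}d")
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:   # logging stopped and resumed: storage full, agent down...
                issues.append(f"gap {earlier:%Y-%m-%d %H:%M} -> {later:%Y-%m-%d %H:%M}")
        if now - stamps[-1] > max_gap:      # logging stopped and never resumed
            issues.append(f"silent since {stamps[-1]:%Y-%m-%d %H:%M}")
        report[asset] = issues
    return report

def hourly(start, end):
    """Constructed helper: one timestamp per hour from start to end inclusive."""
    out, t = [], start
    while t <= end:
        out.append(t)
        t += timedelta(hours=1)
    return out

# Constructed inventory (not real data): fw01 is healthy, ws07 keeps only 30 days,
# db02 has a two-day hole 40 days ago, ws09 stopped logging 3 days ago.
NOW = datetime(2024, 6, 1, 12, 0)
SAMPLE = {
    "fw01": hourly(NOW - timedelta(days=100), NOW),
    "ws07": hourly(NOW - timedelta(days=30), NOW),
    "db02": hourly(NOW - timedelta(days=100), NOW - timedelta(days=40))
            + hourly(NOW - timedelta(days=38), NOW),
    "ws09": hourly(NOW - timedelta(days=100), NOW - timedelta(days=3)),
}
```

Running `check_coverage(SAMPLE, NOW)` on the constructed inventory reports one distinct problem per unhealthy asset and nothing for fw01.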
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Protect | IG2, IG3 |
Any dependencies to execute this process?
Dependent upon:
Conducting reviews of audit logs helps detect anomalies or abnormal events that could indicate a potential cyber threat. Conduct reviews as frequently as possible.
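As an added example (not from the original post or from CIS) of what a review of the DNS query and command-line audit logs from the earlier safeguards can look for, the Python below flags a client resolving an unusual number of distinct names under one parent domain (a common sign of data leaving over DNS) and decodes PowerShell encoded commands so a reviewer sees what actually ran; the log format, hosts, addresses and thresholds are constructed assumptions.

```python
import base64
from collections import defaultdict
# Constructed sample log (not real telemetry). Assumed formats: "<ts> DNS <client> <name>"
# and "<ts> CMD <host> <user> <command line>"; the encoded argument is a harmless cmdlet.
_ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_LOG = (
    "2024-05-01T09:00:01Z DNS 10.0.0.5 www.example.com\n2024-05-01T09:00:02Z DNS 10.0.0.5 mail.example.com\n"
    + "".join(f"2024-05-01T09:01:{i:02d}Z DNS 10.0.0.7 {i:08x}.tunnel.example.net\n" for i in range(12))
    + "2024-05-01T09:05:00Z CMD ws01 alice powershell.exe -EncodedCommand " + _ENCODED + "\n"
    + "2024-05-01T09:06:00Z CMD ws02 bob bash -c 'ls -la /var/log'\n"
)

def parse(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the review."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        ts, kind, rest = parts
        if kind == "DNS" and " " in rest:
            client, _, qname = rest.partition(" ")
            events.append({"ts": ts, "kind": kind, "client": client, "qname": qname})
        elif kind == "CMD" and rest.count(" ") >= 2:
            host, user, cmdline = rest.split(" ", 2)
            events.append({"ts": ts, "kind": kind, "host": host, "user": user, "cmdline": cmdline})
    return events

def review_dns(events, max_names=10):
    """Flag a client resolving >= max_names distinct names under one parent (last two labels: a simplification)."""
    seen = defaultdict(set)
    for e in events:
        if e["kind"] == "DNS":
            seen[(e["client"], ".".join(e["qname"].split(".")[-2:]))].add(e["qname"])
    return [(c, p, len(n)) for (c, p), n in seen.items() if len(n) >= max_names]

def review_cmdlines(events):
    """Flag encoded PowerShell (any unique prefix of -EncodedCommand) and decode its UTF-16LE base64 argument."""
    findings = []
    for e in events:
        tokens = e["cmdline"].split() if e["kind"] == "CMD" else []
        for i, tok in enumerate(tokens[:-1]):
            if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
                try:
                    decoded = base64.b64decode(tokens[i + 1]).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    decoded = "<undecodable>"
                findings.append((e["host"], e["user"], decoded))
    return findings
```

On the constructed sample, `review_dns(parse(SAMPLE_LOG))` singles out 10.0.0.7 for 12 distinct names under example.net, and `review_cmdlines` reports ws01 with the decoded command text.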
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Network | Detect | IG2, IG3 |
Any dependencies to execute this process?
Collect service provider logs, where supported. Example implementations are:
| Asset Type it impacts | Security Function | Implementation Groups |
|---|---|---|
| Data | Detect | IG3 |
Any dependencies to execute this process?
Dependent upon:
Building a sound cyber defense can be very challenging for organizations. It is even more challenging to have a system in place to monitor and analyze online activities.
This demands proper log implementation and analysis for any potential cyber threats. The CIS logs from CIS Security Control 8 are the answer.
However, due to a lack of cyber knowledge, small budgets, and limited human resources, a lot of organizations shy away from implementing the CIS Controls.
The good news is that with Cyvatar’s CSaaS subscription (fixed monthly price) model, cybersecurity is always affordable for SMBs and SMEs.
A quote by Wes Whitteker (author of Leading Effective Cybersecurity with Critical Security Controls) will help set you on the right path.
We can help you find the right solution for your cybersecurity problems. Talk to our cyber experts now.