CIS Control 08: Management of audit logs
Audit logs provide a rich source of essential data to prevent, detect, understand and minimize the impact of network or data compromise in a timely manner. Collection logs and regular review are useful for identifying baselines, establishing operational trends and detecting anomalies. In some cases, logging may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection, storage and standardization to better coordinate audit log reviews. Some industries have regulatory bodies that require the collection, retention and review of logs, so CIS Control 8 is not only important but in some cases also mandatory.
The Control is made up of twelve safeguards, mostly category IG2, with Protect Where Detect security features that all organizations with corporate assets should implement. Audit logs should capture detailed information about (1) the event that occurred, (2) the system on which the event occurred, (3) the time the event occurred ‘is produced and (4) which caused the event. Alerts should be set for suspicious or major events such as when users attempt to access resources without the proper privileges or the execution of binaries that should not exist on a system.
Audit logs are also a target for attackers looking to cover their tracks. Thus, audit logging should be configured to enforce access control and limit the users who can modify or delete log data.
CIS Benchmarks, available for many product families, are best practice security configuration guides that are mapped to commands and walk you step-by-step through configuration remediation.
Key takeaways for Control 8
At a minimum, an audit log management plan should implement processes to:
- Ensure that detailed and time-synchronized audit logs are collected on company assets.
- Make sure the logs are stored in a centralized location and retained for at least 90 days.
- Make sure that audit log reviews are performed on a weekly basis or more often to establish baselines and detect potential threats.
Safeguards for control 8
1. Establish and maintain an audit log management process
The description: Establish and maintain an audit log management process that defines business logging requirements. At a minimum, deal with collecting, reviewing, and maintaining logs for company assets. Review and update documentation annually or when significant changes within the business could impact this backup.
Remarks: This IG1 backup aims to protect company assets by ensuring that audit logs are collected, reviewed and retained in a systematic and repeatable manner. Audit logs should be complete and accurate. It may be necessary to schedule event simulations to verify that the desired logs are being generated. Tools may be needed to ingest and search logs. Log data may need to be normalized to enable fast and efficient analysis.
2. Collect audit logs
The description: Collect audit logs. Make sure that journaling, according to the process for managing company logs, has been enabled on company assets.
Remarks: This IG1 backup aims to support the detection of threats against company assets. This is basic cyber hygiene that should be implemented by all businesses.
3. Ensure adequate storage of audit logs
The description: Make sure that the logging destinations maintain adequate storage to comply with the process for managing corporate audit logs.
Remarks: This IG1 backup supports protection company assets and historical log retention, ensuring that any logging or compliance audit requirements are met.
4. Standardize time synchronization
The description: Standardize time synchronization. Configure at least two time sources synchronized across corporate assets, when supported.
Remarks: This IG2 backup supports correlation of log data by synchronizing timestamps.
5. Collect detailed audit logs
The description: Configure detailed audit logging for corporate assets that contain sensitive data. Even include the source, date, username, timestamp, source addresses, destination addresses, and other useful things that might help with a forensic investigation.
Remarks: This IG2 safeguard aims to support detection anomalies and data compromise by ensuring that detailed logs are collected, allowing us to reconstruct what happened during an event and establish the extent of assets affected.
6. Collect DNS query audit logs
The description: Collect DNS query audit logs on enterprise assets, if applicable and supported.
Remarks: DNS query logs can help locate misconfigured hosts or signs and the source of an intrusion or attack.
7. Collect audit logs of URL requests
The description: Collect audit logs of URL requests on enterprise assets, if applicable and supported.
Remarks: This IG2 Safeguard aims to detect Threats and abnormal events related to URL requests.
8. Collect command line audit logs
The description: Collect command line audit logs. Sample implementations include collecting logs from PowerShell, BASH, and remote administrative terminals.
Remarks: This IG2 Safeguard aims to detect unusual or threatening behavior at control consoles. Attackers can use a common set of commands ranging from reconnaissance to exfiltration or impact.
9. Centralize audit logs
The description: Centralize, where possible, the collection and retention of audit logs across all company assets.
Remarks: This IG2 backup aims to support other control safeguards within organizations that have increased operational complexity. Centralizing audit logs will simplify collection, retention and review. Tools exist to ingest, normalize, and analyze logs for effective research and analysis.
ten. Keep audit logs
The description: Keep audit logs on company assets for at least 90 days.
Remarks: This IG2 Safeguard aims to protect business assets by requiring that real-time log data be retained for a period of time to meet audit or compliance needs.
11. Perform audit log reviews
The description: Perform reviews of audit logs for detect anomalies or abnormal events that could indicate a potential threat. Perform exams on a weekly basis or more frequently.
Remarks: It is not enough to collect audit logs. This IG2 backup aims to detect unusual behavior by periodically reviewing the logs.
12. Collect logs from service providers
The description: Collect logs from service providers where they are supported. Example implementations include collecting authentication and authorization events, data creation and deletion events, and user management events.
Remarks: This IG3 backup supports detection threats and abnormal events relating to service providers.
Find out how simple and effective security controls can create a framework that helps you protect your organization and your data against known cyber attack vectors by downloading the CIS Controls Guide here.
Learn more about the 18 CIS controls here:
CIS Control 1: Inventory and control of company assets
CIS Control 2: Inventory and control of software assets
CIS 3 check: Data protection
CIS Control 4: Secure configuration of company assets and software
CIS 5 control: Account management
CIS Control 6: Access control management
CIS Control 7: Continuous vulnerability management
CIS Control 08: Management of audit logs