By Bill Minahan | February 5, 2021
CIS Control 6 focuses on collecting, managing, and analyzing audit logs of events that can help your team detect, understand, and recover from an attack.
The CIS Controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 critical controls in total, prioritized so that your organization takes the most essential actions first and gets the highest pay-off from its effort.
Specifically, this control focuses on establishing, implementing, and then actively managing the process by which your logs are monitored and analyzed.
The CIS Controls are based on actionable guidance derived from today’s biggest threats, formed by the consensus of the world’s leading experts across a variety of sectors.
CIS Control 6 is critical because deficiencies in security logging and analysis can allow attackers to hide their location, malicious software, and activities on victims’ machines. The longer an attacker is on your device undetected, the more damage they are capable of wreaking. Furthermore, even if the victims are aware of an attacker on their system, without protected and complete logging records you can be blind to the details of the attack.
Without solid audit logs, an attack may go unnoticed indefinitely and the damages done may be irreversible.
In some cases, logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes. However, attackers rely on the fact that such organizations rarely examine their audit logs and therefore do not know that their systems have been compromised.
In short, if log analysis processes are poor or nonexistent, attackers can sometimes control victim machines for months or years without anyone in the organization realizing it. Although there is evidence of the attack, often the only records are in unexamined log files.
Therefore, it is important to establish, implement, and manage the processes your team has for monitoring security logs.
| Sub-Control | Asset Type | Security Function | Control Title | Control Description |
|---|---|---|---|---|
| 6.1 | Network | Detect | Utilize Three Synchronized Time Sources | Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent. |
| 6.2 | Network | Detect | Activate Audit Logging | Ensure that local logging has been enabled on all systems and networking devices. |
| 6.3 | Network | Detect | Enable Detailed Logging | Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements. |
| 6.4 | Network | Detect | Ensure Adequate Storage for Logs | Ensure that all systems that store logs have adequate storage space for the logs generated. |
| 6.5 | Network | Detect | Central Log Management | Ensure that appropriate logs are being aggregated to a central log management system for analysis and review. |
| 6.6 | Network | Detect | Deploy SIEM or Log Analytic Tools | Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis. |
| 6.7 | Network | Detect | Regularly Review Logs | On a regular basis, review logs to identify anomalies or abnormal events. |
| 6.8 | Network | Detect | Regularly Tune SIEM | On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise. |
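To make several of these sub-controls concrete, here is an added example (not code from CIS or aNetworks) of a small review pass over centrally collected, syslog-style lines. The sample lines, host names, addresses, the `recv=` arrival-time field, the `NOISE_RULES` tuple and the failure threshold are all constructed for illustration. It exercises 6.1 (flag hosts whose own timestamps drift from the collector's clock), 6.3 (parse the detailed fields the control lists), 6.7 (spot a run of failed logins followed by a success from one source) and 6.8 (suppress a tuned-out noisy event before review).

```python
"""Added example (not from CIS or aNetworks): a review pass over syslog-style
lines that exercises sub-controls 6.1, 6.3, 6.7 and 6.8. Host names,
addresses, thresholds and the line format are assumptions for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Each line carries the collector's arrival time (recv=),
# then the originating host's own timestamp and the fields 6.3 calls for:
# source host, program, event, user, source and destination address.
SAMPLE_LOG = """\
recv=2021-02-05T10:00:02+00:00 2021-02-05T10:00:01+00:00 web01 sshd auth_fail user=alice src=203.0.113.5 dst=10.0.0.8
recv=2021-02-05T10:00:04+00:00 2021-02-05T10:00:03+00:00 web01 sshd auth_fail user=alice src=203.0.113.5 dst=10.0.0.8
recv=2021-02-05T10:00:05+00:00 2021-02-05T10:00:04+00:00 web01 sshd auth_fail user=root src=203.0.113.5 dst=10.0.0.8
recv=2021-02-05T10:00:07+00:00 2021-02-05T10:00:06+00:00 web01 sshd auth_fail user=admin src=203.0.113.5 dst=10.0.0.8
recv=2021-02-05T10:00:08+00:00 2021-02-05T10:00:07+00:00 web01 sshd auth_fail user=bob src=203.0.113.5 dst=10.0.0.8
recv=2021-02-05T10:00:10+00:00 2021-02-05T10:00:09+00:00 web01 sshd auth_ok user=bob src=203.0.113.5 dst=10.0.0.8
recv=2021-02-05T10:00:11+00:00 2021-02-05T10:00:10+00:00 web01 cron job_run user=root src=- dst=-
recv=2021-02-05T10:00:11+00:00 2021-02-05T10:00:10+00:00 web01 cron job_run user=root src=- dst=-
recv=2021-02-05T10:00:12+00:00 2021-02-05T09:43:12+00:00 db02 sshd auth_ok user=carol src=10.0.0.20 dst=10.0.0.9
"""

LINE_RE = re.compile(
    r"^recv=(?P<recv>\S+) (?P<ts>\S+) (?P<host>\S+) (?P<prog>\S+) (?P<event>\S+)"
    r" user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$"
)

# 6.8: (program, event) pairs the reviewer has tuned out as routine noise
# (an assumed rule for this example).
NOISE_RULES = {("cron", "job_run")}


def parse_line(line):
    """6.3: parse one detailed line into a dict; None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["recv"] = datetime.fromisoformat(ev["recv"])
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def check_clock_skew(events, tolerance=timedelta(seconds=30)):
    """6.1: hosts whose own timestamps drift from the collector's arrival time."""
    worst = defaultdict(lambda: timedelta(0))
    for ev in events:
        worst[ev["host"]] = max(worst[ev["host"]], abs(ev["recv"] - ev["ts"]))
    return sorted(host for host, skew in worst.items() if skew > tolerance)


def suppress_noise(events, rules=NOISE_RULES):
    """6.8: drop events matching tuned-out (program, event) pairs."""
    return [ev for ev in events if (ev["prog"], ev["event"]) not in rules]


def find_auth_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """6.7: a successful login preceded by at least `threshold` failures
    from the same source address within `window`."""
    findings = []
    fails = defaultdict(list)  # src address -> timestamps of auth_fail events
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["prog"] != "sshd":
            continue
        if ev["event"] == "auth_fail":
            fails[ev["src"]].append(ev["ts"])
        elif ev["event"] == "auth_ok":
            recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src": ev["src"], "host": ev["host"],
                                 "user": ev["user"], "failures": len(recent)})
            fails[ev["src"]].clear()
    return findings


def review(text):
    """Run the whole pass and return a summary a reviewer would act on."""
    events = parse_log(text)
    kept = suppress_noise(events)
    return {
        "parsed": len(events),
        "after_tuning": len(kept),
        "skewed_hosts": check_clock_skew(events),
        "findings": find_auth_bruteforce(kept),
    }


if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

On the sample data the pass reports `db02` as out of step with the collector (its own clock is 17 minutes behind, which is exactly the kind of inconsistency 6.1's synchronized time sources are meant to prevent), drops the two routine cron entries under the tuning rule, and raises one finding for `203.0.113.5`: five failed logins followed by a success as `bob`. The skew check runs over the unfiltered events on purpose, so that tuning out noise never hides a clock problem.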
If your team is struggling to implement CIS Control 6 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation.
If you are interested in learning more about CIS Controls, view our comprehensive list here.
If you are interested, please contact us below.
If you are looking for more resources, please check out our resource center.
Finally, you can always find us on Twitter, LinkedIn, and Facebook.