CIS Control 6: Maintenance, Monitoring, and Analysis of Audit Logs


By Bill Minahan   |   February 5, 2021   |   1 Comment

What is CIS Control 6?

CIS Control 6 focuses on collecting, managing, and analyzing audit logs of events that can help your team detect, understand, and recover from an attack.

The CIS controls are a set of actions that protect your organization from the most pervasive cyber attacks. There are 20 total critical controls that prioritize the most essential actions your organization can take in order to gain the highest pay-off results.

Specifically, this control focuses on establishing, implementing, and then actively managing the process by which your logs are monitored and analyzed.

Why is this CIS Control Critical?

The CIS Controls are based on actionable guidance from today’s biggest threats, formed by the consensus of the world’s leading experts across a variety of sectors.

CIS Control 6 is critical because deficiencies in security logging and analysis allow attackers to hide their location, malicious software, and activities on victims’ machines. The longer an attacker remains on a device undetected, the more damage they can do. Furthermore, even if victims are aware of an attacker on their system, without protected and complete logging records they can be blind to the details of the attack.

Without solid audit logs, an attack may go unnoticed indefinitely and the damages done may be irreversible.

In some cases, logging records are the only evidence of a successful attack. Many organizations keep audit records for compliance purposes. However, attackers rely on the fact that such organizations rarely examine those logs and therefore do not know that their systems have been compromised.

In short, if log analysis processes are poor or nonexistent, attackers can sometimes control victim machines for months or years without anyone in the organization realizing it. Although evidence of the attack exists, often the only records are in unexamined log files.

Therefore, it is important to establish, implement, and manage the processes your team has for monitoring security logs.

How to Implement CIS Control 6

Sub-Control | Asset Type | Security Function | Control Title | Control Description

6.1 | Network | Detect | Utilize Three Synchronized Time Sources | Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.

6.2 | Network | Detect | Activate Audit Logging | Ensure that local logging has been enabled on all systems and networking devices.

6.3 | Network | Detect | Enable Detailed Logging | Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.

6.4 | Network | Detect | Ensure Adequate Storage for Logs | Ensure that all systems that store logs have adequate storage space for the logs generated.

6.5 | Network | Detect | Central Log Management | Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.

6.6 | Network | Detect | Deploy SIEM or Log Analytic Tools | Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.

6.7 | Network | Detect | Regularly Review Logs | On a regular basis, review logs to identify anomalies or abnormal events.

6.8 | Network | Detect | Regularly Tune SIEM | On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
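As an added illustration (not part of the original post or of any CIS tooling), the script below runs the kind of check a log review under 6.7 might start with: it reads constructed JSON events as a central collector (6.5) would receive them, flags records lacking the detailed fields 6.3 asks for, and flags hosts whose clocks disagree with the collector by more than a tolerance, which is what 6.1's synchronized time sources are meant to prevent. The field names, the 5-second tolerance and the sample records are this example's own assumptions.

```python
# Audit constructed log records against CIS sub-controls 6.1 (consistent timestamps)
# and 6.3 (detailed fields). Field names and the skew tolerance are assumptions of this example.
import json
from datetime import datetime, timezone

REQUIRED_FIELDS = ("source", "timestamp", "user", "src_addr", "dst_addr")  # 6.3 checklist
MAX_SKEW_SECONDS = 5.0  # assumed tolerance between a host's clock and the collector's clock (6.1)

# Constructed sample: one JSON event per line as received by a central collector (6.5).
# "timestamp" is the originating host's clock; "received" is the collector's clock on arrival.
SAMPLE_LOGS = [
    '{"source":"host-a","timestamp":"2021-02-05T10:00:00Z","received":"2021-02-05T10:00:01Z",'
    '"user":"alice","src_addr":"10.0.0.5","dst_addr":"10.0.0.20","event":"login"}',
    '{"source":"host-b","timestamp":"2021-02-05T10:00:03Z","received":"2021-02-05T10:00:03Z",'
    '"event":"login"}',
    '{"source":"host-c","timestamp":"2021-02-05T09:55:00Z","received":"2021-02-05T10:00:02Z",'
    '"user":"bob","src_addr":"10.0.0.7","dst_addr":"10.0.0.20","event":"sudo"}',
]

def parse_time(value):
    """Parse the ISO 8601 UTC form used in the sample ("...Z") into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def missing_fields(record):
    """Return the 6.3 fields the record lacks, in checklist order."""
    return [f for f in REQUIRED_FIELDS if f not in record]

def clock_skew_seconds(record):
    """Absolute difference, in seconds, between host timestamp and collector receipt time."""
    return abs((parse_time(record["received"]) - parse_time(record["timestamp"])).total_seconds())

def audit(lines):
    """Return {"missing": {host: [fields]}, "skewed": {host: seconds}} for records that fail."""
    findings = {"missing": {}, "skewed": {}}
    for line in lines:
        record = json.loads(line)
        host = record.get("source", "<unknown>")
        lacking = missing_fields(record)
        if lacking:
            findings["missing"][host] = lacking
        if "timestamp" in record and "received" in record:
            skew = clock_skew_seconds(record)
            if skew > MAX_SKEW_SECONDS:
                findings["skewed"][host] = skew
    return findings

if __name__ == "__main__":
    # host-b is reported for missing fields; host-c for a clock five minutes behind the collector.
    print(json.dumps(audit(SAMPLE_LOGS), indent=2))
```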


Implementing CIS Controls

If your team is struggling to implement CIS Control 6 and could use the assistance of a third-party security provider, aNetworks is here to help. Our team of experts can assist with whatever level of service you require from consulting to complete implementation.

If you are interested in learning more about CIS Controls, view our comprehensive list here.

If you are interested, then please contact us below.


If you are looking for more resources, then please check out our resource center.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.


Category: Cyber Security



Comments

Eric

March 1, 2021 | 1:34 pm

Great articles on CIS Controls. Thank you