Best Practices for Event Logging and Threat Detection

Event Logging Best Practices for Cyber Threat Mitigation This guidance defines best practices for event logging to enhance cyber security and network visibility, addressing challenges such as living off the land techniques used by malicious actors. Four Key Factors for Effective Logging - Enterprise-approved Event Logging Policy: Establishes a consistent approach to logging across environments. - Centralized Event Log Access and Correlation: Allows for efficient monitoring and analysis of event logs. - Secure Storage and Event Log Integrity: Preserves the integrity and accessibility of event logs. - Detection Strategy for Relevant Threats: Focuses logging on identifying malicious activities and indicators of compromise. Event Log Quality - High-quality logs provide detailed information on security events, aiding in incident identification and threat detection. - Relevant considerations for LOTL detection include capturing logs on specific commands and tools used by malicious actors. Captured Event Log Details - Logs should contain sufficient information for network defenders to investigate and respond to incidents, including timestamps, event types, and system identifiers. - Using key-value-pairs for data formatting simplifies log analysis. Operational Technology Considerations - OT devices often have limited logging capabilities, requiring supplemental solutions or out-of-band log communications. Consistency and Synchronization - Consistent log formats and timestamps across systems facilitate log search and correlation. - Accurate time sources assist in identifying connections between events. Additional Resources - ASD's Information Security Manual: Provides guidelines for event log recording. - CISA's M-21-31 Guidance: Outlines priorities for log collection. - NIST's OT Security Guide: Addresses OT-specific event logging considerations.