Insufficient logging and monitoring for beginners
Hello and welcome to this last episode of the OWASP Top 10 series. Today’s subject is Insufficient logging and monitoring.
The world of information security is an ever-changing landscape. Every day, new vulnerabilities emerge and new exploits get published. However, this is just the tip of the iceberg. In fact, many unknown vulnerabilities are being exploited by cybercriminals right now. Therefore, you can’t be sure that your systems are totally immune even after applying the latest patches and updates.
You need to have a way to detect when and how your assets are being compromised. This is where having efficient logging and monitoring measures comes into play. They are like the immune system of your body so to speak.
What is Insufficient logging and monitoring?
Let’s first understand what is logging and monitoring before discussing how they help in security.
What is logging?
Logging is the process of keeping track of system activities and their interactions. It’s a critical piece of your infrastructure. In fact, it allows you to record when events occur, who initiates them, from where, and what actions have been performed. This has two advantages:
- Firstly, you are building a database which you will use to define metrics and alerts based on specific events, like the number of login attempts.
- Secondly, you can use the logged data for any further investigations should any security incident happen.
What is monitoring?
Monitoring consists of constantly observing the logs of a system and searching for anomalies. There are many approaches to monitoring, from defining manual thresholds and metrics to leveraging Artificial Intelligence algorithms. The goal is to spot any malfunctions or deviations from your system’s normal activity.
The lack of proper logging and monitoring in your systems is a bad practice. In fact, when attackers infiltrate a target, they usually generate logs which don’t correspond to your normal system activity. If you can’t monitor and detect such deviations, you are creating a blind spot for attackers to take advantage of.
Insufficient logging and monitoring attack
There are many example breaches caused by insufficient logging and monitoring. One of the big recent incidents affected the giant firm Citrix. In fact, attackers found a weak password as a result of a password spraying attack. Unfortunately, Citrix was not aware of it until the FBI notified them about a breach which led to 6TB of stolen data.
Insufficient logging and monitoring impact
As you saw in the attack example section above, insufficient logging and monitoring gives cybercriminals enough room to cause the biggest damage possible. In other words, they can breach your perimeter, pivot inside your networks, steal data, maintain persistence, spy on you and get away with it. The worst part is that you will probably never detect the attack. Think of this as your systems suffering from HIV: any threat can be deadly.
How to prevent Insufficient logging and monitoring?
There are many things you need to implement for efficient logging and monitoring:
- Invest in a logging and monitoring solution.
- Define security metrics which trigger an alert if a certain threshold is met. For instance, if you receive too many login requests from a user, your monitoring system should raise an alert.
- Make sure you dedicate enough human resources to handle the reported alerts. Otherwise, you will not benefit from your investment.
- Test your logging and monitoring systems during a penetration test to verify that you can detect and understand what the penetration testers are doing.
- Keep testing and enhancing your alerts and incident handling processes.
- If you choose to implement your own logging and monitoring features, make sure you don’t introduce security vulnerabilities.
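As an added example (not code from the original post), here is a small Python detector for the second point above: it reads authentication log lines and raises an alert when one user exceeds a failed-login threshold inside a time window, and also when one source fails against many distinct users inside that window, which is the password spraying pattern seen in the Citrix breach. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system); the line
# format below is an assumption, not a standard one.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=alice src=203.0.113.5
2024-03-01T10:00:03Z auth FAIL user=alice src=203.0.113.5
2024-03-01T10:00:05Z auth FAIL user=alice src=203.0.113.5
2024-03-01T10:00:07Z auth FAIL user=alice src=203.0.113.5
2024-03-01T10:01:00Z auth FAIL user=bob src=198.51.100.7
2024-03-01T10:01:02Z auth FAIL user=carol src=198.51.100.7
2024-03-01T10:01:04Z auth FAIL user=dave src=198.51.100.7
2024-03-01T10:05:00Z auth OK user=alice src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) auth (FAIL|OK) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Parse log lines into (timestamp, result, user, src); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect(log_text, window=timedelta(minutes=5), per_user_max=3, spray_users_min=3):
    """Return alerts as (kind, key) tuples. 'brute_force': more than per_user_max
    failures for one user inside the window. 'password_spray': one source failing
    against at least spray_users_min distinct users inside the window."""
    alerts = []
    fails_by_user = defaultdict(list)   # user -> failure timestamps in window
    users_by_src = defaultdict(dict)    # src  -> {user: last failure timestamp}
    for ts, result, user, src in sorted(parse(log_text)):
        if result != "FAIL":
            continue                    # successes are logged but not counted here
        fails_by_user[user] = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
        if len(fails_by_user[user]) > per_user_max:
            alerts.append(("brute_force", user))
            fails_by_user[user] = []    # one alert per burst, then re-arm
        seen = users_by_src[src]
        seen[user] = ts
        users_by_src[src] = {u: t for u, t in seen.items() if ts - t <= window}
        if len(users_by_src[src]) >= spray_users_min:
            alerts.append(("password_spray", src))
            users_by_src[src] = {}      # same re-arm logic for the spraying rule
    return alerts
```

Running `detect(SAMPLE_LOG)` on the constructed log yields one brute-force alert for alice and one spraying alert for 198.51.100.7; in practice the thresholds and window should be tuned against your own baseline, and every alert needs someone assigned to handle it.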
You can read more on the OWASP Insufficient logging and monitoring cheat sheet and proactive controls.
As usual, here is the video tutorial: