Updated 29 April 2024
With an increasing number of systems and applications hosted in the cloud, auditing plays a pivotal role in understanding who is accessing, and what changes are occurring, within the cloud system. But it’s tricky to get auditing right.
Below, we will discuss some of the most common auditing pitfalls, as well as solutions to ensure that auditing is effective for the system environment.
Challenge #1: Defining Auditable Events
Defining what is being audited is as critical as turning auditing on in the first place. For example, it is important to have both auditing and logging turned on when adding and/or deleting users or tables in a database. If one or both are off, critical actions may be missed, especially if malicious activity is occurring.
That said, auditing every action could diminish valuable storage space for crucial events such as account activity and deleting/adding tables, etc. it is important to have the systems owner, administrators, operations, and management in sync on what events should be auditable within the system environment. As the potential threat landscape changes, periodic reviews should occur to determine if auditing needs to increase and/or decrease in certain areas.
For our clients dealing with FedRAMP compliance, minimum events that must be captured on system components are: successful and unsuccessful account login events, account management events, object access, policy change, privileged functions, process tracking, and system events for web applications. For Web applications: all administrator activity, authentication checks, data deletions, data access, data changes, and permission changes must be captured.
Challenge #2: Failure to Audit All Systems Within the Environment
Once auditable events are defined, the second most important step is to ensure that all systems are being audited. Aggregating logs with a Security Information and Event Management (SIEM) tool helps to collect all logs in one place to ensure that all systems report in.
With the SIEM tool, reports can be generated displaying which systems are forwarding logs. This report can be compared against host discovery scans or inventory spreadsheets to ensure all systems are logging required events for each system component.
This is especially important for incident response because hackers or even insider threats will use methods to cover their tracks. A common attack technique is to maliciously turn off logging or deleting/modify logs. These types of actions should be flagged as incidents, and alerts should be sent to security personnel.
Additionally, if auditing is not occurring on all systems, hackers could exploit this, causing potential harm within the environment. It is critical to have processes in place as new system components are installed, such as having logging enabled and forwarding all logs to a SIEM tool for log aggregation. Potential threats from log aggregation can then be investigated in real-time or near-real time within dashboards of the SIEM ensuring the information system is in a secure state.
Challenge #3: Failure to Configure Logging Correctly
A key component of logging is to ensure that logs are detailed and formatted correctly, so that they can be traced back to a person or action, how the event occurred, when the event occurred, and on what system component. Logs, especially when a SIEM is being used, may become garbled. Adjustments need to be made from either the SIEM tool or from the system component to ensure proper formatting.
Most SIEM tools allow you to configure what type of log source you are ingesting logs from so that the logs are formatted correctly. Having who, what, where and why is crucial for incident response. If you cannot determine all of those “w’s” within the log file, then auditing configuration needs to change.
Challenge #4: Failure to Sync All System Components to the Same Time Source
Setting the correct time source for all logs helps with log analysis across multiple components. If system components are syncing to different time sources and time zones, or not syncing system clocks at all, then event times are inconsistent and thus it is harder to determine when an event occurred. Government systems usually sync to Naval or NIST time servers. NIST guidance for syncing time can be found here. Naval NTP servers can be synced by time zone and can be found here.
The most secure setup is to have dedicated Network Time Protocol (NTP) servers sync time to an official time source. Then all servers within the information system sync with the NTP servers so not all system components must reach out over the internet for syncing.
NTP is typically setup on domain controllers. However, NTP servers can also be stand-alone servers. All system components can then be configured to do a time sync at the desired interval. Having all information system components synced to the same NTP servers ensures that event times are accurate and consistent across the environment.
Challenge #5: Protecting Audit Information from Unauthorized Modification
Who has access to audit logs & can modify or delete them? This is often overlooked, both on the system component level as well as the SIEM tool. Permissions or role-based access needs to be clearly defined and enforced to ensure that deletion or modification of logs is restricted.
Achieving this depends on how access management is enforced within the environment. For example, Active Directory can be configured to only allow certain permissions for who can delete or modify logs locally. As for the SIEM tool, I recommend configuring one account (an emergency use only, “break glass” type) with access to delete or modify logs from within the SIEM tool. The key is to strictly limit the ability of users to mess with log data.
Challenge #6: Devices that Don’t Log
Sometimes audit log configuration is only partially configured locally on the component or application, or not all logs are being forwarded to the SIEM tool. Once the auditable events are defined by the organization, or by FedRAMP parameters, they need to be configured locally within the system component or application to log those events.
Once logging is established on the component, then ensure that all logs are forwarded to the SIEM. Logs collected for defined audible events are crucial to maintaining compliance for auditing within the system boundary.
Wrapping Up
Contact 38North and we can help you evaluate and improve your auditing processes to achieve compliance and enhance security.
Frequently Asked Questions
1. How can organizations effectively balance the need for comprehensive auditing with the potential storage limitations and resource constraints?
Effectively balancing the need for comprehensive auditing with storage limitations and resource constraints requires a strategic approach. Here are some key considerations:
- Prioritize Auditable Events: Focus on auditing events that are most critical for security, compliance, and operational purposes. Conduct risk assessments to identify high-priority events that must be audited, considering factors such as regulatory requirements, security threats, and business impact.
- Implement Data Retention Policies: Define clear data retention policies to manage the storage of audit logs effectively. Determine the required retention period for different types of audit data based on regulatory requirements, operational needs, and security considerations. Archiving older logs or implementing log rotation strategies can help optimize storage usage.
- Optimize Logging Levels: Fine-tune logging levels to balance the need for detailed audit information with resource constraints. Adjust logging levels based on the criticality of systems and applications, ensuring that essential events are logged at a sufficient level of detail while minimizing unnecessary log volume.
- Utilize Log Compression and Encryption: Implement techniques such as log compression and encryption to reduce the storage footprint of audit logs without compromising data integrity and confidentiality. Compressing log files can significantly reduce storage requirements, while encryption ensures that sensitive audit data remains secure.
- Explore Cloud-Based Logging Solutions: Consider leveraging cloud-based logging solutions that offer scalable storage options and flexible pricing models. Cloud-based logging platforms can provide cost-effective storage solutions while offering features such as automatic log management, real-time analysis, and archival capabilities.
- Invest in Log Management Tools: Deploy robust log management tools and Security Information and Event Management (SIEM) systems that offer features for log aggregation, analysis, and storage optimization. These tools can help organizations efficiently manage audit logs, identify security incidents, and streamline compliance reporting.
- Regular Monitoring and Review: Continuously monitor and review audit log storage utilization to identify trends, anomalies, and areas for optimization. Conduct regular audits of logging configurations, retention policies, and storage infrastructure to ensure compliance with organizational policies and regulatory requirements.
By adopting a proactive approach to auditing and implementing strategic measures to optimize storage usage, organizations can effectively balance the need for comprehensive auditing with storage limitations and resource constraints.
2. Are there specific strategies or best practices recommended for ensuring that all systems, particularly newly installed components, are consistently audited and integrated into the overall auditing system?
Absolutely, ensuring consistent auditing across all systems, especially newly installed components, is crucial for maintaining security and compliance. Here are some recommended strategies and best practices:
- Standardize Auditing Configuration: Develop standardized auditing configurations and policies that align with organizational security requirements and regulatory compliance standards. This includes defining which events should be audited, the level of detail for audit logs, and retention periods.
- Automate Auditing Deployment: Implement automated auditing deployment processes to ensure that newly installed components are automatically configured to generate audit logs according to the standardized configuration. This could involve using configuration management tools or scripts to deploy auditing settings consistently across all systems.
- Incorporate Auditing into System Deployment Workflows: Integrate auditing configuration steps into system deployment workflows to ensure that auditing is enabled during the installation or provisioning of new components. This ensures that auditing is not overlooked or neglected during the deployment process.
- Utilize Configuration Management Tools: Leverage configuration management tools such as Puppet, Chef, or Ansible to enforce auditing configurations across all systems within the environment. These tools allow organizations to centrally manage and enforce auditing settings, ensuring consistency and compliance.
- Implement Continuous Monitoring: Deploy continuous monitoring solutions that can detect and alert on changes to auditing configurations or deviations from the standardized settings. This ensures that any unauthorized changes or misconfigurations are promptly identified and remediated.
- Provide Training and Awareness: Educate system administrators, operations teams, and other relevant stakeholders about the importance of auditing and the organization’s auditing policies and procedures. Training sessions and awareness campaigns can help ensure that all personnel understand their roles and responsibilities regarding auditing.
- Regular Auditing Assessments: Conduct regular audits and assessments of auditing configurations and practices to identify gaps, inconsistencies, or areas for improvement. This includes verifying that all systems are consistently audited and integrated into the overall auditing system.
- Establish Documentation and Documentation Standards: Maintain detailed documentation of auditing configurations, deployment processes, and monitoring procedures. Establish clear documentation standards to ensure that auditing practices are well-documented and easily accessible to relevant personnel.
By implementing these strategies and best practices, organizations can ensure that all systems, including newly installed components, are consistently audited and integrated into the overall auditing system, thereby enhancing security posture and regulatory compliance.
3. What are some common indicators or red flags that might suggest unauthorized modification or tampering with audit logs, and what steps can organizations take to detect and prevent such incidents?
Detecting unauthorized modification or tampering with audit logs is crucial for maintaining the integrity of security monitoring and compliance efforts. Here are some common indicators or red flags that might suggest such incidents, along with steps organizations can take to detect and prevent them:
Indicators or Red Flags:
- Spike in Log Deletions or Modifications: A sudden increase in the number of log deletions or modifications, especially for critical audit events, could indicate unauthorized tampering.
- Anomalies in Log File Sizes or Timestamps: Discrepancies in log file sizes or timestamps, such as gaps in log entries or timestamps that do not align with expected activity patterns, may suggest tampering or manipulation.
- Unexpected Changes in Logging Configuration: Unauthorized changes to logging configurations, such as disabling auditing for critical events or altering log retention settings, could indicate attempts to evade detection.
- Abnormal Access Patterns to Log Files: Unusual access patterns to log files, such as unauthorized access attempts or access from unfamiliar IP addresses or user accounts, may indicate unauthorized tampering with log files.
- Mismatch between Log Content and System Activity: Discrepancies between the content of audit logs and actual system activity, such as missing or altered log entries corresponding to known system events, could indicate tampering.
- Alerts from Intrusion Detection Systems (IDS) or Security Information and Event Management (SIEM) Tools: Alerts generated by IDS or SIEM tools indicating suspicious activity related to log manipulation, such as attempts to modify or delete audit logs, should be investigated promptly.
- Evidence of Access by Unauthorized Users or Privileged Accounts: Unauthorized access to log files by users or accounts not authorized to view or modify audit logs, especially privileged accounts, is a clear indication of potential tampering.
Steps to Detect and Prevent Incidents:
- Implement Access Controls: Enforce strict access controls to ensure that only authorized personnel have permission to view, modify, or delete audit logs. Use role-based access control (RBAC) and least privilege principles to limit access to log files.
- Enable Logging of Log Modifications: Configure systems to log modifications to audit logs themselves, including changes to log files, timestamps, or logging configurations. Monitoring these logs can help detect unauthorized tampering.
- Encrypt and Sign Log Files: Use encryption and digital signatures to protect audit log files from unauthorized modification. Implementing cryptographic measures ensures the integrity and authenticity of log data, making it more difficult for attackers to tamper with logs unnoticed.
- Regularly Monitor and Review Logs: Conduct regular reviews and analysis of audit logs to identify anomalies, discrepancies, or suspicious patterns indicative of tampering. Implement automated log monitoring and alerting systems to facilitate timely detection of unauthorized activities.
- Store Logs Securely and Offsite: Store audit logs securely in tamper-evident repositories or offsite locations to prevent tampering or destruction in case of a security breach. Implementing backups and redundant storage mechanisms ensures the availability and integrity of log data.
- Establish Change Management Processes: Implement robust change management processes to track and approve any changes to logging configurations or systems that could impact auditability. Regularly review and audit changes to ensure compliance with established policies and procedures.
- Conduct Forensic Analysis: In case of suspected tampering or security incidents, conduct forensic analysis of audit logs and related artifacts to determine the extent of unauthorized access or modifications. Preserve log data in a forensically sound manner to support investigations and legal proceedings.
By implementing these measures, organizations can enhance their ability to detect and prevent unauthorized modification or tampering with audit logs, thereby strengthening their security posture and compliance efforts.