Insufficient logging and monitoring is number ten on OWASP’s list of most critical web application and internet security risks. OWASP states that insufficient logging and monitoring is the bedrock of nearly every major incident. Attackers rely on insufficient logging, detection, monitoring, and response weaknesses to avoid detection.
What is insufficient logging and monitoring?
According to OWASP: Insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, allows attackers to attack systems further, maintain persistence, pivot to more systems, and tamper, extract or destroy data. Most breach studies show time to detect a breach is over 200 days, typically detected by external parties rather than internal processes or monitoring.
Logging and monitoring include:
- Log collection: this includes log enrichment such as parsing of logs, converting logs, and filtering logs.
- Log management: keeping shards and indexes, keeping data retention policies for better performance, implementing access control as logs contain sensitive information, etc.
- Log monitoring/analysis: visualization, alerting, reporting.
Example
A cybercriminal scans your network, looking for users with a common password. The scan results in one false login attempt per account. The attacker can then scan on another day, using another common password. Insufficient logging and monitoring allow this activity to continue, increasing the odds that the attacker will access your network or applications.
Why is logging and monitoring considered important?
Logging and monitoring allow companies or product owners to see who has accessed what and when so that if a vulnerability is detected, there can be some accountability. This is essential for securing data and preventing breaches. This also acts as an effective deterrent.
- Prevents downtime on your sites and servers.
- Log management tools analyse logs and find problems within them,
- allowing your site reliability engineers to spend more time problem-solving and less time searching for them or responding in emergencies.
- Can save your business time and money.
Conclusion
Insufficient logging and monitoring is the most common reason why businesses fail to deal with a security breach effectively. Organisations must be equipped by logging the entire activity, or it could be difficult for the organisation to find the attacker. Not being able to detect an early stage attack may further lead to the continuation of breaches and significant losses. To stay compliant and well informed, taking appropriate measures and having in place logging and monitoring is essential.
How to Prevent Insufficient Logging and Monitoring
To prevent insufficient logging and monitoring, you can:
- Back up logs & sync to another server. The cybercrime should not be able to clear all the logs after hacking the server and, by doing so, preventing any forensics. The integrity of the log collection system is the core of any forensic investigation.
- Ensure sensitive actions are logged. This would include logins, high-value transactions, password changes, and so on. This is valuable when investigating a hack afterward.
- Regularly check & automate the most critical logs. There should be systems in place that alert you if a specific warning has been triggered or if a certain warning threshold has been reached so that you can take necessary measures.
Penetration testing is carried out by cybersecurity firms and simulates network and application attacks to discover weaknesses. By identifying insufficient logging and monitoring, components with known vulnerabilities, and injection risk, you can take action to strengthen your network and application security.
OmniCyber Security can conduct pen tests for your company, ensuring you are PCI cybersecurity compliant.
