SANS Critical Control 14: Audit Logs

Each issue, an expert provides analysis on one of the SANS Top 20 Critical Security Controls. 

By Duane Elbrecht, Solutions Architect

Whenever I think of audit logs, I think of the great Clifford Stoll and how he uncovered an espionage ring while working as a systems administrator at the Lawrence Berkeley National Laboratory. One of my favorite books, The Cuckoo's Egg, details his story.

In this true story, a former astronomer takes on the position of sysadmin when grant money runs out. One of his new responsibilities in this role was accounting for billing time on the university mainframe and assigning the cost to the correct department. One day while reviewing system access logs (really a mishmash of custom scripts that cross-referenced various accounting information), he discovered a very small discrepancy of only a few minutes of unaccounted time on the system. And thus begins his story of digital forensics and tracking a Soviet hacker through the early years of a burgeoning internet.

Since then, audit logs have dramatically matured along with the SIM platforms that manage them, and they now provide valuable forensic information and real-time insight. So, why do audit logs matter, and how can you make sure they are working effectively?

The first part of that last question seems to have an obvious answer, but let’s take a closer look.

Audit logs create an (1) accountability factor. The information that is logged can tie specific events to specific accounts, thus creating a digital fingerprint. If enough of these "fingerprints" are collected, we can then (2) reconstruct a timeline of events that occurred before and after the event of concern. This is crucial when deciding what action needs to be taken to address the event. Is the event simply a restart of a service through normal maintenance activities, or, more importantly, did someone intentionally turn off the service to hide their activity and identity while doing something malicious? Thus, logs provide (3) intrusion detection and insight into what might be considered unusual activity. That activity may present itself as: failed login attempts (someone trying to guess an account password), high memory utilization (malware running in the background), or scans being run to detect open ports (someone looking for a hole to exploit). Audit logs also provide information for problem detection and root cause analysis, another critical piece when troubleshooting difficult problems.

How can you make sure your audit logs are working effectively?

This can be a tough one to get right, and it often takes several attempts to adjust what the logs are reporting. Many logging systems these days report exactly what they need to report, right out of the box. Things have come a long way since Clifford Stoll's early days, and in most cases simply "checking the correct box" enables the correct logging. However, sometimes these logs need to be customized for the system. In short, are the logs you are looking at collecting and reporting the information you need to know? "Who, what, and when" are very important questions to ask in this effort. Securing access to the logs on a hardened system, thereby ensuring their integrity, is paramount to maintaining confidence in the information being analyzed.

Some things that should be considered to make sure you are getting the most out of your audit logs are:
(1) What are the compliance requirements for your business, such as SOX, HIPAA, PCI-DSS, ITAR, etc.? Though there is often significant overlap between these standards, it is important to understand which are vital to your business.
(2) How long are you keeping the logs versus how long are you required to keep the logs? These are often different, and the reasons for this vary. Sometimes logs are kept longer than needed because of the fear of "what if?" Trend analysis is another reason to keep logs for an extended time. Whatever the reason for keeping them, remember that the more logs you gather, the more resources it takes to perform an analysis. This may become costly, so there is often a cost-benefit tipping point that management must buy into to support this effort.
(3) What is your log analysis process? What good are logs if they are not being reviewed on a regular basis? Alerting must be tied to events that are considered critical, and a process for handling critical events must also be in place to give them the proper visibility and response.
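As an added illustration of the "who, what, and when" questions, the failed-login signal, and the point that alerting must be tied to critical events, the following script (written for this article, not part of SANS or the author's material) parses a few constructed sshd-style lines, flags sources with repeated failures, and reconstructs the timeline for one account. The log format, hostnames, user names and addresses are all made up for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in a syslog/sshd-like shape; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4021
2024-03-01T09:00:03 host1 sshd[102]: Failed password for root from 203.0.113.5 port 4022
2024-03-01T09:00:05 host1 sshd[103]: Failed password for root from 203.0.113.5 port 4023
2024-03-01T09:00:07 host1 sshd[104]: Failed password for root from 203.0.113.5 port 4024
2024-03-01T09:00:09 host1 sshd[105]: Accepted password for root from 203.0.113.5 port 4025
2024-03-01T09:01:00 host1 sshd[106]: Accepted publickey for alice from 198.51.100.7 port 5001
2024-03-01T09:02:00 host1 sshd[107]: Failed password for alice from 198.51.100.7 port 5002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

def parse(text):
    """Turn raw lines into who/what/when/where records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"when": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "who": m["user"], "what": m["result"], "where": m["src"]})
    return events

def brute_force_alerts(events, threshold=3):
    """Sources with at least `threshold` failures. The third field marks whether that same
    source also has an accepted login anywhere in the log, which raises the event's priority."""
    failures = Counter(e["where"] for e in events if e["what"] == "Failed")
    successes = {e["where"] for e in events if e["what"] == "Accepted"}
    return [(src, n, src in successes) for src, n in failures.items() if n >= threshold]

def account_timeline(events, user):
    """Reconstruct the ordered sequence of events for one account (the 'when' and 'what')."""
    return sorted((e["when"], e["what"], e["where"]) for e in events if e["who"] == user)

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, n, got_in in brute_force_alerts(evs):
        print(f"ALERT {src}: {n} failed logins, later accepted login from same source={got_in}")
    for when, what, where in account_timeline(evs, "root"):
        print(when.isoformat(), what, where)
```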

As SANS Critical Security Control 14 points out, “Because of poor or nonexistent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.”
