New guidance on event logging: Global collaboration to improve threat detection

Leading international cybersecurity agencies have issued a detailed guide on enhancing security across various technological environments.

The guide sets out practical recommendations for event logging and threat detection. It is aimed at cybersecurity practitioners, IT managers, OT operators, and network administrators and operators in medium-to-large organisations.

Event logging plays a vital role in ensuring the security and reliability of essential systems. It provides network visibility and aids in effectively responding to incidents.

The guide stresses four priorities for enterprises: clearly communicate and enforce an approved event logging policy, centralise log access so that events can be correlated efficiently, store logs securely to preserve their integrity, and define a strategy for detecting and communicating relevant threats.

Enhancing threat detection capabilities

Develop an enterprise-approved logging policy

Organisations should apply a standardised logging policy across all of their environments. A comprehensive policy specifies which events must be logged, how the logs are monitored, and how long they are retained.

The Australian Cyber Security Centre (ACSC) emphasises that “an effective event logging solution aims to send alerts to network defenders when critical software configuration changes are made or new software solutions are deployed”. It is crucial to closely monitor all critical activities and promptly address any irregularities.

Centralise log collection and correlation

Consolidating logs in a secure and easily accessible location enhances threat detection and incident response, leading to improved efficiency. The Cybersecurity and Infrastructure Security Agency (CISA) emphasises that “centralised event logging enables network visibility, allowing organisations to detect and respond to cyber threats more efficiently.”

This approach enables a comprehensive analysis and quicker identification of potential hazards.

Maintain log integrity

Event logs must be protected in transit and at rest against unauthorised access, tampering, and deletion. Encryption and access controls are the principal means of doing so.

The guidance stresses that preserving log integrity is essential: accurate forensic analysis and regulatory obligations both depend on logs that can be shown not to have been altered.
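As an added illustration of the tamper evidence the guidance asks for (example code written for this article, not from the guidance or any of the agencies), a central collector can chain an HMAC tag through every record it ingests, so that any later edit, deletion, or truncation of the stored log is detectable. The key, the sample events, and the function names are constructed for the example:

```python
"""Tamper-evident event log: each stored record carries an HMAC over its
own content and the previous record's tag. Only the central collector
holds the key, so a host whose logs were altered after shipping, or a
storage tier that was edited, fails verification."""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

# Constructed sample events (not taken from the guidance).
SAMPLE_EVENTS = [
    {"ts": "2024-08-22T10:00:01Z", "host": "web01", "event": "service_start", "svc": "nginx"},
    {"ts": "2024-08-22T10:05:13Z", "host": "web01", "event": "config_change", "file": "/etc/ssh/sshd_config"},
    {"ts": "2024-08-22T10:07:44Z", "host": "web01", "event": "package_install", "pkg": "example-tool"},
]

GENESIS = b"\x00" * 32  # stands in for the "previous tag" of the first record


def _tag(key: bytes, prev_tag: bytes, event: dict) -> bytes:
    # Canonical JSON so that key order or whitespace cannot change the tag.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag + payload, hashlib.sha256).digest()


def append_chain(key: bytes, events: List[dict]) -> List[dict]:
    """Ingest events in order, returning records of {event, tag} chained from GENESIS."""
    chain, prev = [], GENESIS
    for ev in events:
        tag = _tag(key, prev, ev)
        chain.append({"event": ev, "tag": tag.hex()})
        prev = tag
    return chain


def verify_chain(key: bytes, chain: List[dict], expected_len: Optional[int] = None) -> Tuple[bool, str]:
    """Recompute every tag and report the first record that fails.
    expected_len comes from an out-of-band record counter and catches
    truncation, which a chain alone cannot detect at its tail."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        expected = _tag(key, prev, rec["event"])
        if not hmac.compare_digest(expected.hex(), rec["tag"]):
            return False, f"record {i} modified or chain broken"
        prev = expected
    if expected_len is not None and len(chain) != expected_len:
        return False, f"expected {expected_len} records, found {len(chain)}"
    return True, "ok"
```

Verification should run on the central copy on a schedule; a failure is itself an event worth alerting on, since it indicates either corruption or an attempt to cover tracks.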

Develop a detection strategy for relevant threats

Organisations must establish a comprehensive approach to identify and address potential risks, such as advanced persistent threats (APTs) and the use of techniques like living off the land (LOTL).

Tools such as Security Information and Event Management (SIEM) systems should be used for log analysis and anomaly detection. The ACSC emphasises that effective threat detection means identifying malicious activity, behavioural anomalies, and compromised networks, devices, or accounts.


International cybersecurity collaboration

This publication was created in collaboration with various international partners, including:

  • United States (US) Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA)
  • United Kingdom (UK) National Cyber Security Centre (NCSC-UK)
  • Canadian Centre for Cyber Security (CCCS)
  • New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team (CERT NZ)
  • Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and Computer Emergency Response Team Coordination Center (JPCERT/CC)
  • The Republic of Korea National Intelligence Services (NIS) and NIS’s National Cyber Security Center (NCSC-Korea)
  • Singapore Cyber Security Agency (CSA)
  • The Netherlands General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD).

By following these recommendations, organisations can strengthen their cybersecurity posture and better protect the security and resilience of vital systems.

This post was also published on Public Spectrum.

Comms Room Staff