
US, Allies Release Guidance on Event Logging and Threat Detection

Government agencies in the US and allied countries have released guidance on how organizations can define a baseline for event logging best practices.

The US and its allies this week released joint guidance on how organizations can define a baseline for event logging.

Titled Best Practices for Event Logging and Threat Detection (PDF), the document focuses on event logging and threat detection, while also detailing living-off-the-land (LOTL) techniques that attackers use, highlighting the importance of security best practices for threat prevention.

The guidance was developed by government agencies in Australia, Canada, Japan, Korea, the Netherlands, New Zealand, Singapore, the UK, and the US and is meant for medium-size and large organizations.

“Developing and implementing an enterprise approved logging policy improves an organization’s chances of detecting malicious behavior on their systems and enforces a consistent method of logging across an organization’s environments,” the document reads.

Logging policies, the guidance notes, should consider shared responsibilities between the organization and service providers, details on what events need to be logged, the logging facilities to be used, log monitoring, retention duration, and details on when log collection is reassessed.

The authoring agencies encourage organizations to capture high-quality cyber security events, meaning they should focus on what types of events are collected rather than on their formatting.

“Useful event logs enrich a network defender’s ability to assess security events to identify whether they are false positives or true positives. Implementing high-quality logging will aid network defenders in discovering LOTL techniques that are designed to appear benign in nature,” the document reads.

Capturing a large volume of well-formatted logs can also prove invaluable, and organizations are advised to split the logged data between ‘hot’ storage, where it is readily available for querying, and ‘cold’ storage, where older data is kept in more economical solutions.


Depending on the machines’ operating systems, organizations should focus on logging LOLBins specific to the OS, such as utilities, commands, scripts, administrative tasks, PowerShell, API calls, logins, and other types of operations.

Event logs should contain details that would help defenders and responders, including accurate timestamps, event type, device identifiers, session IDs, autonomous system numbers, IPs, response time, headers, user IDs, commands executed, and a unique event identifier.

When it comes to OT, administrators should take into consideration the resource constraints of devices and should use sensors to supplement their logging capabilities and consider out-of-band log communications.

The authoring agencies also encourage organizations to consider a structured log format, such as JSON, to establish an accurate and trustworthy time source to be used across all systems, and to retain logs long enough to support cyber security incident investigations, considering that it may take up to 18 months to discover an incident.
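As an added illustration, not code from the guidance or from the article, the following Python checker tests JSON event records against the content called for above: the fields a useful log entry should carry, an ISO 8601 timestamp in UTC from a common time source, and a unique event identifier. The JSON key names and the sample records are my assumptions; the guidance prescribes the content, not a particular schema.

```python
import json
from datetime import datetime, timezone
# Fields the guidance summarized above says a useful entry should carry; the key names are mine.
REQUIRED_FIELDS = ("event_id", "timestamp", "event_type", "device_id", "session_id",
                   "asn", "source_ip", "response_time_ms", "user_id", "command")

def check_timestamp(value):
    """Return None if value is an ISO 8601 timestamp with an explicit UTC offset, else why not."""
    try:
        ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except (ValueError, AttributeError):  # unparseable, or not a string at all
        return "timestamp is not ISO 8601"
    if ts.tzinfo is None:
        return "timestamp has no timezone offset"
    if ts.utcoffset() != timezone.utc.utcoffset(None):
        return "timestamp is not UTC"
    return None

def assess_record(rec):
    """List the quality problems of one parsed record (an empty list means it passes)."""
    problems = []
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in ("", None)]
    if missing:
        problems.append("missing: " + ", ".join(missing))
    ts_problem = None if "timestamp" in missing else check_timestamp(rec["timestamp"])
    if ts_problem:
        problems.append(ts_problem)
    return problems

def assess_log(lines):
    """Map each failing 1-based line number to its problems; also flags reused event IDs."""
    report, seen_ids = {}, set()
    for n, line in enumerate(lines, 1):
        rec = json.loads(line)
        problems = assess_record(rec)
        eid = rec.get("event_id")
        if eid is not None and eid in seen_ids:
            problems.append("event_id reused: " + str(eid))
        seen_ids.add(eid)
        if problems:
            report[n] = problems
    return report
# Constructed samples: line 1 passes; line 2 lacks user/command and has a naive local time; line 3 reuses an ID with a non-UTC offset.
_BASE = {"event_type": "process_create", "device_id": "ws-17", "session_id": "s-9", "asn": 64496,
         "source_ip": "192.0.2.10", "response_time_ms": 3, "user_id": "jdoe", "command": "whoami"}
SAMPLE_LINES = [
    json.dumps({**_BASE, "event_id": "e-0001", "timestamp": "2024-08-22T10:15:00Z"}),
    json.dumps({**_BASE, "event_id": "e-0002", "timestamp": "2024-08-22 10:15:01", "user_id": "", "command": None}),
    json.dumps({**_BASE, "event_id": "e-0001", "timestamp": "2024-08-22T12:15:02+02:00"}),
]
```

Running `assess_log(SAMPLE_LINES)` reports only lines 2 and 3, which is the kind of check a collection pipeline can apply before records reach hot storage.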

The guidance also includes details on prioritizing log sources and on securely storing event logs, and recommends implementing user and entity behavior analytics capabilities for automated incident detection.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
