How to avoid security blind spots when logging and monitoring

Cybersecurity involves a balancing act between risk aversion and risk tolerance. Going too far to either extreme may increase cost and complexity, or worse: cause the inevitable business and compliance consequences of a successful cyberattack. The decisions that need to be made around logging and monitoring are no exception.

logging monitoring

Capturing all data from every device on the network can create bottlenecks, overwhelm log management, and obfuscate signs of network penetration, or malicious activity. Not capturing all the critical log data can result in monitoring that fails to identify attacks before they do damage or assist in forensics after the incident.

Getting logging and monitoring right is so important that it is listed among the Center for Internet Security’s critical security controls.

Failing to log creates blind spots

Failing to activate logging creates security blind spots in your network that will only become apparent after the fact (i.e., when an attack is successful). Every component of your extended infrastructure — on premises and remote — should be configured to generate appropriate audit events. These components include operating systems, system utilities, servers, workstations, networking equipment, and security systems (which include anti-malware, firewalls, intrusion detection and prevention systems, and VPNs).

This applies whether you run your own security information and event management (SIEM) solution for log management or use a managed SIEM with SOC-as-a-Service for 24/7 monitoring, alerting, and reporting. The SIEM relies on log data feeds to provide protection. It can’t see alerts on what’s not being logged. Responsibility for making devices and apps visible often falls outside of the security organization.

For example, failure to activate logging can happen if there is a “set it and forget it” mindset. The reality is that networks are always changing. New endpoint devices are continually being added and removed due to personnel changes, addition of new locations, flexible work programs that let employees work from home, new mobility solutions, and the like.

Assuming that new apps and devices — including new cloud infrastructure…