TIPS #15: How can companies strike a balanced approach to log management?
Shane Shook
April 18, 2024
- Blog Post
- TIPS
Issue: Logging generates important data that informs threat detection, prevention, and response. However, log management operating expenses are often subject to budget cuts, leading to diminished security capabilities.
Logging is a fundamental building block in cybersecurity, providing timestamped records of events and activities including system changes and user access across IT systems and devices. Well-managed logs enable effective threat detection and response by supplying accurate and relevant incident data for intrusion detection systems and forensic analysis.
Today, companies must attempt to manage a massive volume of logs from numerous sources including web and mail servers, operating systems, network routers, firewalls, and applications. Logging has also become a compliance concern, as the growing impact of breaches and compromises spurs cybersecurity regulations and guidance. For example, the United States federal government's May 2021 Executive Order on Improving the Nation's Cybersecurity (EO 14028) devotes a section to network and system log requirements under the heading "Improving the Federal Government's Investigative and Remediation Capabilities." In addition, security logging and monitoring is one of the OWASP Top 10 Proactive Controls that should be included in every software development project.
Log management and monitoring has become a high priority for organizations, with many categorizing log-related costs (including log transport, processing, and storage) as operating expenses with associated budget line items. However, the full cost of logging at scale is often not apparent until the bills from service providers arrive, at which point many companies respond by cutting the logging budget rather than by tuning what they collect.
Impact: When logging is cut or underfunded, companies face heightened risks from cyber threats.
Fundamentally, underfunded logging hinders a company’s ability to detect, prevent, and respond to cyber threats. Threat actors can operate unobserved within company networks if logs or log monitoring are disabled or under-utilized, increasing the risk of larger impacts from breaches and compromises.
MITRE's Common Weakness Enumeration (CWE) outlines the potential impacts of insufficient logging in CWE-778, noting that "if security critical information is not recorded, there will be no trail for forensic analysis and discovering the cause of problems or the source of attacks may become more difficult or impossible." CWE-778 also points out that cloud storage resources often require explicit configuration changes to enable detailed logging, because detailed logging incurs extra cost. When companies are unwilling or unable to take on that cost, the result is telemetry gaps in critical audit logs.
Action: Make logging a risk management priority and focus security efforts more efficiently around attacks, breaches, and compromises.
1) Align logging with business needs to elevate it from an operating expense to a risk management priority.
Log management, like all security functions, should be aligned with strategic business goals. This reframes it from a cost center to a critical cybersecurity practice that protects companies from risks and enables business objectives. Direct alignment reduces the likelihood of harmful underfunding.
2) Fine-tune security tooling to effectively meet attack, breach, and compromise threats, and find a balanced logging approach.
The impulse to cut costs and the desire to capture as much log information as possible both cause problems: the first leaves blind spots, the second buries real signals in noise and drives up the bill. Most companies need a balanced approach that meets both budgetary and risk management requirements. Logs from security tools at every level of the digital environment, including network, endpoint, identity, data, and cloud, must be fine-tuned so that high-signal events (authentication, privilege use, account and audit-configuration changes) are always retained and searchable, while routine, low-value events are archived cheaply or dropped:
- Sift through the noise and focus on the important signals with SolCyber’s security log monitoring.
- Deflect identity-based attacks with Constella’s identity monitoring capabilities.
- Disrupt endpoint breaches and persistent threats with Huntress’ managed EDR and stop network threats with Lumu’s network security solutions.
- Prevent and investigate compromises in hybrid cloud environments with Uptycs’ unified CNAPP platform.
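The following is an added illustration of the balanced approach described above; it is example code written for this article, not a SolCyber product or any vendor's tooling. It routes each log line to one of three tiers (hot for SIEM indexing, cold for cheap archive, drop for pure noise) using an ordered rule list, checks that no noise filter can shadow a security rule, and reports what share of ingested bytes actually lands in the expensive hot tier. The sample log lines, the rule set, and the tier names are constructed for the example; the CloudTrail and S3 event names (StopLogging, DeleteTrail, UpdateTrail, PutBucketLogging) are real API names but the events themselves are made up.

```python
"""Tiered log routing: keep high-signal security events, archive the routine,
drop the noise.  Constructed example; rules and sample lines are illustrative."""
import re
from collections import defaultdict

# Constructed sample lines in syslog and cloud-audit style (not real data).
SAMPLE_LOGS = [
    "sshd[1123]: Failed password for root from 198.51.100.7 port 52211 ssh2",
    "sshd[1123]: Accepted publickey for deploy from 203.0.113.5 port 41022 ssh2",
    "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/bash",
    "systemd[1]: Started Daily apt download activities.",
    "kernel: eth0: link is up",
    "useradd[2201]: new user: name=svc-backup, UID=1007, GID=1007, home=/home/svc-backup",
    'nginx: 203.0.113.9 - - "GET /healthz HTTP/1.1" 200 2',
    "cloudtrail: eventName=PutBucketLogging status=Success user=admin",
    "cloudtrail: eventName=StopLogging status=Success user=admin",
    "cron[3321]: (root) CMD (/usr/lib/sysstat/sa1 1 1)",
]

# (rule name, pattern, tier).  First match wins, so security rules come first
# and noise filters last; a misplaced drop rule could otherwise swallow a signal.
RULES = [
    ("logging_config_change", re.compile(r"StopLogging|DeleteTrail|UpdateTrail|PutBucketLogging"), "hot"),
    ("auth_failure",          re.compile(r"Failed password|authentication failure"), "hot"),
    ("auth_success",          re.compile(r"Accepted (?:password|publickey)"), "hot"),
    ("privilege_use",         re.compile(r"^sudo:|USER=root"), "hot"),
    ("account_change",        re.compile(r"\b(?:useradd|usermod|userdel|groupadd)\b"), "hot"),
    ("scheduled_job",         re.compile(r"^cron\[\d+\]"), "cold"),
    ("health_probe",          re.compile(r'"GET /healthz '), "drop"),
]
DEFAULT_TIER = "cold"  # unknown events are archived, never silently dropped


def route(line):
    """Return (tier, rule_name) for one log line."""
    for name, pattern, tier in RULES:
        if pattern.search(line):
            return tier, name
    return DEFAULT_TIER, "unclassified"


def route_all(lines):
    """Group lines by tier, keeping the rule that fired for later review."""
    routed = defaultdict(list)
    for line in lines:
        tier, name = route(line)
        routed[tier].append((name, line))
    return dict(routed)


def policy_is_safe(rules=RULES):
    """True if every hot rule precedes every drop rule, so cost filters
    cannot shadow a security rule.  Run this whenever the rule list changes."""
    first_drop = next((i for i, (_, _, t) in enumerate(rules) if t == "drop"), len(rules))
    return all(t != "hot" for _, _, t in rules[first_drop:])


def hot_tier_share(lines):
    """Fraction of ingested bytes routed to the hot tier (providers bill on bytes)."""
    total = sum(len(l.encode()) for l in lines)
    hot = sum(len(l.encode()) for l in lines if route(l)[0] == "hot")
    return hot / total if total else 0.0


if __name__ == "__main__":
    assert policy_is_safe(), "a drop rule precedes a hot rule"
    for tier, entries in sorted(route_all(SAMPLE_LOGS).items()):
        print(f"{tier}: {len(entries)} lines")
        for name, line in entries:
            print(f"  [{name}] {line}")
    print(f"hot-tier share of bytes: {hot_tier_share(SAMPLE_LOGS):.0%}")
```

Two design choices carry the security point. Unknown events default to the cold tier rather than to drop, so a new log source never disappears just because nobody wrote a rule for it yet, and changes to audit configuration (StopLogging, PutBucketLogging) are treated as hot-tier events, since an attacker who can turn off logging is exactly the case CWE-778 warns about. The hot-tier share is the number to negotiate budget around: it tells you how much of the bill buys detection and forensic value versus archive.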