November 15, 2023 at 04:37AM
Organizations are struggling to implement adequate logging, which makes it difficult for defenders and incident responders to determine how an attack unfolded. In many cases, organizations lack the telemetry logs needed to analyze an event properly. Attackers often disable or wipe logging to evade detection and attribution. Insufficient logging is often due to resource constraints and limited IT capabilities. Proper logging is crucial for detecting, investigating, and understanding security incidents, as well as for performance monitoring and resource access control. To keep logs from being wiped, organizations should implement strict access controls, regular backups, SIEM systems, and immutable logs.
Key Takeaways from Meeting Notes:
1. Many organizations are failing to implement adequate logging, making it difficult for defenders and incident responders to determine how a security incident occurred.
2. In 42 percent of incident response cases analyzed, organizations did not have the necessary telemetry logs to properly analyze an event.
3. Attackers frequently disable or wipe telemetry and logging capabilities themselves to evade detection, identification, and attribution.
4. In nearly a quarter of cases, organizations experiencing a security incident did not have appropriate logging available for incident responders.
5. Resource constraints and limited IT and data capabilities are common reasons for organizations lacking adequate logging measures.
6. Logging is essential for building a strong security posture and enabling fast recovery from attacks.
7. Logs provide crucial insights into network and system activities, aiding in the detection, investigation, and understanding of security incidents.
8. Logs are also valuable for areas outside of cybersecurity, such as investigating performance issues and managing resource access.
9. Organizations should implement strict access controls, regular backups, SIEM systems, and immutable logs to prevent logs from being wiped.
10. Microsoft offers free logging for customers, and there are other free and open SIEM solutions available, such as Logging Made Easy.
11. Logs are particularly useful in investigating ransomware attacks and can reveal compromised systems.
12. Ransomware attacks are becoming faster, with dwell times measured in hours rather than days.
13. Increasing friction for attackers can add valuable time to respond to an attack and prevent data exfiltration.
14. Organizations with continuous monitoring and managed detection and response (MDR) capabilities are better equipped to detect and halt attacks early.
15. Unless attackers change their techniques, defensive strategies do not need to change drastically.
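As an added example (not from the report or meeting notes summarized above), the following Python check runs over a constructed batch of forwarded Windows events and surfaces the two symptoms the takeaways describe: explicit log-clear events and hosts that stop reporting. The hostnames, users and timestamps are constructed; the event IDs 1102 (Security log cleared) and 104 (System/Application log cleared) are Windows' own.

```python
"""Flag two symptoms of log tampering in forwarded Windows events:
explicit log-clear events and hosts whose telemetry has gone silent."""
from datetime import datetime, timedelta

# Windows event IDs written when a log is cleared: Security 1102, System/Application 104.
LOG_CLEARED_IDS = {1102, 104}

# Constructed sample of forwarded events; not real data.
SAMPLE_EVENTS = [
    {"ts": "2023-11-14T03:00:00", "host": "ws01", "event_id": 4624, "user": "alice"},
    {"ts": "2023-11-14T03:05:00", "host": "ws02", "event_id": 4624, "user": "bob"},
    {"ts": "2023-11-14T03:10:00", "host": "srv01", "event_id": 4624, "user": "svc"},
    {"ts": "2023-11-14T03:20:00", "host": "ws01", "event_id": 1102, "user": "admin"},
    {"ts": "2023-11-14T04:00:00", "host": "ws02", "event_id": 4624, "user": "bob"},
    {"ts": "2023-11-14T06:00:00", "host": "ws02", "event_id": 4634, "user": "bob"},
]


def find_cleared_logs(events):
    """Return (host, ts, user) for every explicit log-clear event.
    On a forwarding host the clear event itself reaches the SIEM before the
    local copy is gone, which is why central, append-only storage matters."""
    return [(e["host"], e["ts"], e["user"])
            for e in events if e["event_id"] in LOG_CLEARED_IDS]


def find_silent_hosts(events, max_gap=timedelta(hours=1)):
    """Return hosts whose newest event is older than max_gap relative to the
    newest event seen anywhere. A host that stops reporting while others keep
    logging is a candidate for disabled or blocked telemetry."""
    last_seen = {}
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        last_seen[e["host"]] = max(last_seen.get(e["host"], t), t)
    newest = max(last_seen.values())
    return sorted(h for h, t in last_seen.items() if newest - t > max_gap)


if __name__ == "__main__":
    for host, ts, user in find_cleared_logs(SAMPLE_EVENTS):
        print(f"ALERT: log cleared on {host} at {ts} by {user}")
    for host in find_silent_hosts(SAMPLE_EVENTS):
        print(f"ALERT: no telemetry from {host} for over an hour")
```

In production the silence check would compare against the collector's clock rather than the newest forwarded event, so a fleet-wide outage is not mistaken for quiet.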