August 23, 2024 at 08:03AM
The US and its allies released a joint guidance document, “Best Practices for Event Logging and Threat Detection,” which defines a baseline for event logging in organizations. The guidance emphasizes security best practices, shared responsibilities, capturing high-quality cyber security events, and structured log formats that support incident investigations. It also includes recommendations on prioritizing log sources, storing event logs securely, and implementing user and entity behavior analytics capabilities for automated incident detection.
Based on the meeting notes, the key takeaways are:
1. The US and its allies have released joint guidance on defining a baseline for event logging in organizations.
2. The document “Best Practices for Event Logging and Threat Detection” focuses on event logging, threat detection, and details on living-off-the-land (LOTL) techniques used by attackers.
3. The guidance is developed by government agencies from Australia, Canada, Japan, Korea, the Netherlands, New Zealand, Singapore, the UK, and the US, and is intended for medium-size and large organizations.
4. It emphasizes the importance of developing and implementing an enterprise-approved logging policy to improve organizations’ chances of detecting malicious behavior and to enforce consistent logging methods.
5. Logging policies should consider shared responsibilities between the organization and service providers, details on what events need to be logged, logging facilities, monitoring, retention duration, and log collection reassessment.
6. Organizations are encouraged to capture high-quality cybersecurity events and focus on the types of events collected rather than their formatting.
7. Capturing a large volume of well-formatted logs and organizing them into ‘hot’ and ‘cold’ storage is advised. Specific logging considerations for operating systems are highlighted.
8. Event logs should contain details to aid defenders and responders, including accurate timestamps, event type, device identifiers, session IDs, IPs, user IDs, and a unique event identifier.
9. Organizations should consider the resource constraints of operational technology (OT) devices and use sensors to supplement their logging capabilities.
10. The document recommends structured log formats such as JSON, retaining logs long enough to support incident investigations, and implementing user and entity behavior analytics capabilities for automated incident detection.
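Items 8 and 10 together describe what a useful structured record looks like: a JSON event carrying an accurate timestamp, event type, device identifier, session ID, IP, user ID and a unique event identifier. The following added example (not code from the guidance or any vendor) emits such records and validates a batch of JSON lines against that field list; the field names (`src_ip`, `device_id`, and so on) and the sample records are constructed for illustration, not a schema the guidance prescribes.

```python
import ipaddress
import json
import uuid
from datetime import datetime, timezone

# Fields the guidance lists as aiding defenders and responders (names are our own choice).
REQUIRED_FIELDS = ("timestamp", "event_type", "device_id", "session_id", "src_ip", "user_id", "event_id")

def build_event(event_type, device_id, session_id, src_ip, user_id):
    """Return one record as a JSON line with a UTC timestamp and a unique event id."""
    record = {
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="milliseconds"),
        "event_type": event_type, "device_id": device_id, "session_id": session_id,
        "src_ip": src_ip, "user_id": user_id, "event_id": str(uuid.uuid4()),
    }
    return json.dumps(record, sort_keys=True)

def validate_events(lines):
    """Check JSON lines against the field list; return (line_no, problem) pairs in order found."""
    problems, seen_ids = [], set()
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, "not valid JSON"))
            continue
        problems += [(n, f"missing {f}") for f in REQUIRED_FIELDS if f not in rec]
        if "timestamp" in rec:  # must parse as ISO 8601 and carry an explicit UTC offset
            try:
                if datetime.fromisoformat(rec["timestamp"]).utcoffset() is None:
                    problems.append((n, "timestamp has no timezone"))
            except (TypeError, ValueError):
                problems.append((n, "timestamp not ISO 8601"))
        if "src_ip" in rec:
            try:
                ipaddress.ip_address(rec["src_ip"])
            except ValueError:
                problems.append((n, "src_ip not an IP address"))
        if "event_id" in rec:  # a repeated id breaks correlation and de-duplication downstream
            if rec["event_id"] in seen_ids:
                problems.append((n, "duplicate event_id"))
            seen_ids.add(rec["event_id"])
    return problems

# Constructed sample batch: one well-formed record followed by two defective ones.
SAMPLE_LINES = [
    build_event("logon", "ws-017", "s-4411", "10.0.0.25", "alice"),
    '{"timestamp": "2024-08-23 08:03:00", "event_type": "logon", "device_id": "ws-018", "session_id": "s-4412", "src_ip": "10.0.0.26", "user_id": "bob", "event_id": "e1"}',
    '{"timestamp": "2024-08-23T08:04:00+00:00", "event_type": "logoff", "device_id": "ws-018", "session_id": "s-4412", "src_ip": "not-an-ip", "event_id": "e1"}',
]
```

Running `validate_events(SAMPLE_LINES)` flags the naive timestamp on the second record and the missing user, malformed IP and reused event id on the third, which is the kind of check a collector can apply before records reach hot storage.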