Control of the Month: Logging and Monitoring Security Events

This article is part of our Control of the Month series where we discuss information security controls. This series is brought to you by the Tugboat Logic Labs team. They have a combined 100+ years of information security experience as previous auditors from the Big 4 (Deloitte, EY, PwC and KPMG) and consultants across industries. The goal? To help you easily understand, implement and maintain each control. And even impress your auditor! Today, we’re unpacking Logging and Monitoring best practices. 

Are you preparing for any kind of security audit? Hoping to level up your information security game? Or, protect yourself from data breaches? No matter what your InfoSec (information security) goals are, you need to log and monitor security events.

Logging and monitoring security events is one of the most important controls in any information security audit. This includes (but is not limited to) audits for these popular security frameworks: SOC 2, ISO 27001, GDPR, HIPAA, NIST CSF, CCPA, PCI DSS, CMMC 2.0, ITGC, FFIEC, Microsoft SSPA, NIST 800-171, NIST 800-172, and NIST 800-53.

In this piece, you’ll learn what this foundational control entails and some best practices for logging and monitoring, with and without compliance automation.

What Are Security Events?

Before we go over logging and monitoring, let’s define security events.

Security events are really any activity that occurs within your security environment. Emails, intrusion attempts, reported incidents, logins, changes in application permissions or roles, and security configurations are all examples of security events.

What Is Logging and Monitoring Security Events?

Simply put, logging is when your business tracks, collects and organizes data. For example, when you track all your employees’ app permission changes in a spreadsheet, you’re logging that data.

Monitoring is the reviewing of that data to find trends, discrepancies, or issues. This can be done manually in a spreadsheet or with a tool.

Expert Quick Tip: if your organization logs certain data but never looks at it, it is not a control. It is what you do with the logs or the data that determines its worth and importance as a control, especially to an auditor.

Why Is Logging and Monitoring Security Events Important? 

Logging and monitoring best practices are essential to the secure management of any organization. Well-kept logs show an auditor that your organization is continuously compliant and meeting security standards.

Logs that show who has authorization and access to your applications and data sets are especially important for any organization, no matter what your security goals are.

They provide a comprehensive view of who or what can access some of your business’s most valuable assets, along with when those assets were accessed. Monitoring these logs also confirms that your access control systems and procedures are working effectively and as intended.

Logging and monitoring security events is a detective measure or safeguard for your business. It allows you to identify non-compliance or data breaches early, before they turn into bigger issues with your auditor, or even your customers.

What Security Events Should I Be Logging and Monitoring?

Logging and monitoring security events is very important, but that doesn’t mean you should log and monitor every security event.

Countless security events are happening at your organization every day. So, logging each and every one of them would be extremely overwhelming and ineffective.

Logging and monitoring security events should give you meaningful insights you can use to improve your business operations, not heaps of data stored in a spreadsheet graveyard.

So, what should you be logging and monitoring for best practice? You may not like this answer. Like many things in information security, the answer isn’t one-size-fits-all. It really depends on the particularities of your business and your goals.

What security events you log and monitor should be based on your business’s unique tolerance, scope, risks, and daily operations.

Expert Quick Tip: Asking an auditor “what should I be logging?” is a huge red flag. The onus is on you to determine which security events to log and monitor.

Why? Because it shows your auditor you understand your business and its unique security risks. This is why completing a risk assessment that accounts for every risk associated with your business is foundational in passing any security audit.

How to Log and Monitor Security Events

So, how do we do this? In order to implement this control and meet security requirements some businesses use compliance automation software and others do this on their own. We’ll go over strategies for both.

The greatest differences between using compliance automation software for logging and monitoring security events and doing this on your own are guidance and time.

Without compliance automation, you’ll have to complete your risk assessment on your own. You can use a spreadsheet to list all the risks associated with your business. Be sure not to miss any risks (this will result in a failed audit if you do).

Without Compliance Automation

To get started on this on your own you should:

  • Determine which data sets you should log and monitor based on your risk assessment.
  • Provide justifications and describe what will be done with the log.
  • Create a process for responding to alerts or issues.
  • State who has access to the logs, who is responsible for them, where you store the logs, and how long you retain them.
  • Determine a cadence to monitor and review each log to find trends or discrepancies. You can determine the frequency of your monitoring by the sensitivity and function of the logged data or security requirements.
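An added example, not from the article or from Tugboat Logic’s product, of how the items in that list can be turned into a checkable log register: each data set records its owner, justification, readers, storage location, retention and review cadence, and a function flags entries that are incomplete or whose review is overdue. That last check is the “logged but never looked at” case the tip earlier warns about. The field names and the sample entries are constructed for the example.

```python
from datetime import date, timedelta

# Constructed log register: one entry per data set chosen from the risk assessment.
# Field names are this example's own; the article names the items but prescribes no format.
LOG_REGISTER = [
    {"name": "app_permission_changes", "owner": "IT lead",
     "justification": "Detect unauthorised privilege changes",
     "readers": ["IT lead", "Security"], "location": "SIEM",
     "retention_days": 365, "review_every_days": 7,
     "last_reviewed": date(2023, 1, 2)},
    {"name": "vpn_logins", "owner": "Security",
     "justification": "", "readers": ["Security"], "location": "spreadsheet",
     "retention_days": 90, "review_every_days": 30,
     "last_reviewed": None},
]

# Constructed "today" so the example is reproducible.
AS_OF = date(2023, 1, 20)

# Every log in the register must state these items before it counts as a control.
REQUIRED = ("owner", "justification", "readers", "location",
            "retention_days", "review_every_days")

def review_findings(register, today):
    """Return {log_name: [finding, ...]} for entries that fall short of the control."""
    findings = {}
    for entry in register:
        issues = [f"missing {field}" for field in REQUIRED if not entry.get(field)]
        last = entry.get("last_reviewed")
        cadence = entry.get("review_every_days")
        if last is None:
            # Data that is collected but never reviewed is not a control.
            issues.append("never reviewed")
        elif cadence and today - last > timedelta(days=cadence):
            overdue = (today - last).days - cadence
            issues.append(f"review overdue by {overdue} days")
        if issues:
            findings[entry["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in review_findings(LOG_REGISTER, AS_OF).items():
        print(f"{name}: {', '.join(issues)}")
```

Run on a schedule (or at the monitoring cadence itself) the report doubles as evidence that each log is being reviewed as planned.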

With Compliance Automation

Compliance automation software will give you all this information. It will guide you through this process to ensure you don’t miss anything. The software will provide guidance on what data to log and monitor, who should have access, and how often the logs should be monitored, based on the standard’s requirements and the nature of the control.

It is important to note that compliance automation software is not a logging and monitoring tool. It rather gives you a road map for logging and monitoring and makes it easy to prove this control is working as intended for your audit.

Important Considerations for Logging and Monitoring Best Practice

No matter which option you choose, you’ll have to log and monitor your data in a location of your choice. You can make this entirely manual and use spreadsheets for logs and calendar reminders for monitoring. Or, use a SIEM tool to scan the logs and send alerts when a detection rule is triggered.

Changes occur at businesses every day. Think about how much an application’s access changes at a growing company, for example. For a security audit, you don’t just have to log that change, you have to show evidence of it.

Without software, this is done in the form of screenshots.

With compliance automation, you can rest easy knowing the software will automatically collect evidence of logging and monitoring and any changes and attach it to the right control.

“You need to track everything for SOC 2 (or any InfoSec audit). Without compliance software, this tracking is not automatic. So, if someone makes an update and forgets to note it, it’s very challenging to go back and say who made that change, when and why.” – William Floyd, Chief Technology Officer at Futu US

This is why you need a designated staff member to do this manually. However, even the best project manager would find this challenging.

This is actually the reason Tugboat Logic founders created compliance software. To have a centralized location that will monitor your security program and ensure controls just like this one are working as intended.

Logging and Monitoring with Tugboat Logic

No matter what road to compliance you choose, logging and monitoring is crucial. Still have questions about what this entails for you? Our team of experts is always here to help.

Ready to start automating your logging and monitoring? See how compliance software will speed this up for you and grab a free trial of our platform.