OWASP Top Ten – Insufficient Logging & Monitoring


Insufficient Logging & Monitoring

This week’s entry in the OWASP Top Ten series is Insufficient Logging & Monitoring. This is one of those things that organizations often don’t realize they are missing until it is too late. People sometimes overlook this one because it’s not an attack or a threat in the common usage of the term.

Logging

Logging should be done not only on endpoints, but also on network infrastructure and pretty much everything else. When establishing what should be logged and what shouldn’t, it is best to err on the side of caution and over-log. You can always dial back on the logging later. Timestamps are crucial to logging. All log entries need to have timestamps, and every device’s time should be synchronized with an NTP server. This allows correlations to be made after an incident.
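To show why timestamps and synchronized clocks matter for correlation, here is an added example (not from the original post) that merges log lines from several devices into one UTC timeline and sets aside entries whose timestamps cannot be trusted. The device names, log lines, and function names are constructed for illustration.

```python
"""Merge log lines from several sources into one UTC timeline."""
from datetime import datetime, timezone

# Constructed sample input: (source, raw line). Each device logs in its own offset.
SAMPLE = [
    ("web01",    "2024-03-05T09:02:13-05:00 sshd: Failed password for root from 203.0.113.7"),
    ("db01",     "2024-03-05T15:03:02+01:00 mysqld: login user=root host=10.0.0.5"),
    ("firewall", "2024-03-05T14:02:11+00:00 DENY tcp 203.0.113.7:51512 -> 10.0.0.5:22"),
    ("web01",    "2024-03-05T09:02:40-05:00 sshd: Accepted password for root from 203.0.113.7"),
    ("switch",   "2024-03-05T14:02:50 port Gi0/3 link up"),  # timestamp without UTC offset
    ("printer",  "job 4411 completed"),                       # no timestamp at all
]

def parse_line(source, raw):
    """Return (utc_time, source, message), or None if the timestamp is unusable."""
    stamp, _, message = raw.partition(" ")
    try:
        ts = datetime.fromisoformat(stamp)
    except ValueError:
        return None          # missing or malformed timestamp
    if ts.tzinfo is None:
        return None          # local time with unknown offset cannot be correlated
    return ts.astimezone(timezone.utc), source, message

def build_timeline(entries):
    """Split entries into a UTC-sorted timeline and a list of rejected lines."""
    timeline, rejected = [], []
    for source, raw in entries:
        parsed = parse_line(source, raw)
        if parsed:
            timeline.append(parsed)
        else:
            rejected.append((source, raw))
    # Sorting the raw strings would put web01's 09:02 lines first; UTC does not.
    timeline.sort(key=lambda e: e[0])
    return timeline, rejected

def window(timeline, center, seconds):
    """Sources of events within +/- seconds of center (an aware datetime)."""
    return [s for ts, s, _ in timeline if abs((ts - center).total_seconds()) <= seconds]

if __name__ == "__main__":
    timeline, rejected = build_timeline(SAMPLE)
    for ts, source, message in timeline:
        print(ts.isoformat(), source, message)
    for source, raw in rejected:
        print("UNUSABLE TIMESTAMP:", source, raw)
```

The rejected list is worth reviewing on its own: every source that lands there is a device whose logs cannot be placed on the timeline after an incident.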

Monitoring

We at Brackish are huge proponents of monitoring. Having a dedicated SOC team to monitor and respond to alerts is crucial in the modern cybersecurity landscape. If you think your business is too small and you cannot afford a dedicated SOC, Brackish can help!

Open Source Tools

If you’re a small business and you can’t afford the LARGE price tag of some commercial products, here are some options for you to check out.

  1. Zeek (formerly Bro): Zeek is a powerful network security monitoring tool. It offers flexibility in handling network data and is particularly known for providing extensive log files by default, which facilitates tracking a wide array of network events.
  2. Wazuh: An open-source Security Information and Event Management (SIEM) solution that offers log data analysis, vulnerability detection, and supports incident response. It’s designed to provide real-time correlation and context for security events, enhancing the overall security posture and compliance of IT systems.
  3. Snort: This is a well-known open-source network intrusion prevention system (IPS). It uses a rule-based language to detect malicious network activity. Snort is particularly adept at real-time traffic analysis and packet logging, making it valuable for intrusion detection.
  4. Security Onion: This is a Linux distribution tailored for security monitoring and log management. It integrates a suite of open-source security tools including Elasticsearch, Logstash, Kibana, Snort, Suricata, and others, providing a comprehensive environment for threat detection and response.
  5. Logwatch: It’s an open-source log analysis tool that automatically parses and analyzes log files from different services and applications on Linux or Unix-based systems. Logwatch presents log data summaries that help you to quickly identify system activities, security events, and potential issues.

Conclusion

Do not overlook Logging and Monitoring. It is crucial to detecting and responding to attacks. If you have any questions, reach out to us at Brackish and help make the bad guy salty!

See also:

https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring