A data breach today takes 127 days to detect, according to the Ponemon Institute. Comprehensive visibility and real-time analysis of device and application log data provide an early warning of cybersecurity threats before damage occurs. Log monitoring and Security Information and Event Management (SIEM) decision makers sometimes make short-sighted financial decisions to reduce log sources, only to find that it impacts security decision making and incident response. You can balance advanced threat detection with simplicity and affordability as you protect your infrastructure and assets.

Log Monitoring 101

Logs are a crucial source of insight for security analytics like threat detection, intrusion detection, compliance, network security, insider vulnerabilities, and supply chain risks. Almost all devices and applications produce logs. A mid-sized organization may generate millions of logs daily, too many for manual review and correlation. We are often asked: which logs should I monitor? What are some log management best practices?

A SIEM solution correlates raw log data for crucial security analytics like threat detection, intrusion detection, compliance, network security, insider vulnerabilities, and supply chain risks.

We recommend that you monitor log sources that include infrastructure devices like routers, security devices like firewalls, application logs, web servers, authentication servers, and client devices like laptops. Other log sources include domain controllers, wireless access points (WAPs), and IPS/IDS tools.

Log monitoring is a topic of interest to both hands-on IT and security teams as well as business stakeholders, such as executives interested in risk management.

Log Monitoring Considerations and Best Practices

Here are some critical recommendations regarding log monitoring that provides insight into the health, compliance, and security of your systems, applications, and users:

• Align log management to any compliance requirements: Determine whether there are any security and log monitoring regulations that apply to your organization or end-user clients such as NIST 800-171 (U.S. government contractors), HIPAA (Health Insurance Portability and Accountability Act) , or PCI DSS (Payment Card Industry Data Security Standard). Some organizations view cybersecurity and SIEM as a “checkbox” activity and merely implement the most minimal logging, thereby reducing the visibility and effectiveness of this fundamental security tool.
• Monitor logs 24x7x365: Review logs in real-time with a combination of machine learning and SOC (Security Operations Center) analyst expertise to comply with audit requirements, detect actual threats and minimize false positives. Hackers don’t work 8:00 am – 5:00 pm, Monday through Friday, and you need “eyes on glass” 24/7. Small-and-medium-sized businesses (SMBs) facing a cybersecurity skills shortage want fewer, but higher quality cybersecurity alerts. A MSSP (Managed Security Service Provider) can augment your staff and skill set.
• Watch for hidden costs: Some log monitoring and SIEM vendors charge by data volume such as events per second (EPS). Variable pricing can serve to penalize organizations because more log sources and volume result in unpredictable costs. Look instead for a SIEM solution with transparent pricing based on devices and systems being monitored.
• Archive logs: Tailor log storage and archiving to each client organization’s requirements like HIPAA compliance mandates. Log storage for 365 days is an industry best practice that enables crucial forensics later to determine the impact of security incidents.
• Protect log data: Due to its importance in tracking both internal and external threats, you need to protect the confidentiality, integrity, and availability of log data. Threat actors often erase log data that would divulge their stealthy actions.

Getting Started with Log Management and Managed SIEM

Realize that you are not alone as you enhance your cybersecurity posture. There are steps you can take to minimize cybersecurity risks and visibility gaps while expanding your cybersecurity at your own pace. For those looking to evolve their capabilities with a managed security solution, SOC-as-a-Service (SOCaaS) or the more robust and flexible Co-Managed SIEM/SOC can deliver advanced threat protection.

The first step is to collect and archive event logs as an MSP, knowing that adversaries are targeting you and your supply chain. Use a crawl – walk – run approach with EventTracker SIEM from Netsurion to get started and build your understanding and expertise. Continue to enhance your cybersecurity maturity and familiarity with the comprehensive reports and dashboards.

* The original post can be found here: https://www.msspalert.com/cybersecurity-guests/avoid-log-monitoring-gaps-with-holistic-coverage/