Hold On to The Evidence: Why Securing System Logs is Essential for Cyber Incident Response

This blog post is part of a series of cyber incident top tips.

So, you are likely exploring and investing in various breach detection technologies, from network traffic analysis to system log analytics, each promising to strengthen your defences against potential threats. Amid the hype and the acronyms, one crucial aspect is often overlooked: these technologies, and above all the logs they consume, are also what makes an effective incident response possible.

The importance of system logs

When evaluating cyber breach detection tools and services, it is essential to understand that most solutions either monitor network traffic and behaviours or analyse system logs. Each approach has its strengths, which is why standards such as PCI DSS call for both: audit logging and log review (Requirement 10) alongside network intrusion detection (Requirement 11), so that one covers the gaps of the other.

However, the true value of these technologies often becomes apparent during an actual cyber incident. Imagine your latest behavioural analysis software flags something suspicious. You decide to bring in expert investigators to dig deeper. The first and most critical question they will ask is, “Do you have system logs?”

Why system logs matter

For cyber incident responders, having access to secure copies of system logs can make their job much easier. System logs provide a detailed record of system activities, user actions, and network interactions. They are invaluable for reconstructing the events leading up to and during a breach. Here’s why keeping a secure, external copy of your logs is so important:

  1. Ease of investigation: Investigators rely heavily on logs to piece together the timeline of an attack, identify the entry points, and understand the scope of the breach. Without these logs, the investigation becomes much more challenging, time-consuming, and costly.
  2. Prevention of evidence loss: In the heat of a breach, attackers routinely erase the evidence of their activities on the hosts they control, by clearing the Windows Security event log, truncating files under /var/log, or disabling auditing. A separate log collector that your production systems can only write to, and that is not administered with the same credentials as the rest of the estate, holds a copy the attacker cannot reach. The syslog protocol, or an agent that forwards events as they are written, is the usual transport; the point is that the copy leaves the compromised host before the attacker gets round to cleaning up.
  3. Timely response: Quick access to accurate log data can expedite the incident response process. This allows your response team to secure systems, halt ransomware deployment, and mitigate damage before it escalates.

Practical steps to secure your logs

  1. Implement an external logging server: Set up a log collector in a separate security domain from your primary network environment, with its own credentials and administrative access, and forward logs to it in near real time so that a copy exists the moment an event is written, even if your network is later compromised. OpenSearch is one option for the store behind such a collector, with a syslog or agent-based pipeline in front of it. Note that hypervisors and SAN/NAS storage are commonly encrypted during a ransomware attack, so a collector running on that same infrastructure will be lost with everything else; an out-of-band appliance or a cloud logging service is recommended for these situations.
  2. Regular backups: Make sure that your syslog server is regularly backed up and that these backups are stored securely. This provides an additional layer of protection and gives you access to historical data when needed.
  3. Automated alerts: Configure automated alerts for suspicious activities based on your log data. This helps in detecting and addressing potential breaches before they cause significant harm.
  4. Increase your logging for investigation readiness: Microsoft Sysmon (a free Sysinternals tool, so no additional licensing is required) is a must-have on Windows endpoints and servers. Its process-creation, network-connection and file-write events not only shorten investigation time but give far more accurate visibility of what actually happened than default Windows auditing does.
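The two ideas in the list above, a separate collector that holds a copy the attacker cannot quietly alter (step 1, and point 2 of the previous section) and an alert rule that fires on suspicious activity in the log stream (step 3), can be shown together in a few dozen lines. The following is an added example written for this post, not code from the original article or from any logging product. It assumes RFC 5424 formatted syslog lines, uses a SHA-256 hash chain as a simple tamper-evidence mechanism (a real collector would add write-once storage and signed checkpoints on top), and the log lines, hostnames and command lines are constructed for the demonstration.

```python
"""Tamper-evident log store plus a log-clearing alert rule.

Added example, not part of the original post. Sample log lines below are
constructed; the regexes are illustrative, not a complete rule set.
"""
import hashlib
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

# Commands an intruder typically runs to destroy evidence on a host.
LOG_CLEARING_RE = re.compile(
    r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog|auditctl\s+-D|rm\s+(-rf?\s+)?/var/log",
    re.IGNORECASE,
)

# Constructed sample: a normal SSH login, a Sysmon process-creation event
# showing the Security log being cleared, and a Linux log file deletion.
SAMPLE = [
    "<14>1 2024-05-01T10:00:01Z web01 sshd 2211 - - Accepted publickey for deploy from 10.0.0.5 port 51234",
    "<14>1 2024-05-01T10:02:17Z dc01 Microsoft-Windows-Sysmon 1488 - - Process Create: "
    "Image: C:\\Windows\\System32\\wevtutil.exe CommandLine: wevtutil cl Security",
    "<13>1 2024-05-01T10:02:20Z web01 bash 2290 - - rm -rf /var/log/auth.log",
]


@dataclass(frozen=True)
class Entry:
    seq: int
    raw: str
    prev_hash: str
    hash: str


class HashChainedStore:
    """Append-only store where each record's hash covers the previous hash,
    so deleting, editing or reordering any record breaks every later hash."""

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @staticmethod
    def _digest(seq: int, prev: str, raw: str) -> str:
        return hashlib.sha256(f"{seq}\n{prev}\n{raw}".encode()).hexdigest()

    def append(self, raw: str) -> Entry:
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = Entry(seq, raw, prev, self._digest(seq, prev, raw))
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first inconsistent record, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.hash != self._digest(i, prev, e.raw):
                return i
            prev = e.hash
        return None


def parse(raw: str) -> Optional[dict]:
    """Split an RFC 5424 line into its header fields; None if malformed."""
    m = SYSLOG_RE.match(raw)
    return m.groupdict() if m else None


def alert(raw: str) -> Optional[str]:
    """Alert rule: unparseable lines and log-clearing commands are both reportable."""
    fields = parse(raw)
    if fields is None:
        return f"unparseable syslog line: {raw[:60]}"
    if LOG_CLEARING_RE.search(fields["msg"]):
        return f"log clearing on {fields['host']} ({fields['app']}): {fields['msg']}"
    return None


def build_store(lines: List[str]) -> HashChainedStore:
    store = HashChainedStore()
    for raw in lines:
        store.append(raw)
    return store


def alerts_for(lines: List[str]) -> List[str]:
    return [a for a in (alert(raw) for raw in lines) if a]


def tamper_demo() -> Tuple[Optional[int], Optional[int], Optional[int]]:
    """verify() results for an intact chain, one with a record deleted,
    and one with a record edited to hide the wevtutil command."""
    intact = build_store(SAMPLE)
    deleted = build_store(SAMPLE)
    del deleted.entries[1]
    edited = build_store(SAMPLE)
    e = edited.entries[1]
    edited.entries[1] = replace(e, raw=e.raw.replace("wevtutil cl Security", "whoami"))
    return intact.verify(), deleted.verify(), edited.verify()


if __name__ == "__main__":
    for a in alerts_for(SAMPLE):
        print("ALERT:", a)
    print("verify (intact, deleted, edited):", tamper_demo())
```

The alert rule deliberately treats an unparseable line as reportable: a forwarder that starts sending garbage, or a host that stops sending altogether, is itself a signal during an incident. The hash chain only proves that the copy on the collector has not been altered since it arrived; it does nothing for events that never left the host, which is why forwarding must be immediate and the collector must sit outside the attacker's reach.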

Conclusion

In the event of a cyber incident, the importance of securing and retaining system logs cannot be overstated. They are not just passive records but active tools that can make a significant difference in the efficiency and effectiveness of your incident response. By maintaining an external syslog server and ensuring your logs are secure and accessible, you enhance your organisation’s ability to quickly respond to and recover from cyber threats.

Remember, in the chaotic moments following a breach, the insights provided by your logs can be the key to identifying vulnerabilities, stopping attackers in their tracks, and ultimately protecting your organisation from further damage. So, hold on to your evidence – it might just be the lifeline you need.

Need some help?

Need assistance with your incident response strategy? Contact us today to learn more about how we can help you secure your logs and strengthen your overall cyber security posture.
