6: Maintenance, Monitoring and Analysis of Audit Logs
Control Statement
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
[csf.tools Note: For more information on the Critical Security Controls, visit the Center for Internet Security.]
Subcontrols
6.1: Utilize Three Synchronized Time Sources
Use at least three synchronized time sources from which all servers and network devices retrieve time information on a regular basis so that timestamps in logs are consistent.
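Verifying 6.1 on a Linux host usually means reading `chronyc sources` (or the ntpd equivalent) and confirming that enough sources are actually reachable and that one has been selected. The script below is an added example, not part of the csf.tools page or of CIS's own material: it parses the tabular layout of `chronyc sources` (column order and the meaning of the `MS` and `Reach` columns are taken from chrony's documentation and assumed here), using two constructed samples rather than output captured from a real host. The healthy sample has three fully reachable sources; the degraded sample shows the failure mode where a third source has never answered, which the check must report rather than pass.

```python
"""Check CIS Control 6.1 (three synchronized time sources) from `chronyc sources` output.

Added example, not page or CIS code. Column layout assumed from chrony's docs;
sample outputs are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: three healthy sources. Reach is an octal shift register of the
# last eight polls, so 377 means every one of the last eight polls succeeded.
HEALTHY = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time1.example.net             2   6   377    23   -412us[ -528us] +/-   23ms
^+ time2.example.net             2   6   377    22   +118us[ +118us] +/-   31ms
^+ time3.example.net             3   6   377    24  +1021us[+1021us] +/-   45ms
"""

# Constructed sample: the third source has never responded (state '?', Reach 0).
DEGRADED = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time1.example.net             2   6   377    23   -412us[ -528us] +/-   23ms
^+ time2.example.net             2   6   377    22   +118us[ +118us] +/-   31ms
^? time3.example.net             0   6     0     -     +0ns[   +0ns] +/-    0ns
"""

# MS column: mode (^ server, = peer, # local clock) and state
# (* selected, + combined, - not combined, ? unreachable, x falseticker, ~ too variable).
SOURCE_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<name>\S+)\s+(?P<stratum>\d+)\s+"
    r"(?P<poll>-?\d+)\s+(?P<reach>\d+)\s+(?P<lastrx>\S+)\s+(?P<sample>.*)$"
)

@dataclass
class Source:
    name: str
    state: str
    stratum: int
    reach: int        # octal register decoded to int; 0o377 == all of the last 8 polls answered
    offset_s: float   # last measured offset, in seconds, sign as chrony reports it

def _parse_offset(sample: str) -> float:
    """Convert the leading '-412us' / '+1021us' / '+0ns' token of 'Last sample' to seconds."""
    m = re.match(r"\s*([+-]?\d+(?:\.\d+)?)(ns|us|ms|s)", sample)
    if not m:
        raise ValueError(f"unparseable sample column: {sample!r}")
    value, unit = float(m.group(1)), m.group(2)
    return value * {"ns": 1e-9, "us": 1e-6, "ms": 1e-3, "s": 1.0}[unit]

def parse_sources(output: str) -> list[Source]:
    """Parse every source row; header and separator lines are skipped."""
    sources = []
    for line in output.splitlines():
        m = SOURCE_RE.match(line)
        if not m:
            continue
        sources.append(Source(
            name=m["name"], state=m["state"], stratum=int(m["stratum"]),
            reach=int(m["reach"], 8), offset_s=_parse_offset(m["sample"]),
        ))
    return sources

def check_time_sync(output: str, min_sources: int = 3, max_offset_s: float = 0.1) -> tuple[bool, str]:
    """Return (ok, reason). ok requires >= min_sources usable sources (all eight recent
    polls answered and not flagged unreachable/falseticker/jittery), exactly one selected
    source, and that source's last offset within max_offset_s. Thresholds are assumptions."""
    sources = parse_sources(output)
    usable = [s for s in sources if s.reach == 0o377 and s.state in "*+-"]
    selected = [s for s in sources if s.state == "*"]
    if len(usable) < min_sources:
        return False, f"only {len(usable)} of {min_sources} required time sources are usable"
    if len(selected) != 1:
        return False, "no time source is currently selected for synchronisation"
    if abs(selected[0].offset_s) > max_offset_s:
        return False, f"selected source offset {selected[0].offset_s:+.6f}s exceeds {max_offset_s}s"
    return True, f"synchronised to {selected[0].name} with {len(usable)} usable sources"

if __name__ == "__main__":
    for label, sample in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, check_time_sync(sample))
```

Run it under a config-management or monitoring job with the live output piped in (`chronyc sources | python3 check_timesync.py`, adapting `__main__` to read stdin); a `False` result on any log-producing host is the signal that its timestamps can no longer be trusted for cross-host correlation.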
6.2: Activate Audit Logging
Ensure that local logging has been enabled on all systems and networking devices.
6.3: Enable Detailed Logging
Enable system logging to include detailed information such as an event source, date, user, timestamp, source addresses, destination addresses, and other useful elements.
6.4: Ensure Adequate Storage for Logs
Ensure that all systems that store logs have adequate storage space for the logs generated.
6.5: Central Log Management
Ensure that appropriate logs are being aggregated to a central log management system for analysis and review.
6.6: Deploy SIEM or Log Analytic Tools
Deploy Security Information and Event Management (SIEM) or log analytic tools for log correlation and analysis.
6.7: Regularly Review Logs
On a regular basis, review logs to identify anomalies or abnormal events.
6.8: Regularly Tune SIEM
On a regular basis, tune your SIEM system to better identify actionable events and decrease event noise.
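Subcontrols 6.3, 6.5, 6.7 and 6.8 come together in the review pass a collector or SIEM runs over aggregated records: detailed fields are parsed, records from many hosts are placed on one timeline, anomalies are flagged, and known noise is tuned out. The script below is an added example and not code from the csf.tools page or from CIS: the log lines are constructed to imitate RFC 5424 syslog records from three hosts (one of which stamps in +01:00), the host inventory used to enrich each record with a destination address, the burst threshold, and the allowlisted scanner address are all assumptions. It also shows the failure mode 6.1 guards against: when the collector discards zone offsets instead of normalising them, the same cross-host brute-force burst no longer lines up and no alert fires.

```python
"""Central audit-log review: parse detailed fields, normalise time, detect bursts, tune noise.

Added example, not page or CIS code. Log lines, host inventory and thresholds are constructed.
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed inventory: lets the collector attach a destination address to each record (6.3).
HOST_ADDRESSES = {"web1": "10.0.0.11", "web2": "10.0.0.12", "db1": "10.0.0.21"}

# Constructed records as forwarded to one collector (6.5). web2 stamps in +01:00.
RAW_LOGS = """\
<86>1 2024-03-04T09:00:01+00:00 web1 sshd - - - Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
<86>1 2024-03-04T09:00:03+00:00 web1 sshd - - - Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
<86>1 2024-03-04T10:00:04+01:00 web2 sshd - - - Failed password for root from 203.0.113.7 port 51024 ssh2
<86>1 2024-03-04T10:00:06+01:00 web2 sshd - - - Failed password for root from 203.0.113.7 port 51025 ssh2
<86>1 2024-03-04T09:00:09+00:00 db1 sshd - - - Failed password for root from 203.0.113.7 port 51026 ssh2
<86>1 2024-03-04T09:00:40+00:00 db1 sshd - - - Accepted publickey for deploy from 10.0.0.5 port 40100 ssh2
<86>1 2024-03-04T09:02:00+00:00 web1 sshd - - - Failed password for root from 10.0.0.99 port 33001 ssh2
<86>1 2024-03-04T09:02:01+00:00 web1 sshd - - - Failed password for root from 10.0.0.99 port 33002 ssh2
<86>1 2024-03-04T09:02:02+00:00 web2 sshd - - - Failed password for root from 10.0.0.99 port 33003 ssh2
<86>1 2024-03-04T09:02:03+00:00 web2 sshd - - - Failed password for root from 10.0.0.99 port 33004 ssh2
<86>1 2024-03-04T09:02:04+00:00 db1 sshd - - - Failed password for root from 10.0.0.99 port 33005 ssh2
"""

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
LINE_RE = re.compile(r"^<\d+>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
AUTH_RE = re.compile(
    r"^(?P<outcome>Failed password|Accepted \w+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

@dataclass(frozen=True)
class Event:
    ts: datetime   # timezone-aware, UTC
    host: str      # event source
    user: str
    src: str       # source address
    dst: str       # destination address (from inventory)
    failed: bool

def parse_events(raw: str, honour_offsets: bool = True) -> list[Event]:
    """Parse auth records into time-ordered events. honour_offsets=False imitates a collector
    that drops the zone offset, which silently shifts web2's records by an hour."""
    events: list[Event] = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        a = AUTH_RE.match(m["msg"]) if m else None
        if not a:
            continue   # not an auth event; a real pipeline routes it to another parser
        ts = datetime.fromisoformat(m["ts"])
        ts = ts.astimezone(timezone.utc) if honour_offsets else ts.replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["host"], a["user"], a["src"],
                            HOST_ADDRESSES.get(m["host"], "unknown"), a["outcome"].startswith("Failed")))
    return sorted(events, key=lambda e: e.ts)

def find_bursts(events: list[Event], threshold: int = 5, window_s: int = 60,
                suppress: frozenset[str] = frozenset()) -> tuple[list[dict], list[dict]]:
    """6.7: flag any source with >= threshold failed logins within window_s seconds, counted
    across all hosts. 6.8: sources in `suppress` (e.g. the authorised vulnerability scanner)
    are returned separately as tuned-out noise rather than as alerts."""
    by_src: dict[str, list[Event]] = defaultdict(list)
    for e in events:          # events are already time-sorted, so each list is too
        if e.failed:
            by_src[e.src].append(e)
    alerts, suppressed = [], []
    for src, fails in by_src.items():
        start = 0
        for end in range(len(fails)):   # sliding window over this source's failures
            while (fails[end].ts - fails[start].ts).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                hit = {"src": src, "count": end - start + 1,
                       "hosts": sorted({f.host for f in fails[start:end + 1]}),
                       "first": fails[start].ts.isoformat(), "last": fails[end].ts.isoformat()}
                (suppressed if src in suppress else alerts).append(hit)
                break   # one finding per source per review pass
    return alerts, suppressed

if __name__ == "__main__":
    scanner = frozenset({"10.0.0.99"})   # assumed allowlist of the authorised scanner
    alerts, noise = find_bursts(parse_events(RAW_LOGS), suppress=scanner)
    print("alerts:", alerts)
    print("suppressed:", noise)
    print("alerts with offsets dropped:", find_bursts(parse_events(RAW_LOGS, honour_offsets=False), suppress=scanner)[0])
```

The suppression list is the kind of 6.8 tuning that should live in version control with a reason and an owner per entry, and be re-reviewed whenever the allowlisted system changes; dropping the scanner's failures entirely at ingest would also destroy the evidence needed if that scanner were ever compromised.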