Cyber Security Monitoring and Logging needs to be taken more seriously warns CREST

Research published by CREST, the not-for-profit accreditation body that represents the technical information security industry, warns that organisations need to focus more effort and resources on monitoring and logging to help detect potential cyber security attacks, respond to incidents and meet compliance requirements. The free report points to the exponential growth in users and devices connected to the Internet combined with the increasing volume of log files generated by disparate IT systems as major challenges facing information security professionals.

“Organisations seldom have an adequate cyber security logging and monitoring capability,” says Jason Creasey, author of the CREST report. “They often suffer from a lack of budget, resources, technology or recognition of the type and magnitude of the problem; additionally, organisations often put blind trust in the monitoring tools they have purchased, giving them a false sense of security.”

The CREST report focuses on the need to combine cyber security monitoring with analysis of cyber security-related events generated by both internal and external logs - such as Cloud and MSSP logs – along with threat intelligence information, including reconnaissance data and suspicious threat agent activity, to bring context to the monitoring process.

“While you are unlikely to achieve utopia in cyber security monitoring and logging, by prioritising and managing myriad event logs and building an effective monitoring process, it is possible to identify potential indicators of compromise (IOC) at an early stage, investigate them effectively and take appropriate action to reduce the frequency and impact of cyber security incidents,” says Creasey.

The research brought together leading industry experts and senior infosecurity professionals and in a detailed survey, only 41% of respondents said that the level of maturity for identifying suspected or actual cyber security incidents was high or very high. It was also clear that for many organisations a key driver for monitoring and logging lies in adhering to contractual or certification standards (e.g. ISO 27001) and compliance requirements (e.g. PCI DSS or FCA).
“Compliance does not equal security,” says Ian Glover, President of CREST. “Being fully compliant with standards will still leave you exposed to cyber security incidents and some senior management do not appreciate the rationale and importance behind monitoring and logging – yet they are unlikely to install a CCTV system and not point the camera in the right direction or record the video.”
The CREST Cyber Security Monitoring and Logging Guide provides practical advice for building an effective cyber security monitoring and logging capability, as follows:

Identify and investigate anomalies in cyber security-related events
Recognise that detail is important
Prioritise cyber security and monitoring and logging activities
Correlate suspicious events with cyber security intelligence
Consider building or buying a Security Operations Centre (SOC)
Find the right cyber security monitoring and logging tools
Seek the right kind of support from expert external suppliers
Keeping an eye on future requirements.

“We are not just looking for a needle in a haystack; we have to find the right haystack,” says Creasey, Managing Director of consultancy Jerakano who conducted the research on behalf of CREST and a recognised information governance and cyber security expert. “A careful, realistic and well thought through plan based on a risk assessment approach is vital. It is also important to understand all the surrounding processes and skills required before buying a solution; companies need to avoid putting too much focus on products, rather than using them to support applications such as intrusion monitoring, change management, incident response and business continuity.”