Best practices for Application Log & Audit
Improve traceability, monitor sensitive activities
Why implement logging and auditing?
Logging and auditing work together to ensure that users only perform authorized activities (access control monitoring).
These features play a key role in identifying, stopping and preventing unwanted activities.
They also provide audit trails and analysis features to investigate incidents.
Besides human monitoring, suspicious behaviors or critical events should also generate an automatic alert that will be assessed and acted on.
Which applications and data should be monitored?
Some typical cases require active monitoring:
- Critical applications, handling valuable or sensitive information.
- Systems that were previously compromised
- Applications accessed by third parties, and/or from the Internet
Although it is recommended to carry out a risk assessment for each application to determine what level of monitoring is necessary, you may need to log at least:
- User and Terminal IDs
- Successful and failed attempts to access systems, data or applications
- Important business events and transactions
- Exceptions and other security-related events
- Date and time (for log on/off and other key events)
- Changes to security configurations
At any time, you should be able to answer the following questions:
- Who performed this activity?
- Under which circumstances (location, date…)?
- Which data were accessed / impacted?
- Who gave this user the right to do so?
- Right now, who else would perform the same
How to leverage the logs?
Logs are a great source of information, but only if you review them.
Simply logging events won’t provide any additional security.
You must analyze the data collected on a regular basis and investigate all issues detected:
- For the most critical applications, automated monitoring & alerts may be required on an hourly basis.
- High-volume and high-risk applications, such as an e-commerce Web server, may need daily checking to prevent high-profile break-ins.
- For other applications a weekly check usually suffices.
Even small applications can generate too much information to be reviewed manually.
This is where event viewers and graphs come in: they help filter relevant events, analyze what has happened and reveal suspicious activities.
Guard the guardians
A specific area of logging is often underestimated: administrator activities!
Administrators have powerful rights, and their actions need to be carefully recorded and checked as well.
No matter how extensive your logs, they are worthless if you cannot trust their integrity.
- The first thing most hackers will do is try to alter log files to hide their presence.
To protect against this, you should backup your logs on a remote server. This redundancy provides an extra layer of security, as you can compare the two sets of logs against one another -- any differences will indicate suspicious activity.
- It is also important to prevent administrators from having access to logs of their own activities. People in charge of reviewing logs should obviously be independent of the people, activities and logs being reviewed.
- Automated controls should be set to ensure there is ample space available for log storage.