Too Many Logs?

1/9/2025 | 2 min read

There are too many logs. Logs are boring. I hate reviewing logs. Sound familiar?

As an MSSP, should you spend time on log collection and review (LCR)? Is LCR required even if your end-user client doesn't answer to a third-party regulatory authority?


Based on the MITRE ATT&CK framework, which is primarily focused on understanding adversary tactics, techniques, and procedures (TTPs), here's what can be inferred regarding the importance of collecting IT audit logs for analysis, review, documentation, and remediation:


  • Indicator Removal (T1070): One of the techniques in the MITRE ATT&CK framework involves adversaries potentially deleting or modifying audit logs to cover their tracks. This underscores the importance of audit logs in detecting malicious activities since adversaries know their value for forensic analysis and incident response.

  • Impair Defenses (T1562): Adversaries might attempt to disable or modify logging mechanisms to avoid detection. This technique highlights why organizations must ensure robust logging practices, including the integrity and immutability of logs, to prevent tampering and ensure that security events are captured for analysis.

  • Audit (Mitigation M1047): While not a direct technique, this mitigation strategy from MITRE's D3FEND (a complementary framework focusing on defensive cybersecurity techniques) emphasizes performing audits or scans of systems to identify potential weaknesses. Collecting audit logs is a fundamental part of this process, enabling organizations to detect misconfigurations, unauthorized changes, or signs of intrusion.

  • Data Source - Application Log (DS0015): The framework recognizes application logs as a key data source for detecting various adversary techniques. Collecting and analyzing these logs helps in understanding what actions have been taken within applications, which is crucial for security investigations.

  • Data Source - System Log (DS0017): Similarly, system logs are vital for capturing system-level activities, which are essential for identifying system changes, failed logins, and other potentially malicious activities.
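The two defensive points above (tamper-evident logs against T1070/T1562, and routine review of system logs for failed logins) can be shown in a few lines of code. The following is an added example written for this post, not code from Merit Cyber or from MITRE: it HMAC-chains each log record to the one before it so that any deletion or edit of an earlier record breaks every later tag, and it runs two review rules over a constructed batch of Windows Security-style events (Event IDs 4624/4625 logon success/failure, 4719 audit policy changed, 1102 audit log cleared). The sample events, the HMAC key and the failed-logon threshold are all assumptions made up for the example.

```python
"""Tamper-evident log chaining plus simple review rules over constructed sample events."""
import hashlib
import hmac
import json
from collections import Counter

# Constructed sample events (JSON, one per line); not taken from any real system.
# Event IDs follow the Windows Security log: 4624 logon success, 4625 logon failure,
# 4719 audit policy changed, 1102 audit log cleared.
SAMPLE_LINES = [
    '{"host":"ws01","event_id":4624,"user":"alice","src":"10.0.0.7"}',
    '{"host":"ws01","event_id":4625,"user":"admin","src":"203.0.113.9"}',
    '{"host":"ws01","event_id":4625,"user":"admin","src":"203.0.113.9"}',
    '{"host":"ws01","event_id":4625,"user":"admin","src":"203.0.113.9"}',
    '{"host":"ws01","event_id":4625,"user":"admin","src":"203.0.113.9"}',
    '{"host":"ws01","event_id":4625,"user":"admin","src":"203.0.113.9"}',
    '{"host":"ws01","event_id":4719,"user":"admin","src":"-"}',
    '{"host":"ws01","event_id":1102,"user":"admin","src":"-"}',
]

# Review rules. 1102 and 4719 correspond to the behaviours the post cites under
# T1070 (Indicator Removal) and T1562 (Impair Defenses). The failed-logon
# threshold is an assumed value chosen for this example.
TAMPER_EVENT_IDS = {
    1102: "audit log cleared (T1070)",
    4719: "audit policy changed (T1562)",
}
FAILED_LOGON_THRESHOLD = 5
SEED = b"\x00" * 32  # fixed starting "previous tag" for an empty chain


def chain_lines(lines, key):
    """Return [(line, tag_hex)] where tag = HMAC(key, previous_tag || line).

    Because each tag covers the previous tag, editing or deleting a record
    invalidates every record after it. The key must live off the logging host
    (e.g. on the collector), otherwise an intruder with host access can re-chain.
    """
    prev = SEED
    chained = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        chained.append((line, tag.hex()))
        prev = tag
    return chained


def verify_chain(chained, key):
    """Return the index of the first record whose tag fails to verify, or None.

    Note: truncation of the *last* records is not visible here; the collector
    should also store the most recent tag (see chain_head) and the record count.
    """
    prev = SEED
    for i, (line, tag_hex) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tag_hex):
            return i
        prev = expected
    return None


def chain_head(chained):
    """Latest tag; storing it off-host lets the collector detect tail truncation."""
    return chained[-1][1] if chained else SEED.hex()


def review(lines):
    """Apply the review rules and return human-readable findings."""
    findings = []
    failures = Counter()
    for line in lines:
        ev = json.loads(line)
        eid = ev["event_id"]
        if eid in TAMPER_EVENT_IDS:
            findings.append(f'{ev["host"]}: {TAMPER_EVENT_IDS[eid]} by {ev["user"]}')
        elif eid == 4625:
            failures[(ev["host"], ev["src"], ev["user"])] += 1
    for (host, src, user), n in failures.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append(f"{host}: {n} failed logons for {user} from {src}")
    return findings


if __name__ == "__main__":
    key = b"example-key-keep-on-the-collector"  # constructed for the example
    chained = chain_lines(SAMPLE_LINES, key)
    print("intact chain verifies:", verify_chain(chained, key) is None)
    # Remove the 4719 record to simulate indicator removal: the next record fails.
    tampered = chained[:6] + chained[7:]
    print("first bad record after deletion:", verify_chain(tampered, key))
    for finding in review(SAMPLE_LINES):
        print("finding:", finding)
```

The chain only protects what was written before the intruder arrived, which is exactly why the review rules flag 1102 and 4719: a cleared log or a changed audit policy is itself the event worth escalating, even when the records that would have described the activity are gone.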


From these points, MITRE Defense, through the ATT&CK and D3FEND frameworks, implicitly supports the requirement for [all?] organizations to collect, analyze, review, and document IT audit logs:


  • Security: Logs are essential for detecting, responding to, and documenting cybersecurity incidents. They help in reconstructing events, understanding the scope of breaches, and planning remediation.

  • Compliance: Many regulatory requirements mandate the collection and retention of audit logs for proving compliance with security standards and for demonstrating due diligence in cybersecurity practices.

  • POAM: The process of creating Plans of Actions and Milestones (POAMs) for remediation of security issues can be informed by the analysis of audit logs, which highlight where vulnerabilities or incidents occurred.


While MITRE doesn't explicitly state "all organizations must collect logs," the framework's structure and focus on adversary behaviors, coupled with defensive strategies, make a compelling case for why such practices are indispensable in modern cybersecurity.


Collecting and reviewing logs is akin to regular exercise or eating well: it's tempting to neglect when life gets hectic or you're exhausted, but doing so only invites more serious issues later on. Merit Cyber (an affiliate of Trusted Cyber Advisors) is your source for multi-tenant logging for MSSPs.