Global Cyber Agencies Unveil New Logging Standards
Logging Best Practices Guidance Aims to Enhance Global Detection and Response

More than a dozen global cyber authorities endorsed guidance aimed at establishing baseline standards for logging and threat detection, responding to the rising threat from foreign adversaries and malicious actors who increasingly use "living off the land" techniques.
The event logging guidance calls for enhanced cybersecurity monitoring to better detect critical software configuration changes and other modifications that could signal the presence of malicious activity or potential security breaches. Recent examples of high-profile cyber incidents - from the SolarWinds supply chain attack to the Colonial Pipeline ransomware hack - are evidence that robust event logging could have mitigated widespread fallout by detecting early signs of compromise and enabling a faster, more effective response.
The Australian Signals Directorate's Australian Cyber Security Center published the joint guidance Thursday along with the U.S. Cybersecurity and Infrastructure Security Agency, the Canadian Center for Cyber Security and the U.K. National Cyber Security Center, among others. It urges senior information technology decision-makers and operational technology operators in cloud environments to log all control plane operations, including API calls and end-user logins.
The guidance also recommends configuring control plane logging to capture any administrative changes, authentication events and read and write activities.
The cyber agencies identified a wide range of event details that an organization's logging policy should capture, including the event type, the command executed and the user identification, and the guidance seeks to ensure that logs and logging platforms are usable for analysis. It also calls on network administrators to "properly organize logged data into 'hot' data storage that is readily available and searchable."
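The following script is an added example, not code from the guidance or from any of the agencies named above. It shows what "usable for analysis" looks like in practice for the control-plane logs described here: each record is checked for the details the article names (event type, command executed, user identification; the timestamp field and all field names are assumptions made for this example), malformed or incomplete records are rejected with a reason rather than silently indexed, and each accepted record is tagged as an administrative change, an authentication event, a read or a write so it can be searched by category once it lands in hot storage. The sample log lines and the command vocabulary used for classification are constructed for illustration and do not come from any vendor's schema.

```python
"""Validate and classify cloud control-plane log events (added example).

Field names, command names and sample records below are assumptions for
this example; the guidance names the concepts (event type, command
executed, user identification, administrative changes, authentication
events, read and write activity), not a concrete schema.
"""
import json
from collections import Counter

# Fields every control-plane record must carry before it is indexed.
# "timestamp" is an assumption added here; the other three follow the
# details named in the guidance summary.
REQUIRED_FIELDS = ("timestamp", "event_type", "command", "user_id")

# Constructed command vocabulary used only for classification (assumption).
ADMIN_COMMANDS = {"CreateUser", "DeleteUser", "AttachPolicy",
                  "UpdateLoginProfile", "CreateAccessKey"}
AUTH_COMMANDS = {"ConsoleLogin", "AssumeRole", "GetSessionToken"}
READ_PREFIXES = ("Get", "List", "Describe")
WRITE_PREFIXES = ("Put", "Create", "Delete", "Update", "Modify", "Start", "Stop")

# Constructed newline-delimited JSON log; the last two lines are deliberately
# defective (missing user_id, then not JSON at all) to exercise rejection.
SAMPLE_LOG = """\
{"timestamp": "2024-01-15T09:14:03Z", "event_type": "UserLogin", "command": "ConsoleLogin", "user_id": "alice", "outcome": "success"}
{"timestamp": "2024-01-15T09:15:41Z", "event_type": "ApiCall", "command": "CreateUser", "user_id": "alice", "target": "svc-backup"}
{"timestamp": "2024-01-15T09:16:02Z", "event_type": "ApiCall", "command": "AttachPolicy", "user_id": "alice", "target": "svc-backup"}
{"timestamp": "2024-01-15T09:20:17Z", "event_type": "ApiCall", "command": "ListBuckets", "user_id": "svc-backup"}
{"timestamp": "2024-01-15T09:21:00Z", "event_type": "ApiCall", "command": "PutObject", "user_id": "svc-backup"}
{"timestamp": "2024-01-15T09:22:30Z", "event_type": "ApiCall", "command": "DeleteUser"}
not json at all
"""


def classify(command):
    """Map a command name to one of the activity classes the guidance asks
    control-plane logging to capture. Admin and auth checks run first so a
    command such as CreateUser is not mislabelled as a generic write."""
    if command in ADMIN_COMMANDS:
        return "administrative_change"
    if command in AUTH_COMMANDS:
        return "authentication"
    if command.startswith(READ_PREFIXES):
        return "read"
    if command.startswith(WRITE_PREFIXES):
        return "write"
    return "unclassified"


def validate(event):
    """Return the list of required fields that are absent or empty."""
    return [field for field in REQUIRED_FIELDS if not event.get(field)]


def process(raw_lines):
    """Parse NDJSON lines; return (accepted, rejected).

    accepted: list of event dicts with a "category" tag added.
    rejected: list of (line_number, reason) so gaps in coverage are visible
              to the people running the logging platform, not hidden.
    """
    accepted, rejected = [], []
    for line_no, line in enumerate(raw_lines, 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError as exc:
            rejected.append((line_no, f"malformed JSON: {exc.msg}"))
            continue
        missing = validate(event)
        if missing:
            rejected.append((line_no, "missing " + ", ".join(missing)))
            continue
        accepted.append(dict(event, category=classify(event["command"])))
    return accepted, rejected


def summarize(accepted):
    """Count accepted events per category; a quick coverage view for analysts."""
    return Counter(event["category"] for event in accepted)


if __name__ == "__main__":
    ok, bad = process(SAMPLE_LOG.splitlines())
    for event in ok:
        print(f'{event["timestamp"]} {event["category"]:22} '
              f'{event["user_id"]:12} {event["command"]}')
    for line_no, reason in bad:
        print(f"line {line_no}: rejected ({reason})")
    print(dict(summarize(ok)))
```

Running the block prints the five accepted records with their category, reports the two rejected lines with the reason, and ends with a per-category count. The rejection list is the part worth keeping an eye on in a real pipeline: a sudden rise in records missing the user identification or arriving malformed is itself a signal that logging coverage has degraded.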
International cybersecurity authorities have launched recent security initiatives to help the public and private sectors better protect their networks and sensitive data. CISA launched a free open-source log management solution in 2023 called "Logging Made Easy," which provides under-resourced organizations with threat identification and remediation support.
Chad Poland, product manager for cyber shared services at CISA, told Information Security Media Group at the time that one of the agency's top goals with the new initiative "is to drive the implementation of measurably effective cybersecurity investments which includes providing cybersecurity capabilities and services that fill gaps" for target-rich, resource-poor organizations (see: CISA Launches Logging Tool for Resource-Poor Organizations).