Security Monitoring and Reporting Best Practices

As a follow-up to the security auditing and logging article, security monitoring and reporting is an essential part of a robust information security program. Adequate procedures should be in place to monitor all log-in attempts to information systems and all access to information assets, including PII, cardholder data, protected health information (PHI), etc. Automated systems should be deployed throughout the organization’s environment to monitor key events and to analyze system logs.

Security monitoring is a continuous process

To maintain a strong security posture, security monitoring must be a continuous process. The moment you stop monitoring is the moment you expose yourself to significant risk. Accordingly, logs for all system components should be reviewed at least daily. Log reviews should include the servers that perform security functions, such as intrusion detection/prevention systems (IDS/IPS) and authentication servers. Access monitoring activities should abide by all applicable legal requirements.

Automated tools should be employed to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS functionality. Automated systems deployed throughout the environment should be used to monitor key events and analyze system logs, the results of which are reviewed regularly. Automated systems should be used to review monitoring activities of security systems (e.g., IPS/IDS) and system records on a daily basis. Automated systems should support near real-time analysis and alerting of events (e.g., malicious code, potential intrusions) and integrate intrusion detection into access and flow control mechanisms. Auditing and monitoring systems should support audit reduction and report generation. The information system should be able to automatically process audit records for events of interest based on selectable criteria. Alerts should be generated for technical personnel to analyze and investigate suspicious activity or suspected violations.

Secure log-on procedures should be implemented that:

  • display a warning notice;
  • limit the number of unsuccessful attempts;
  • record the number of unsuccessful and successful attempts; and
  • do not display the password as it is entered.

The logon procedure for the OS should minimize the opportunity for unauthorized access by:

  • disclosing the minimum amount of information about the system;
  • limiting the number of unsuccessful logon attempts to three (3) and enforcing disconnection of the data link connection;
  • sending an alarm to the system console;
  • setting the number of password retries commensurate with the minimum length of the password and value of the information protected;
  • limiting the maximum and minimum time allowed for the log-on procedure;
  • not transmitting passwords in clear text over the network;
  • not displaying system or application identifiers until the logon process is successfully completed;
  • not providing help messages during the procedure;
  • validating the log-on information only on completion of all input data; and
  • not indicating which part of the logon was incorrect if an error condition arises.
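The two lists above describe the controls; the following added example (not code from the original article) shows them together in one logon routine: a warning banner, lockout after three failures, a record of every success and failure, validation only once both fields are supplied, and a single generic error that never reveals which part was wrong. The user table, the PBKDF2 parameters and the lockout threshold are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

MAX_FAILED_ATTEMPTS = 3   # the article's limit of three (3) unsuccessful attempts
BANNER = "Authorized use only. Activity on this system is monitored."  # warning notice

def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash; PBKDF2 is an assumption for the example, not a requirement.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class LogonService:
    users: dict                                   # username -> (salt, hash)
    failures: dict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    audit_log: list = field(default_factory=list) # every success and failure is recorded

    def logon(self, username: str, password: str) -> tuple[bool, str]:
        """Validate only after both fields are supplied; never say which part was wrong."""
        generic = "Logon failed."
        if username in self.locked:
            self.audit_log.append(("FAILURE", username, "account locked"))
            return False, generic
        record = self.users.get(username)
        # Hash even for unknown users so a missing account is not distinguishable by timing.
        salt, expected = record if record else (b"\x00" * 16, b"\x00" * 32)
        ok = record is not None and hmac.compare_digest(_hash(password, salt), expected)
        if ok:
            self.failures[username] = 0
            self.audit_log.append(("SUCCESS", username, "ok"))
            return True, "Logon successful."
        self.failures[username] += 1
        self.audit_log.append(("FAILURE", username, f"attempt {self.failures[username]}"))
        if self.failures[username] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(username)   # disconnect the session; an alarm to the console goes here
            self.audit_log.append(("ALARM", username, "lockout after repeated failures"))
        return False, generic

def make_service() -> LogonService:
    # Constructed user store for the example: one account with a known password.
    salt = secrets.token_bytes(16)
    return LogonService(users={"alice": (salt, _hash("correct horse", salt))})
```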

All applicable legal requirements related to monitoring authorized access and unauthorized access attempts should be met. Personnel should be notified that their actions may be monitored and should consent to such monitoring. Privileged operations, authorized and unauthorized access attempts, and system alerts or failures should be monitored. Monitoring includes inbound and outbound communications and file integrity monitoring. Unauthorized remote access connections to the network and information systems should be monitored and reviewed at least quarterly. Appropriate action should be taken when unauthorized connections are discovered.

All traffic leaving the organization should be monitored to detect any unauthorized use of encryption; when it is found, the connection should be terminated and corrective action taken. Network boundary devices, including firewalls, network-based IPS, and inbound and outbound proxies, should be configured to verbosely log all traffic (both allowed and blocked) arriving at the device; at a minimum this should include the full packet header information and payload of the traffic destined for or passing through the network perimeter. Enterprise access from VLANs with BYOD systems or other untrusted devices should be treated as untrusted, and filtering and auditing should be performed on this access accordingly.

To help identify covert-channel exfiltration of data through a firewall, the built-in session tracking mechanisms included in many commercial firewalls should be configured to identify TCP sessions that last an unusually long time. Alerts should be sent to personnel identifying the source and destination addresses associated with these long sessions.
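The long-session check above, as an added example that is not part of the original article: it runs over constructed firewall session records (the CSV layout, addresses and the four-hour threshold are assumptions for the example) and produces an alert per TCP session over the threshold, carrying the source and destination addresses the article says personnel should receive, plus the average data rate so a long but nearly idle session stands out.

```python
import csv
import io
from datetime import timedelta

# Constructed session records (not from any real firewall): start time, protocol,
# source and destination endpoints, duration in seconds, bytes transferred.
SESSION_LOG = """\
start,proto,src,dst,duration_s,bytes
2024-03-01T08:02:11Z,tcp,10.0.5.23:51234,203.0.113.10:443,42,18233
2024-03-01T08:05:40Z,tcp,10.0.5.23:51240,203.0.113.10:443,61,22007
2024-03-01T09:10:02Z,tcp,10.0.7.8:49900,198.51.100.77:22,31020,912330
2024-03-01T11:30:15Z,udp,10.0.5.23:5353,224.0.0.251:5353,5,120
2024-03-01T12:00:00Z,tcp,10.0.9.14:40120,192.0.2.55:8443,28800,4096
"""

LONG_SESSION = timedelta(hours=4)   # site-specific threshold; an assumption for this example

def long_tcp_sessions(log_text: str, threshold: timedelta = LONG_SESSION) -> list[dict]:
    """Return one alert record per TCP session whose duration reaches the threshold."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["proto"] != "tcp":
            continue                      # the control is about TCP session lifetime
        duration = timedelta(seconds=int(row["duration_s"]))
        if duration < threshold:
            continue
        seconds = duration.total_seconds()
        dst_ip, _, dst_port = row["dst"].rpartition(":")
        alerts.append({
            "src": row["src"].rpartition(":")[0],
            "dst": dst_ip,
            "dst_port": int(dst_port),
            "hours": round(seconds / 3600, 1),
            "bytes_per_s": round(int(row["bytes"]) / seconds, 2),  # low rate = idle/beacon-like
        })
    return alerts

def format_alert(a: dict) -> str:
    """Alert text for the on-call analyst: who, to where, how long, how busy."""
    return (f"LONG TCP SESSION {a['src']} -> {a['dst']}:{a['dst_port']} "
            f"lasted {a['hours']} h at {a['bytes_per_s']} B/s")

if __name__ == "__main__":
    for alert in long_tcp_sessions(SESSION_LOG):
        print(format_alert(alert))
```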

Network-based DLP solutions should be used to monitor and control the flow of data within the network. Any anomalies that exceed normal traffic patterns should be noted, and appropriate action should be taken to address them. The network-based DLP solutions should also be used to monitor for sensitive information (e.g., personally identifiable information), keywords, and other document characteristics in order to discover unauthorized attempts to exfiltrate data across network boundaries, block such transfers, and alert information security personnel.

Each user’s typical account usage should be profiled by determining normal time-of-day access and access duration. Penetration testing accounts should be controlled and monitored to make sure they are used only for legitimate purposes, and they should be removed or restored to normal function after testing is over. Audit records should be analyzed and correlated across different repositories, and this information should be correlated with input from non-technical sources.
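The account-usage profiling described above, as an added example that is not code from the original article: a baseline of each user's usual logon hour and session length is built from constructed logon records, and a new logon is scored against it, so a logon far outside the user's usual window or a session much longer than usual is reported for review. The record layout, the two-hour window and the three-sigma duration limit are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed logon records (not from a real system): user, logon time, session minutes.
LOGONS = [
    ("alice", "2024-03-04T08:55:00", 510), ("alice", "2024-03-05T09:02:00", 495),
    ("alice", "2024-03-06T08:47:00", 520), ("alice", "2024-03-07T09:10:00", 480),
    ("alice", "2024-03-08T08:58:00", 505),
    ("bob", "2024-03-04T22:05:00", 240), ("bob", "2024-03-05T22:30:00", 255),
    ("bob", "2024-03-06T21:50:00", 235), ("bob", "2024-03-07T22:15:00", 250),
]

def _hour_of_day(ts: str) -> float:
    t = datetime.fromisoformat(ts)
    return t.hour + t.minute / 60

def build_profiles(records):
    """Per-user baseline: mean and population stdev of logon hour and of session length."""
    hours, durations = defaultdict(list), defaultdict(list)
    for user, ts, minutes in records:
        hours[user].append(_hour_of_day(ts))
        durations[user].append(minutes)
    return {u: {"hour": (mean(hours[u]), pstdev(hours[u])),
                "duration": (mean(durations[u]), pstdev(durations[u]))}
            for u in hours}

def score_logon(profiles, user, ts, minutes, hour_window=2.0, z_limit=3.0):
    """Return the reasons a logon deviates from the user's profile (empty list = normal)."""
    if user not in profiles:
        return ["no baseline for user"]
    reasons = []
    mean_h, _ = profiles[user]["hour"]
    diff = abs(_hour_of_day(ts) - mean_h)
    diff = min(diff, 24 - diff)            # circular distance so 23:50 vs 00:10 is close
    if diff > hour_window:
        reasons.append(f"logon at {ts[11:16]}, usual around {int(mean_h):02d}:00")
    mean_d, sd_d = profiles[user]["duration"]
    if minutes > mean_d + z_limit * max(sd_d, 1.0):   # floor the stdev for near-constant users
        reasons.append(f"session {minutes} min, usual about {mean_d:.0f} min")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(LOGONS)
    print(score_logon(profiles, "alice", "2024-03-11T03:20:00", 900))
```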

Any discrepancies between permitted access and denied access should be logged and reported. Sensitive systems should be configured to monitor privileged operations, authorized access, unauthorized access attempts, and system alerts or failures. The logging parameters should include, but not be limited to, the following:

Network Logging Parameters:

  • Account Logon – Success and Failure Auditing
  • Account Management – Success and Failure Auditing
  • Directory Service Access – Failure Auditing
  • Logon Events – Success and Failure Auditing
  • Object Access – Success and Failure Auditing
  • Policy Change – Success and Failure Auditing
  • Privilege Use – Success and Failure Auditing
  • Process Tracking – Failure Auditing
  • System Events – Success and Failure Auditing

A System Log (or SysLog) server should be implemented that can collect all the audit logs from different sources such as internal servers and routers. The SysLog server will aggregate information and produce reports to show suspicious activity or behavior. The SysLog server should allow write access from the different sources but only read-only access for workforce members, to prevent any unauthorized manipulation of event logs. Events of interest should be based on selectable criteria, and automated systems should be configured to process these events through their audit records. Audit records should be analyzed across different repositories (such as physical access control and/or surveillance systems), and this information should be correlated with non-technical sources (such as visitor logs).

As part of a risk management strategy, these logs should be reviewed on at least a weekly basis or when any unusual activity is suspected. The security staff should be responsible for reviewing these logs. Monitoring systems should be configured to generate alerts for technical staff and suspicious activity (or suspected violations) should be analyzed/investigated appropriately.

Security systems such as intrusion detection/intrusion prevention solutions (IDS/IPS) will have their activities monitored, recorded, and reviewed on a daily basis. In addition, automated systems that are utilized to monitor system activities should be configured with real-time analysis and alerting of events. All inbound and outbound communications should be monitored, and file integrity monitoring should be in place. Logs will be readily available for the past thirty (30) days and then archived. Log archives should be kept available and maintained consistent with other retention requirements.
