Detect.
If you follow cybersecurity news and trends, you have likely noticed that breaches have become numbingly commonplace. As the SEC increases disclosure requirements on companies and states scrutinize how businesses collect, retain, and protect data, the stakes are getting higher. The burden of having intelligible, actionable alerts and real network visibility is growing fast. So how do you know if something is awry in your environment? That question is why Detect is called out as one of the core functions of the NIST Cybersecurity Framework 2.0.
This is why, for the better part of my career, I have argued against the practice of obfuscation (security through obscurity). It is also why silos are so deadly in the information technology and cybersecurity space. Obfuscation is NOT security. Visibility is critical. Central logging is the easiest way to begin lighting up the dark corners of your environment, and it gives the analytical members of your team the ability to build baselines, see anomalies, and raise alerts when something shifts.
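To make that baseline-and-anomaly idea concrete, here is an added example (my code, not code from the original post) of the kind of logic a team can run once a VPN gateway and a domain controller feed the same collector. The `key=value` line layout, the user and host names, and the log lines themselves are constructed for illustration; the point is that the escalation at the end only becomes visible when both sources sit side by side.

```python
"""Baseline-and-anomaly detection over centralized logs (added example).

The log format below is an assumption, chosen to resemble a VPN gateway
and a Windows domain controller writing to one central collector:
    <ISO timestamp> <source> user=<u> src=<ip> host=<h> result=<r>
All sample lines are constructed, not captured from a real environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed training window: a few days of normal activity for two users.
TRAINING_LOGS = """\
2024-03-01T08:05:11 vpn user=alice src=203.0.113.10 host=vpn-gw result=success
2024-03-01T08:07:42 dc  user=alice src=10.0.5.21 host=FS01 result=success
2024-03-02T08:12:03 vpn user=alice src=203.0.113.10 host=vpn-gw result=success
2024-03-02T08:14:30 dc  user=alice src=10.0.5.21 host=FS01 result=success
2024-03-03T09:01:55 vpn user=alice src=203.0.113.11 host=vpn-gw result=success
2024-03-03T09:03:19 dc  user=alice src=10.0.5.21 host=FS01 result=success
2024-03-01T10:20:00 dc  user=bob src=10.0.7.4 host=HR01 result=success
2024-03-02T10:25:00 dc  user=bob src=10.0.7.4 host=HR01 result=success
"""

# Constructed new events: alice's account shows up at 02:41 from a new IP and
# then touches hosts she has never used; bob's event is ordinary.
NEW_LOGS = """\
2024-03-09T02:41:07 vpn user=alice src=198.51.100.77 host=vpn-gw result=success
2024-03-09T02:43:55 dc  user=alice src=10.0.5.21 host=DC01 result=success
2024-03-09T02:44:10 dc  user=alice src=10.0.5.21 host=SQL02 result=success
2024-03-09T10:15:00 dc  user=bob src=10.0.7.4 host=HR01 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)"
    r"\s+host=(?P<host>\S+)\s+result=(?P<result>\S+)$"
)


def parse(text):
    """Normalize raw lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def build_baseline(events):
    """Per-user sets of hosts, source IPs, and hours of day seen in training."""
    baseline = defaultdict(lambda: {"hosts": set(), "srcs": set(), "hours": set()})
    for ev in events:
        b = baseline[ev["user"]]
        b["hosts"].add(ev["host"])
        b["srcs"].add(ev["src"])
        b["hours"].add(ev["ts"].hour)
    return baseline


def detect(baseline, events):
    """Flag each event that deviates from the user's baseline, with reasons."""
    alerts = []
    for ev in events:
        b = baseline.get(ev["user"])
        reasons = []
        if b is None:
            reasons.append("user never seen in baseline")
        else:
            if ev["src"] not in b["srcs"]:
                reasons.append(f"new source {ev['src']}")
            if ev["host"] not in b["hosts"]:
                reasons.append(f"new host {ev['host']}")
            if ev["ts"].hour not in b["hours"]:
                reasons.append(f"unusual hour {ev['ts'].hour:02d}")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"],
                           "source": ev["source"], "reasons": reasons})
    return alerts


def correlate(alerts, window_minutes=30):
    """Escalate a user whose alerts span two different log sources within the
    window. This is the signal a siloed VPN team or AD team cannot see alone."""
    by_user = defaultdict(list)
    for a in alerts:
        by_user[a["user"]].append(a)
    escalations = []
    for user, items in by_user.items():
        items.sort(key=lambda a: a["ts"])
        for i, first in enumerate(items):
            sources = {first["source"]}
            for later in items[i + 1:]:
                if (later["ts"] - first["ts"]).total_seconds() <= window_minutes * 60:
                    sources.add(later["source"])
            if len(sources) >= 2:
                escalations.append({"user": user, "window_start": first["ts"],
                                    "sources": sorted(sources)})
                break
    return escalations


def run():
    """Build the baseline from training logs and evaluate the new logs."""
    baseline = build_baseline(parse(TRAINING_LOGS))
    alerts = detect(baseline, parse(NEW_LOGS))
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, escalations = run()
    for a in alerts:
        print(a["ts"].isoformat(), a["user"], a["source"], "; ".join(a["reasons"]))
    for e in escalations:
        print("ESCALATE", e["user"], "sources:", ", ".join(e["sources"]))
```

Run on the constructed input, alice's three off-hours events each raise an alert, bob's daytime logon is silent, and the correlation step escalates alice because the VPN and domain-controller anomalies land within three minutes of each other. The set-membership baseline is deliberately simple; in practice you would age out old entries and weight by frequency, but the cross-source escalation is the part that only central logging makes possible.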
Think this isn't your problem? Consider that Microsoft recently reversed its practice of charging extra for security logging and is making it available to customers at no additional cost. This is worth its weight in gold. Beyond the security improvements are the operational benefits. Consider how many times in your career you have been pulled onto a multi-team or enterprise-wide bridge call for a critical outage while the teams struggled to trace errors across decentralized and disparate logs. Consider the reduction in troubleshooting time if those logs were available to all of your cyber and technical organizations.
To properly allow detection of events, logs must be shared, centralized, and viewable by your technical and cyber organizations. All of them.
Time to discovery is also critical. Ransomware rarely propagates the moment an attacker gets in. Far more often, the initial compromise happens and the attacker remains inside for a lengthy period. Time and again, forensics of major incidents show that attackers had a foothold in networks and identities for months before the visible attack: they performed reconnaissance, moved laterally, and exfiltrated the data, and only then, having lined up all the dominoes, tipped the first one to trigger the lockouts.
People used to ask how this could be: how can an attacker operate inside a network, carrying out their mission, without anyone being aware? The answer lies in the lack of detection caused by siloed teams, the failure to keep infrastructure simple, and the failure to share intelligence.
If you find yourself in an organization without central logging and detection, I encourage you to prioritize this function of cybersecurity. After all, … you must inspect what you expect.