Control 6 Mapping to the NIST Cybersecurity Framework

00:00

Hey, everyone, welcome back to the course. So in the last video, we took a brief overview of control number six, which again is maintenance, monitoring and analysis of audit logs.

00:09

And this pretty well take a look at how CIA's control number six maps to the NIST cybersecurity framework.

00:15

So some control 6.1. This is where we want to make sure we utilize at least three synchronized times horses for our audit logs. Make sure we've got the accurate dating time on those.

00:25

This doesn't have a direct 1 to 1 match in the cybersecurity framework, but

00:30

it is covered a little bit. There

00:32

some control. Six point to this where we're talking about activating audit logging. So we want to make sure that were

00:39

documenting implementing our audit logs and also reviewing them according to our company policies. And this matches up to P. R P T Dash. Born in the next cybersecurity framework.

00:50

Some control 6.3 is where we're talking about enabling detail, logging. So it's not enough just to say yes, we had an I P address come through. What happened, like what happened before That will happen after that. Where did that packet go to what happened with that packet. So we want to make sure that we're enabling detailed logging. Now,

01:07

there's a flip side of that because if you have too much detail loving,

01:11

you're gonna be in non native with logs. So this is where we talk about things like automation, etcetera,

01:18

some control 6.4, ensuring adequate storage for luck. So making sure that we've got enough capacity to actually store all these logs were taking in. And if you're a larger enterprise out there, you've got a lot of logs coming in and you're gonna be looking at terabytes and terabytes of storage.

01:34

Some control 6.5 when we're talking about centralizing our log management, right? So we want to make sure that we can look basically in one dashboard or just a limited number of dashboards and see all the information on our logs, right? So it's not enough to look at a whole bunch of stuff. But there's a lot of tools out there

01:49

like Splunk, for example, and some others that you can aggregate all those logs and really make sense of the data because that's all the matters at the end of the day's. Can we look at this data

01:59

and have it make sense to us to help us either improve our network optimizer network, Forget, protect or defend against attacks?

02:07

Whatever we're trying to do, which is really all of those?

02:09

How can we do that more efficiently? In the best way to do that is some type of system that allows us to aggregate those logs and make sense of the data.

02:20

Some control 6.6 is where we talk about deploying Seymour log analytic tools. So again, I had mentioned Splunk before. That's one of the Sims out there you can use

02:30

and some control. 6.7. This is regularly review the log, so it doesn't mean you have to manually review the logs. But it is something where you want to put some automated tools in place to look at

02:39

the

02:40

what's wrong, right? Like what doesn't work, what doesn't what stands out on these logs and that's gonna help you a lot better. Is that 100%? No, because if you think about it, you've established a baseline. And if someone was already attacking you

02:53

while you establish that baseline, you may never know that they're still in your network, at least through just looking at the locks. Right? But But for the most part, reviewing the logs through some type of automation tool will be fine. Practice to do

03:07

some control. 6.8. This is where you want to regularly tune the SIM, right? So if we talk about something like Splunk for a sample, I may bring in some data some raw data make sense of it, and then realize that I need to customize some scripts to really maximize the ability for me to take all this raw data and presented in a way that

03:27

maybe gets me a bigger budget right from my sock team. Or that maybe saves us some money because we didn't get breeds for saves our organizations data, whatever it is. But we want toe continuously find tune that sim tool that we're using to make sure that we understand what actually is an incident

03:45

and how can we improve upon preventing against, like, that incident from occurring in the future? Right?

03:52

So in this video, we just took a look at control number six and how it maps up to the new cybersecurity framework again, just recapping control. Number six is maintenance, monitoring and analysis. A lot of logs.