Overview of Control 6

00:00

everyone. Welcome back to the core. So in the last video, we talked about control number five again. That was secured. Configuration for hardware and software are mobile devices, workstations, laptops and servers.

00:10

In this video, we're to talk about control number six, which is maintenance monitoring, analysis of our audit logs. We're also going to talk briefly about the sub controls associated with this C I s control.

00:22

So as I mentioned, we're talking about the maintenance, monitoring and analysis of audit logs. Well, why do we even care about getting on? It loves. Why do we care about monitoring them? Why do we care about analyzing them and maintaining them? Well, number one is will be blind to attacks if we don't, right. If we just collect logs and we never look at them, there's no point

00:41

also helps us discover. Is there an attack? Right. So as we're auditing logs, we may actually notice an attack in a lot of times. That's what happens is

00:50

people will notice that Hey, there wasn't attacked three months ago. There was a breach.

00:54

Hey, let's see what else? It's affected, right? So a lot of times a criminal Attackers will get in and we will know we won't notice it for several several months. So that's why it's very important that we continuously audit and monitor these logs.

01:07

So sub control 6.1 here is mostly about synchronizing time. So that way we can make sure that we've got

01:14

verified timeframe. So date and time stamped on these logs. So utilizing three synchronized time sources to make sure that

01:22

if someone corrupts one of them or two of them, we still got additional per copy to say this was the actual time this transpire.

01:30

Now for your small business owner, you're probably not going to be grabbing a lot of log data. That's mostly for your enterprise level, as well as your larger enterprises.

01:40

Some control 6.2 is where we're talking about activating the audit, logging itself.

01:45

So just make sure that, you know, local logging has been enabled on all of our systems and network devices. So we're just capturing all that log data.

01:55

Self control 6.3 enabled the detail logging right, so

01:59

there are some instances where you may not do detail logging, but overall, look on all your systems. You should have some kind of detail lugging in place. But there may be some, uh, thoughts around. How much do you want to actually back up the detail logs, Right, So it really depends on your particular organization. You mostly see this around the

02:16

groups two and three, but also you should be turning on detailed logs

02:21

depending on your needs. In a small businesses. Well,

02:24

some control 6.4, ensuring that we've got adequate storage for our logs and making sure that we are performing appropriate backups.

02:32

And along those lines, we want to make sure that we're storing our logs in multiple places, Right? So let's say that our company uses both Azure Cloud and AWS, for example. We want to make sure backing up to both of those and not just one cloud provider, because what happens if his your goes down right? We want to make sure we have a backup

02:50

over logs also on AWS and that in that example,

02:57

some control 6.5 where we're talking about centralized in that log management so we don't want to go to 1000 different places to try to look at our logs. We want him to aggregate into one location that's easily visible. That's easily

03:08

that we have an easy ability to generate reports for different stakeholders that we can easily see what's actually going on with that data.

03:19

Some control 6.6 Deploying Simms or different log analytic tools across our network, so just make sure that we've got a way to capture that data that raw data and make sense of it in some capacity.

03:31

Some control. 6.7

03:32

As I mentioned before, we always want to regularly review logs. Make sure that we're actually looking at these logs, digesting the data, analyzing it and seeing if we're under attack or if there's a way to optimize the logs. Right. Maybe we need to write another script to capture certain information from the logs that we already have

03:53

some control. 6.8. That's where we want to continuously tune our sim right. I want to make sure that

03:59

we want toe. We want to make sure that we're able to better identify what's actionable events and maybe decreased the false alerts. Right, So that's where the fine tuning comes in place. It's a continuous process.