OWASP Top 10 Part 10: Insufficient Logging and Monitoring

Time: 12 hours 57 minutes
Difficulty: Intermediate
CEU/CPE: 13
Video Transcription
00:00
>> Here we are finally. OWASP Top 10, number 10, Insufficient Logging and Monitoring. In this lesson, we're going to talk about the risk and impact of insufficient logging and monitoring for web applications, and then we're going to talk about techniques to address insufficient logging and monitoring.

What's the problem with insufficient logging and monitoring? Well, first and foremost, the inability of organizations to detect threat actors or breaches is a key problem. One of the limiting factors of incident response is logging, which is the main way that these incidents are detected. If there isn't real monitoring of login failures, or of when anyone logs in, or no warnings when suspicious activity is detected in the logs, that really is a problem.

Then one other problem with log monitoring is that there needs to be centralized storage for logs. If logs are stored locally and not preserved, the incident response in the event of a breach will not be able to really look back and determine what really happened, so there has to be sufficient logging set up in the first place.

The best practices are to really capture the right logs. If there are a suspicious number of failures or unusual activity, you really want to configure your alerts specific to your application to notify you and have the security team investigate it.

One of the really important things is to establish effective incident response based on your logging. One of the main ways to ensure that you have an effective baseline is, when you have a penetration test, an active test done on your system, to make sure that your security team is able to piece together and identify the steps that the penetration tester took by examining and reviewing your logs.

I can't stress enough how critical it is to have effective logging and monitoring. Many organizations don't even detect that a breach has occurred until 191 days on average. Then that also varies on the level of maturity of the organization and the sophistication of the threat. However, it underscores how effective logging and monitoring is essential to alert you early to the fact that a breach has occurred or that suspicious activity is under way, for you to effect an incident response process to address that threat actor's activity.

Quiz question. How long did it take on average to identify a breach in 2016? One, 150 days; two, 191 days; or three, 239 days. If you said 191 days, you were correct. That's an astonishing number for all the amount of money that's spent on security at organizations.

Many organizations don't really have effective incident response set up. I hear about this all the time when it comes to smaller organizations, or those without dedicated security. Even if you don't have robust security in place to really act or implement, or if you are a one-person IT department, the best thing you can do is set up effective logging and monitoring to alert you to any suspicious activity.

In summary, we talked about the risks and impacts of insufficient logging and monitoring, and then we also talked about the methods to address that: really creating a robust baseline of typical logs you would expect, using the experience of penetration tests to test your capabilities and what you can see, the visibility you gained from your logs. Make sure you have a place to store them and that you configure alerts appropriately so that you can kick off the incident response process if anything unusual were detected.

This completes the OWASP Top 10. I hope you've learned a tremendous amount about the vulnerabilities and issues that affect web applications and you feel better prepared to enact many of these best practices in your organization when it comes to the development of web applications. I'll see you in the next lesson.
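As an added example, not part of the transcript above or the course's own materials, the following Python shows the two pieces the lesson calls for: application code that writes a structured log line for every login attempt (success and failure, with who, from where, when and a correlation id, and never the password), and a detector run over those lines that alerts on a burst of failures from one source address and escalates when a success from that address follows the burst. The event field names, the thresholds and the sample log lines are this example's own constructed assumptions, not a format the course prescribes.

```python
"""Structured authentication logging plus a sliding-window failed-login detector.

Added example: field names, thresholds and sample data are constructed for
illustration and are not taken from any real application or log source.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def auth_event(ts: str, user: str, src_ip: str, outcome: str, request_id: str) -> dict:
    """Build one structured login event (field names are this example's convention).

    Record every attempt, successful or not, with enough context to reconstruct
    an attacker's (or a penetration tester's) steps later. The submitted
    password is deliberately never part of the event.
    """
    return {
        "ts": ts,                    # ISO 8601 timestamp with UTC offset
        "event": "auth.login",
        "user": user,                # account name that was attempted
        "src_ip": src_ip,            # client address as seen by the app
        "outcome": outcome,          # "success" or "failure"
        "request_id": request_id,    # correlation id shared with request logs
    }


def format_log_line(event: dict) -> str:
    """Serialise one event as a single JSON line for a central log shipper."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


def parse_log_line(line: str) -> dict:
    """Inverse of format_log_line; used by the detector below."""
    return json.loads(line)


# Constructed sample log, in arrival order: a normal user typo, then a
# password-spraying burst from 203.0.113.10 that finally hits carol's account.
SAMPLE_LOG = [format_log_line(auth_event(*e)) for e in [
    ("2024-01-15T09:00:00+00:00", "alice", "198.51.100.7", "failure", "r1"),
    ("2024-01-15T09:00:20+00:00", "alice", "198.51.100.7", "success", "r2"),
    ("2024-01-15T09:01:00+00:00", "admin", "203.0.113.10", "failure", "r3"),
    ("2024-01-15T09:01:05+00:00", "root",  "203.0.113.10", "failure", "r4"),
    ("2024-01-15T09:01:10+00:00", "alice", "203.0.113.10", "failure", "r5"),
    ("2024-01-15T09:01:15+00:00", "bob",   "203.0.113.10", "failure", "r6"),
    ("2024-01-15T09:01:20+00:00", "carol", "203.0.113.10", "failure", "r7"),
    ("2024-01-15T09:01:30+00:00", "carol", "203.0.113.10", "success", "r8"),
    ("2024-01-15T09:30:00+00:00", "bob",   "192.0.2.44",   "success", "r9"),
]]


def detect_failed_login_bursts(lines, threshold: int = 5,
                               window: timedelta = timedelta(minutes=5)) -> list:
    """Scan JSON log lines and return alerts.

    A "failed_login_burst" (medium) fires once when a source IP accumulates
    `threshold` failures inside the sliding `window`; a "success_after_burst"
    (high) fires when that same IP then logs in successfully while failures are
    still inside the window, which is what a credential-stuffing hit looks like.
    """
    recent = defaultdict(deque)   # src_ip -> deque of (timestamp, user) failures
    burst_ips = set()             # IPs that have already triggered a burst alert
    alerts = []
    for line in lines:
        ev = parse_log_line(line)
        if ev.get("event") != "auth.login":
            continue
        ts = datetime.fromisoformat(ev["ts"])
        ip = ev["src_ip"]
        q = recent[ip]
        while q and ts - q[0][0] > window:      # drop failures older than the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append((ts, ev["user"]))
            if len(q) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append({
                    "severity": "medium", "rule": "failed_login_burst",
                    "src_ip": ip, "failures": len(q),
                    "distinct_users": len({u for _, u in q}),
                    "last_request_id": ev["request_id"],
                })
        elif ev["outcome"] == "success" and ip in burst_ips and q:
            alerts.append({
                "severity": "high", "rule": "success_after_burst",
                "src_ip": ip, "user": ev["user"], "request_id": ev["request_id"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_login_bursts(SAMPLE_LOG):
        print(json.dumps(alert))
```

The `request_id` field is what lets an incident responder join these events to web-server and application logs and replay the attacker's path, which is the same exercise the lesson recommends running against a penetration tester's activity. In production the threshold and window would be tuned to the application's own baseline, and the alert would be sent to the team's paging or ticketing channel rather than printed.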