Security Logging and Monitoring Failures

Welcome back to our ten-part blog series on the OWASP Top Ten list of 2021. In the ninth instalment, we continue to deliver a high-level overview of the key threats that organisations face in the digital world. Today’s focus is on Security Logging and Monitoring Failures.​

Understanding Security Logging and Monitoring Failures?

Previously ranked tenth in the OWASP Top Ten 2017 and now ninth in 2021, Security Logging and Monitoring Failures are a growing concern. The related issues occur when activities within a system are not sufficiently recorded or monitored. A real-world example would be like an electronic security system being switched off in a highly sensitive area.

Picture any busy airport full of passengers. Each of the passengers and the actions they take are like transactions and events in a digital system. If everything is working as intended, a security team (the monitoring system) would notice and investigate these activities, noting anything unusual or suspicious. Surveillance cameras (the logging system) would capture and record these events, providing the ability to review them later.

However, what if these systems fail? If the cameras aren’t recording, or the security personnel are not paying attention or spread too thin, anything could happen without detection. In the digital world, inadequate logging and monitoring mean that malicious activities and attacks, such as unauthorised access to systems or data breaches, can occur without being detected, recorded, or addressed. This lack of oversight can eventually lead to significant security breaches, possibly carrying severe consequences.

Just like how a lapse, gap or failure in airport security can compromise the safety of the entire facility, failures in logging and monitoring can leave an entire digital infrastructure vulnerable to exploitation.

Common Risks Associated with Security Logging and Monitoring Failures

1. Inadequate Detection of Suspicious Activities:
   Without comprehensive monitoring and logging, abnormal or unauthorised activities within the system might go unnoticed.
2. Delayed Incident Response:
   Insufficient logging can lead to slower or less effective responses to security incidents, increasing the potential for damage.
3. Compliance Issues:
   Failure to meet legal or regulatory standards for logging and monitoring can result in fines and legal consequences.
4. Data Breaches:
   Insufficient logging and monitoring can allow data breaches to occur and persist undetected, leading to significant data loss.
5. Ineffective Logs Description:
   If the implemented logging system produces minimal, unclear, or confusing logs, it makes the whole system ineffective as a line of defence.

Strategies to Mitigate Security Logging and Monitoring Failures

1. Implement Comprehensive Logging and Monitoring Systems:
   Ensure that all significant activities within the system are logged and monitored effectively around the clock.
2. Regular Review and Analysis of Logs:
   Use automated tools and manual reviews to continuously analyse logs for signs of suspicious activity. If possible, establish a baseline of normal operations that can be used to compare potentially malicious actions against.
3. Continuously Ensure Compliance with Regulatory Standards:
   Regularly update any logging and monitoring practices to comply with legal and industry standards.
4. Regular Security Training for Staff:
   Educate employees and staff about the importance of logging and monitoring in maintaining security and ensure that a plan is in place that can be followed in the event of an incident.
5. Establish Incident Response Protocols:
   Develop and maintain clear procedures for responding to incidents identified through logs.
6. Ensure Secure and Long-Term Log Storage:
   Store logs securely and for a sufficient duration to support effective forensic analysis. It is recommended to not store logs in a single place, and instead to keep copies in a secure location possibly off-site.

Final Thoughts

Security Logging and Monitoring Failures in the wild can be a major security concern that should be at the forefront of the minds of anyone in the digital space. It is highly recommended to establish a strong system for monitoring and logging, as if understood and implemented correctly it will be a massive boon when responding to a cyber incident.