CIS Control 8: Audit Log Management

The nonprofit Center for Internet Security (CIS) has a set of critical controls organizations can use to achieve greater security maturity. For those without a formal security strategy or baseline, it’s a great place to start implementing controls to improve an organization’s overall security posture.

Known as the CIS Top 18 (formerly the SANS Top 20), they also map to industry regulatory and compliance frameworks like PCI DSS, CMMC, NIST and HIPAA to ensure alignment.

What Does CIS Control 8 Entail?

While Blumira helps with many different controls, which you can view a full list of here, our main focus is on CIS 8.0 Audit Log Management and many of the sub-requirements listed below it. Here’s a summary of how we can help:

8.0 Audit Log Management – Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

Blumira’s platform integrates broadly across on-premises and cloud systems and applications to collect, centralize and retain audit logs of security events. Designed to automatically review events for indicators of an attack in progress, Blumira alerts organizations on how to respond quickly to limit damage.

8.2 Collect Audit Logs – Ensure that logging, per the enterprise’s audit log management process, has been enabled across enterprise assets.

Blumira provides broad coverage for audit log collection and recommendations for best practices on what you should log and how to easily turn on advanced logging features for greater visibility.

8.5 Collect Detailed Audit Logs – Configure detailed audit logging for enterprise assets containing sensitive data. Include event source, date, username, timestamp, source addresses, destination addresses, and other useful elements that could assist in a forensic investigation.

Blumira’s platform gathers and correlates data across your entire environment (that’s configured for logging), then populates this data with every alert. That includes detailed information such as source, date, username, timestamp, source and destination addresses and more to help with forensic investigations. Additionally, Blumira’s reporting provides up to one year of log retention history available on-demand to assist with investigations.

8.6 Collect DNS Query Audit Logs – Collect DNS query audit logs on enterprise assets, where appropriate and supported.

We highly recommend enabling Sysmon for Windows logging and integrating with Blumira to track and analyze DNS traffic to detect malicious remote access tools, security misconfigurations and command and control traffic. Install it easily using Poshim, or manually — see How to Enable Sysmon for Windows Logging and Security. 

Cisco Umbrella filters DNS requests, keeping a record of all malicious websites to help prevent users from accessing known malicious websites, protecting against phishing and ransomware. Blumira integrates with Cisco Umbrella to analyze its logs for threat detection and response.

8.7 Collect URL Request Audit Logs – Collect URL request audit logs on enterprise assets, where appropriate and supported

Blumira tracks URL requests for web applications like email servers, web servers and other internet-facing services for indicators of brute-force or enumeration attacks. Blumira can also track indicators of attacks against certain hosts or threat actors conducting discovery on your network. Learn more in What to Log in a SIEM.

8.8 Collect Command-Line Audit Logs – Collect command-line audit logs. Example implementations include collecting audit logs from PowerShell®, BASH™, and remote administrative terminals.

By collecting and analyzing command-line audit logs, Blumira can detect and notify you of PowerShell execution policy bypasses and other execution activity that could be linked to an attacker downloading or executing malicious code, moving laterally in your network or escalating an attack.

8.9 Centralize Audit Logs – Centralize, to the extent possible, audit log collection and retention across enterprise assets.

Blumira’s platform collects and centralizes logs from your enterprise assets into one cloud repository. It correlates events across firewalls, endpoint security, servers, identity management and authentication systems, databases and more to quickly identify, notify and provide playbooks for response to critical security findings. 

By retaining your logs offsite (in a cloud repository), they can’t be deleted or time-stamped like onsite repositories, meaning you can ensure the integrity of your logs are kept intact for an accurate audit log history.

8.11 Conduct Audit Log Reviews – Conduct reviews of audit logs to detect anomalies or abnormal events that could indicate a potential threat. Conduct reviews on a weekly, or more frequent, basis.

Blumira’s platform reviews all collected and centralized logs for suspicious activity that could indicate potential threats in your environment — this significantly cuts down on the time and headcount required for manual security log review, providing an affordable alternative to a security operations center (SOC).

To learn more about how you can get SOC capabilities on a budget, download our guide.

8.12 Collect Service Provider Logs – Collect service provider logs, where supported. Example implementations include collecting authentication and authorization events, data creation and disposal events, and user management events.

Blumira’s platform integrates natively with many third-party service providers to collect and analyze logs, notifies you of suspicious activity and provides response options for all events related to authentication, authorization, data creation and disposal, and user management.

Blumira For Easy, Effective CIS Auditing and Logging

Meeting compliance controls like the CIS top 18 is easy with Blumira’s detection and response platform that collects and centralizes your logs, retaining them for one year, while analyzing, notifying and helping you respond to threats faster.

• Fastest time to security – IT admins can deploy Blumira’s platform in minutes to hours for broad on-premises & cloud coverage.
• Reduce noise, focus on critical threats – Prioritize your team’s time with Blumira’s behavior-based detections, fine-tuned to reduce noisy false-positive alerts.
• Faster, effective response – 3-step rapid response: Block threats with automated response, follow our playbooks or contact Blumira’s SecOps team for support
• Predictable, per-user pricing – Blumira is 40% more affordable than the industry average and doesn’t charge based on data volume

Sign up for free to start protecting your Microsoft 365 application today, no credit card or sales conversation required.

Sign Up For Your Free Account Today

Get your free account with Blumira and secure your Microsoft 365 environment in minutes. No credit card required.