Answer yes if your organisation records and stores user activity logs for its IT production systems, network devices and endpoint devices.
What is the control?
Maintaining logs of user activity lets you trace back the actions of individual accounts and users on your systems when you need to, which is essential during an incident, and it also lets you detect incidents proactively by analysing and correlating those logs.
Why should I have it?
Having comprehensive logging (both in terms of the systems covered and the level of detail in those logs) throughout your environment increases the likelihood of catching malicious activity.
Note that the more log sources you have available, the more likely you are to actually be able to detect incidents. This is because you can correlate log events that seem innocuous or hard to interpret on their own but, taken together, paint a clearer and possibly malicious picture.
Having this information is invaluable in helping detect a breach, stopping it before significant damage is incurred, or investigating a breach that did occur.
The latter is essential if we are to attribute the attack, determine the scale of the impact (in order to be able to scope the clean-up efforts), and determine the root cause(s) so that we can prevent it from happening again in the future.
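To make the correlation point concrete, here is an added example (not part of this article) that runs a simple cross-source detection over constructed log lines from an authentication server, an endpoint agent and a firewall; the pipe-separated format, host names, user names and event names are all assumptions made for the example. A burst of failed logins, a new scheduled task, or an outbound connection is routine on its own, but the same host showing all three in sequence within a short window is worth an alert, and the alert is only possible when all three sources are collected centrally.

```python
from datetime import datetime, timedelta

# Constructed sample events from three separate log sources (auth server,
# endpoint agent, perimeter firewall). Assumed format for this example:
# timestamp|source|host|user|event
SAMPLE_LOGS = """\
2024-05-01T09:00:05|auth|ws-17|alice|login_failed
2024-05-01T09:00:09|auth|ws-17|alice|login_failed
2024-05-01T09:00:14|auth|ws-17|alice|login_failed
2024-05-01T09:00:20|auth|ws-17|alice|login_success
2024-05-01T09:03:40|endpoint|ws-17|alice|new_scheduled_task
2024-05-01T09:05:02|firewall|ws-17|-|outbound_connection
2024-05-01T11:30:00|auth|ws-22|bob|login_failed
2024-05-01T11:30:45|auth|ws-22|bob|login_success
2024-05-01T15:10:00|endpoint|ws-09|carol|new_scheduled_task
"""

def parse_logs(text):
    # One dict per line, sorted by time so the windowing below stays simple.
    events = []
    for line in text.strip().splitlines():
        ts, source, host, user, event = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "host": host, "user": user, "event": event})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=10), min_failures=3):
    # Flag a host where, inside one window, a burst of failed logins is followed
    # by a success (auth log), then a persistence-style change (endpoint log) and
    # an outbound connection (firewall log). Only the sequence is suspicious.
    alerts, by_host = [], {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if start["event"] != "login_failed":
                continue
            win = [x for x in evs[i:] if x["ts"] - start["ts"] <= window]
            failures = sum(x["event"] == "login_failed" for x in win)
            ok = next((x for x in win if x["event"] == "login_success"), None)
            if failures < min_failures or ok is None:
                continue
            later = {x["event"] for x in win if x["ts"] > ok["ts"]}
            if {"new_scheduled_task", "outbound_connection"} <= later:
                alerts.append({"host": host, "user": ok["user"],
                               "first_seen": start["ts"].isoformat(),
                               "sources": sorted({x["source"] for x in win})})
                break  # one alert per host per burst is enough
    return alerts
```

Feeding only the auth events into `correlate` produces no alert, which is the practical consequence of the paragraph above: a source you never collect is a stage of the attack you cannot see.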
Firstly, create a policy requiring that all systems maintain activity logs. Where possible, this policy should be explicit about the kinds of data that should be logged, to ensure the right information is captured. Your policy should also state that logs are to be sent to a central system, such as your SIEM (if present), for safekeeping and correlation purposes.
Once you have a policy, ensure it is applied by all your teams for their respective areas. For example, a Network team would configure the logging parameters on routers and firewalls, while Operations teams may do so on servers (and their various services), and yet another team may do so on desktops.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email firstname.lastname@example.org. Contributors will be recognised on our contributors page.
Please do not submit your answer on the knowledge base.