According to Gartner, 45% of companies worldwide will have suffered a cyberattack by 2025. Nowadays, a cyberattack occurs every 39 seconds. In a context where cyberattacks are becoming both more frequent and more complex, logging within information systems turns out to be a central element of cybersecurity. Logging makes it possible to respond to security incidents, but also to prepare for them and prevent them from happening.
At international scale, and in accordance with the ISO 27002 standard, synchronising the clocks of an entire information system is paramount for ensuring that events are recorded reliably and for generating usable evidence.
In France, the French National Agency for the Security of Information Systems (ANSSI) highlights the importance of implementing an efficient logging strategy.
Importance of logging
Within an information system, each action carried out is a security event that needs to be recorded, especially where traceability must be guaranteed: actions performed, modification of files, data access, and so on. This recording takes the form of log files containing all the actions carried out, the identity of the people or entities performing them, and the exact moment at which each action was performed.
These logs provide a solid basis for investigating and responding to incidents that have occurred. The collected data are used for:
- Detecting incidents.
Logs make it possible to identify suspicious activities, which are often indicative of an attempted cyberattack.
- Analysing the post-incident phase.
What is referred to as forensic analysis consists in analysing logs in order to understand the sequence of events and to identify the vulnerabilities and attack vectors that were exploited.
- Regulatory compliance.
Some data must be stored (or it is useful to store them) in a regulatory context: for example, archiving the conditions of access to certain databases turns out to be useful in the case of a GDPR (General Data Protection Regulation) appeal.
Best practices for secure and efficient logging
In France, for example, the ANSSI (French National Agency for the Security of Information Systems) offers detailed recommendations for managing logging, including:
- Log integrity.
It is recommended to implement solutions for encrypting and digitally signing logs. Indeed, one of the first things attackers generally do is modify the logs in order to hide the traces of their actions. Being equipped with appropriate logging tools prevents attackers from erasing anything. Best practices start with choosing a synchronisation protocol, such as NTS (Network Time Security) for the NTP protocol.
- Log configuration.
It is recommended to choose a reasonable, sufficient level of granularity that meets all needs, without generating a mass of data that would quickly become impossible to analyse.
- Log storage.
It is necessary to implement a reasoned policy for cleaning up logs, including a retention period compatible with both legal obligations and the organisation's storage capacity.
- Ongoing supervision.
It is suggested to analyse logs in real time in order to trigger alerts during attacks and thus be proactive. To do so, it is recommended to be equipped with a security information and event management (SIEM) tool.
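The log integrity recommendation above (signed logs that an intruder cannot silently modify or erase) and the later point about consistent timestamps can be illustrated together with a hash-chained, HMAC-signed log. This is an added example, not code from the page or from Bodet Time; the key, the entry format and the sample entries are constructed for the demonstration.

```python
import hmac
import hashlib
import json

# Constructed demo key; in production, load it from a secrets store or HSM
# so that an intruder on the logging host cannot re-sign tampered entries.
KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # link value of the very first entry


def _mac(entry, key):
    """HMAC-SHA256 over the canonical JSON form of an entry (without its mac)."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(chain, timestamp, actor, action, key=KEY):
    """Append a signed entry; 'prev' links it to the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"ts": timestamp, "actor": actor, "action": action, "prev": prev}
    entry["mac"] = _mac(entry, key)
    chain.append(entry)
    return entry


def verify_chain(chain, key=KEY):
    """Return (ok, problems). Detects modified, deleted or reordered entries
    and timestamps that go backwards (a sign of unsynchronised or tampered
    clocks). Timestamps are ISO 8601 UTC strings, so they compare as text."""
    problems = []
    prev_mac, prev_ts = GENESIS, None
    for i, e in enumerate(chain):
        if not hmac.compare_digest(_mac(e, key), e["mac"]):
            problems.append(f"entry {i}: MAC mismatch (modified)")
        if e["prev"] != prev_mac:
            problems.append(f"entry {i}: broken link (entry deleted or reordered)")
        if prev_ts is not None and e["ts"] < prev_ts:
            problems.append(f"entry {i}: timestamp earlier than previous entry")
        prev_mac, prev_ts = e["mac"], e["ts"]
    return (not problems, problems)
```

Deleting the most recent entry is not caught by the chain alone, which is why the latest MAC should also be forwarded to a separate collector or SIEM, as the supervision recommendation suggests.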
Implementing action logs in the information system will never prevent an organisation from being the target of cyberattacks. However, it helps to avoid a large number of these attacks, to understand thwarted attacks so that they are not repeated, and also to identify the culprits.
Finally, to strengthen the implementation of a logging system, the ANSSI also recommends using an internal NTP time server.
The essential role of time servers in logging
Within the information system, the time server plays a key role in logging. Indeed, it synchronises the clocks of all information system equipment. As such, it acts as the time reference and guarantees the accuracy and consistency of all timestamps recorded in logs. The accuracy of these timestamps is paramount for detecting anomalies occurring on the network, but also for preventing time drift.
As a matter of fact, the clock of any piece of equipment naturally drifts over time. After a few weeks, this drift can be measured in seconds or even minutes, which can lead to logging failures: events from different devices can no longer be placed in their true order.
With its own time base, a local NTP time server ensures the consistency of timestamps and makes it possible to correlate events in order to reconstruct sequences of actions.
A posteriori, analysts will be able to understand how an attack was carried out, which is the first step in implementing corrective measures. Finally, timestamps are essential to guarantee the validity of logs as part of a legal proceeding.
Present in more than 140 countries, Bodet Time is a major French leader in time synchronisation and time-frequency solutions. Netsilon NTP time servers synchronise all equipment present on a network and provide accurate timestamping, guaranteeing reliable event logging.