Cybersecurity Risk Assessment Template: Audit Logs

May 3, 2023 Minh Le

What is the best template to use for a cybersecurity risk assessment, for Audit Logs?

In this video, I explain the best template to follow based on three different categories of cybersecurity requirements.

Want my recommendations on the best companies to quote for a cybersecurity risk assessment, SIEM, SOC, etc.? Click the button below and ask me today.

About Me

Mike Smith has been helping companies select the best telecom, WAN, security, and cloud services since 1999. He founded AeroCom in 2003, and has been the recipient of numerous business telecommunications industry awards, including being recognized as one of the top 40 business people in tech-heavy Orange County, CA. Follow Mike on YouTube, LinkedIn, Reddit and SpiceWorks.

Transcript

Your company needs a cybersecurity risk assessment and you’re wondering if your I.T. team can do it yourselves. But the first step that you’re thinking is, hey, is there a template out there that we can follow? Well, that would be a huge template. So what I’m doing is I’m making a video series on a cybersecurity risk assessment template, but I’m breaking it up into different segments and I’m going by the CIS framework, and what a framework is when it comes to cybersecurity.

If you’re not aware of it, it’s essentially that. So just a fancy word for a template. So this video is going to be on the CIS framework Control number eight, which is audit log management. So if you’re looking for a cybersecurity risk assessment template for audit log management, you’re at the right place. That’s what this video is about.

Which Cybersecurity Risk Assessment vendors should you quote?

Okay. But before I get too far into the video, if you start hearing all this information, you’re thinking there’s no way our I.T. team has the resources or expertise to do this on our own. Don’t worry. That’s actually my job. So if your company is looking for virtual CISO services like Virtual Chief Information Security Officer services, like the person who’s deciding on the type of risk assessments you guys need and making the big decisions and kind of telling you guys what you definitely need.

Or if your company is looking for an outsourced company to do the risk assessment, or if your company is looking for someone to implement a SIM software for you when it comes to log management and maybe a virtual SOC to take a look at all the logs coming in and get, you know, put their arms around all these logs that are coming in.

If you’re looking for anything like that, that’s my job. Reach out, call me (714.593.0011), send me an email. I’m happy to give you my recommendations on the best maybe two or three companies that your company should be quoting for that stuff based on your requirements. I’m a broker for all the major service providers out there who do that kind of thing, and that’s what I do for a living.

So don’t don’t hesitate. Reach out. Contact me. Don’t try to search it on the Internet. You’ll just find a bunch of companies and you won’t know which ones to choose. Just reach out, contact me. The nice thing is it’s absolutely free. And also, hey, don’t forget to like and subscribe to the channel.

Overview

Okay, so let’s create a cybersecurity risk assessment template for your company to take a look at your audit logs or manage your audit logs a little bit better. The first step in any cybersecurity risk assessment is going to be to decide on the framework that you want to follow, and a framework, as I mentioned at the beginning of the video, is really just a fancy word for template for assessing your company’s cybersecurity requirements. So in this video, I’m going to be following the CIS framework.

And in the CIS framework, audit log management falls under Control number eight. And the cool thing about the security services framework is that it breaks down its recommendations or tips into different implementation groups. So implementation groups are just essentially three different categories of requirements that your company would fall into.

The Three Categories: IG1

The first category is called IG one, Implementation Group one. And in that category, it’s for companies who essentially don’t have any extremely sensitive data, but they can’t afford to be down very much. They can’t afford a lot of downtime. So for instance, if their company is down because their servers got hacked and their whole company is down for like, say, three days, it could be catastrophic to their company.

So although the data isn’t very sensitive, it’s just mainly employee data and some financial data about the company. If their servers get hacked and taken down, it’ll really affect their company and they can’t really afford the downtime. That is IG one. So that’s kind of the entry point for the CIS model, the CIS framework. So if your company doesn’t even fit into that, say your company is like, hey, we don’t have any sensitive data and we can afford to be down for a long period of time, it’s not going to be catastrophic to our company.

Then you’re not really in a category where, you know, you really have to be ultra aware of cybersecurity. I mean, everybody has to do some basic cybersecurity stuff. But good news is if you don’t even finish the IG one, your company really this isn’t a big concern for them. So you could probably, you know, do some minor things here and there and you’ll be fine.

The Three Categories: IG2 & 3

IG2, Implementation Group number two, is for companies that do have sensitive information, but it’s not a public safety concern.

And then IG three, Implementation Group number three, is for companies that have sensitive data and if they’re hacked, it’s an immediate public safety concern. And IG three companies are those companies that are frequently targeted for attacks. So they’re targeted by highly sophisticated hackers who are trying to hack into their company, specifically to create a public safety problem. That’s IG three.

So everything with the CIS control, all the different procedures and safeguards that they recommend, are categorized into things that IG one companies should be doing versus IG two companies should be doing versus IG three companies should be doing. So that’s what we’re going to be talking about today. So if your company falls into implementation group number one, what is the template for a cybersecurity risk assessment that you should be following?

Step 1

So step number one is establish a written process for how you’re going to manage your audit logs. (a) Which logs are collected? How do we enable them, that type of thing. (b) Do we review the logs? If so, how often? (c) Where does our company save our audit logs and how long do we save them for? And (d) review the procedures or plan for audit logs at least once a year, or after major company changes if it’s less than a year.

So for instance, if you guys acquire a new location or add a new location, acquire another company and you’re adding more assets into the system, that’s another time to reevaluate the procedures in the process.

Step 2 & 3

The second step is to enable the logs on all the assets that you determined you’re going to collect logs from in step one.

And number three, as you might have guessed, store the logs as you had planned.

So those are the three steps. Those are the three kind of template steps to follow if you think your company is in IG one, meaning that you don’t really have sensitive data, but your company can’t really afford to be down or have major downtime for a lengthy period of time, like a few days to a week. So those are the three steps that you should follow in terms of a template. See how your company compares to that, and that is your risk assessment.

IG2

All right. So what if your company falls into implementation group number two, meaning that you do have sensitive data within the company, meaning you might have to abide by some different compliances and things like that, some different standards. And on top of that, you’re not really a public risk, meaning that if you do have a cyber attack, it’s not a public risk, but obviously it’s something you don’t want your company to have to experience because there’s obviously large fines if you’re not in compliance or if you have a breach.

So that would be Implementation Group number two. What is the template that you should follow for a cybersecurity risk assessment? I’m going to continue with the numbering for implementation group number one, because you definitely have to do those things to start with, and some extra stuff. So you want to look at some extra different steps.

Step 4 – 10

Number four, you want to establish time synchronization. You want to have everything timed up with at least two time sources, synchronized time sources, within the company. Why do you do that? Obviously, you want to make sure that all of your logs match in terms of the exact time that things are happening. You want to have two different time sources, if this is available within your assets’ capabilities, two different time sources that are pulling time and synchronizing, so that everything else is synchronizing with those time sources.

Number five, you want to identify the assets that have sensitive data and make sure you are collecting specific information on your audit logs from those assets. That includes (a) the date, (b) the source, (c) the username, (d) the timestamp, (e) source addresses, (f) destination addresses, and (g) anything else that you think will be useful in a forensic assessment.

So if there is ever an incident, if there’s any other information that you want to be able to collect that’s available with the logs on those assets with sensitive information on it, collect that as well. Number six, collect DNS query audit logs. Number seven, collect URL request audit logs. Number eight, collect command line audit logs. Number nine is to centralize the audit logs.

Obviously, you’re going to be getting all these different audit logs. Well, you don’t want to have to be checking all types of information in order to get those audit logs. Obviously, you want to centralize them with some type of a software. So obviously the most common software for this is SIEM software. It not only collects all the audit logs from different data sources, from different assets within your company, it also runs different security measures for those audit logs.

Step 11

It obviously checks for abnormalities and some unusual behavior going on with the audit logs and might give you some alerts there. You can also use AI to check for abnormalities. And even taking that a step further, it might have the ability to compare your audit log activity versus global incidents that might be going on, global security incidents, and matching that up that, hey, your audit logs have similar activity to these large global incidents that are taking place, and give you alerts on that. Number ten, you want to maintain and save the audit logs for at least 90 days.

And number 11, you want to review all of the audit logs at least once a week, if not more, for anomalies or abnormalities. Now, that’s a big ask, right? I mean, if you’re running a lean I.T. team, that’s a lot of audit logs to go through, which is why you might want to look at a SIEM software and possibly outsourcing all of that audit log auditing and review to a virtual SOC.

vSOC

A virtual SOC is a security operations center that is going to have experts in security who are looking at the alerts coming from your SIEM software and they can quickly go through it. Some of them actually guarantee you zero false positive alerts when they sift through it and hand the alerts to you. So they’ll kind of go through all the alerts that are taking place on your SIEM software and narrow it down to only the alerts you need to be concerned about, which is a big help, because we all know what happens when you get too many alerts, right?

You just start ignoring them. It’s kind of like way back in the day when you first set up your email on your cell phone and you had it alerting you every time an email came in. That lasted for about a day, because after a while you stop looking at them, right? Or in Outlook for me, every time I get an alert that I should be on a conference call, it just goes right past me, because I just start ignoring them after a long time.

IG3

So that’s why it’s a good idea to outsource that. Now, what if your company falls into implementation group number three, meaning your company deals with sensitive data and you have to meet different compliance standards. And on top of that, if you do have an incident or a breach, it could be a public safety concern. So what template should your company be following when it comes to a cybersecurity risk assessment?

Well, you should be doing all of the stuff I mentioned before for implementation group one and two. And in addition to that, number 12, if possible, you should try to collect service provider audit logs. Now what’s included in that? (a) Authentication and authorization logs, (b) data creation and disposal events, and (c) user management events. So that’s a lot of information, but what’s my recommendation?

Well, IG three is really the only category of company that typically has their own security staff. So, you know, that’s the only category company that actually has a whole staff dedicated to cybersecurity.

So although that’s a good template to follow to execute it correctly in order to make sure that you guys are doing the best job that you can for cybersecurity protection,

My Recommendations

If your company is in implementation groups one or two, you heard all that information, right? So that’s just a lot for your team to do on their own without the expertise. I recommend outsourcing it. It’s not that much more expensive, you know, and in terms of trying to hire on staff that can do all that stuff, well, that stuff’s going to cost a lot of money and you’re going to have turnover because they’re very valuable to other companies as well.

So keeping all those folks hired, trained and paid is going to cost your company a lot of money. So instead of doing that, my recommendation is to outsource that stuff: go and get a virtual CISO who can help advise on some of this stuff, or go and get a, you know, an outsourced SIEM solution with a virtual SOC that’s overseeing and reviewing all the log information coming in.

It can just filter down to your I.T. team the stuff you need to know, because I haven’t met very many lean I.T. groups that are actually reviewing their logs weekly and have all this stuff dialed in. It’s just too hard. You guys are too busy. You’re doing too many things. So really my recommendation is for IG one and IG two to outsource and go get a virtual SIEM, go get a virtual SOC, and have them handle your audit logs.

Contact me for my recommendations

That seems to me to be a much better, much cleaner solution and they’ll do a great job with your cybersecurity. So that being said, where do you find a good SIEM provider or a good SOC provider? Well, that’s my job. Reach out and contact me. Send me an email, give me a call (714.593.0011). I’ve been a broker for all these service providers for over 20 years, so I really know the landscape of the whole marketplace really well, and I’ll ask your company a few questions about your requirements and based on your answers, I’ll pair you up with the best 2 to 3 vendors that I think you should be quoting, and I’ll introduce you to the

right people at those service providers, oversee the quoting process to make sure that everything’s quoted at the lowest pricing possible. I’ll make sure we arrange, schedule some demos and some presentations on their solutions. I’ll kind of oversee the whole process. And the nice thing is, is you won’t have to pay me anything. The service providers will pay me my broker fee.

So there’s absolutely no excuse not to at least reach out and ask me for my opinion and see what I have to say. So I hope the video was helpful. If so, reach out to me. Ask me for some quotes. That’s how you could repay me first and foremost for the video. But at the very least, hey like and subscribe to the channel so you don’t miss the next video.

I put these videos out at least once a week, so to make sure you don’t miss the next one like and subscribe to the channel. Thanks again for watching and I’ll catch you on the next one.
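The transcript says "see how your company compares to that, and that is your risk assessment." The script below is an added example, not code from the video or from AeroCom, that turns the template steps for IG2 into a self-assessment check run over a central log export: required fields on sensitive assets (step five), clock agreement between each asset and the collector as a proxy for time synchronization (step four), 90-day retention (step ten) and weekly review (step eleven). The asset names, the JSON field names, the log records, the review dates and the 60-second skew tolerance are all constructed assumptions; a real log store exports its own schema.

```python
"""Audit-log self-assessment over a centralized log export.

Added example (not from the page). Checks constructed JSON-lines records
against the template steps: required fields (5), time sync (4),
retention (10) and review cadence (11). All data below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

# Fields the template lists for assets holding sensitive data (step 5).
REQUIRED_FIELDS = ("date", "source", "username", "timestamp", "src_addr", "dst_addr")
RETENTION_DAYS = 90          # step 10: keep logs at least 90 days
REVIEW_INTERVAL_DAYS = 7     # step 11: review at least weekly
MAX_SKEW_SECONDS = 60        # assumption: tolerated asset-vs-collector clock drift

NOW = datetime(2023, 5, 3, 12, 0, tzinfo=timezone.utc)  # constructed "today"

# Constructed export. "timestamp" is the asset's own clock, "received" is
# the collector's clock when the record arrived.
SAMPLE_LOGS = """\
{"asset": "hr-db", "date": "2023-01-20", "timestamp": "2023-01-20T08:00:00Z", "received": "2023-01-20T08:00:02Z", "source": "sshd", "username": "alice", "src_addr": "10.0.1.5", "dst_addr": "10.0.2.10"}
{"asset": "hr-db", "date": "2023-05-02", "timestamp": "2023-05-02T09:15:00Z", "received": "2023-05-02T09:15:01Z", "source": "sshd", "username": "bob", "src_addr": "10.0.1.7", "dst_addr": "10.0.2.10"}
{"asset": "finance-app", "date": "2023-04-10", "timestamp": "2023-04-10T10:00:00Z", "received": "2023-04-10T10:07:30Z", "source": "webapp", "username": "carol", "src_addr": "10.0.1.9"}
{"asset": "finance-app", "date": "2023-05-01", "timestamp": "2023-05-01T11:00:00Z", "received": "2023-05-01T11:07:29Z", "source": "webapp", "username": "dave", "src_addr": "10.0.1.9"}
{"asset": "kiosk-01", "date": "2023-05-03", "timestamp": "2023-05-03T07:00:00Z", "received": "2023-05-03T07:00:00Z", "source": "kiosk", "username": "guest"}
"""

SENSITIVE_ASSETS = {"hr-db", "finance-app"}  # constructed inventory (step 5)
# Constructed review log; kiosk-01 has never been reviewed.
LAST_REVIEWS = {"hr-db": NOW - timedelta(days=2), "finance-app": NOW - timedelta(days=12)}


def parse_logs(text):
    """Parse a JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_fields(records, sensitive_assets):
    """Step 5: sensitive assets must carry every required field. Returns {asset: {missing}}."""
    missing = {}
    for rec in records:
        if rec["asset"] in sensitive_assets:
            gaps = [f for f in REQUIRED_FIELDS if f not in rec]
            if gaps:
                missing.setdefault(rec["asset"], set()).update(gaps)
    return missing


def check_clock_skew(records, max_skew=MAX_SKEW_SECONDS):
    """Step 4: assets whose clock disagrees with the collector by more than max_skew seconds."""
    worst = {}
    for rec in records:
        skew = abs((_ts(rec["received"]) - _ts(rec["timestamp"])).total_seconds())
        worst[rec["asset"]] = max(worst.get(rec["asset"], 0.0), skew)
    return {asset: skew for asset, skew in worst.items() if skew > max_skew}


def check_retention(records, now=NOW, days=RETENTION_DAYS):
    """Step 10: assets whose oldest retained record is younger than the policy (days held)."""
    oldest = {}
    for rec in records:
        t = _ts(rec["timestamp"])
        if rec["asset"] not in oldest or t < oldest[rec["asset"]]:
            oldest[rec["asset"]] = t
    return {asset: (now - t).days for asset, t in oldest.items() if (now - t).days < days}


def check_review_cadence(assets, last_reviews, now=NOW, interval=REVIEW_INTERVAL_DAYS):
    """Step 11: assets not reviewed within the interval; None means never reviewed."""
    overdue = {}
    for asset in assets:
        last = last_reviews.get(asset)
        if last is None or (now - last).days > interval:
            overdue[asset] = None if last is None else (now - last).days
    return overdue


def assess(text=SAMPLE_LOGS, sensitive_assets=SENSITIVE_ASSETS, last_reviews=LAST_REVIEWS, now=NOW):
    """Run all checks; every non-empty value is a finding for the risk assessment."""
    records = parse_logs(text)
    assets = {rec["asset"] for rec in records}
    return {
        "missing_fields": check_fields(records, sensitive_assets),
        "clock_skew": check_clock_skew(records),
        "short_retention": check_retention(records, now),
        "review_overdue": check_review_cadence(assets, last_reviews, now),
    }


if __name__ == "__main__":
    for check, findings in assess().items():
        print(f"{check}: {findings or 'OK'}")
```

On the constructed data the checker reports that finance-app never logs a destination address, that its clock runs about seven and a half minutes off the collector, that only 23 days of its history are held, and that finance-app and kiosk-01 are overdue for review. A short retention window can also mean the asset was only recently onboarded, so that finding is a prompt to verify the store's retention setting rather than proof of a gap.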
