International Partners Release Best Practices for Event Logging and Threat Detection

Yesterday, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), CISA, FBI, NSA, and international partners released a joint guide titled “Best Practices for Event Logging and Threat Detection.” The guide is designed to assist organizations in defining a baseline for event logging to mitigate malicious cyber threats. The new guidance outlines four overarching action items that represent the mentioned best practices and incorporates practical information and resources for each best practice making it easier for administrators to pursue implementation, including:

• Develop and implement an enterprise-approved logging policy,
• Prioritize a centralized log collection and correlation strategy,
• Implement secure storage and event log integrity practices,
• Implement a detection strategy for relevant threats.

CISA states: “The increased prevalence of malicious actors employing living off the land (LOTL) techniques, such as living off the land binaries (LOLBins) and fileless malware, highlights the importance of implementing and maintaining an effective event logging program.”

WaterISAC echoes these agencies in underscoring the importance of these security practices and encourages members to reference Fundamental 4 | Implement System Monitoring for Threat Detection and Alerting from WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities.

From Fundamental 4 | Implement System Monitoring for Threat Detection and Alerting:

“Continuous monitoring and threat detection is necessary for the visibility into both IT and ICS/OT networks. The ability to detect threats enables faster threat identification, satisfies regulatory or compliance requirements, and typically reduces adversary dwell time within the network(s). Effective monitoring and threat detection can prevent or minimize financial losses by identifying and mitigating threats before they cause substantial harm.”

The new joint guide also includes logging considerations for OT environments. Likewise, Fundamental 4 from WaterISAC’s 12 Cybersecurity Fundamentals for Water and Wastewater Utilities includes additional OT considerations such as the importance and practical application of independent monitoring of critical instrument values.

CISA encourages public and private sector senior information technology (IT) decision makers, operational technology (OT) operators, network administrators, network operators, and critical infrastructure organizations to review the best practices in the guide and implement recommended actions. For more information, access CISA.