Appalachia Technologies Blog
The OWASP Top 10: Security Logging and Monitoring Failures
Recently, we explored the Open Web Application Security Project (OWASP) Top 10 (Allergic to Bees? Don’t Get Stung by the OWASP Top 10) by looking at what it is and why it matters. Then we took a closer look at one area of the Top 10 – Security Misconfiguration. Next in line for a deeper dive is Security Logging and Monitoring Failures. This category exists because, without adequate logging and monitoring, an organization cannot detect, escalate, and respond to active breaches.
Logging is one of the most important factors in an organization's ability to detect breaches. Security logging allows an organization to tell a story from beginning to end: if proper logging and security monitoring are in place, a complete account of a breach can be reconstructed, including everything needed for a full investigation (who acted, from where, when, and what happened).
In many organizations, proper logging and monitoring are not occurring, which can leave the organization unable to retrace a breach, determine how it occurred, or work out how to prevent the next one. Insufficient logging and monitoring can consist of:
- Auditable events, such as logins, failed logins, and high-value transactions, are not logged.
- Warnings and errors generate no, inadequate, or unclear log messages.
- Logs of applications and APIs are not monitored for suspicious activity.
- Logs are only stored locally, where an attacker who compromises the host can alter or delete them.
- Appropriate alerting thresholds and response escalation processes are not in place or effective.
- Penetration testing and scans by dynamic application security testing (DAST) tools (such as OWASP ZAP) do not trigger alerts.
- The application cannot detect, escalate, or alert for active attacks in real-time or near real-time.
How to Prevent Insufficient Logging and Monitoring:
The controls needed for proper logging and monitoring include:
- Make sure all logins, failed logins, access control failures, and server-side input validation failures are logged with enough user context (who, from where, when) that malicious logins and suspicious activity can be identified, and retain the logs long enough for delayed forensic analysis.
- Make sure logs are generated in a format that log management solutions such as SIEMs can properly consume: structured records with consistent field names and timestamps.
- Ensure log data is encoded correctly so attacker-controlled input cannot inject fake entries or attack the logging and monitoring systems, and protect high-value audit trails with integrity controls such as append-only storage.
- Make sure the organization has a proper IRP (Incident Response Plan) in place, including alerting thresholds and escalation paths, so that a prepared and organized response occurs.
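The following is an added example written for this article (it is not OWASP's or Appalachia's code) that ties the failures above to the controls just listed: it emits authentication events as one JSON line each so a SIEM can parse them and so attacker-supplied values cannot forge extra entries, then runs three detections over a constructed sample log: a failed-login burst per source address, scanner traffic identified by User-Agent (the kind of DAST or penetration-test activity that should trip an alert), and a successful login from an address that already tripped the burst rule. The IP addresses, usernames, timestamps, threshold, and window are illustrative assumptions.

```python
"""Structured auth logging plus detection rules run over constructed sample
log lines. Added example for this article, not code from OWASP or Appalachia;
hosts, addresses, and thresholds are illustrative."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def format_event(timestamp, event, user, src_ip, outcome, user_agent=""):
    """Emit one auth event as a single JSON line.

    Every field needed to answer 'who, from where, when, what happened' is
    present, and json.dumps escapes attacker-controlled values, so a username
    containing a newline cannot forge a second log entry (log injection).
    """
    record = {
        "ts": timestamp,          # ISO 8601 with UTC offset
        "event": event,           # e.g. "login"
        "user": user,
        "src_ip": src_ip,
        "outcome": outcome,       # "success" or "failure"
        "user_agent": user_agent,
    }
    return json.dumps(record, separators=(",", ":"))


# Constructed sample log (not a real capture): a burst of failures from one
# address followed by a success, stray failures from another, a scanner that
# announces itself in its User-Agent, and one corrupt line.
SAMPLE_LOG = "\n".join([
    format_event("2024-05-01T10:00:00+00:00", "login", "alice", "203.0.113.5", "failure", "curl/8.0"),
    format_event("2024-05-01T10:00:10+00:00", "login", "bob", "203.0.113.5", "failure", "curl/8.0"),
    format_event("2024-05-01T10:00:20+00:00", "login", "carol", "203.0.113.5", "failure", "curl/8.0"),
    format_event("2024-05-01T10:00:30+00:00", "login", "dave", "203.0.113.5", "failure", "curl/8.0"),
    format_event("2024-05-01T10:00:40+00:00", "login", "erin", "203.0.113.5", "failure", "curl/8.0"),
    format_event("2024-05-01T10:00:50+00:00", "login", "frank", "203.0.113.5", "success", "curl/8.0"),
    format_event("2024-05-01T10:05:00+00:00", "login", "alice", "198.51.100.7", "failure", "Mozilla/5.0"),
    format_event("2024-05-01T10:09:00+00:00", "login", "alice", "198.51.100.7", "success", "Mozilla/5.0"),
    format_event("2024-05-01T10:12:00+00:00", "login", "admin", "192.0.2.9", "failure", "Mozilla/5.0 (compatible; OWASP ZAP)"),
    "this line is not JSON",
])


def parse_log(text):
    """Parse JSON lines; return (events, number_of_unparseable_lines).
    Bad lines are counted rather than silently dropped: a pipeline that
    loses records is itself a logging failure worth alerting on."""
    events, bad = [], 0
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            bad += 1
    return events, bad


def detect_failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source IP when `threshold` failed logins fall inside a
    sliding `window`. Returns {src_ip: {"count": n, "at": alert_time}}."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event") != "login" or ev.get("outcome") != "failure":
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop timestamps outside window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in alerts:
            alerts[ev["src_ip"]] = {"count": len(q), "at": ev["ts"]}
    return alerts


SCANNER_SIGNATURES = ("owasp zap", "sqlmap", "nikto", "nessus")


def detect_scanners(events):
    """Source IPs whose User-Agent names a well-known scanner. If a pentest
    or DAST run never fires this rule, nobody is watching the logs."""
    return {
        ev["src_ip"] for ev in events
        if any(sig in ev.get("user_agent", "").lower() for sig in SCANNER_SIGNATURES)
    }


def detect_success_after_burst(events, burst_alerts):
    """Escalation rule: a successful login from an address at or after the
    moment it tripped the burst rule is a likely credential-stuffing hit."""
    return {
        ev["src_ip"] for ev in events
        if ev.get("outcome") == "success"
        and ev["src_ip"] in burst_alerts
        and ev["ts"] >= burst_alerts[ev["src_ip"]]["at"]
    }


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    bursts = detect_failed_login_bursts(evs)
    print("unparseable lines:", bad)
    print("failed-login bursts:", bursts)
    print("scanner traffic from:", detect_scanners(evs))
    print("successful login after burst:", detect_success_after_burst(evs, bursts))
```

In a real deployment the JSON lines would be shipped off-host to the SIEM as they are written (so a compromised server cannot rewrite its own history), and the burst threshold and window would be tuned against the organization's normal failure rate to keep the alert actionable.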
Attack Scenario:
A major retailer gets infected with malware. Over time, this malware is able to make its way into the point-of-sale systems across 500 stores. As credit card transactions occur, the malware monitors and records each card that is processed for a purchase. Over the period of a year, 50 million cards are recorded, stolen, and sold on the black market. Because proper logging and monitoring were not in place, the malware resided inside the company network for nearly a year, undetected.
As you can see, proper logging and monitoring are key components of detecting suspicious activity. Without them, a complete breach can occur with no traces left behind, leaving investigators with a mystery and no facts to reconstruct it from.
Source: https://owasp.org/www-project-top-ten/
CC by 3.0
Mike Miller is a cybersecurity professional with 25 years of experience throughout the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.