In this seventh blog in the series, which builds on each stage of the NCSC's 10 Steps to Cyber Security, we look at Event Log Monitoring. In our previous blog, User Privileges, Passwords and the Human Firewall, we outlined how good user management and the appropriate allocation of rights, permissions and privileges can help reduce the likelihood and impact of a cyber-attack.
In this blog we outline how you can potentially reduce or stop a cyber-attack by spotting signs of malicious activity and unauthorised access to systems, services and assets. This includes actively monitoring the environment for signs of reconnaissance, preventing further reconnaissance when identified, and preparing your team to respond effectively in the event of a subsequent attack.
Identifying and understanding the value of your school’s assets is essential in order to have an effective defence in place. An asset can have a tangible or intangible value to a school. Assets such as end-user equipment, printers, servers and infrastructure devices all have a relatively easily quantifiable value, whereas the loss or destruction of data, the theft of intellectual property or the effort required to recover from the effects of a ransomware attack are much harder to quantify.
Before we go any further, ask yourself the following questions...
The following steps focus on digital assets only, although some of the principles could be applied to hard copy data and non-technical systems.
This could be on-premises servers, network storage devices (NAS/SAN), end-user devices, cloud services, systems and services, or removable media such as backup tapes, portable devices or USB drives. This information should be available from your school’s Records of Processing Activity (RoP) or data maps. If it is not, combine this asset identification work with your data-mapping activity so that both are completed together.
Categorising your data is vital in determining the appropriate security and logging required to protect each asset. Security should be applied appropriately and proportionally to the value and sensitivity of the asset. Generally, the classification falls into the following high-level categories:
Check the application or software solution, operating systems, appliance interface and productivity platforms for their ability to monitor, log, audit, and where possible, alert. In general, the main types of logs available are security logs, system logs, application logs and firewall logs. Each log type has a primary function; however, they can contain very similar information. If one system does not provide the logs or events you need you may need to look at a third party tool or put in place compensating security controls.
As log files can contain valuable evidence, an adept attacker will try to sanitise these logs. Taking steps to protect the integrity of these log files is crucial when preserving evidence and allowing you to create a complete timeline of events. One way of doing this is to push/pull all logs into a central repository that is locked down and does not allow modification or deletion of events once written. You will also need to determine how far back you want to go: log volumes grow quickly, and defining a retention period will stop an excessive build-up of logs.
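As an added example (not code from the original post or from 9ine), the following Python sketch shows one way a central log repository can make its stored events tamper-evident: each stored record carries an HMAC tag computed over the event and the previous record's tag, so an edit to, or deletion of, any earlier record breaks the chain and verification reports where it broke. The events, hostnames and key are constructed placeholders.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample events (not from the original post): the kind of records a
# school's central collector might receive from a domain controller and firewall.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:01Z", "host": "dc01", "type": "security", "msg": "logon success user=alice"},
    {"ts": "2024-03-01T08:00:07Z", "host": "dc01", "type": "security", "msg": "logon failure user=bob"},
    {"ts": "2024-03-01T08:01:13Z", "host": "fw01", "type": "firewall", "msg": "deny tcp 10.0.5.20 -> 10.0.1.5:445"},
    {"ts": "2024-03-01T08:02:44Z", "host": "dc01", "type": "security", "msg": "group membership change user=bob group=Domain Admins"},
]

GENESIS_TAG = "0" * 64  # tag used as "previous" for the first record


def canonical(event: Dict) -> bytes:
    # Stable serialisation so the same event always produces the same bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def append_chained(store: List[Dict], event: Dict, key: bytes) -> Dict:
    """Append an event whose HMAC tag also covers the previous record's tag."""
    prev_tag = store[-1]["tag"] if store else GENESIS_TAG
    tag = hmac.new(key, prev_tag.encode() + canonical(event), hashlib.sha256).hexdigest()
    record = {"event": event, "prev": prev_tag, "tag": tag}
    store.append(record)
    return record


def build_store(events: List[Dict], key: bytes) -> List[Dict]:
    store: List[Dict] = []
    for e in events:
        append_chained(store, e, key)
    return store


def verify_chain(store: List[Dict], key: bytes) -> int:
    """Return the index of the first record that fails verification, or -1 if the chain is intact."""
    prev_tag = GENESIS_TAG
    for i, rec in enumerate(store):
        expected = hmac.new(key, prev_tag.encode() + canonical(rec["event"]), hashlib.sha256).hexdigest()
        if rec["prev"] != prev_tag or not hmac.compare_digest(rec["tag"], expected):
            return i
        prev_tag = rec["tag"]
    return -1


def demo():
    """Build a chain, then show that an edit and a deletion are both detected."""
    key = b"collector-secret-key-placeholder"  # constructed; keep the real key off the log sources
    store = build_store(SAMPLE_EVENTS, key)
    intact = verify_chain(store, key)          # -1: untouched chain verifies

    edited = copy.deepcopy(store)
    edited[3]["event"]["msg"] = "logon success user=bob"  # simulate rewriting a record
    edit_idx = verify_chain(edited, key)       # 3: the edited record no longer matches its tag

    shortened = copy.deepcopy(store)
    del shortened[1]                           # simulate removing a record from the middle
    gap_idx = verify_chain(shortened, key)     # 1: the next record's "prev" no longer lines up
    return intact, edit_idx, gap_idx


if __name__ == "__main__":
    print(demo())
```

Note that this scheme does not notice records removed from the very end of the chain; for that the latest tag must also be recorded somewhere the log sources cannot write to (for example, periodically copied to a separate system), which is the same separation of duties a locked-down SIEM or WORM storage provides.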
Whether implementing your own mechanism for collating and analysing logs or sourcing an appropriate third-party solution such as a Log Management System (LMS) or Security Information and Event Management (SIEM) platform, you should consider the following:
There are many solutions to choose from, and the NCSC provides a list of publicly available, open-source tools. The NCSC has not formally tested these products, and neither 9ine nor the NCSC recommend a particular one; however, the solution needs to meet your functional requirements, match the technical skills of your team and be within your allocated budget.
You must get what you need from your system logs and alerts, and to do that you first need to baseline the outputs. A high proportion of what is captured in monitoring logs is informational. Some isolated errors and events will simply be systems or users going about their day-to-day routines with occasional failures (false positives). It is this background noise that you need to understand (baseline) and then filter out of your analysis, so that the anomalies that might indicate an issue or a malicious user stand out. Some of the key items you want to look at are:
Once you are confident that you have set up and configured the logging to meet your needs, the next step is to proactively review the captured information for signs of malicious activity or threats. Following the above will help your teams become more proactive in the identification of malicious attacks or suspicious behaviour and will provide invaluable information in any post-incident investigation.
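To make the baselining step above concrete, here is an added Python example (not from the original post or from 9ine) that builds a baseline from a few days of normal logon events and then filters the same kinds of events from a new day, reporting only what departs from the baseline: a successful logon from a user/source pairing never seen before, a logon at an hour outside the usual pattern, and a burst of failures inside a short window. The log format and every line in it are constructed for the example; the single expected-looking failure for "bob" is left unreported, which is the noise-filtering the post describes.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the original post), in a simplified
# syslog-style format: <timestamp> <host> <result> user=<name> src=<ip>
BASELINE_LOG = """\
2024-03-04T08:02:11Z dc01 logon-ok user=alice src=10.0.20.11
2024-03-04T08:03:40Z dc01 logon-fail user=bob src=10.0.20.14
2024-03-04T08:03:52Z dc01 logon-ok user=bob src=10.0.20.14
2024-03-04T08:10:05Z dc01 logon-ok user=carol src=10.0.20.19
2024-03-05T08:01:30Z dc01 logon-ok user=alice src=10.0.20.11
2024-03-05T08:04:12Z dc01 logon-fail user=carol src=10.0.20.19
2024-03-05T08:04:30Z dc01 logon-ok user=carol src=10.0.20.19
2024-03-05T08:09:00Z dc01 logon-ok user=bob src=10.0.20.14
"""

NEW_LOG = """\
2024-03-06T08:00:10Z dc01 logon-ok user=alice src=10.0.20.11
2024-03-06T08:05:20Z dc01 logon-fail user=bob src=10.0.20.14
2024-03-06T08:05:41Z dc01 logon-ok user=bob src=10.0.20.14
2024-03-06T02:14:03Z dc01 logon-fail user=admin src=10.0.99.8
2024-03-06T02:14:05Z dc01 logon-fail user=admin src=10.0.99.8
2024-03-06T02:14:06Z dc01 logon-fail user=admin src=10.0.99.8
2024-03-06T02:14:08Z dc01 logon-fail user=admin src=10.0.99.8
2024-03-06T02:14:09Z dc01 logon-fail user=admin src=10.0.99.8
2024-03-06T02:14:11Z dc01 logon-fail user=admin src=10.0.99.8
2024-03-06T02:14:40Z dc01 logon-ok user=admin src=10.0.99.8
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<result>logon-ok|logon-fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text: str) -> list:
    """Turn raw lines into event dicts; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def build_baseline(events: list) -> dict:
    """Summarise 'normal': known user/source pairs and the hours at which logons succeed."""
    pairs = {(e["user"], e["src"]) for e in events}
    hours = {e["ts"].hour for e in events if e["result"] == "logon-ok"}
    return {"pairs": pairs, "hours": hours}


def find_anomalies(events: list, baseline: dict, fail_threshold: int = 5, window_s: int = 60) -> list:
    """Return (kind, user, detail) tuples for events that fall outside the baseline."""
    findings = []
    for e in events:
        if e["result"] != "logon-ok":
            continue
        if (e["user"], e["src"]) not in baseline["pairs"]:
            findings.append(("new-user-source-pair", e["user"], e["src"]))
        if e["ts"].hour not in baseline["hours"]:
            findings.append(("off-hours-logon", e["user"], e["ts"].isoformat()))
    # Sliding window per (user, src): report a burst once, not once per failure.
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "logon-fail":
            fails[(e["user"], e["src"])].append(e["ts"])
    for (user, src), times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= fail_threshold:
                findings.append(("failure-burst", user, src))
                break
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for finding in find_anomalies(parse(NEW_LOG), base):
        print(finding)
```

The thresholds (five failures in sixty seconds, "usual hours" learned from successful logons) are deliberately simple so the logic is readable; in practice you would tune them per system from a longer baseline period, and a real SIEM would express the same three rules as correlation searches over its normalised fields.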
Using the above steps as a guideline, you will be on your way to building solid foundations for determining the monitoring and logging your school requires. By ensuring that the IT department monitors and reviews both new and historical event logs, you are providing another layer of security in your defence-in-depth strategy, ultimately strengthening the school's defences and better protecting the confidentiality, integrity and availability of the school's assets.
ABOUT THE AUTHOR:
Dan Cleworth has worked in education for over 20 years. He is a Senior Technical Consultant and certified GDPR practitioner. Dan heads up 9ine's cyber security team and currently works with schools in the UK, Europe and the Middle East to evaluate and secure systems and services to meet data protection and cyber security compliance.