No set of preventive controls will stop an attacker at every phase of an attack; some activity will only be identified after the fact, from the traces it leaves behind.
An effective log centralisation policy is therefore essential. Concretely, this means collecting the logs of your servers, workstations, network equipment and any other relevant sources, and keeping them in one or more centralised, secured locations. That location can be on-premises storage, storage with an external service provider or a cloud service.
The aim is to keep this information readily available even while under attack or after a compromise: a copy held on a separate collector that the sending hosts cannot modify is out of reach of an attacker who has taken control of the machine that produced it and wants to erase their tracks.
If the company has the means, log monitoring can be implemented in a Security Information & Event Management (SIEM) solution, alert use cases can be defined on top of it, and a Security Operations Centre (SOC) can be set up to obtain a centralised view of what is happening across the IT infrastructure.
This is usually the last step in a security programme, since these tools are neither the easiest to set up nor the cheapest.
SIEM
Security Information & Event Management (SIEM) solutions are designed to detect and support the response to events or incidents within an IT environment. They collect and normalise logs from across the whole IT infrastructure, correlate them, and raise alerts on anomalies in near real time, typically by matching incoming events against a set of detection rules (use cases).
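To make "alert use cases" concrete, here is an added example (not code from the original page or from any SIEM product) of the kind of rule a SIEM runs over centralised logs: parse sshd lines in classic syslog format, count failed logins per source address in a sliding window, and raise a second, higher-severity alert when a login then succeeds from an address already flagged for brute force. The sample log lines are constructed for the example; host names and addresses are made up, and the threshold and window are assumptions you would tune to your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in classic syslog (RFC 3164) format, as a collector
# would store them. Host names, PIDs and IP addresses are made up. The CRON line
# is there to show that unrelated events are skipped, not misparsed.
SAMPLE_LOGS = """\
Mar 12 08:01:02 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51820 ssh2
Mar 12 08:01:05 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51821 ssh2
Mar 12 08:01:09 web01 sshd[2205]: Failed password for root from 203.0.113.7 port 51822 ssh2
Mar 12 08:01:12 web01 sshd[2207]: Failed password for root from 203.0.113.7 port 51823 ssh2
Mar 12 08:01:14 web01 sshd[2209]: Failed password for root from 203.0.113.7 port 51824 ssh2
Mar 12 08:01:20 web01 sshd[2211]: Accepted password for root from 203.0.113.7 port 51825 ssh2
Mar 12 08:02:00 web01 CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)
Mar 12 08:05:00 web01 sshd[2250]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar 12 08:30:00 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.4 port 40011 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n> ssh2".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd authentication event, or None for any other line.
    Classic syslog timestamps carry no year, so one is supplied (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines, threshold=5, window_s=60):
    """Two SIEM-style use cases over a stream of log lines:
      brute_force            - at least `threshold` failed logins from one IP
                               within `window_s` seconds (fires once per IP)
      success_after_failures - a successful login from an IP already flagged
                               for brute force (likely a guessed credential)
    Returns a list of (rule, ip, timestamp) tuples in the order they fired."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # ips that already triggered brute_force
    alerts = []
    for line in lines.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # not an sshd auth event: ignore
        q = failures[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["ts"]))
        elif ev["ip"] in flagged:
            alerts.append(("success_after_failures", ev["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, ip, ts in detect(SAMPLE_LOGS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} ALERT {rule} src={ip}")
```

On the sample data the first rule fires at the fifth failure from 203.0.113.7 and the second rule fires on the subsequent accepted login from the same address; the single failure from 198.51.100.4 followed much later by a key-based login produces nothing. A real SIEM adds suppression, enrichment (asset owner, geolocation, known scanner lists) and a ticket or page for the analyst, but the correlation itself is no more than this.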
SOC
A Security Operations Centre (SOC) is the team, and the tooling it works with (usually built around the SIEM), that monitors a company's systems and networks for security events. It provides a single place where suspicious activity is detected, triaged and handled in real time, so that incidents are contained before they threaten business continuity.
Bear in mind that a SIEM or a SOC is only useful if someone is actually watching and responding to the alerts these tools generate; a rule whose alerts nobody reads is just more data in storage.
—
Definition of "log": a "log" is a file in which a system or piece of software automatically records the events that affect it. It makes it possible to reconstruct what that component did, and when, after the fact.