US, Allies Publish Cyber Information Sheet on Best Practices for Event Logging

The United States and its allies have released a joint cybersecurity information sheet (CSI) that provides best practices for event logging and threat detection in cloud services, enterprise networks, mobile devices and operational technology networks.

The National Security Agency, the Cybersecurity and Infrastructure Security Agency and the cybersecurity centers in Australia, the United Kingdom, Canada, New Zealand, Japan, South Korea, the Netherlands and Singapore co-authored the CSI to help senior information technology decision makers, operational technology operators, network administrators and network operators ensure continued operations delivery and improve the security and resilience of critical systems.

According to the document, an effective event logging solution enables network visibility by providing alerts to network defenders regarding critical software configuration changes, identifying events that may indicate a cybersecurity incident, supporting incident response by revealing the scope and extent of a compromise, and monitoring account compliance with organizational policies.

The CSI states that captured event logs should contain sufficient detail to aid network defenders and incident responders. It advises network administrators and operators to assess the logging capability of OT device software to ensure the devices can handle the level of logging in a way that does not affect operations.

According to the document, failure to deliver data relevant to security diminishes the effectiveness of a logging solution as a cyber incident detection capability.
