Logging and monitoring policy

1. Purpose, Introduction, and Users

This policy details event logging and monitoring requirements to support information security.

This policy outlines implementation guidance on event logs recording user activities, exceptions, faults, and information security events that should be
produced, kept, and regularly reviewed.

Information Security Logging and monitoring are necessary to identify, respond to, and prevent security incidents, suspicious activity, and operational issues.

The information can be used for auditing, root cause analysis, and in case security events for forensic investigations.

This document applies to the entire Information Security Management System (ISMS) scope and all personal data processing activities.

Users of this document are employees of the IT and DevOps departments.

2. Reference documents

  • ISO/IEC 27001:2013 standard controls A.12.4, subcontrols 12.4.1 – 12.4.4
  • ISO/IEC 27701:2019 standard, controls 6.9.4, subcontrols 6.9.4.1 – 6.9.4.4
  • 5 Information Security Policy
  • 12.6 Resolver Risk Assessment-Threat & Vulnerability Management Standard
  • This document is based on Kroll’s Logging and Monitoring January 2023 edition.

3. Scope

The standard applies to Resolver’s on-prem Production servers (Active Directory (AD) DC servers), Cloud production environments, network firewalls, and cloud solutions. Security solutions should be monitored and events recorded.

The logs, where feasible, must be sent to the corporate centralized SIEM solution for log aggregation, monitoring, and alerting.

The log events must be retained per the retention period defined for the respective data sets based on compliance or industry-specific requirements.

To ensure Resolver’s information assets are kept secure at all times, it is necessary to monitor the activities of both authorized and unauthorized users to identify any actions that are not in keeping with the secure use of the facilities provided.

Such actions may include:

  • Unauthorised access attempts
  • Unusual use of privileged accounts, e.g., administrator
  • Attachment of unauthorized removable media devices
  • Unusual patterns of activity, e.g., late at night
  • Changes to system settings.
Sr NoField NameDescription
1Event id or idA unique identifier of the event/log entry
2Log SourceThe source location where the log originated from
3HostThe host where the log originated
4User idDetails to identify the user/actor
5ActionThe activity or action performed by user/actor
6LocationSource and/or destination details captured when doing the action
7TimestampThe timestamp of the event with the time zone details
Field/Event Exceptions
  1. Based on the type of logs being ingested from third party products or solutions, some of the expected fields might not be available or the fields might have unique values that might not convey the required information directly. For such scenarios, the data enrichment could be added at the SIEM level to add more context to the ingested logs so as to allow detailed investigations.
  2. In certain cases, the same set of logs might be ingested in different security solutions for their specific security use cases. In such scenarios, the decision to ingest duplicate data or to ingest the processed and actionable data, in the centralized SIEM, can be taken on a case to case basis.

4. Logging and monitoring policy

4.1 Monitoring and Review

It shall be the responsibility of the product or solution or server owners to ensure appropriate local logging, retention, and monitoring is in place. The information security logs must be forwarded to a centralized SIEM solution for aggregation and analysis.

Members of the InfoSec & Compliance team are required to log in to the SIEM daily and review the last 24 hours of activities on the main dashboards, including but not limited to:

  • Office 365 – Active Directory – Login Monitoring
  • Office 365 – Azure Active Directory – Login Failures
  • AWS CloudTrail Failed Login (Alert)
  • Crowdstrike – IP Threat Count (Alert)

4.2 Protection, Storage, and Retention of log information

Log files will be kept for at least six months or for a period specified according to other industry-specific Compliance regulations or standard requirements, will guide the maximum retention period of some data subsets; as such, the SIEM solution should be able to accommodate varying retention periods.

Strict permissions will ensure that the contents of log files cannot be altered after they have been written. Where possible, key events from log files will be copied to a central point and archived. Backups of log files will be taken daily.

The logs, where feasible, must be stored in immutable storage (no one, including admins, should not be able to edit the data) and must be sent to the corporate centralized SIEM solution for log aggregation, monitoring, and alerting.

The logs forwarded to SIEM must be available for search for at least 90 days. After which they can be archived to a cheaper storage.

In a cloud environment, particularly where personally identifiable information (PII) is recorded as part of logging activities, logs should be encrypted at rest, and appropriate access control must be in place to prevent such data from being used for any other purpose.

4.3 Production Servers

All servers/devices defined in scope should forward system audit logs. For Windows servers, the Application, System, and Security logs generated at the OS level need to be forwarded.

For Linux machines, the logs in /var/log folders that capture the audit information must be forwarded.

These logs must contain at least the below minimum fields that could be used for analysis.

Sr NoField NameDescription
1User IdDetails to identify the user/actor
2Log SourceThe source location where the log originated from
3HostThe host where the log originated
4IP address/LocationThe source and destination IP addresses of the requests
5ActionThe activity or action performed by user/actor
6TimestampThe timestamp of the event with the time zone details
Field/Event Exceptions
  1. Certain event codes might be blacklisted to reduce the high- volume events that might not be used for Security analysis. These can be considered on a case-to-case bases as the SIEM license is limited.
  2. The event format is defined by the Operating system, as such certain fields might be missing for different events/event codes. The field list is an indicative list as to what is expected and useful but will depend on the OS flavour and the logging settings on each server.

4.4 Network Firewalls

All the firewalls in the environment should forward the traffic and IPS/IDS logs to the centralized SIEM.

These logs must contain at least the below minimum fields that could be used for analysis:

Sr NoField NameDescription
1Log Source/HostThe source location or the host details where the log originated
2IP address/LocationThe source and destination IP addresses of the requests
3SignatureSignature details for IPS/IDS events
4ActionThe activity or action performed by user/actor
5TimestampThe time of the event with the time zone details
Field ExceptionsThe field list might vary based on the event codes and Firewall vendor. The list is an indicative list and the real data/fields ingested could vary.

4.5 Cloud Solutions/Cloud Service Providers

Cloud providers provide services where the Resolver’s infrastructure or applications are hosted. These Cloud services generate logs for actions performed on their portals. Several additional types of logs are generated based on the services in use. The logs that contain audit or relevant security-related events should be ingested in the SIEM solution where feasible.

The logs must contain at least the below minimum fields that could be used for analysis:

Sr NoField NameDescription
1Event id or idA unique identifier of the event/log entry
2Log SourceThe source location where the log originated from
3Log TypeDetails related to the type of the logs that would provide details related to the service that generates the logs
4User idDetails to identify the user/actor
5ActionThe activity or action performed by user/actor
6LocationSource and/or destination details captured when doing the action
7TimestampThe timestamp of the event with the time zone details
Field ExceptionsHigh volume could be generated by certain log types, as such a decision can be taken to ingest only the required subset of events in the SIEM that is relevant for Security use cases. The decision can be taken on a case-to-case basis.

4.6 Security Solutions

The team manages and uses the different Info Sec tools (VPN) to generate logs based on their use case.

These logs should be ingested in the SIEM solution where feasible so all the required information for security analysis is available centrally.

Below are the minimum fields from the Security Tools that could be used for analysis. Based on the use case of the Info Sec tool, certain additional fields will be required for analysis:

Sr NoField NameDescription
1User IdDetails to identify the user/actor
2Log SourceThe source location where the log originated from
3Log TypeDetails related to the type of the logs that would provide details related to the service that generates the logs
4IP address/LocationThe source and destination IP addresses of the requests
5ActionThe activity or action performed by user/actor
6TimestampThe timestamp of the event with the time zone details
Field/Event ExceptionsIf there is an intersection in the capabilities related to log ingestion and processing with any other Info Sec tool, that the Info Sec team has, with what the SIEM has to offer, a decision can be taken to ingest only the processed alerts from the Security Tool instead. This can be considered based on the use case and the overall Info Sec Team requirement

4.7 Clock synchronization / NTP server settings.

Where possible, all systems will synchronize their date and time either with a single internal source or an appropriate external time source. This is important so that events on different systems can be correctly compared during incident investigation without considering differences in system times.

Within Resolver, the following convention will be used:

  • All Corporate Windows OS-based client desktop computers and domain controllers will use the windows.com NTP server for clock synchronization.
  • All macOS-based devices will use the apple.com NTP server for clock synchronization.
  • All AWS-hosted cloud services must be obtained from the cloud service provider (CSP) regarding the time source used within their cloud environment.
  • Resolver’s production environments will use Amazon Time Sync Service for time synchronization. Please refer to https://aws.amazon.com/about-aws/whats-new/2017/11/introducing-the-amazon-time-sync-service/

5. Validity and document management

This document is valid as of September 2023.

The owner of this document is an InfoSec & Compliance team who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • Log sources unavailable in central systems: SOC, SIEM, or Netwrix.

EFFECTIVE ON: September 2023

REVIEW CYCLE: Annual at least and as needed