By Rami Altalhi and David Roman.  

Logs are fundamental to strengthening an organization's digital defenses. Many logs within an organization contain records related to computer security.  

These computer security logs are generated by many sources, including security software, workstations, servers, antivirus software, EDRs, firewalls, intrusion detection and prevention systems, and networking equipment.

Many organizations face a range of challenges in collecting, reviewing and managing logs. As the adoption of digital technologies increases, the volume of log data grows, which makes it harder for cybersecurity teams to identify which logs are most valuable when investigating and analyzing threats.

To simplify companies' logging challenges and bolster incident response planning, the Talos IR team will soon offer a Log Architecture Assessment as part of the services available through the Cisco Talos Incident Response Retainer Service. The Log Architecture Assessment can help companies analyze, collect and prepare their logs so they are better equipped for any potential threats. Alongside an incident response plan, strong logging policies that the organization understands give responders better data points and references for making well-informed decisions during future incidents.

During a Log Architecture Assessment, Talos IR will look at customers' environments to determine what logs, if any, are being collected, processed and correlated, and how they can be better identified and sorted to spot potentially malicious events. This makes it easier for the company to build a timeline of events during any future incident.

Customers do not need to come prepared ahead of time with anything for a Log Architecture Assessment — Talos IR will work with the customer to: 

  1. Determine what metadata is being logged in their environment and what basic configurations are in place.
  2. Run a few scripts to grab important metadata from the logs currently generated in their environment, to answer pertinent questions such as:
    • How long are logs stored?
    • Are they still in the default configuration?
    • Do logs roll over after a certain period?
  3. Provide a detailed post-analysis report on the organization's logging infrastructure, inclusive of workstations, servers and network equipment, to ensure both thoroughness and efficiency.
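As an added example of the kind of script step 2 describes (not Talos IR's own tooling), the following PowerShell function inventories Windows event log retention settings so an assessor can answer the three questions above for each channel. The channel list and the 20 MB "default maximum size" baseline are assumptions; verify them against the build being assessed.

```powershell
# Added example (not Talos IR's script): inventory Windows event log retention
# so an assessor can see how long logs are kept, whether they still sit at
# default settings, and whether they roll over. Run elevated; the Security
# log is not readable otherwise.
function Get-LogRetentionInventory {
    param(
        # Channels to check (assumed list); absent channels are skipped.
        [string[]]$LogName = @('Security', 'System', 'Application',
            'Microsoft-Windows-PowerShell/Operational',
            'Microsoft-Windows-Sysmon/Operational'),
        # Assumed out-of-box maximum size for the classic logs (20 MB).
        [long]$DefaultMaxBytes = 20MB
    )
    foreach ($name in $LogName) {
        $cfg = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
        if (-not $cfg) {
            Write-Warning "Channel '$name' not present on $env:COMPUTERNAME"
            continue
        }
        # The oldest surviving record is the real retention window; an empty
        # log throws "No events were found", which we treat as no coverage.
        $oldest = $null
        try {
            $oldest = (Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction Stop).TimeCreated
        } catch { }
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Log           = $name
            Enabled       = $cfg.IsEnabled
            MaxSizeMB     = [math]::Round($cfg.MaximumSizeInBytes / 1MB, 1)
            # Circular = overwrites oldest events when full (rolls over);
            # Retain / AutoBackup = stops logging or archives when full.
            LogMode       = $cfg.LogMode
            AtDefaultSize = ($cfg.MaximumSizeInBytes -eq $DefaultMaxBytes)
            Records       = $cfg.RecordCount
            OldestEvent   = $oldest
            DaysCovered   = if ($oldest) { [math]::Round(((Get-Date) - $oldest).TotalDays, 1) } else { 0 }
            PercentFull   = if ($cfg.MaximumSizeInBytes) { [math]::Round(100 * $cfg.FileSize / $cfg.MaximumSizeInBytes) } else { $null }
        }
    }
}

# Run locally and tabulate for the assessment report.
Get-LogRetentionInventory | Sort-Object DaysCovered |
    Format-Table Log, Enabled, MaxSizeMB, LogMode, AtDefaultSize, Records, DaysCovered, PercentFull -AutoSize
```

A small DaysCovered value on a channel that is AtDefaultSize and Circular is the typical finding: the log is rolling over long before the retention window an investigation would need. Wrap the call in Invoke-Command to collect the same table from servers and workstations fleet-wide.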

Our goal is to give the customer more visibility over their environment. For example, we can map logs to the MITRE ATT&CK Framework so that, if an incident occurs, it’s easier to identify the lifecycle of the attack or breach.  

As we’ve discussed many times, logging is vital to incident response and proper network hygiene for a variety of reasons: 

  • Incident detection and response: Security incidents are bound to happen. When one occurs, logs become invaluable: they offer a detailed trail of events leading up to and following the incident. Having this data can lead to quicker detection and more effective containment.
  • Forensic analysis: Post-incident, logs play a significant role in understanding the nature and impact of a cybersecurity breach. They help identify the vulnerabilities exploited, determine the extent of data exposure and provide insights to prevent future attacks.
  • Compliance and audits: Various regulations such as GDPR, HIPAA and PCI-DSS mandate logging and regular reviews. Logs help demonstrate compliance, protect your organization from potential legal ramifications, and provide auditors with the necessary data.
  • Operational insights: Logs provide insight into the health and performance of systems, offering a clear picture of system behavior and helping IT teams optimize performance and scalability.

Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding the Cisco Talos Incident Response Retainer Service or the availability of the Log Architecture Assessment service component.