How Enhanced Logging Enables Better Breach Investigation, Remediation, And Security

Every time a major data breach makes the headlines, the company in question almost always struggles to answer the most important question: Why did it take so long to detect the breach, and what exactly did the attackers steal? Even though companies maintain transactions logs, investigators need to look at log entries that could run into the millions to find out what was accessed by whom and when. This affects the investigation, remediation, and calls the company’s data security practices into question.

Connecting The Dots With Multiple Log Files Is A Challenge

When asked how the U.S. government missed the SolarWinds and Microsoft Exchange Server hacking for so long, National Security Agency Director Gen. Paul Nakasone said, “It’s not the fact that we can’t connect the dots — we can’t see all the dots.” This is a very significant statement and highlights a serious problem with breach detection and remediation.

Many companies use legacy applications like PeopleSoft or legacy versions of SAP for their business operations. They store vast amounts of sensitive and confidential data that is essential to facilitate day-to-day transactions. However, once the user gains access, these applications offer limited monitoring and logging capabilities – creating blind spots that allow intruders to stay undetected for months.

According to the 2020 IBM Cost of a Data Breach Report, it takes 280 days, that’s more than nine months, to identify and contain a breach. Even with robust monitoring and logging capabilities in place, the volume of raw log information generated makes it virtually impossible to determine any meaningful insights to make a timely impact.

In fact, it is routine for incident detection teams to end up sorting through more false positives than malicious activities that are the real threat. Considering the volume of log data, it is rare for security teams to spot potentially malicious behavior in time to take preventive measures. And should a breach occur, investigation and forensics teams are confronted with a mountain of log entries that need to be analyzed to estimate the damage.

How Logging And Detection Can Be Enhanced

Logging and monitoring are important security measures that enable both prevention and detection of threats. Logging allows you to understand user behavior, trace malicious activity, and react to incidents enabling faster detection. In the event of a breach, logs allow forensic investigators to reconstruct events, determine the extent of data exposure, and take effective steps to remediate the problems that led to the breach. Here are some of the ways companies can enhance their logging capabilities to detect and prevent threats.

Granular Activity Logging

Most applications offer some degree of monitoring and logging, but security teams need to decide if the recorded log data is granular enough. In many cases, applications provide limited visibility into user activity once access has been granted. Transaction details like what data was accessed, by whom, from where/what device, and why are crucial to determining context and risk. These details enable faster detection and allow administrators to run reports and perform audits.

Access Checkpoints

Users perform multiple transactions and access a variety of data every day, including PII and confidential data. Using dynamic data masking and creating checkpoints like Click-to-View and Step-Up MFA to access specific data fields within your ERP ecosystem ensures that data isn’t needlessly exposed and access to sensitive data is always logged. This also creates an audit trail that aids investigation and remediation efforts.

Real-Time Monitoring

Monitoring and logging are essentially two sides of the same coin for the simple reason that you cannot monitor what you’re not logging. A real-time monitoring and analytics tool that draws insights from the vast volume of logs that are generated every day enables security teams to get detailed information on transactions and data access, failed login attempts, and potential brute force attacks. Such tools also provide administrators and auditors with detailed reports and visually rich dashboards that show trends in behavior and usage.

As attacks increase in frequency and sophistication, companies and government departments are trying to find ways to detect attackers faster and initiate remediation to prevent future attacks. The 2020 SolarWinds attack was a stark reminder of the extent of damage hackers can cause. It even prompted the U.S. President to issue an Executive Order which asks federal departments to strengthen their cybersecurity defenses and improve investigative and remediation capabilities.

While logging is vital for breach investigations and remediation, it can also be used as a tool for proactive and preventative security. By enhancing logging and monitoring capabilities, companies can not only bring down the dwell time but also derive insights that enable active detection and reduce potential security incidents.

Monitoring And Logging With Pathlock

Pathlock enables you to enhance your logging capabilities by capturing granular transaction details within your ERP applications. Controlled by a configurable rules engine, Pathlock lets you add click-to-view features to log exposure of specific data fields and enforce step-up authentication for sensitive transactions. Appsian360, a visibility and analytics solution, provides the most powerful, real-time view into your ERP data access and usage while maintaining complete visibility of sensitive business transactions.

Schedule a demo with our ERP security experts to get a first-hand look at our enhanced logging and monitoring solutions.