Well, in today’s post it is all about the logging. In a future post it will be all about the alerting.
Sensitive data. What is it?
While some types of data are obviously sensitive (bank account details, social security numbers, dates of birth, private health records), most companies are widening that definition to include financial information, intellectual property and any other designated data that would represent a risk if exposed.
Sensitive data is typically managed and stored in applications. In today's connected world, users reach those applications from a variety of devices that may or may not sit inside the corporate network, and they typically connect through a web browser, the most common client application in an internet-driven world.
Bottom line: those applications are now open to a much larger population of users. They are also exposed to any potential bad actor with a web browser.
And adding to the challenge, many of those applications that house sensitive data were designed and deployed back in the pre-internet days, when access was limited to a few select individuals behind the walls of the corporate network. Security controls back then didn’t account for opening those applications to the world.
But the end goal hasn’t changed. Data needs to be protected. Sensitive data really really needs to be protected.
The key to protecting that population of sensitive data is applying controls that limit access to that data to only those individuals that need to see it, and only when they need to see it.
The question becomes, how do you monitor the effectiveness of those controls? And how do you respond in a timely manner when those controls are subverted or bypassed?
This is where effective logging comes into play. And by effective, I mean comprehensive and tailored to formats that enable easy searching and investigation.
Let’s focus on access activity logging. What are some key components of an effective application access logging strategy?
- Utilize an easily configurable logging framework that 1) understands every component of an access transaction (who, from where, from what device, to which component, touching which data, with what outcome), and 2) exposes each of those components as a capturable token.
- Utilize a framework with flexible output options that allow specific and granular logging around definable access activities such as high-privilege logins, failed login attempts and sensitive data exposure.
- Utilize a framework that can store logs in customizable formats to feed a designated SIEM (Security Information and Event Management) platform such as Splunk, ArcSight and/or QRadar. In the absence of a SIEM, the framework should support storage in syslog or CSV formats.
Introducing an effective logging framework is a key component in an application security strategy. It is especially critical when dealing with legacy applications where the built-in logging capabilities are limited and not very configurable.
Reach out to firstname.lastname@example.org and let us show you how Appsian can help bolster your application logging capabilities.