In the world of cyber security, details are everything: details about the security posture of software and hardware, details about data availability and encryption, and details about security events.
How do you ensure that you are collecting and analyzing all of the details you need? The answer is auditing. With the proper audit trail in place, you can stay on top of all of the details that power an effective security strategy.
Let’s take a look at what effective security auditing involves in practice, how to implement proper reporting, and how an audit trail helps to ensure compliance.
Part of the job of a security professional is to record unusual activities by creating reports based on logs and alerts. The purpose of a report is to help stakeholders understand incidents, and to help create an audit trail that demonstrates your security team’s commitment to announcing and investigating all suspicious activity.
The key thing when writing reports is to know the target audience and portray the correct information to them as clearly as possible. In addition, reports need to have the following characteristics:
- Reports must be easy to read, timely, complete, clearly understandable, accurate and brief.
- They need to be actionable or at least give mitigations and suggest solutions.
- The report needs to be clear to both executive management and technical staff.
In terms of reporting methods, there are usually two variations:
Reporting by finding: Listing findings by severity score with technical details, usually based on automated tools that run after specific events. Sometimes the tools give potential mitigations if the information is sufficient.
Empirical reporting based on methodology: Here you rely on industry experience with tools, techniques and forensic methodologies to record observations for a specific area, following a testing strategy. You record the findings and the potential remediations. The advantage is that you can put your thinking and experience down on paper, and people can learn from the outcome. The downside is that the report tends to be longer and harder to automate, since it relies on experience.
A good report should include:
- Screenshots and command-line executions
- All the affected items or areas
- A description of the issue and how it relates to the affected item
- Potential remediations
- A severity score for prioritization, ideally using a tool such as the CVSS calculator.
Your audit trail should also be constructed with compliance requirements in mind.
There are a number of different compliance frameworks that might apply to your organization, such as PCI DSS, ISO 27001, SOX, HIPAA, and GDPR. Creating the right audit trail and reports entails understanding the specific requirements of any compliance frameworks that affect you, and determining who will perform audits related to them and what that group’s expectations are.
Generally, computer security audits are performed by the following groups:
- State Regulators – certified accountants, CISA, etc. They act on behalf of the state/government.
- Internal Auditors – certified accountants, CISA, Certified Internet Audit Professionals, etc. They act on behalf of the company and try to meet compliance criteria or correct findings from past audits.
- External Auditors – specialize in areas related to technology auditing and are not affiliated with their auditing clients. They act on behalf of their qualifications and reputation, and they have to maintain conformance.
Organizations need to be aware that auditors will have an agenda and they will be looking for specific things. Establishing good practices beforehand will help reduce the number of critical observations, and employees will not be surprised when management asks them to do their jobs.
Auditing Best Practices
It’s often said that auditing is a security measure and not an inconvenience. In order to meet compliance and support the highest level of operational performance, organizations need to introduce security auditing and reporting controls and be able to prove beyond a doubt that they truly use the security controls they advertise. Staying on top requires working proactively by adopting the following best practices:
- Start writing reports: Start writing reports that relate to security checks, and make sure controls are in place and are recorded in the system. The reports need to be in compliance with the existing regulations and technologies the organization uses.
- Train users to audit now and often: Train employees to actively report and record any important events during their daily activities. This will help catch unusual patterns or gaps and leave a clear audit trail of all work activities. Achieving compliance requirements will demand the efforts of all stakeholders that take part in the business—not just the security department.
- Start using compliance frameworks: Even if you don’t plan to meet a certain security certification for your organization, having an automated compliance management system like Twistlock Compliance Explorer certainly helps save time and money. As the technology domain changes constantly, so does legislation. Being proactive in regard to regulations is no small thing, especially if there are hefty costs for lack of compliance.
The final verdict? Organizations should not leave security as an afterthought. Therefore, it is critical to include auditing as part of a security plan, and it must be proactively introduced as a critical security control. Ultimately, we have to trust that there will be no security issues with our systems, and we need to work to verify that they do not exist.