Logging and Monitoring Failures

Author: Prabu Karuppiah

Having covered examples, mitigations and tools for both secure code and infrastructure, we now move on to logging and monitoring. This piece of the puzzle is often overlooked, but it is no less critical. To appreciate why, consider IBM's 2022 Cost of a Data Breach report, which puts the average time to identify and contain a breach at roughly nine months (277 days). There is no telling how much damage an attacker can do to an application and its users in even a fraction of that time.

Logging and monitoring are essential for understanding how users interact with your application. They give you insight into how the application is used (and not used) from a functional perspective, and they are every bit as critical from a security perspective. Without proper logging and monitoring your security posture is severely weakened: you cannot tell when a threat actor is using the application in a way that was never intended. With them in place you gain that awareness, and with it precious early warning to remediate issues before they escalate.

Security Logging and Monitoring Failures:

This category was number 10 on the OWASP Top 10: 2017 list (as Insufficient Logging & Monitoring) and was promoted to 9th position in OWASP Top 10: 2021. The move signals the increasing weight of this category: breaches can happen at any time, attacks grow more complex year after year, and there is an acute need for a system that can detect them. Without one you are trying to see in the dark, and you cannot react to something you cannot see.

Let's explore some examples of an application failing to implement proper logging and monitoring mechanisms (the full list can be found in the OWASP article linked at the end of this post):


  • Applications that don't have real-time or near-real-time monitoring and logging capabilities. Here threat actors can probe the system without worrying about detection until engineers manually audit the log files, which generally won't happen until after a breach has occurred or a problem has been reported (e.g. a system has become unavailable).
  • Applications that don't log auditable events such as password changes, high-value transactions or failed logins, or that only log them once a certain number of attempts has crossed a threshold. An attacker who stays below the threshold, or spreads attempts across many accounts, leaves no trace at all.
  • Applications that don't ship their logs to a central storage location but keep them on the original host machine. This creates a high risk of losing the logs if the instance goes down (or if an attacker who gains access to the host tampers with them), and it is an operational nightmare to sift through log files across multiple systems in a distributed environment.
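The following is an added example, not code from the article or from Archimydes, that turns the first two failures above into something concrete: an application writes one structured audit line for every auditable event (no threshold suppression), and a small near-real-time detector scans that stream for brute force against one account and for password spraying from one IP. It then simulates the "only log after N failures" anti-pattern and shows that the same spray becomes invisible. The JSON field names, thresholds, window size, IP addresses and account names are assumptions chosen for illustration, and the log lines are constructed inline.

```python
"""Structured audit logging and a near-real-time failed-login detector.

Added illustration of the logging and monitoring failures discussed above;
not the article's own code. Field names, thresholds and sample data are
assumptions made for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Events the application must always record (assumed list for this example).
AUDITABLE = {"login_failed", "login_success", "password_changed", "high_value_transfer"}


def audit_event(event, actor, source_ip, ts, **fields):
    """Return one JSON audit line. Every auditable event is written unconditionally,
    so a detector can correlate them later; nothing is suppressed below a threshold."""
    if event not in AUDITABLE:
        raise ValueError(f"not an auditable event: {event}")
    record = {"ts": ts.isoformat(), "event": event, "actor": actor, "src_ip": source_ip}
    record.update(fields)
    return json.dumps(record, sort_keys=True)


def detect_brute_force(lines, window=timedelta(minutes=5), per_account=5, per_ip=10):
    """Scan JSON audit lines in order and return a list of alerts.

    per_account: failed logins for one account inside `window` (classic brute force).
    per_ip:      failed logins from one source IP across any accounts inside `window`
                 (password spraying, which per-account thresholds alone never catch).
    Each alert fires once, when the count first reaches the limit.
    """
    by_account, by_ip, alerts = defaultdict(list), defaultdict(list), []
    for line in lines:
        rec = json.loads(line)
        if rec["event"] != "login_failed":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        for key, bucket, limit, kind in (
            (rec["actor"], by_account, per_account, "brute_force_account"),
            (rec["src_ip"], by_ip, per_ip, "password_spray_ip"),
        ):
            times = bucket[key]
            times.append(ts)
            while times and ts - times[0] > window:  # sliding window: drop old events
                times.pop(0)
            if len(times) == limit:
                alerts.append({"kind": kind, "key": key, "at": ts.isoformat(), "count": limit})
    return alerts


def threshold_only_lines(lines, threshold=3):
    """Simulate the anti-pattern: a login_failed line is only written once an account
    has failed `threshold` times. All other events pass through unchanged."""
    seen, out = defaultdict(int), []
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "login_failed":
            seen[rec["actor"]] += 1
            if seen[rec["actor"]] < threshold:
                continue
        out.append(line)
    return out


def sample_log():
    """Constructed audit stream: one attacker IP (203.0.113.7) trying a single password
    against 12 different accounts, plus a legitimate user who mistypes twice, logs in
    and then changes her password. Returned sorted by timestamp."""
    t0 = datetime(2022, 1, 1, 12, 0, tzinfo=timezone.utc)
    lines = [
        audit_event("login_failed", f"user{i:02d}", "203.0.113.7",
                    t0 + timedelta(seconds=10 * i), reason="bad_password")
        for i in range(12)
    ]
    lines += [
        audit_event("login_failed", "alice", "198.51.100.5", t0 + timedelta(seconds=30)),
        audit_event("login_failed", "alice", "198.51.100.5", t0 + timedelta(seconds=45)),
        audit_event("login_success", "alice", "198.51.100.5", t0 + timedelta(seconds=60)),
        audit_event("password_changed", "alice", "198.51.100.5", t0 + timedelta(seconds=90)),
    ]
    lines.sort(key=lambda l: json.loads(l)["ts"])
    return lines


if __name__ == "__main__":
    full = sample_log()
    print("full logging   :", detect_brute_force(full))            # one password_spray_ip alert
    print("threshold-only :", detect_brute_force(threshold_only_lines(full)))  # []
```

With every failure logged, the per-IP window reaches ten failures on the tenth sprayed account and raises a single password-spray alert while the legitimate user's two typos stay below every limit. Feed the same attack through the threshold-only logger and no failed-login line is ever written, so the detector has nothing to see. The JSON lines are deliberately one record per line so they can be shipped unchanged to a central collector, which addresses the third failure above.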

There is only so much anyone can do to safeguard an application without proper logging and monitoring in place. The first step in handling and fixing a breach is detecting that one has occurred, and the longer it takes an engineering team to detect a breach or an attempted breach, the greater the potential damage to the application and its users. Logs play a significant role in accountability, visibility and digital forensics, and should always be taken into account when developing an application. In the next post, we will look at ways to deal with common logging and monitoring issues.

Please find the full article here, to see the full list of Logging and Monitoring Failures.

I hope you enjoyed this article, and please subscribe for the upcoming articles!

The Archimydes team
