_By Rami Altalhi and David Roman._
Logs are fundamental to strengthening an organization's digital defenses. Many logs within an organization contain records related to computer security.
These computer security logs are generated by many sources, including security software, workstations, servers, antivirus software, EDRs, firewalls, intrusion detection and prevention systems, and networking equipment.
Many organizations face different challenges in collecting, reviewing and managing logs. As the adoption of digital technologies increases, the volume of log data grows, which makes it challenging for cybersecurity teams to identify which logs are most valuable when investigating and analyzing threats.
To simplify companies' logging challenges and bolster incident response planning, the Talos IR team will soon offer Log Architecture Assessment as part of the services available through the Cisco Talos Incident Response Retainer Service. The Log Architecture Assessment can help companies analyze, collect and prepare their logs so they are better equipped for any potential threats. In addition to an incident response plan, having strong logging policies and understanding those policies gives the company better data points and references for making well-informed decisions during future incidents.
During a Log Architecture Assessment, Talos IR will look at customers' environments to determine what, if any, logs are being collected, processed and correlated and how they can be better identified and sorted to spot potentially malicious events. This enables the company to create a timeline of events more easily during any future incidents.
Customers do not need to prepare anything ahead of time for a Log Architecture Assessment – Talos IR will work with the customer to:
Our goal is to give the customer more visibility over their environment. For example, we can map logs to the MITRE ATT&CK Framework so that, if an incident occurs, it's easier to identify the lifecycle of the attack or breach.
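As an added illustration of the coverage check and ATT&CK mapping described above (example code written for this post, not Talos IR's own tooling), the script below takes a constructed inventory of collected log sources, reports which techniques have no visibility at all, and orders events from several sources into a single timeline. The log-source names and the technique-to-source mapping are assumptions for the example; only the technique IDs are real ATT&CK identifiers.

```python
from datetime import datetime

# Constructed example: the log sources an organization actually collects,
# the kind of inventory built during a log architecture assessment.
COLLECTED_SOURCES = {"windows_security", "firewall", "edr"}

# Real ATT&CK technique IDs mapped to the (assumed) log sources that give
# visibility into them. This is an illustrative mapping, not ATT&CK's
# official data-source list.
TECHNIQUE_SOURCES = {
    "T1078 Valid Accounts": {"windows_security"},
    "T1110 Brute Force": {"windows_security", "vpn"},
    "T1059 Command and Scripting Interpreter": {"edr"},
    "T1021 Remote Services": {"windows_security", "edr"},
    "T1071 Application Layer Protocol": {"firewall", "proxy"},
    "T1567 Exfiltration Over Web Service": {"proxy"},
}


def assess_coverage(collected, mapping=TECHNIQUE_SOURCES):
    """Return (covered, gaps). A technique counts as covered when at least one
    of its sources is collected; gaps maps each blind technique to the
    sources that would need to be added to see it."""
    covered, gaps = [], {}
    for technique, sources in mapping.items():
        if sources & collected:
            covered.append(technique)
        else:
            gaps[technique] = sorted(sources - collected)
    return covered, gaps


# Constructed, already-normalized records from three sources; each carries
# the source, a UTC timestamp and the technique it was mapped to.
SAMPLE_EVENTS = [
    {"source": "edr", "ts": "2024-05-01T10:04:00Z",
     "msg": "powershell.exe launched by winword.exe", "technique": "T1059"},
    {"source": "windows_security", "ts": "2024-05-01T10:01:30Z",
     "msg": "4624 logon type 10 user=svc-backup", "technique": "T1021"},
    {"source": "firewall", "ts": "2024-05-01T10:09:12Z",
     "msg": "allow 10.0.0.5 -> 203.0.113.9:443", "technique": "T1071"},
]


def build_timeline(events):
    """Order events from all sources by timestamp so the attack lifecycle
    reads in sequence; returns (timestamp, source, technique) tuples."""
    key = lambda e: datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return [(e["ts"], e["source"], e["technique"]) for e in sorted(events, key=key)]
```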
As we've discussed many times, logging is vital to incident response and proper network hygiene for a variety of reasons:
Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding the Cisco Talos Incident Response Retainer Service or the availability of the Log Architecture Assessment service component.