Introduction

Insufficient logging and monitoring appears in the OWASP Top 10 for several reasons: it is hard to detect, and it is also hard to protect against. There are several ways we can protect ourselves from this weakness, but first we need to cover what it entails.


What is Insufficient Logging & Monitoring?

Besides not logging enough entries when events occur, this issue also covers the amount of detail that is logged: we should make sure we can trace back anything required in the event of an unwanted occurrence such as a cyberattack. Common events to think about are logins, logouts, requests and responses that matter to business users, and anything related to limited resources such as wallets.

It is not only about what is logged but also about how a log entry interacts with the system. If a log entry is written containing unexpected characters, it can break the integrity of the logs. This is known as log injection or log poisoning.
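As an added example (not code from the original article), the log-injection problem described above: a naive logger that concatenates untrusted input into a plain-text line lets a crafted username forge what looks like a second log entry, while a logger that neutralizes control characters and writes one JSON record per line keeps the log intact. The function names, the forged username and the event names are assumptions constructed for this example.

```python
import json
from datetime import datetime, timezone

# Constructed sample input: a username carrying CR/LF so that a naive
# logger writes what looks like a second, successful login entry.
FORGED_USERNAME = "alice\r\n2024-01-01T00:00:00Z LOGIN_OK user=admin"


def naive_log_line(event: str, user: str) -> str:
    """Vulnerable pattern: untrusted data concatenated into a log line."""
    ts = datetime.now(timezone.utc).isoformat()
    return f"{ts} {event} user={user}"


def neutralize(value: str) -> str:
    """Escape CR, LF and other control characters so a value can never
    terminate the current log line or start a new one."""
    out = []
    for ch in value:
        if ch in "\r\n":
            out.append(ch.encode("unicode_escape").decode())  # '\\r' / '\\n'
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append(f"\\x{ord(ch):02x}")
        else:
            out.append(ch)
    return "".join(out)


def safe_log_line(event: str, user: str) -> str:
    """Hardened pattern: neutralized fields inside a structured JSON record,
    one event per line, so a line-oriented log reader sees exactly one entry."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event,
        "user": neutralize(user),
    }
    return json.dumps(record, ensure_ascii=True)


def entry_count(log_line: str) -> int:
    """How many entries a line-oriented log reader would see in this line."""
    return len(log_line.splitlines())


def parsed_user(log_line: str) -> str:
    """Recover the stored user field from a structured (JSON) log line."""
    return json.loads(log_line)["user"]
```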

We also need to ensure that sufficient monitoring is in place to safeguard the application; there is no use in logging things that nobody monitors. This goes further than the logs themselves: we need to monitor everything, including APIs and connections to third-party applications.

Make sure the logging infrastructure itself is secure and that malicious actors cannot easily access it: replace default passwords and place the logging system in a secure, internal location.

How to detect Insufficient Logging and Monitoring

Detecting this vulnerability is not an easy task, as it requires a good inventory system that keeps track not only of what hardware is in the environment but also of what software is running and which of its flows matter to the business stakeholders. Communication is a hurdle for many companies, so expecting many teams to work together is hard without proper oversight. This inventory needs to be centralized and managed by one team within the company that keeps it up to date on a regular basis.

It is also important to investigate new vulnerabilities and CVEs as they arise, since they might affect the organization. This can be narrowed down to the components running within our organization; for example, we can go to Exploit-DB and search for “microsoft” to see that practical vulnerabilities are still being discovered quite often.

https://www.exploit-db.com/

Of course we can perform our monitoring with tools, but with so many on the market, which do you pick?

https://www.nagios.com/

https://www.snort.org/

https://www.splunk.com/