Here is something you may not think of on your website: Do you know how many failed login attempts have occurred in the past day? Do you know how many of those were for each account? If not, you may have a deficiency when it comes to event and security logging. Of course, something like an event log might not directly protect your site or data, but, were something like a breach ever to occur, you may have a much harder time containing that potential threat actor due to the lack of event information.
For example, if you knew that an IP address that you don’t recognize was attempting to log into many accounts on your website, in a type of password spraying attack, it would probably incline you to check the rest of your controls and audit the rest of your data and systems to ensure you are not compromised already. Once confident of that, you can “contain” the IP address in one way by blocking it.
It’s true what they say, ignorance is bliss. If you did not know about those failed attempts, and you were previously compromised, there may be data slowly leaking from your website and customers without your knowledge! This example is a little extreme, but it illustrates one of the ways this kind of data should be taken seriously.
What Should You Log?
While it’d be great if we could log everything, for many of us the amount of data that would be generated would be too great to effectively use and triage in a serious situation. Instead, there are some critical events that should be taken into account, and then others that are more optional, but very nice to have.
One of the most important things to log, as mentioned above, is login events. These can be login failures, login successes, and lockout events. If you don’t need to guess the password into your account and don’t fail the login process often, then it would be out of the ordinary for it to fail without your knowledge or multiple times. In this case, even sending emails for high privilege account logins is a good idea.
Another critical log you would benefit from is account creations and deletions. This can help identify potentially rogue accounts and give you more breadcrumbs to lead to the source of the issue.
If you run an eCommerce site, another piece of data for logging would be transactions. Audit trails are great and sometimes required for this kind of business. You can log all of them, but it may be better to do ones that are over a certain dollar amount if it’s too much data. Just don’t let anyone know that’s how you do it!
According to an IBM report, it took companies an average of 191 days to find a breach in 2016. That’s a LOT of time for someone to poke around, steal data, and gain a comfortable foothold. We can’t know about something if we don’t track it, and the implications can be serious. On top of that, the more you can “shut down” probing and recon by a cyber threat actor, the better off you and your customers will be.