Security Logging and Monitoring Failures
In the OWASP Top 10 (A09:2021), security logging and monitoring failures cover applications that do not record security-relevant events, do not watch the events they do record, and cannot respond to an attack in time. Without that visibility, a breach can go undetected for a long period and cannot be investigated properly afterwards.
Description
Without proper logging and monitoring, a breach or an active attack cannot be detected, investigated or responded to in time. In practice this means:
❌ Important events such as logins, failed logins and critical transactions are not logged.
❌ Warnings and errors produce unclear, inadequate or no log messages.
❌ Logs are not monitored for suspicious activity.
❌ Logs are not persisted, e.g. they live only on the container or VM and are discarded when the service is redeployed.
❌ The application does not detect, escalate or alert on thresholds set in the monitoring system, so attacks are not noticed while they are happening.
❌ There is no incident response or recovery plan for handling any of the above.
Prevention
Developers, in cooperation with the platform and/or security team, should go through the application(s) and make sure the following has been implemented:
✅ Log important events. If you handle sensitive data, e.g. health care or payment records, mask or drop the sensitive fields before they reach the logs; a log store is rarely protected as well as the database it describes.
✅ Make log events readable and clear, ideally in a structured format with a consistent set of fields. If you pollute the logs with unrelated errors and warnings, finding the event you need becomes even harder.
✅ Set up a monitoring dashboard that tracks suspicious activity, from brute-force attempts to attacker-controlled strings injected into the logs. Encode log values (for example as JSON) so that a newline in user input cannot forge a separate log line.
✅ Persist all logs for a defined retention period (months or years, depending on your requirements). Containers and VMs typically discard local logs on redeployment, so ship them to a central log system outside the host, where an attacker who compromises the application cannot tamper with or delete them.
✅ Set up alerts in your monitoring system for suspicious activity, and push them to a channel your team actually watches, such as Slack or a paging system, so that they are acted on quickly.
✅ Create an incident response and recovery plan for your team or organization, so that everyone knows what to do when something happens.
✅ Make sure logs are never exposed to end users through the application, for instance via verbose error pages or stack traces in API responses.
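The following is an added example and not code from the original page: it shows structured security-event logging (one JSON line per event, which also defeats newline-based log injection) and the kind of threshold rule a monitoring system would evaluate over those events, here a brute-force detector that alerts when one source IP produces five failed logins inside a five-minute window. The logger name, event names, threshold, window and the sample traffic are all assumptions made for the illustration.

```python
import json
import logging
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Hypothetical logger name; where it ships to is up to the platform.
audit_log = logging.getLogger("security.audit")


def log_security_event(event: str, outcome: str, user: str, source_ip: str,
                       ts: Optional[datetime] = None) -> str:
    """Emit one security event as a single JSON line and return it.

    json.dumps escapes quotes and newlines, so an attacker-controlled value
    such as a username containing "\\n" cannot forge a second log line
    (log injection). `ts` can be passed only so the sample is deterministic."""
    record = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": event,          # login, logout, password_change, payment, ...
        "outcome": outcome,      # "success" or "failure"
        "user": user,
        "source_ip": source_ip,
    }
    line = json.dumps(record, separators=(",", ":"))
    audit_log.info(line)
    return line


class BruteForceDetector:
    """Alert once per source IP when it produces `threshold` failed logins
    inside a sliding `window`. This is the threshold rule a monitoring
    system would run over the shipped logs."""

    def __init__(self, threshold: int = 5,
                 window: timedelta = timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self._failures: Dict[str, deque] = defaultdict(deque)  # ip -> timestamps
        self.alerted: Set[str] = set()

    def ingest(self, line: str) -> Optional[dict]:
        """Feed one JSON log line; return an alert dict or None."""
        rec = json.loads(line)
        if rec.get("event") != "login" or rec.get("outcome") != "failure":
            return None
        ip = rec["source_ip"]
        ts = datetime.fromisoformat(rec["ts"])
        recent = self._failures[ip]
        recent.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold and ip not in self.alerted:
            self.alerted.add(ip)
            return {"alert": "possible_brute_force", "source_ip": ip,
                    "failures": len(recent),
                    "window_seconds": int(self.window.total_seconds())}
        return None


def run_sample() -> List[dict]:
    """Constructed sample traffic (not real data): six failed logins for
    "alice" from one IP within 75 seconds, one failure from another IP,
    then a success. Returns the alerts raised."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = [("login", "failure", "alice", "203.0.113.7",
               base + timedelta(seconds=15 * i)) for i in range(6)]
    events.append(("login", "failure", "bob", "198.51.100.2",
                   base + timedelta(seconds=30)))
    events.append(("login", "success", "alice", "203.0.113.7",
                   base + timedelta(seconds=100)))

    detector = BruteForceDetector(threshold=5, window=timedelta(minutes=5))
    alerts = []
    for event, outcome, user, ip, ts in events:
        line = log_security_event(event, outcome, user, ip, ts=ts)
        alert = detector.ingest(line)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(message)s")
    for a in run_sample():
        print("ALERT:", a)
```

Run as a script it prints the eight audit lines followed by one alert for 203.0.113.7, raised on the fifth failure and not repeated on the sixth. The detector is deliberately in-process so the rule is easy to read; in production the same rule lives in the monitoring system (Elastic, Splunk, Datadog and the others listed below all support it) so that it keeps working when the application host itself is compromised.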
Example
Your application handles personally identifiable information (PII), but the developers did not plan the logging carefully. The service logs every HTTP POST request in full, including request bodies, so users' PII now sits in the logs. If a vulnerability in the app is exploited and the attackers reach those logs, the logs become a second copy of the data you were trying to protect, and the breach is far larger than the original bug.
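As an added example (not code from the original page), here is the pattern from the scenario above next to a hardened version: the unsafe handler logs the whole POST body, while the safe one applies a default-deny policy in which only allow-listed fields are logged as-is, a few identifiers are logged in masked form so events can still be correlated, and everything else is redacted. The field names, the policy sets and the sample request are assumptions made for the illustration.

```python
import json
from typing import Any

# Constructed sample request body (not real data), as a signup endpoint
# might receive it.
SAMPLE_BODY = {
    "username": "jdoe",
    "password": "hunter2",
    "email": "jane.doe@example.com",
    "ssn": "123-45-6789",
    "card_number": "4111111111111111",
    "plan": "premium",
    "profile": {"phone": "+15551234567", "newsletter": True},
}

# Hypothetical policy. Default-deny: a field not listed here is redacted.
LOG_FIELDS = {"username", "plan", "newsletter"}          # safe to log as-is
MASK_FIELDS = {"email", "ssn", "card_number", "phone"}   # log a masked form


def log_request_unsafe(path: str, body: dict) -> str:
    """BEFORE: the entire POST body, secrets and PII included, is logged."""
    return f"POST {path} body={json.dumps(body)}"


def mask_value(key: str, value: Any) -> str:
    """Keep just enough of a value to correlate events, never the full PII."""
    s = str(value)
    if key == "email" and "@" in s:
        local, _, domain = s.partition("@")
        return f"{local[:1]}***@{domain}"
    if len(s) <= 4:
        return "*" * len(s)
    return "*" * (len(s) - 4) + s[-4:]   # last four characters only


def redact(value: Any, key: str = "") -> Any:
    """Recursively apply the policy to nested dicts and lists."""
    if isinstance(value, dict):
        return {k: redact(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, key) for v in value]
    if key in LOG_FIELDS:
        return value
    if key in MASK_FIELDS:
        return mask_value(key, value)
    return "[REDACTED]"


def log_request_safe(path: str, body: dict) -> str:
    """AFTER: one JSON line containing only allow-listed or masked fields."""
    return json.dumps({"event": "http_request", "method": "POST",
                       "path": path, "body": redact(body)})


if __name__ == "__main__":
    print(log_request_unsafe("/signup", SAMPLE_BODY))
    print(log_request_safe("/signup", SAMPLE_BODY))
```

The important design choice is the default: an allow-list fails closed when a new field is added to the form next year, whereas a deny-list of known-sensitive names silently starts logging whatever nobody thought to list. Masking rather than dropping identifiers such as the card number keeps the log useful for fraud investigations without turning the log store into a copy of the cardholder data.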
Note
There is much more to this topic, so have a look at the official OWASP documentation.
Resources
https://en.wikipedia.org/wiki/Personal_data
https://owasp.org/Top10/A09_2021-Security_Logging_and_Monitoring_Failures/
Tools
Elastic: https://www.elastic.co/
AWS: https://aws.amazon.com/opensearch-service/
Grafana: https://grafana.com/
Datadog: https://www.datadoghq.com/
Sentry: https://sentry.io/welcome/
New Relic: https://newrelic.com/
Splunk: https://www.splunk.com/