This article is taken from our HIPAA Guide. For more information on this topic, download our free HIPAA Guide.
“Tools used for audit logging and log analysis are called security information and event management (SIEM) solutions.”
Monitoring audit logs for all critical systems and devices in your environment is key to understanding what types of events and actions occur on a daily basis, allowing you to establish a baseline of what is considered normal system activity. This will make it easier to identify anomalous and other abnormal events that can indicate malicious or undesirable activity taking place in your environment. The ability to identify and act on these events as they happen is critical to preventing breaches and data loss, or at the very least, reducing the duration and severity of such events.
Initially, the task of monitoring system logs can seem daunting, due to the volume of data that can be generated. In all but the smallest environments, it will likely be necessary to implement a Security Information and Event Management (SIEM) solution to aggregate and analyze log data in a way that provides you with usable information. Make sure to enable event logging functionality on your systems and configure them to export the data to your SIEM solution, allowing you to automate its powerful event correlation and issue tracking functions.
Then, configure the SIEM to alert you via email, text message, or even phone call, if certain predefined conditions are detected on any monitored system. Most SIEM packages come with a set of built-in triggers for such alerts, but make sure you spend the time to set up effective and useful triggers appropriate to your specific setup and system types. Another thing to consider when setting up your SIEM solution is making sure it has enough storage space to meet HIPAA and any other log data retention requirements you need to comply with.
Once your SIEM solution is set up and a baseline is established, it is important to assign responsibility for responding to the inevitable alerts that will be generated. Make sure alert messages are being received by appropriate personnel in a timely manner, and that they know what to do in the event an alert is received. Not having a response plan in place for alerts is like installing an elaborate security system in your office, but then leaving the alarm siren unplugged!
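As an added illustration of the baseline-then-trigger workflow described above (example code written for this article, not taken from the HIPAA Guide or from any SIEM product): it parses an assumed, constructed audit-log format, learns per-user norms from a known-good day, and then applies two predefined triggers of the kind a SIEM alert rule would implement, a login from a host never seen for that user and a burst of failed logins above the learned baseline.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Assumed line format (constructed for this example, not taken from the article):
#   "<YYYY-MM-DDTHH:MM> host=<h> user=<u> action=<a> result=<ok|fail>"
LINE_RE = re.compile(r"^(?P<ts>\S{16}) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"action=(?P<action>\S+) result=(?P<result>ok|fail)$")

def parse(lines):
    """One dict per well-formed line; malformed lines are dropped, never guessed."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def build_baseline(events):
    """Learn 'normal' from a known-good window: hosts per user, failed logins per user-hour."""
    hosts, fails = defaultdict(set), defaultdict(Counter)
    for e in (e for e in events if e["action"] == "login"):
        if e["result"] == "ok":
            hosts[e["user"]].add(e["host"])
        else:
            fails[e["user"]][e["ts"][:13]] += 1      # ts[:13] is "YYYY-MM-DDTHH"
    return {"hosts": hosts, "fails": fails}

def alerts(baseline, events, min_burst=5):
    """Two predefined triggers: login from a host never seen for that user, and
    failed logins in one hour above max(min_burst, baseline mean + 3 std dev)."""
    out, seen = [], defaultdict(Counter)
    for e in (e for e in events if e["action"] == "login"):
        user, host, hour = e["user"], e["host"], e["ts"][:13]
        if e["result"] == "ok":
            if host not in baseline["hosts"].get(user, set()):
                out.append(f"{hour} NEW_HOST user={user} host={host}")
            continue
        seen[user][hour] += 1
        hist = list(baseline["fails"].get(user, {}).values()) or [0]
        limit = int(max(min_burst, mean(hist) + 3 * pstdev(hist)))
        if seen[user][hour] == limit + 1:            # fire once per user-hour
            out.append(f"{hour} FAILED_LOGIN_BURST user={user} count>{limit}")
    return out

BASELINE_LOG = [  # constructed sample: one known-good day
    "2024-03-01T09:02 host=ws-12 user=alice action=login result=ok",
    "2024-03-01T09:05 host=ws-12 user=alice action=login result=fail",
    "2024-03-01T10:30 host=ws-07 user=bob action=login result=ok",
    "2024-03-01T11:00 host=ws-12 user=alice action=file_read result=ok",
]
NEW_LOG = [  # constructed sample: the day being monitored
    "2024-03-02T09:01 host=ws-12 user=alice action=login result=ok",
    "2024-03-02T02:14 host=vpn-3 user=bob action=login result=ok",
] + [f"2024-03-02T02:{15 + i} host=vpn-3 user=alice action=login result=fail" for i in range(6)]
```

Running `alerts(build_baseline(parse(BASELINE_LOG)), parse(NEW_LOG))` yields one NEW_HOST alert for bob and one FAILED_LOGIN_BURST alert for alice, while alice's routine morning login from her usual workstation stays silent; the alert strings are what you would route to the responsible personnel.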
An effective audit log collection and alerting system is a key component of your overall security plan and is a very effective way to help you detect and prevent attacks before they lead to data compromise.
Since 2018, we’ve seen a 70% decrease in organizations storing system logs.