Introduction:
Auditing and accountability’s primary objectives are to ensure that sufficient controls are in place to produce evidence that can be audited, and that records remain available for a sufficient length of time. This guarantees that when a system is hacked, crashes, or receives a fat-fingered input, there is a process in place to expedite data recovery, roll back changes, or perform tracebacks. Auditing and accountability have far-reaching effects, many of which can bring to light instances of concealed activity hidden deep within the network.
Findings:
The auditing and accountability process will help us enhance the overall architectural design of our existing infrastructure by instituting a continuous tracking system based on previously established performance metrics. Subsequent analysis of the recorded data will help us formulate new and continuously evolving defensive strategies that drastically reduce or eliminate successful breaches of our data networks by criminal hackers.
As new and emerging technologies evolve, so do criminal hackers, who are on a seemingly never-ending quest to find new and innovative ways to exploit these technologies. Our organization is tasked with keeping up with new threats that drive continuous change in policies, procedures, and organizational structure. Change is best achieved through frequent IT security audits, each of which takes a snapshot of the organization’s current security posture and identifies potential weaknesses that new technologies may have introduced into existing infrastructure. Auditing also ensures that users, administrators, and management are in compliance with current security controls and standards.
Some of the tools used in the auditing process include Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). More advanced automated logging tools such as Splunk, LogRhythm, ArcSight, and others can help maximize the efficiency of mining the data contained within massive log files.
The benefit of having an audit trail is that it provides a means of accomplishing several objectives, including:
- Individual accountability
- Reconstruction of events
- Intrusion detection
- Problem analysis
Properly identifying after-the-fact intrusion attempts, whether successful or not, allows special attention to be given to damage assessment and to the review of the security controls that were attacked.
Recommendations:
We’ve identified several areas in our networks that will greatly benefit from an overhaul and expansion of our current auditing and accountability processes. Among them are core router and switch backbone CPU and memory utilization, and centralized repositories of device logs (covering core backbone devices, edge devices, and all supporting mechanisms that interact with users who engage the network at every level).
Currently, our way of doing things is piecemeal and inefficient. We recommend utilizing an all-encompassing and fully integrated Security Information and Event Management (SIEM) system as part of our core network operations. Although we have logging in place at every level of network activity, we lack a centralized management system that collects, analyzes, sorts, stores, notifies on, and acts upon the specific metrics and metadata that security administrators designate. We will see an uptick in network performance, with fewer outages and less downtime, once we have the ability to know exactly what the current state of affairs is at every corner of the network.
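As an added example that is not part of this report, the following Python script shows the audit-trail objectives listed above (reconstruction of events, individual accountability, intrusion detection) applied to the kind of centralized device logs the recommendation calls for. The syslog-style format, device name, user names and addresses are constructed assumptions, not records from our network.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: syslog-style lines as a central log repository might hold them for a core router.
SAMPLE_LOG = """\
2016-10-27T09:00:05Z core-rtr1 LOGIN user=jsmith src=10.0.5.21 result=success
2016-10-27T09:01:10Z core-rtr1 CONFIG user=jsmith cmd="interface Gi0/1 shutdown"
2016-10-27T09:01:45Z core-rtr1 LOGIN user=admin src=198.51.100.7 result=failure
2016-10-27T09:01:47Z core-rtr1 LOGIN user=admin src=198.51.100.7 result=failure
2016-10-27T09:01:50Z core-rtr1 LOGIN user=admin src=198.51.100.7 result=failure
2016-10-27T09:30:00Z core-rtr1 CONFIG user=jsmith cmd="interface Gi0/1 no shutdown"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z]+) (?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_log(text):
    """Reconstruction of events: parse each line and return records in time order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # problem analysis: malformed lines should be counted in practice
        rec = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
               "host": m["host"], "event": m["event"]}
        rec.update({k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])})
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def accountability(records):
    """Individual accountability: which user made which configuration change, and when."""
    changes = defaultdict(list)
    for r in records:
        if r["event"] == "CONFIG":
            changes[r["user"]].append((r["ts"], r["host"], r["cmd"]))
    return dict(changes)

def failed_login_bursts(records, threshold=3, window=timedelta(seconds=60)):
    """Intrusion detection: at least `threshold` failed logins from one source within `window`."""
    failures = defaultdict(list)
    for r in records:  # records are already time-ordered by parse_log
        if r["event"] == "LOGIN" and r.get("result") == "failure":
            failures[(r["host"], r["src"])].append(r["ts"])
    alerts = []
    for (host, src), times in failures.items():
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append({"host": host, "src": src, "count": len(times)})
    return alerts
```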