OWASP Top 10: Automate Logging & Monitoring for App Security

The Open Web Application Security Project (OWASP) lists out the Top 10 Web Application Security Risks, a global standard for developers and web application security. Many companies use this list to help start and guide their information security program focus in order to minimize web application risks.

A few listed include code injections, authentication and security misconfigurations, sensitive data exposure, using components with known vulnerabilities and many others. OWASP lists #10 as “Insufficient Logging & Monitoring,” citing the lack of proper monitoring coupled with ineffective integrations with incident response can leave systems and web applications at risk.

As a result, attackers may attack, maintain persistence within your environment, and potentially move laterally to access additional systems and tamper, extract or destroy data. According to IBM’s Cost of a Data Breach report, the average time to identify and contain a breach is 279 days. The faster a company can detect a breach, the lower the cost – if detected under 200 days, a breach costs $1.2 million less (37% savings) than those that exceeded 200 days.

OWASP provides more information on three areas to consider:

• Attack Vectors – Attackers rely on the lack of logging, monitoring and timely response to seek out data, destruction or disruption without being detected.
• Security Weakness – OWASP recommends examining your logs following penetration testing to ensure that the tester’s actions are documented to understand any damage they may have inflicted.
• Impact – Most attacks that result in compromise start with vulnerability probing, but allowing them to continue can raise the likelihood of successful exploitation to nearly 100%.

To determine if your application is vulnerable, OWASP lists the following conditions to consider:

• You aren’t logging auditable events, like failed logins or high-value transactions
• Your warnings and errors don’t generate any log messages, or they’re incomplete or unclear
• Your logs are only stored locally
• Your application or API logs aren’t monitored for suspicious activity
• You don’t have appropriate alerting thresholds or response escalation processes in place
• Pentesting doesn’t trigger any alerts
• You aren’t able to detect, escalate or alert on active attacks against your application in real time

How to Ensure Proper Logging & Monitoring

OWASP provides guidance on how to provide sufficient logging and monitoring, based on the risk of the data that is stored or processed by your application:

• Ensure that all logins or failure of access controls or server-side input validation is logged
• Ensure that logging includes enough user context to identify suspicious accounts
• Ensure that logging is held long enough to account for any delay in investigation
• Ensure that logs are generated in a format that’s easily consumed by a centralized log management solution
• Ensure high-value transactions have an audit trail and controls to prevent tampering or deletion
• Implement effective monitoring and alerting for timely detection of suspicious activities
• Adopt an incident response and recovery plan

Solution: Automated Threat Detection & Response

Getting to proper logging and monitoring is the first step, but often the hardest for organizations to achieve without a security team or dedicated resources. The complexity of logs, formatted differently by every system, makes it difficult to consume them and derive meaningful security insights through a centralized log management solution.

Typical security and information event management (SIEM) systems often don’t provide built-in parsing of firewall, endpoint, identity, server and other logs. Once you have the logs, you need to correlate them with threat intelligence feeds and write detection rules to analyze and alert on relevant security events. Finally, you need a security team to determine how to respond to threats, and do so quickly in order to contain it and minimize the impact on your organization.

Doing all of this without security automation can result in higher costs. IBM’s report shows that organizations with automated security solutions saw significantly lower costs after experiencing a data breach, with costs decreasing from 2018 to 2019 by 8% (from $2.9 million to $2.6 million). Those without automation experienced costs that were 95% higher, at $5.1 million.

With Blumira’s end-to-end integrated security platform, you can:

• Ensure sufficient logging and monitoring capabilities of an advanced cloud SIEM, complete with pre-built parsers to consume logs easily
• Ensure real-time, automated threat detection, with contextual information for every prioritized finding to save your team the effort of pulling relevant data from different systems
• Ensure threat hunting and analysis, provided by correlating data with multiple threat intelligence feeds and informed by our security analyst team for faster investigation
• Ensure automated threat response, with step-by-step playbooks that guide your team through response and remediation to help you contain threats quickly
• Ensure detection of unauthorized access and lateral movement, with easy-to-deploy honeypots that alert your team to malicious insider or external threats

We’ve built our platform so it doesn’t require a large team of security experts to deploy or maintain, and it’s easy to start realizing security value in a matter of days, not months. Learn more about our different integrations and reach out to schedule a demo.