Summary: Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
This control is important because a lack of logging not only allows attackers to hide, but you also won’t know what they did or how they did it.
The first subcontrol is also the easiest, utilizing at least 3 time sources. There are multiple out there, I typically use pool.ntp.org, time.google.com and time.windows.com. The PDC controls the time for all the member machines and servers in Active Directory, so give the PDC 3 time sources and then any core routers or switches need to point to 3 as well. For other things, I’ll refer them to PDC to get their time.
The next 3 subcontols are to turn on audit logging, enable detailed logging and ensuring adequate storage. This is likely more time consuming than anything to go into each server and network device to make sure its turned on and logging. As for the ‘adequate’ storage, there doesn’t seem to be any concrete number on this unless you have a certain regulatory requirement. The next subcontrol is ship appropriate logs to a central log server. In Control 1, I recommended Kiwi Syslog Server for $300 and I still prefer it. The syslog server will allow you to store your logs for much longer as well.
The last couple subcontrols can’t be done well for free. They are to deploy a SIEM to correlate the logs and analyze the logs, regularly tune the SIEM and to regularly review the logs. Reviewing the logs regularly just takes time but its difficult to do without a good SIEM due to the volume of logs. I’ve used AlienVault OSSIM as a SIEM in the past and it’s free, but it’s also difficult to use in my opinion. Having a good SIEM is expensive, so like a lot of these other CIS controls, start with what you can and when you do get some budget, then get yourself a good SIEM.