What Is an Audit Log for Compliance? [Includes Solutions]
An audit log can help your organization with compliance and security. So, what are audit logs, how do you implement them and how do you use them for compliance?
Let’s start with the question: what is the function of an audit log? An audit log keeps track of who accessed the system, what they looked at, and what actions they took. This time-stamped information is important to proving compliance and security.
What Is an Audit Log?
An audit log is a record of events as they happen within a computer system. A system of log-keeping and records becomes an audit trail where anyone investigating actions within a system can trace the actions of users, access to given files, or other activities like the execution of files under root or administrator permissions or changes to OS-wide security and access settings.
On their broadest scale, an audit log can track nearly any change that occurs in a system. This makes them important, even necessary, in three major ways:
- The audit trail provides forensics of the system and how it works, or where things have gone wrong. This includes tracking bugs or errors in system configurations or identifying where unauthorized access of data has taken place. It can also help management audit the performance and activities of employees with sensitive data access credentials.
- Audit logs also provide forensic information related to breaches. An audit trail can show how security controls are in place and working to protect critical data. It can also provide critical information on how hackers have breached specific systems or circumvented controls as well as what data they have accessed.
- Finally, audit logs can help system administrators debug problems on a day-to-day basis.
The immutability of an audit trail is an important part of its usability. Logs are data, just like any other file on a computer, and if they are damaged, they can become useless. Best practices around audit logs suggest that you keep an audit trail for at least a year, or longer if required by regulatory compliance (for example, HIPAA requires at least 6 years of logs on systems containing ePHI).
What Are the Advantages of Using Audit Logs?
It goes without saying that if you work in an industry with a compliance framework that requires some form of data logging (such as HIPAA, GDPR, or FedRAMP) then logs aren’t just advantageous–they are necessary for operations.
However, there are several different ways in which audit logs provide support for systems administrators and IT managers in your organization:
- Demonstrating Compliance: as mentioned above, logs help you demonstrate to auditors that you are compliant within a given framework. This is precisely the reason that many frameworks require audit logs in the first place.
- Creating Chains of Evidence: As part of a security or compliance footing, many security frameworks call for logging as a form of evidence. An unbroken chain of evidence can show investigators the source of a security breach or prove that a company has implemented the security measures they say they have.
- Creating a Chain of Custody: In legal situations, how files are changed or handled can be considered evidence in a court of law. An immutable audit log provides such evidence for law enforcement.
- Insight and Optimization: On a more positive note, logs can show your management and specialists how a system operates under certain conditions, which can help them optimize several internal systems. Logs can reflect things like the time it takes to perform a task or any conflicting operations that could affect the stability or performance of the system.
- Managing Security and Risk: Managing your security and risk profiles requires information; information about partners, information about vendors, information about cloud systems and products, and so on.
- Business Process Tracking: The audit trail can show business users how their data was or was not used. For example, when an attorney sends a legal document to opposing counsel, and that opposing lawyer later claims they didn’t receive it, the sender can use the audit trail to prove it was received, down to details like exactly when it was downloaded and the IP address and equipment used to download it.
Depending on your software setup and your network of computers (as well as your regulatory requirements), audit logging can help by providing one or more of these benefits.
What Is an Audit Trail?
Simply put, an audit trail is a series of logs that document a series of activities, actions, or users across a system. This can include time-based information on the work of an operating system, or a series of logs documenting a user accessing system resources and data.
Trails are critical to security because most often, a single log of an event is not going to help you manage anything previously discussed in this article. Instead, a trail of evidence can provide insight into what happened and how to address an issue.
For example, if a server crashes and data is lost or damaged, then an audit trail before, and leading directly up to, the event can help administrators piece together what happened.
Likewise, if a hacker breaches a system and steals data, IT security specialists can use audit trails to track the activities of that individual to determine what they have compromised, what they have damaged or stolen, and how they entered the system.
What Are the Components of an Audit Log?
That being said, logs aren’t a single entity. Different logs can have different components based on their relevance to the evidence they provide. International Standards Organization (ISO) publication 27002 provides guidelines for typical events and information that logs should contain for enterprise customers. In general, logs following this guidance will usually contain the following information:
- User IDs (those authorized for the system and those accessing the system)
- Dates and times for every event in the audit trail
- Any system information, including device location, MAC address, etc.
- Any attempts to log into the system, both legitimately and those rejected
- Changes to user privileges, ID numbers, or system configuration settings
- Access attempts to relevant (or all) files and folders
- Network information related to any system access (IP number, port accessed, protocol connected with)
- Alerts raised by security software (firewall, anti-malware software, intrusion detection systems)
- Any transactions, data sharing, or other external connections made by users through the system software
- Any access of secured or Personally Identifiable Information (PII)
Specific security logs might also include information about specific systems or events not covered here to provide additional documentation.
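To make the field list above concrete, here is an added example (not code from the page or from any product it mentions) that normalizes constructed sshd login lines into structured audit records carrying the required fields and refuses records that would leave a gap in the trail; the line format, field names and sample addresses are assumptions.

```python
import json
import re

# Fields an audit record should carry, following the ISO 27002-style list above (assumed naming).
REQUIRED_FIELDS = ("timestamp", "host", "user", "event", "outcome", "src_ip", "src_port", "protocol")

# Constructed sample sshd lines in syslog style (not taken from any real system).
SAMPLE_LINES = [
    "2024-03-04T10:33:01Z host1 sshd[4120]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2",
    "2024-03-04T10:33:09Z host1 sshd[4125]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2",
    "2024-03-04T10:33:10Z host1 sshd[4125]: Connection closed by 203.0.113.5 port 4422",
]

# Matches both accepted and rejected login attempts; the "invalid user" marker is optional.
SSH_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

def normalize(line):
    """Turn one sshd login line into a structured audit event; None if the line is not a login attempt."""
    m = SSH_LOGIN_RE.match(line)
    if not m:
        return None
    return {
        "timestamp": m["ts"],
        "host": m["host"],
        "user": m["user"],
        "event": "login",
        "outcome": "success" if m["result"] == "Accepted" else "failure",
        "auth_method": m["method"],
        "src_ip": m["ip"],
        "src_port": int(m["port"]),
        "protocol": "ssh",
    }

def missing_fields(event):
    """Names of required fields the event lacks or leaves empty; an empty tuple means the record is complete."""
    return tuple(f for f in REQUIRED_FIELDS if event.get(f) in (None, ""))

def build_trail(lines):
    """Normalize raw lines into complete audit events, rejecting any record that would leave a gap in the trail."""
    events = [e for e in map(normalize, lines) if e is not None]
    incomplete = [e for e in events if missing_fields(e)]
    if incomplete:
        raise ValueError(f"incomplete audit records: {incomplete}")
    return "\n".join(json.dumps(e, sort_keys=True) for e in events), events
```

The function returns the JSON-lines text a SIEM or archive would ingest together with the parsed events.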
That being said, there aren’t many examples of commercial, stand-alone audit logging software. Many operating systems or third-party applications (including SaaS cloud services) have built-in logging capabilities that may or may not be customizable. There is, however, a large market of solutions that can aggregate logs to provide critical insights into security, performance, bug tracking and employee alerts. These systems are called Security Information and Event Management (SIEM) solutions and include products like Splunk, IBM QRadar, LogRhythm, HPE ArcSight and others.
However, generally auditing tools in a system should be able to track events with the data listed above, and they should be able to produce secure and compliant data logs based on the activity of the platform or software, the compliance requirements in place, and the type of data managed (depending on industry or business).
How Can I Secure Audit Logs on my Servers?
Audit logs aren’t going to help you if they are not protected. Damaged or altered logs break the audit trail and make the information that you’ve collected to protect your system less effective.
It’s both unfortunate and fortunate that audit logs are just files, like any other file on your computer. Unfortunately, this means that they can be stolen, altered, or corrupted like other files. Fortunately, it also means you can protect them with common security controls, including:
- Encryption: Encrypting audit log files can help you keep that data out of the hands of hackers who breached your system. While these files can still be corrupted, it does mean that they are harder to read or manipulate.
- Protection Against Unauthorized Access: Files in a computer system are controlled by a system of access permissions that allow or disallow users to read, write, or execute files. By setting audit logs with specific authorization requirements, you can halt unauthorized users from doing anything with them.
- Control Access for Administrators: It is possible that an administrator can alter audit logs about themselves and their activities in a way that makes it difficult to track what they’ve done. You can set logs about specific users or admins to disallow reading or alteration by those users.
- Detection of Log Alteration, Deletion, or Shutdown: An attacker usually covers their tracks by shutting down and deleting logs as soon as they infiltrate a system. The system should immediately alert staff when an attempt is made to alter or destroy logs.
- Export of Logs to External Systems: Besides the analytical benefits of exporting logs to a centralized SIEM, it also ensures that should a log be deleted by error or by an attacker, another copy exists. Set the SIEM to alert staff if a system stops sending logs, since it is either down or under attack.
- Archiving and Journaling: Send logs to an external archiving service to maintain them through the years required by regulations, in spite of natural disasters, theft, or corruption of the original systems or data center.
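As an added example covering the immutability point made earlier and the alteration/deletion detection control above (not code from the page or from Kiteworks), here is a tamper-evident log whose entries are chained with an HMAC and a verifier that reports altered, removed or reordered entries; the key, the events and the external anchor are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it comes from a secret store, not from the log host's own disk.
KEY = b"demo-only-audit-hmac-key"
GENESIS = "0" * 64

def _tag(key, prev, seq, event):
    """HMAC over (sequence number, previous tag, event): no entry can be rewritten without the key."""
    payload = json.dumps({"seq": seq, "prev": prev, "event": event}, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

def append_entry(log, key, event):
    """Append an event to the in-memory log, chaining it to the previous entry's tag."""
    prev = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "prev": prev, "event": event}
    entry["tag"] = _tag(key, prev, entry["seq"], event)
    log.append(entry)
    return entry

def verify_chain(log, key, anchor=None):
    """Check every entry against its chain link and HMAC; returns (ok, reason).

    anchor is the (seq, tag) of the newest entry as recorded off-host (for example by the SIEM);
    without it, deleting entries at the end of the log cannot be detected."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain broken at entry {i}: an entry was removed or reordered"
        if not hmac.compare_digest(e["tag"], _tag(key, e["prev"], e["seq"], e["event"])):
            return False, f"entry {i} was altered"
        prev = e["tag"]
    if anchor is not None and (not log or (log[-1]["seq"], log[-1]["tag"]) != anchor):
        return False, "log tail missing: newest entry does not match the external anchor"
    return True, "ok"

def sample_log(key=KEY):
    """Constructed three-entry log used to exercise the checks."""
    log = []
    for ev in ({"user": "alice", "action": "login", "result": "ok"},
               {"user": "alice", "action": "read", "file": "/srv/phi/record42"},
               {"user": "alice", "action": "logout"}):
        append_entry(log, key, ev)
    return log
```

Storing the newest (seq, tag) pair with the SIEM export gives the verifier the anchor it needs to catch truncation as well as in-place edits.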
The Kiteworks® Content Firewall for Data Logs
When you are leveraging a platform for activities like secure file sharing and storage, secure email, or secure forms and data collection, data logging is a huge necessity. Accellion’s Kiteworks platform provides these services with secure and complete logging capabilities based on three key principles:
- Compliance: If your business needs secure MFT, SFTP or email for any of its operations, we can provide that service with the necessary logging capabilities in place to ensure that you remain compliant. We work with organizations in healthcare, government, finance, and more and support them with compliance in frameworks like HIPAA, FedRAMP, PCI DSS, and GDPR.
- Security: Our secure systems include all necessary logging to help serve as a forensic tool for any issues you may have, as well as a preventative tool to help you utilize the Kiteworks platform easily within your risk management positioning.
- Accessibility: Our products focus on data accessibility for members of your organization, and that includes access to data logs for the right people. When the time comes to perform audits (for security breaches or annual compliance demands) our tools provide streamlined access to the data you need.
- SIEM integration: The Kiteworks Enterprise platform continuously exports logs to your organization’s SIEM via a standard syslog, including integrations with IBM QRadar, ArcSight, FireEye Helix, LogRhythm and others. It also supports the Splunk Forwarder and includes a Splunk App.
- Clean, complete and usable log data: Our engineers test and improve the quality, completeness and usability of log entries in every product release. They use a comprehensive CISO Dashboard and reporting displays as a testbed to ensure customers can access the metrics and parameters needed to monitor activities, detect threats, and perform forensics.
- Unified, standardized log: Event streams from application and system components all funnel into a single log, with standardized messages that enable analysts and machine learning to detect and analyze patterns that cross multiple communication channels, such as email, MFT, file sharing, and SFTP. The same log also covers administrative changes to policies, permissions, and configurations, as well as operating system activities, logins, repository accesses, and scans by DLP, anti-virus, ATP, and CDR products.
- Intelligence, analytics and notifications: AI technology detects suspicious events, such as possible exfiltration, and sends an alert via email and via the syslog.
- Extensive administrative reporting: The administrative interfaces utilize logs for human-readable dashboards, as well as custom and standard reports.
- End user audit trail: The platform provides user-friendly tracking displays so end users can determine whether recipients have accessed, edited, or uploaded content via secure shared folders, secure email, or SFTP.
Watch the secure file sharing video to learn how Accellion allows for collaboration, easy integration, and regulatory compliance.