In the last few months, I've done over seven security assessments for SecWise.
Whether NIS2 assessments or Azure Cloud Security assessments, one of the findings always comes back:
The lack of centralized logging, or the failure to make any use of the logs that are collected.
Let me explain.
Imagine you have to secure a building because inside are very valuable crown jewels. It's in the middle of the night; it's pitch black outside.
You know there are gates and fences, and you may even have some security guards patrolling, but there are no cameras, sensors, or communication between the guards.
How will you efficiently detect an attack?
You're blind.
That's the equivalent of an organization that does not log its events.
Digital Real Estate
In the digital real estate, events or activities happen all the time:
🔸 Users log in from all over the place
🔸 New devices connect to your environment
🔸 Data flows in and out of your network
If you're not logging these things, you're blind.
So, rule number one is to log these events.
Rule number two is to centralize these logs.
I still see too many organizations with log files scattered everywhere, which makes post-processing and analysis inefficient. So centralize the logs, normalize them, and baseline the timestamps so that post-processing can actually be applied.
The third rule is to store these logs for a long enough time.
I recommend three to six months.
Why?
Because most breaches are only discovered after weeks or even months. If you only keep logs for one month, you're still basically blind to how the attacker accessed your environment.
So, three to six months.
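The three rules above (log, centralize with normalized timestamps, retain for a long enough window) are easy to state and easy to get wrong in practice, especially the timestamp part. The following script is an added example, not code from the original post: it takes constructed events from three sources that each write time differently (a firewall in syslog format with no year and local time, an identity provider in ISO 8601 with an offset, and an application emitting JSON with Unix epoch seconds), normalizes them onto a single UTC timeline, and applies a 180-day retention window. The source names, hostnames, IP addresses, the assumed UTC+1 zone for the firewall and the fixed "now" are all assumptions made for the example.

```python
"""Added example (not the post's own code): pull events from three sources with
different timestamp conventions, normalize them onto one UTC timeline, and
apply a retention window. All sample lines, hosts and addresses are constructed."""
from datetime import datetime, timedelta, timezone
import json
import re

# Hypothetical assumptions about the syslog source: it writes local time in a
# fixed UTC+1 zone and omits the year, so both are supplied here.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=1))
RETENTION_DAYS = 180  # the post's upper recommendation: six months
NOW = datetime(2024, 3, 3, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed sample events: (source, raw line as the source wrote it).
SAMPLE_EVENTS = [
    ("firewall", "Mar  3 02:14:05 fw01 accept src=203.0.113.7 dst=10.0.0.5 dport=443"),
    ("idp", "2024-03-03T01:14:07+00:00 signin user=alice result=success ip=203.0.113.7"),
    ("app", json.dumps({"ts": 1709428450, "msg": "download report.xlsx user=alice"})),
    ("app", json.dumps({"ts": 1690848000, "msg": "service restart"})),  # months old
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_firewall(line):
    """Syslog-style line: add the assumed year and zone, then convert to UTC."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable syslog line: {line!r}")
    naive = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    ts = naive.replace(tzinfo=SYSLOG_TZ).astimezone(timezone.utc)
    return ts, f"{m['host']} {m['msg']}"


def parse_idp(line):
    """ISO 8601 timestamp with an explicit offset, followed by the message."""
    raw_ts, _, msg = line.partition(" ")
    ts = datetime.fromisoformat(raw_ts)
    if ts.tzinfo is None:
        raise ValueError(f"timestamp without offset: {raw_ts!r}")
    return ts.astimezone(timezone.utc), msg


def parse_app(line):
    """JSON record whose 'ts' field is Unix epoch seconds (always UTC)."""
    obj = json.loads(line)
    return datetime.fromtimestamp(obj["ts"], tz=timezone.utc), obj["msg"]


PARSERS = {"firewall": parse_firewall, "idp": parse_idp, "app": parse_app}


def normalize(events):
    """Turn (source, raw line) pairs into records sharing one UTC 'ts' field."""
    records = []
    for source, line in events:
        ts, msg = PARSERS[source](line)
        records.append({"source": source, "ts": ts, "message": msg})
    return records


def build_timeline(records):
    """Single chronological view across all sources (the 'centralized' view)."""
    return sorted(records, key=lambda r: r["ts"])


def apply_retention(records, now=NOW, days=RETENTION_DAYS):
    """Split records into those inside the retention window and those expired."""
    cutoff = now - timedelta(days=days)
    kept = [r for r in records if r["ts"] >= cutoff]
    expired = [r for r in records if r["ts"] < cutoff]
    return kept, expired


if __name__ == "__main__":
    timeline = build_timeline(normalize(SAMPLE_EVENTS))
    for r in timeline:
        print(r["ts"].isoformat(), r["source"], r["message"])
    kept, expired = apply_retention(timeline)
    print(f"{len(kept)} events within {RETENTION_DAYS} days, {len(expired)} expired")
```

Note what the normalized timeline shows: the firewall line reads "02:14:05" and the identity-provider line "01:14:07", yet once both are in UTC the firewall event comes first. Without baselining the timestamps, an analyst reconstructing the sign-in would order them the wrong way round. The retention split is the second rule made concrete: the months-old application event falls outside the 180-day window, while the three events from the same morning are kept.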
Conclusion
To summarize, one of the top findings is the lack of centralized logging and the failure to use the logs that exist for analysis.
Three rules:
🔸 Log as much as you can
🔸 Centralize the logs and normalize the timestamps
🔸 Keep these logs for three to six months
Now, that, of course, is just step one.
Step two, well, that's for another time.
Have a wonderful day!
Jetro
I help European Organizations Strengthen Their Digital Security & Compliance
Outcome: Reduced Risk 🔸 Improved Cyber Resilience 🔸 More Peace of Mind