Security logging and monitoring
So far, we have looked at different zero-trust design principles and user life cycle management and how to ensure that users are using least-privilege access. Now, let’s take a closer look at the foundation of security monitoring, which is logging.
Regardless of how many security mechanisms we have in place, it is always important to have services or tools in place to monitor activities and events within our systems, regardless of whether they are on-premises running within our data center or cloud services. Once we have that monitoring capability in place, we should be able to use the data that has been collected to look for signs of known attacks, abnormal user activity, or unusual traffic.
For instance, to get an overview of what kind of traffic is flowing in and out of a virtual machine and be able to see that in the context of what is going on inside the operating system, you need multiple log sources, such as the following:
-
...
