These days, it seems cyber security is on everyone’s talking agenda – from CIO’s (or CISO’s), to IT Operations directors, to even the legal department (usually involved when a breach has occurred). While it has been widely recognised, there has been a surge in cyber breaches (especially due to ransomware exploring WFH employees), it does appear for the most part that companies are still unaware, or perhaps naive about how to not only protect themselves but to also mitigate further damage in the past by learning about what actually happened during a breach in their systems.
Take the latest Optus Australia security breach (click here if you haven’t read about it yet) – The second largest telecommunications company in Australia, announced on September 22 that details of up to 9.8 million customers were stolen from their customer database. The details, dating back to 2017, include names, birth dates, phone numbers, email addresses, and – for some customers – addresses and driver’s licence or passport numbers.
But to understand such security breaches as this and how it was caused, you also need to understand what damage occurred during the breach – that is exactly what activities or folders did the hacker accessed while he was gaining unauthorised access to the system in question.
Whether it is a financial database hosted in the cloud, or a CRM hosting your customer’s contact information, or even an online Sharepoint site with your customer’s personal files. Tracking the activity of who is doing what within these environments is crucial to understand how to protect and mitigate future attacks from reoccurring.
This is where Audit Logging comes in handy, and in M365 (depending on how many services you run there) – But when one thinks of the word audit, the thought of “compliance” springs to mind – but auditing and why we have ‘audit logging’ is not simply just about compliance!
What is Audit Logging ?
Wikipedia defines Audit trail (also referred to as Audit logging) as “An audit trail (also called audit log) is a security-relevant chronological record, set of records, and/or destination and source of records that provide documentary evidence of the sequence of activities that have affected at any time a specific operation, procedure, event, or device.”
In highly regulated industries (such as finance or government), being able to show exactly what chronological steps or pieces of data any user accesses or modifies is usually required by law to be able to operate in that industry.
So to put it simply, Audit logging helps keep these industries compliant.
So what is the difference between Audit logs and System logs?
Since most IT administrators deal with System logs daily, how do these differ from audit logs?
This really comes down to the nature of the information that they contain as well as their purpose. System logs are designed to help administrators and teams troubleshoot errors within their environment. Audit logs aid organisations to document a historical record of activity for compliance purposes and other business policy enforcement. Certain Security Compliance frameworks also generally require organisations to meet long-term retention policies and information on who has accessed (and potentially manipulated) any sensitive data held within the environment.
To enable audit logging is to comply –
For example, in the US, the Healthcare Insurance Portability & Accountability Act (HIPAA) requires that organizations “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.” In order to protect patient information, it’s important that only authorised people have access to those records.
Similarly CIS Control 08 – emphasises the need for centralised collection and storage and standardisation to better coordinate audit log reviews. So the organisations that are governed by these sorts of security frameworks, deem it not only vital to have sufficient and accurate audit logging, but actually mandated by law.
Audit logs are proof to auditors that you are indeed sharing files securely and complying with privacy laws.
While researching the various security frameworks, and their interpretation of what is required by way of Audit logging, I found the National Institute of Standards and Technology (NIST) has published an interesting article that discusses in great detail how and the why you should use audit logs.
In an M365 Context, the same goes!
Even in Microsoft 365’s cloud, audit logging is a must for organisations operating in those regulated industries, and Microsoft 365 audit logs can help you find out what the users and admins in your organisation have been doing within the M365 tenant. You’ll be able to find activities related to email, groups, documents, permissions, directory services, and much more. Audit log requirements and mandatory obligations do not change if you move your data to the public cloud!
In fact, some could argue they are harder to manage and maintain as the data that needs to be governed by such frameworks is held in Microsoft’s data centre and not your own meaning you might not have as much control or say in how it is stored.
Luckily Microsoft provides some out-of-the-box audit logging capability that helps the organisation stay compliant, in an M365 context, the unified audit log feature contains user, group, application, domain, and directory activities performed in the Microsoft 365 admin centre or in the Azure management portal
Audit (Premium) in Microsoft 365 provides all organisations with a default audit log retention policy. This policy retains all Exchange Online, SharePoint Online, OneDrive for Business, and Azure Active Directory audit records for one year.
What are some of the benefits of audit logging?
Whereas in the past audit logging was more common in specific industries like finance and insurance, it is now front and centre for all types of companies with a digital footprint and an online presence. Across industries, audit logging can be used to achieve the following important goals:
- Ensuring compliance with industry regulations.
- Troubleshooting system issues
- Learning pathways to potential security gaps through previous breach behaviour
- Providing legal evidence in court hearings
Tying this all together
By now, one would understand not just how important audit logging is in regards to compliance whether in the cloud or in your own data centre (and how it can provide an organisation with a get-out-of-jail-free card when there are legal implications at risk), but also its relevancy in relation to cyber security. The number of security breaches post-pandemic is on the rise, and while this will continue to prove a headache for most CIO\CISOs, it’s important to not only protect against future attacks but to also learn from past attacks too.
Security continues to be the forefront topic of concern for most organisations in this post-pandemic Digital world, Microsoft M365 provided a platform to utilise the latest security platforms without having to provision any infrastructure and software in your own data centre.
But with the big migration to the cloud and specifically M365, came new realisations that compliance still exists, and an organisation’s obligation to provide evidence trail on important activity occurring within their M365 tenant.
Audit Logging remains just as important (and mandatory for some) as it did before your organisations move to M365. Only now, you need to factor in the physical and virtual constraints of running your data in someone’s else data centre.
