Logging and monitoring: the foundation of detection and response

Kees van der Vlies

Partner | IT Auditor

Logging and monitoring are fundamental security controls that are tested in virtually every audit framework. Without adequate logging, an organisation cannot establish what happened during an incident. Without active monitoring, attacks and anomalies are not detected in time. Together they form the foundation of detection and response.

An auditor assesses logging at several levels. At infrastructure level: are login and logout events recorded? Are changes to configurations logged? At application level: are access to sensitive data, changes to records and error messages recorded? At network level: are firewall rules, VPN connections and network access recorded?

The quality of logging is at least as important as the quantity. The auditor checks whether logs contain a timestamp that is synchronised (NTP), whether the source of the action (user, IP address, system) is recorded, whether logs are immutable (write-once) to prevent tampering, and whether the retention period meets legal and contractual requirements.

Centralising logs is a best practice that auditors expect from mature organisations. A Security Information and Event Management (SIEM) system collects logs from various sources, correlates events and generates alerts on suspicious patterns. Popular solutions include Microsoft Sentinel, Splunk, Elastic Security and open-source alternatives such as Wazuh.

Monitoring goes beyond collecting logs. The auditor assesses whether security events are actively monitored, whether alerts are configured for critical events such as multiple failed login attempts, access outside working hours, privilege escalation or unusual data downloads, and whether there is a process to triage and follow up on alerts.
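Two of the alert conditions named above (a burst of failed logins and successful access outside working hours) expressed as detection logic over constructed sample log lines. This is an added illustration, not code from the article or from Secure Audit; the thresholds, working hours, log format and all user and address values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs), carrying the fields an auditor
# expects: a synchronised UTC timestamp, the acting user, source IP and outcome.
SAMPLE_LOG = """\
2024-03-04T02:10:05Z user=alice src=10.0.0.5 event=login outcome=failure
2024-03-04T02:10:09Z user=alice src=10.0.0.5 event=login outcome=failure
2024-03-04T02:10:14Z user=alice src=10.0.0.5 event=login outcome=failure
2024-03-04T02:10:20Z user=alice src=10.0.0.5 event=login outcome=failure
2024-03-04T02:10:27Z user=alice src=10.0.0.5 event=login outcome=failure
2024-03-04T02:10:40Z user=alice src=10.0.0.5 event=login outcome=success
2024-03-04T09:15:00Z user=bob src=10.0.0.7 event=login outcome=success
2024-03-04T23:30:00Z user=carol src=198.51.100.9 event=login outcome=success
"""

FAILED_THRESHOLD = 5                   # assumed: alert at 5 failures...
FAILED_WINDOW = timedelta(minutes=10)  # ...within a 10-minute sliding window
WORK_START, WORK_END = 7, 19           # assumed working hours, 07:00-19:00 UTC

def parse(line):
    """Parse one 'timestamp key=value ...' record into a dict."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def detect(log_text):
    """Return (rule, user, src) alerts for failed-login bursts and out-of-hours access."""
    alerts = []
    failures = defaultdict(list)  # per-user timestamps of recent failures
    for line in log_text.splitlines():
        r = parse(line)
        if r["event"] != "login":
            continue
        if r["outcome"] == "failure":
            window = failures[r["user"]]
            window.append(r["ts"])
            # drop failures that fell out of the sliding window
            window[:] = [t for t in window if r["ts"] - t <= FAILED_WINDOW]
            if len(window) == FAILED_THRESHOLD:  # alert once, when first reached
                alerts.append(("failed_login_burst", r["user"], r["src"]))
        elif r["outcome"] == "success":
            weekend = r["ts"].weekday() >= 5
            if weekend or not WORK_START <= r["ts"].hour < WORK_END:
                alerts.append(("out_of_hours_access", r["user"], r["src"]))
    return alerts
```

Without the synchronised timestamp and source fields the article calls for, neither rule can be evaluated, which is why the auditor checks log quality before detection coverage.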

The response to detected incidents completes the picture. The auditor checks whether there is an incident response plan, whether roles and responsibilities are defined, whether the plan is tested periodically by means of tabletop exercises or simulations, and whether incidents are recorded and analysed for lessons learned.

Regulation strengthens the requirements for logging and monitoring. DORA requires financial institutions to detect ICT-related incidents in a timely manner. NIS2 sets requirements for the detection capabilities of essential entities. The GDPR requires that data breaches are reported within 72 hours, which is barely achievable without adequate monitoring.

Secure Audit tests logging and monitoring as a core part of every IT audit and advises on the design of detection capabilities. Contact us for a security assessment.