Logging is used to provide a "source of truth" for activity that occurs on a network. Logging is most commonly used for, but not limited to, incident response and security monitoring. During the incident response process, a user may be held accountable for an action or behavior, and logging plays a crucial role in proving a user's actions.
Accountability is the final pillar of the Identification, Authentication, Authorization, and Accountability (IAAA) model. The model is used to protect and maintain confidentiality, integrity, and availability of information.
Accountability holds users and peers on a network responsible for their actions. Logging is a large part of this pillar and maintains a record of activities.
To ensure the efficacy of accountability, logs and other data sources must be protected, and their authenticity must be proved. If it cannot be proven that a log was kept in its original state, it loses its for accountability and the incident response process.
Learning Objectives
- Understand where data originates, how it is stored, and how a security engineer can leverage it.
- Understand why accountability is important to security and how logging can help improve its efficacy.
- Apply logs and other data sources to incident response and the principle of accountability.
Before beginning this room, we recommend you understand logging capabilities and log data sources or complete Intro to Logs. We also recommend a basic understanding of or complete Basics.
Throughout this room, we will introduce how logging and data maintain accountability. We will break down best practices and explain accountability in different stages of the incident response procedure.
The Logging for Accountability room is only available for premium users.
