When delivering a service, you need to be aware of the warning signs of an impending attack so you can appropriately respond by proactively adding or adapting security controls.
This is achieved through observability, which is the capability to track the security health of your service through the processes of logging, monitoring, and alerting. This enables you to gain insight into your service’s state, users, and data.
Good observability will allow you to:
Security observables (including information and events) are identified changes (or triggers) within your system that may indicate a security issue that requires your attention.
You should begin identifying observables (such as security alerts generated by applications and networks) from the service design stage so you can build and integrate these within the organisation’s overall security monitoring capabilities. You should regularly review your observability processes to ensure any changes to the service or new threats have been considered.
Managing observability should be led by your technical team (such as security and technical architects, developers and DevOps) who will have a detailed understanding of your system’s infrastructure and be able to configure the appropriate data logging, monitoring and alerting capabilities. They should consult with security professionals to ensure information is being collected and interpreted correctly.
There may be dedicated cyber security incident response teams or a Security Operations Centre (SOC) within your organisation who may require access to observable data so they can detect potential threats, investigate security events, and take appropriate actions to mitigate risks.
Your organisation may already have templates for the information and events they expect you to capture. Use these as your starting point, considering what additional information and events are required to provide good observability of the service.
You should begin by identifying what security related information and events to capture within your systems. This may include:
Document the relevant observables for your service assets. You should investigate whether you have the appropriate capabilities set up to collect and monitor observables, and what you may need to implement to give you full visibility. Speak with your organisation to see what capabilities and resources may be available to support you.
Logging and monitoring systems will allow you to track and record activity such as user access and changes made to the system. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS) and Security Information and Event Management (SIEM) tools can help you detect suspicious activity and create alerts.
If you are using third-party vendors to deliver components within your system, they should provide cyber security monitoring, logging and alerting as part of their service. Explore the options and expertise available to see how it can complement your own observability processes.
All observables should be collected and stored securely. They should also be easy to search and analyse so that potential security issues can be identified.
Your service's observables and their outputs should be treated with a high level of security so they don’t compromise the assets they’re being used to protect. There are various measures you should put in place to maintain the integrity and confidentiality of this information.
Implement strict access controls to limit access to log files and event data. Ensure that only the necessary authorised personnel have permission to view, modify, or delete logs, and consider strong authentication mechanisms, such as multi-factor authentication, mandatory for that access.
Log files and event data should be encrypted when being transferred and stored. Use secure transport protocols (such as HTTPS or SSH) when transmitting logs across networks and encrypt log databases to protect data from unauthorised access if storage systems are compromised.
Consider using dedicated log management solutions or SIEM platforms that provide built-in security features for data storage. Regularly back up information and implement appropriate disaster recovery measures.
Separate log files from the systems or applications they originate from. Storing logs on a separate server or dedicated log management system helps protect them from being compromised if the source system is breached. It also allows for centralised and controlled access to log data.
Regularly back up log files and establish appropriate policies for retaining data. Backups can help restore log data in case of accidental deletion, system failure, or data corruption. Retention policies should align with regulatory requirements and the needs of your organisation.
Educate employees about the importance of observable data protection and the role they play in maintaining the security of log files. Train employees on proper handling, storage, and disposal of data.
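The controls above (owner-only access to log files, storage separate from the source system, and protection of log integrity) can be demonstrated in a small amount of code. The following is an added example, not part of the Secure by Design guidance or any product it references: it appends audit records to a file created with owner read/write permissions only, links each record to the one before it with an HMAC so that later edits are detectable, and then simulates an attacker altering an entry. The key, file layout, record fields and the `demo` function are all constructed for illustration; a real deployment would keep the key only on the separate log-collection host described above.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile

# Constructed demo key: a real deployment would fetch this from a secrets
# manager and hold it only on the separate log-collection host.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "genesis"


def chain_tag(key, previous_tag, record):
    """HMAC-SHA256 over the previous tag and the canonical JSON of this record.
    Because each tag covers the tag before it, editing or removing any earlier
    entry invalidates every tag that follows."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    message = previous_tag.encode() + b"\n" + canonical.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def last_tag(path):
    """Tag of the final entry, or the genesis value for a new or empty file."""
    if not os.path.exists(path):
        return GENESIS
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    return json.loads(lines[-1])["tag"] if lines else GENESIS


def append_record(path, key, record):
    """Append one entry. The file is created owner read/write only (0600),
    so other local accounts cannot read or alter it."""
    tag = chain_tag(key, last_tag(path), record)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND,
                 stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "a", encoding="utf-8") as f:
        f.write(json.dumps({"record": record, "tag": tag}, sort_keys=True) + "\n")
    return tag


def verify_log(path, key):
    """Recompute the chain. Returns (True, -1) if intact, otherwise
    (False, index) of the first entry whose tag does not match."""
    previous_tag = GENESIS
    with open(path, encoding="utf-8") as f:
        for index, line in enumerate(f.read().splitlines()):
            entry = json.loads(line)
            expected = chain_tag(key, previous_tag, entry["record"])
            if not hmac.compare_digest(expected, entry["tag"]):
                return False, index
            previous_tag = entry["tag"]
    return True, -1


def group_or_world_accessible(path):
    """True if any group or other permission bit is set on the log file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo(directory=None):
    """Write three constructed audit records, confirm the chain verifies,
    then simulate an attacker rewriting one entry and show it is detected."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "audit.log")
    for record in [  # constructed sample records
        {"ts": "2024-01-31T10:00:00Z", "user": "svc-deploy", "event": "login", "result": "ok"},
        {"ts": "2024-01-31T10:02:10Z", "user": "svc-deploy", "event": "config_change", "key": "max_sessions"},
        {"ts": "2024-01-31T10:05:42Z", "user": "svc-deploy", "event": "logout"},
    ]:
        append_record(path, DEMO_KEY, record)
    intact, _ = verify_log(path, DEMO_KEY)
    exposed = group_or_world_accessible(path)

    # Tampering: change who made the configuration change in entry 1.
    with open(path, encoding="utf-8") as f:
        lines = f.read().splitlines()
    entry = json.loads(lines[1])
    entry["record"]["user"] = "someone-else"
    lines[1] = json.dumps(entry, sort_keys=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    still_ok, bad_index = verify_log(path, DEMO_KEY)

    return {"intact_before": intact, "exposed_perms": exposed,
            "intact_after": still_ok, "first_bad_entry": bad_index}


if __name__ == "__main__":
    print(demo())
```

A chain on its own does not reveal that the newest entries have been deleted, since truncating the file leaves a valid shorter chain; shipping the latest tag to the separate log server each time a record is written, as the guidance recommends for the logs themselves, closes that gap.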
Your observability process should consist of regular checks to identify potential security issues and attacks within systems. The output of these should result in specific actions. These may include:
Applying the right actions to each observable will help to increase visibility of known events and allow retrospective analysis of unknown events.
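The "regular checks that result in specific actions" described above are what a SIEM rule or a scheduled detection script does. The following added example (not code from the guidance or from any SIEM product) runs two checks over constructed sshd-style log lines: repeated authentication failures from one source within a time window, and a successful login from a source that had just produced such failures. Each alert carries the recommended action so the observable maps to a response. The threshold, window, line format and addresses (documentation ranges) are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd/syslog-style lines (203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges; no real host produced these).
SAMPLE_LOG = """\
Jan 31 10:00:01 web01 sshd[2201]: Accepted publickey for ops from 192.0.2.10 port 41002 ssh2
Jan 31 10:00:05 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.45 port 50212 ssh2
Jan 31 10:00:09 web01 sshd[2211]: Failed password for invalid user test from 203.0.113.45 port 50213 ssh2
Jan 31 10:00:12 web01 sshd[2212]: Failed password for root from 203.0.113.45 port 50214 ssh2
Jan 31 10:00:15 web01 sshd[2213]: Failed password for deploy from 198.51.100.7 port 39001 ssh2
Jan 31 10:00:16 web01 sshd[2214]: Failed password for deploy from 203.0.113.45 port 50215 ssh2
Jan 31 10:00:20 web01 sshd[2215]: Failed password for deploy from 203.0.113.45 port 50216 ssh2
Jan 31 10:00:24 web01 sshd[2216]: Failed password for deploy from 203.0.113.45 port 50217 ssh2
Jan 31 10:00:28 web01 sshd[2216]: Connection closed by 203.0.113.45 port 50217
Jan 31 10:00:31 web01 sshd[2217]: Accepted password for deploy from 203.0.113.45 port 50218 ssh2
Jan 31 10:00:40 web01 sshd[2218]: Failed password for deploy from 198.51.100.7 port 39002 ssh2
Jan 31 10:00:45 web01 sshd[2219]: Accepted password for deploy from 198.51.100.7 port 39003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[0-9.]+) port \d+"
)

FAIL_THRESHOLD = 5    # assumed tuning values for the example
WINDOW_SECONDS = 60


def parse_line(line, year=2024):
    """Return a structured event, or None for sshd lines the checks ignore."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    # syslog timestamps carry no year; the assumed year is supplied by the caller
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "method": m["method"], "user": m["user"], "src": m["src"]}


def detect(lines):
    """Run both checks over the lines in order; each alert names an action."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> failure timestamps in window
    flagged = set()                         # sources already alerted on
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        window = recent_failures[ev["src"]]
        while window and (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()
        if ev["outcome"] == "Failed":
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({
                    "kind": "brute_force", "src": ev["src"], "host": ev["host"],
                    "at": ev["ts"].isoformat(), "failures": len(window),
                    "action": "block the source at the perimeter and review the targeted accounts",
                })
        elif len(window) >= FAIL_THRESHOLD:
            # A success right after a burst of failures from the same source
            alerts.append({
                "kind": "success_after_failures", "src": ev["src"], "host": ev["host"],
                "user": ev["user"], "at": ev["ts"].isoformat(),
                "action": "treat the account as potentially compromised: end the session, "
                          "force a credential reset and preserve the logs for investigation",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The two failures from 198.51.100.7 before its successful login stay below the threshold and raise nothing, which is the usual trade-off in tuning such a check: a lower threshold catches slower attempts but also flags users who mistype a password.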
Integrate your observability processes into your threat model so it can become part of your ongoing plan for identifying and managing cyber security threats.
This activity is part of the ‘Anticipate and respond to vulnerabilities’ stage of Secure by Design, which also includes:
The Secure by Design approach will evolve to reflect the needs of government digital services. Your feedback will help us to improve it.
Last update: 31 January 2024