LOKESH4884

2021 - Security Logging and Monitoring Failures (Insufficient Logging & Monitoring)

About
Security Logging and Monitoring Failures (Insufficient Logging & Monitoring) is a security weakness that occurs when an organization fails to properly configure the logging, monitoring and alerting mechanisms it needs to detect and identify security incidents.

This can occur due to a variety of factors, such as:

  1. Missing auditable logs.
  2. Missing warning messages and error messages.
  3. Not having backups for disaster recovery.
  4. Not having alerting thresholds.
  5. Not configuring response escalations.
  6. Not logging all critical events.
  7. Not storing logs securely.
  8. Not monitoring logs regularly.

Measures to take so that an attack on your application is detected and handled:

  1. Implement appropriate detection and escalation capabilities to receive alerts for the attacks.
  2. Don't rely on third-party hosting providers for this, as they often lack sufficient logging and monitoring, which can lead to undetected data breaches.
  3. Ensure that the logs are produced in a format that log management solutions can easily digest.
  4. Ensure that log data is correctly encoded so that attacker-controlled input cannot inject forged entries into, or otherwise attack, the logging and monitoring systems.
  5. Protect high-value transactions, monitor for suspicious activity, and be prepared to respond to security incidents.
  6. Ensure that all failures in login, access control, and server-side input validation are logged with enough user context to identify suspicious or malicious accounts, and retain this data long enough to support later forensic investigation.
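The following Python example is added here and is not from the original post. It ties together three of the points above: login failures are written as one JSON line each with user context (item 6), the JSON encoding keeps a CRLF-laden username from forging a second log entry (item 4), and a sliding-window threshold rule over those lines raises an alert once an account sees too many failures (item 1). The event data is constructed for the example; field names and the threshold are assumptions, not a standard.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample login events, not real traffic. The "bob" username carries a
# CRLF plus a fake log line, the shape a log-injection attempt takes.
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:00+00:00", "alice", "203.0.113.7", False),
    ("2024-05-01T10:00:05+00:00", "alice", "203.0.113.7", False),
    ("2024-05-01T10:00:09+00:00", "alice", "203.0.113.7", False),
    ("2024-05-01T10:00:12+00:00", "alice", "203.0.113.7", False),
    ("2024-05-01T10:00:15+00:00", "alice", "203.0.113.7", False),
    ("2024-05-01T10:00:20+00:00", "bob\r\nINFO login ok user=admin", "198.51.100.9", False),
    ("2024-05-01T10:01:00+00:00", "carol", "192.0.2.44", True),
]

def audit_record(ts, username, source_ip, success):
    """Serialise one login event as a single JSON line with user context.

    json.dumps escapes CR, LF and quotes inside values, so a crafted username
    cannot terminate the line or forge a second record in the log.
    """
    return json.dumps({"ts": ts, "event": "auth.login",
                       "outcome": "success" if success else "failure",
                       "user": username, "src_ip": source_ip},
                      separators=(",", ":"))

def failed_login_alerts(lines, threshold=5, window_s=60):
    """Return (src_ip, user) pairs with >= threshold failures inside window_s seconds."""
    recent = defaultdict(list)   # (src_ip, user) -> timestamps of recent failures
    alerts = set()
    for line in lines:
        rec = json.loads(line)   # one record per line; injected text stays inside "user"
        if rec["event"] != "auth.login" or rec["outcome"] != "failure":
            continue
        key = (rec["src_ip"], rec["user"])
        now = datetime.fromisoformat(rec["ts"])
        recent[key].append(now)
        # Drop failures that have fallen out of the sliding window
        recent[key] = [t for t in recent[key] if (now - t).total_seconds() <= window_s]
        if len(recent[key]) >= threshold:
            alerts.add(key)
    return sorted(alerts)

if __name__ == "__main__":
    log_lines = [audit_record(*event) for event in SAMPLE_EVENTS]
    print("\n".join(log_lines))
    print("alerts:", failed_login_alerts(log_lines))
```

Running it prints seven single-line records (the injected CRLF appears escaped as `\r\n` inside the user field) and one alert for alice from 203.0.113.7; bob's lone failure stays below the threshold.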

Here are some tools that can help you address the "Insufficient Logging & Monitoring" issue according to OWASP's guidelines:

  1. SIEM Solutions: Use Splunk, Elastic Stack (ELK), or IBM's QRadar for real-time log analysis, alerting, and reporting.
  2. Log Management & Analysis: Graylog, LogRhythm, or Loggly can help centralize logs and provide real-time analysis.
  3. User & Entity Behavior Analytics (UEBA): Exabeam and Securonix utilize advanced analytics to detect abnormal user and entity behavior.
  4. Threat Intelligence Feeds: MISP and STIX/TAXII enable the ingestion of structured threat data.
  5. Incident Response: Platforms like TheHive and Demisto aid in incident management and automation.
  6. Security Awareness & Training: Consider KnowBe4 and SecurityIQ for employee training and simulated phishing campaigns.
