NSE7_OTS-7.2 Logging and Monitoring

Logging and Monitoring Detailed Explanation

Logging and monitoring are critical components of OT security. They enable real-time visibility into network activities, helping identify security threats, performance issues, and abnormal behavior.

Definition

Logging and monitoring involve:

1. Recording network activities to create an audit trail of all actions.
2. Analyzing these logs to detect security incidents, such as unauthorized access or suspicious traffic.
3. Monitoring network performance in real-time to ensure optimal operation.

The ultimate goal is to provide both proactive and reactive security measures for OT environments.

Core Concepts

1. Logging

Logging refers to systematically recording all network activities for analysis, troubleshooting, and auditing.

What to Log

1. User Activities:

   • Record details of user logins, including successful and failed attempts.
   • Example: Track who accessed the SCADA system and what actions they performed.

2. Device Access:

   • Log which devices connected to the network, when, and their activity.
   • Example: Monitor when a PLC communicates with the control server.

3. Data Transmission and Anomalies:

   • Record network traffic patterns.
   • Identify anomalies, such as unexpected spikes in data flow.

Storing Logs

• Logs must be stored securely to prevent tampering.
• Use encryption to protect logs and ensure their integrity.

Benefits of Logging

• Creates an audit trail for compliance and forensic analysis.
• Enables investigators to pinpoint the root cause of incidents.

2. Real-Time Monitoring

Monitoring involves observing the network's status continuously to detect issues as they occur.

Key Monitoring Activities

1. Performance Monitoring:

   • Track the speed and efficiency of network operations.
   • Example: Ensure SCADA communication latency remains within acceptable limits.

2. Traffic Pattern Monitoring:

   • Monitor data flow to detect unusual patterns, such as large data transfers from unauthorized devices.

3. Alert Thresholds:

   • Set thresholds for anomalies, such as:
     • Excessive login attempts.
     • Sudden increases in traffic from a single device.
   • Example: Generate an alert if a PLC sends commands outside its normal operational schedule.

Benefits of Real-Time Monitoring

• Enables faster detection of issues or breaches.
• Reduces the time between detection and response.

3. Threat Detection

Threat detection is the process of identifying potential security incidents through log analysis and monitoring tools.

Key Practices

1. Log Analysis:

   • Use tools to analyze logs for suspicious patterns or activities.
   • Example:
     • A spike in failed login attempts might indicate a brute force attack.
     • Unexpected data transfers from critical devices could signal exfiltration attempts.

2. Attack Pattern Recognition:

   • Detect and flag behaviors matching known attack signatures.
   • Example: A known malware signature in a packet payload.

Benefits

• Proactively identifies risks before they escalate.
• Provides actionable insights for incident response.

4. Incident Response

Incident response involves taking immediate action to address identified threats or anomalies.

Automated Responses

1. Blocking Suspicious Traffic:

   • Configure firewalls or intrusion prevention systems (IPS) to block traffic that matches known threat patterns.
   • Example: If a device starts sending unauthorized Modbus commands, block its traffic automatically.

2. Alert Notifications:

   • Notify administrators immediately when a critical event occurs.
   • Example: Send an email or SMS alert if an unauthorized device connects to the network.

Benefits

• Minimizes potential damage by responding swiftly to threats.
• Keeps administrators informed in real time.

Key Technologies

1. FortiAnalyzer

• A centralized tool for:
  • Collecting logs from multiple devices.
  • Generating detailed reports on network activity and security events.
• Example:
  • Use FortiAnalyzer to create a weekly security event summary for compliance purposes.

2. FortiSIEM

• A Security Information and Event Management (SIEM) solution that:
  • Aggregates data from various sources.
  • Correlates events to identify security incidents.
  • Provides a dashboard for real-time monitoring and analysis.

Practical Applications

1. Weekly Log Audits

• Review logs weekly to identify:
  • Security events, such as unauthorized access.
  • Trends in network activity that could indicate emerging risks.

2. Configure Real-Time Alerts

• Set up alerts for specific events, such as:
  • Failed login attempts exceeding a set threshold.
  • Traffic to unauthorized IP addresses.
• Example:
  • Configure an alert to notify administrators if a new device tries to connect to a critical zone.

Why Logging and Monitoring are Critical

1. Improves Visibility:
   • Provides a detailed view of all activities in the network.
2. Enhances Security:
   • Detects threats early, minimizing potential damage.
3. Supports Compliance:
   • Meets regulatory requirements by maintaining logs and incident records.

Summary

Logging and monitoring are essential for maintaining OT network security. By recording activities, analyzing logs, and monitoring performance in real time, organizations can identify and respond to threats swiftly. Tools like FortiAnalyzer and FortiSIEM simplify these processes, making it easier to manage large-scale OT environments efficiently.

Logging and Monitoring (Additional Content)

1. Log Retention Policy and Compliance Requirements

In OT environments, logging is not only essential for operational visibility and incident detection—it is also a compliance mandate. Understanding how long logs should be retained and how to secure them is crucial for audit-readiness and regulatory alignment.

Key Retention Guidelines

1. Minimum Log Retention Periods

• Industry standards like NERC CIP and IEC 62443 recommend retaining logs for at least 90 days, with some environments extending this to one year or more, especially for critical infrastructure.

2. Secure Storage Mechanisms

• Logs should be encrypted, access-controlled, and tamper-evident.
• Best practices include:
  • Exporting logs to a centralized and hardened server (e.g., FortiAnalyzer).
  • Using digital signatures or hash chains to detect log tampering.
  • Creating backups in geographically separate locations for disaster recovery.

Why This Matters in Exams

You may encounter exam questions that ask:

"Which log management practice best supports compliance with regulatory frameworks?"

The correct answer must include both retention period and security of storage.

2. Alert Prioritization and Incident Response Levels

Monitoring systems often generate large volumes of alerts. Without prioritization, security teams may overlook critical events. Effective alert management in SIEM systems like FortiSIEM involves classifying alerts into severity levels and associating them with predefined response actions.

Example: Three-Tier Alert Prioritization

1. High Priority

• Indicators of actual or imminent compromise.
• Examples:
  • Unauthorized write attempt to a PLC.
  • Malware signature detected in OT protocol traffic.
  • Unknown device attempting to access a restricted VLAN.

2. Medium Priority

• Potential policy violations or behavioral anomalies.
• Examples:
  • Multiple failed login attempts from a known engineering workstation.
  • User accessing the SCADA interface during non-working hours.

3. Low Priority

• Non-critical or transient events.
• Examples:
  • Temporary device disconnection.
  • Minor packet loss on a redundant link.

Mapped Response Actions

• High: Immediate investigation, device isolation, incident escalation.
• Medium: Notify SOC, monitor behavior, consider escalation.
• Low: Log and review during weekly audit.

Why This Matters in Exams

You may be asked to choose the appropriate response strategy based on alert severity. Questions could look like:

"An alert indicates an HMI has accessed a PLC using an unauthorized Modbus function code. What is the appropriate response?"

Correct answers involve high-priority classification and immediate mitigation, possibly via automation.

3. Integration with Access Control, IPS, and FortiGate

Logging and monitoring are only as powerful as the actions they trigger. To achieve a closed-loop response system, logs must be correlated and acted upon through integration with other Fortinet security modules.

Key Integration Scenarios

1. Access Control + Logging

• NAC detects an unknown device → logs the connection → FortiNAC isolates the device via VLAN re-assignment.

2. IPS + Logging

• FortiSIEM detects an attempt to exploit a known vulnerability in a PLC (e.g., Modbus function abuse) → logs it → triggers FortiGate IPS to block traffic from the offending source.

3. FortiAnalyzer + FortiGate

• Periodic policy audit shows unauthorized protocol use in SCADA zone → security team uses FortiAnalyzer data to refine FortiGate rules.

Benefits of Closed-Loop Integration

• Enables automated, policy-driven response to threats.
• Improves MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond).
• Promotes cross-functional visibility across access control, detection, and enforcement layers.

Why This Matters in Exams

You may face scenario questions requiring you to connect the dots between logs, alerts, and system actions:

"Which set of actions ensures a full-cycle response when an unauthorized command is detected in protocol traffic?"

The best answer would include: logging → alert → IPS policy enforcement or NAC isolation.