18. Event Logging Best Practices
Different tools are used depending on whether the risk comes from traffic entering the infrastructure or from traffic leaving it.
Ingress Monitoring
Ingress monitoring refers to surveillance and assessment of all inbound communications traffic and access attempts. Devices and tools used for ingress monitoring include:
- Firewalls
- Gateways
- Remote authentication servers
- IDS/IPS tools
- SIEM solutions
- Anti-malware solutions
Egress Monitoring
Egress monitoring is used to regulate data leaving the organization’s IT environment.
- The term used for this effort is data loss prevention (DLP) or data leak protection.
- DLP should be deployed so it can inspect all forms of data leaving the organization, including:
  - Email (content and attachments)
  - Copy to portable media
  - File Transfer Protocol (FTP)
  - Posting to web pages/websites
  - Applications/application programming interfaces (APIs)
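The egress side above, as an added example that is not part of these notes: a minimal DLP-style policy check in Python over constructed outbound events on the listed channels, which blocks content matching a sensitive-data pattern and alerts on any channel the policy does not inspect. The channel names, the two detection patterns and the (channel, user, content) event layout are assumptions for illustration.

```python
import re

# Channels the notes say DLP must inspect; an event on any other channel is a
# coverage gap, so the policy alerts on it instead of silently allowing it.
COVERED_CHANNELS = {"email", "portable_media", "ftp", "web_post", "api"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a random digit run (an order id) is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(content: str) -> set:
    """Set of sensitive-data labels found in the outbound content."""
    findings = set()
    for m in CARD_RE.finditer(content):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            findings.add("card_number")
    if SSN_RE.search(content):
        findings.add("ssn")
    return findings

def evaluate(channel: str, content: str) -> dict:
    """Policy decision: block sensitive content, alert on an uninspected channel."""
    if channel not in COVERED_CHANNELS:
        return {"action": "alert", "reason": "channel not covered by DLP"}
    findings = classify(content)
    if findings:
        return {"action": "block", "reason": ", ".join(sorted(findings))}
    return {"action": "allow", "reason": ""}

# Constructed sample events (channel, user, outbound content); not real data.
SAMPLE_EVENTS = [
    ("email", "alice", "Invoice attached, card 4111 1111 1111 1111"),
    ("portable_media", "bob", "quarterly report draft"),
    ("ftp", "carol", "SSN 123-45-6789 for payroll"),
    ("web_post", "dave", "order id 1234567890123456"),
    ("bluetooth", "frank", "contact list"),
]

def run_policy(events):
    # Evaluate every event and return (channel, user, action) tuples.
    return [(ch, user, evaluate(ch, body)["action"]) for ch, user, body in events]
```

Running `run_policy(SAMPLE_EVENTS)` blocks the email and FTP events, allows the report and the order id (which fails the Luhn check), and alerts on the uncovered Bluetooth channel.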