Softline IT

Minimum NGFW logging contract: How to investigate attacks and optimize costs

Why default NGFW logging settings are insufficient for attack investigation

Typical Next-Generation Firewall (NGFW) logging configurations often do not provide sufficient detail or retention periods required for comprehensive cybersecurity incident investigations. This creates significant visibility gaps, complicating the reconstruction of events during an attack and the identification of its source and impact.

For example, some vendors may default to logging only the start of a session, which can be insufficient as applications may change throughout the session's lifecycle. Also, overly detailed logging of all traffic can lead to massive data volumes, making it difficult to detect truly important events and increasing storage costs.

Industry standards, such as NIST Special Publication 800-92, emphasize the importance of effective logging and log analysis as a critical component of a comprehensive security program. They point to the need not only for collection but also for proper log management, including their storage and integrity protection. Without these elements, an organization risks missing signs of unauthorized activity.

Key NGFW log types required for investigation

For effective investigation of NGFW cyberattacks, it is critical to collect and analyze a certain minimum set of log types. These logs provide the information needed to understand what happened, who was involved, and how similar incidents can be prevented in the future.

Key log types to consider:

  • Connection logs / traffic logs: Record information about allowed and blocked traffic, including source and destination IP addresses, ports, protocols, and connection status. This is the foundation for understanding network activity.
  • Threat logs: Document detected and blocked threats, such as intrusions, malware, and exploit attempts.
  • URL filtering logs: Detail access to web resources, allowed and blocked URLs, which helps detect phishing attempts or access to malicious sites.
  • System logs: Contain information about the NGFW's status, configuration changes, reboots, errors, and hardware status.
  • User activity logs / authentication logs: Record login attempts (successful and failed), administrator actions, and account changes. This is important for tracking compromised accounts.

NIST SP 800-92 recommends establishing policies and procedures for log management, including their prioritization and the creation of a log management infrastructure. Vendor documentation, such as from Fortinet and Palo Alto Networks, also emphasizes the importance of comprehensive logging and centralized log management for analysis and reporting.

Defining optimal log retention periods: Balancing risk and cost

Defining the optimal log retention period is a critical decision for CISOs, requiring a balance between security requirements, regulatory obligations, and economic feasibility. Excessive retention increases costs, while insufficient retention increases the risk of being unable to investigate.

Regulatory requirements:

  • HIPAA: Requires audit logs and other documentation related to PHI (Protected Health Information) to be retained for at least six years from the date of creation or last use.
  • GDPR: Does not set fixed terms but requires personal data to be stored only as long as necessary for the purpose for which it was collected. Organizations must justify and document their retention policies. For security logs, a period of 6-12 months is often considered reasonable.
  • PCI DSS 4.0: Requires 12 months of log history to be retained, with 3 months readily accessible for payment card data processing environments.
  • CERT-In (India): Mandates the retention of system logs for a minimum of 180 days.

Storage costs and operational complexity:

Storing large volumes of logs can be expensive, especially in cloud environments where pricing is often based on data volume and retention periods. To optimize costs, it is recommended to use tiered storage strategies (hot, warm, cold storage), moving older, less frequently used logs to less expensive storage. Data compression and deduplication can also significantly reduce costs.

Typical incident lifecycle:

Most operational investigations and troubleshooting rely on recent log data, often within 14 days. However, detecting complex, long-term attacks that may go unnoticed for months requires longer retention periods. The compromise is to provide sufficient historical depth for forensic analysis without overstretching the budget. A general rule is to retain at least 12 months of data to comply with most regulatory requirements and support investigations.

Softline IT helps plan and implement cybersecurity solutions: from auditing the current state to an agreed-upon change plan.

Practical checklist for auditing and configuring NGFW logging

For CISOs aiming to optimize NGFW logging, this checklist will help assess the current state and identify necessary steps to improve visibility and incident response capabilities.

NGFW logging audit and configuration checklist

  1. NGFW generated log types:
    • Verify that the following log types are generated and collected: connection/traffic, threat, URL filtering, system, user activity/authentication.
  2. Log detail level:
    • Ensure logs contain sufficient detail: source/destination information (IP addresses, ports), protocols, actions (allowed/blocked), user identifiers, full URLs, detected threats.
    • For Palo Alto Networks: ensure logging occurs at the end of the session for more accurate application identification.
  3. Log retention period:
    • Define and document a retention policy for each log type, considering regulatory requirements (HIPAA, GDPR, PCI DSS) and internal investigation needs.
    • Consider tiered storage (hot, warm, cold storage) to balance availability and cost.
  4. Centralized log collection and aggregation mechanisms:
    • Ensure all NGFW logs are centrally collected in a SIEM system or on a dedicated log server (e.g., FortiAnalyzer for Fortinet, Panorama for Palo Alto Networks).
    • Use secure channels for log transmission (e.g., encryption, VPN).
  5. Log integrity and confidentiality protection mechanisms:
    • Ensure logs are protected from unauthorized access, modification, or deletion. This may include access control, hashing, digital signatures.
    • Consider encrypting logs, especially if they contain sensitive information.
  6. Procedures for regular auditing and review of logging settings:
    • Establish a regular schedule for reviewing logging policies and NGFW settings to ensure their relevance and compliance with changes in the threat landscape and regulatory requirements.
    • Verify that all firewall policies have logging enabled.

Softline IT helps teams plan and implement cybersecurity, from an assessment of the current environment to an agreed change plan.

Sources used

  1. 01reddit.comreddit.com
  2. 02tufin.comtufin.com
  3. 03knowledgebase.paloaltonetworks.compaloaltonetworks.com
  4. 04pan.devpan.dev
  5. 05sc1.checkpoint.comcheckpoint.com
  6. 06en.wikipedia.orgwikipedia.org
  7. 07publish.obsidian.mdobsidian.md
  8. 08srql.comsrql.com
  9. 09valuementor.comvaluementor.com
  10. 10netwisetech.aenetwisetech.ae
  11. 11exabeam.comexabeam.com
  12. 12youtube.comyoutube.com
  13. 13security.berkeley.eduberkeley.edu
  14. 14blumira.comblumira.com
  15. 15coralogix.comcoralogix.com
  16. 16docs.fortinet.comfortinet.com
  17. 17logicmonitor.comlogicmonitor.com
  18. 18snaresolutions.comsnaresolutions.com
  19. 19hipaajournal.comhipaajournal.com
  20. 20kiteworks.comkiteworks.com
  21. 21hipaavault.comhipaavault.com
  22. 22schellman.comschellman.com
  23. 23censinet.comcensinet.com
  24. 24last9.iolast9.io
  25. 25exabeam.comexabeam.com
  26. 26mezmo.commezmo.com
  27. 27cookiebot.comcookiebot.com
  28. 28gdprregulation.eugdprregulation.eu
  29. 29optro.aioptro.ai
  30. 30blog.anexgate.comanexgate.com
  31. 31answers.databricks.comdatabricks.com
  32. 32logzilla.ailogzilla.ai
  33. 33security.stackexchange.comstackexchange.com
  34. 34docs.paloaltonetworks.compaloaltonetworks.com
  35. 35plasmaticsun.complasmaticsun.com
  36. 36sc1.checkpoint.comcheckpoint.com
  37. 37discovercybersolutions.comdiscovercybersolutions.com
Tags