Deepshikha Paty
DI-ASM
What is Insufficient Logging and Monitoring?
- It means your system is not properly recording security events, and you're not watching for signs of attacks or misuse.
- As a result, attacks can happen without you even knowing — and you can’t detect or respond to them in time.
How does it happen?
- Insufficient logging and monitoring occurs when an organization doesn't properly track or log key activities on its systems.
- For example, when an attacker does something malicious, like trying to hack into the system, there might not be enough data (such as the attacker's IP address or the actions they performed) to identify or track the intruder.
- This happens because some companies focus only on infrastructure logs (like network events) but fail to log important details about API activities, which are crucial for detecting suspicious behaviour.
Example: Silent Brute Force Attack
Imagine a bank's website:
- A hacker tries to log in with 1000 different passwords (brute force).
- The system doesn’t log these failed attempts.
- There's no alert to the security team.
Result: The attacker eventually logs in — and no one notices until it’s too late.
Real-world consequences:
- Data breaches go undetected for weeks or months
- Harder to investigate or recover from attacks
- No evidence to understand what went wrong
🎯 Why it matters:
- Without logs, you can’t see what happened
- Without monitoring, you can’t act fast
- It gives attackers more time and freedom to cause damage
✅ Good Logging and Monitoring should:
- Log important events, like:
  - Failed logins
  - Access to sensitive data
  - Changes in user roles or settings
- Alert the security team in real-time
- Store logs safely so attackers can't delete them
- Use SIEM tools (like Splunk, ELK, etc.) to analyze logs
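The silent brute-force scenario above and the "log failed logins, then alert in real time" advice, as an added example that is not part of the original slides: a small Python detector that reads structured auth events (constructed sample lines; the field names and the 5-failures-in-5-minutes threshold are assumptions) and raises an alert when one source IP piles up failed logins, with a higher-priority alert if that same IP then logs in successfully.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of structured auth events, one JSON object per line.
# Each line carries what an investigation needs: when, what, who, from where.
SAMPLE_LOG = """\
{"ts": "2024-05-01T10:00:00", "event": "login_failed", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:01", "event": "login_failed", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:02", "event": "login_failed", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:03", "event": "login_failed", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:04", "event": "login_failed", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:00:05", "event": "login_ok", "user": "alice", "src_ip": "203.0.113.7"}
{"ts": "2024-05-01T10:01:00", "event": "login_failed", "user": "bob", "src_ip": "198.51.100.2"}
{"ts": "2024-05-01T10:30:00", "event": "login_failed", "user": "bob", "src_ip": "198.51.100.2"}
"""


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for any source IP with >= threshold failed logins inside a
    sliding time window (threshold and window are assumed values), plus an
    escalated alert if that IP then succeeds. Two failures 29 minutes apart,
    as for 'bob' below, fall outside the window and stay quiet."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still in window
    alerted = set()              # IPs already reported, so one burst = one alert
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        ip = ev["src_ip"]
        q = recent[ip]
        # Forget failures that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if ev["event"] == "login_failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"type": "brute_force", "src_ip": ip,
                               "failures": len(q), "ts": ev["ts"]})
        elif ev["event"] == "login_ok" and ip in alerted:
            # A success right after a burst of failures is the case the page
            # warns about: the attacker got in. Escalate it separately.
            alerts.append({"type": "success_after_brute_force", "src_ip": ip,
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(json.dumps(alert))
```

In a real deployment the same events would be shipped to a write-protected store or SIEM and the alert would page the security team rather than print.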