The examination of an authentication (or auth) log. An auth log captures every attempt to prove a user’s identity to a system: logins, privilege escalations and the time boundaries of every access session.
Just a normal day at the office
Emails came in, the CRM was working, projects were assigned, email responses went out, onsite employees and remote employees were checking in with their projects’ progress, questions were asked and answered.
And yet there was an uninvited and hidden observer to all the normalcy, who was exfiltrating data, installing criminals’ tools, gathering intel, like credentials, to loot or otherwise mount an attack.
The average dwell time (the term for this period of surreptitious criminal activity) is 14 days, per Mandiant [1] – two weeks of unseen criminal activity on a network before detection.
The thing is, unless you’re looking for it, unless you know what to look for, you cannot tell.
Bad instincts
Many smaller organizations, when they become aware of an attack, shut down their machines and try to reboot. If the reboot fails to get them back, they search their backups for a restore point prior to the incident and try to restore their systems to that date. The problem is twofold: a restore may only take you back to the point where the attack became visible, leaving the criminal’s original entry point intact, and most backups are not set up to retain the complete set of logs.
A lack of logs can come back to bite your business if you’re looking to file a cyber-insurance claim: a forensic examination of what transpired, informed by the logs, is a common part of an insurance investigation. Similarly, compliance with standards, such as the military’s CMMC and DFARS requirements and the credit card industry’s PCI, often requires access to logs to reconstruct the circumstances of a breach.
The $300,000 question
Six weeks after that seemingly normal day at the office, the breach was discovered. Cyber-insurance carriers typically need untouched evidence for their investigators before they can process a claim. Were the logs retained, or were they overwritten in the scramble to restore systems to a previous point in time? The $300,000 in recovery costs can come from the insurer or can come out of the business [2].
The elements of forensics
Without the following three in place before a criminal event, an organization’s ability to conduct its own forensics or comply with an outside investigation is hampered:
- A policy and practice of log retention. How will logs be generated and stored? And for how long will your organization retain the logs? This is the evidence trail.
- A policy and practice of not disturbing the discovered scene of an incursion. This is your crime-scene protocol.
- A policy and practice of how to forensically handle an incident: who to call and what steps need to be taken to ensure the integrity of the logs.
How does forensics fit in?
In the first part of this series we looked at the ability to detect an incoming attack, whether that’s through an EDR and SOC or through finding your organization’s leaked credentials trading online.
In the second part we saw how putting up a wall, paralleling the physical world, was the foundation of any cyber-defense. These walls can include firewalls and signature-based antivirus defenses and backups that can undo damage by getting to a pre-attack state.
Forensics is then the ability to prove what actually happened, so you can learn from true knowledge (not just guessing at the cause) and shore up the discovered weaknesses, so that such an attack is unlikely to happen again.
Getting it together
The tools to meet forensics scrutiny start with Managed EDR (Endpoint Detection and Response). EDR identifies and stops threats from spreading – and in its managed form, analysis and reporting are sent to a SOC (Security Operations Center), where the generated data is assessed, handled, and retained for an agreed-on period.
SIEM (Security Information and Event Management) consolidates your security data into comprehensive logs, drawing from cloud services, firewalls, networked devices, and applications. Managed SIEM adds expert analysis and handling at a SOC.
Together, EDR and SIEM produce a whole-picture timeline – what compliance auditors and cyber-insurance examiners need to verify the integrity of your organization’s data and calculate risk.
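The whole-picture timeline described above is built from exactly the records the opening caption lists for an auth log: logins, privilege escalations and session boundaries. The following is an added example (not code from the original post or from Bryley) that rebuilds that timeline from a few constructed Linux auth.log lines; the sample lines, the host name, the user names and the year supplied to the parser are all assumptions of the example.

```python
import re
from datetime import datetime

# Constructed sample auth.log lines for this example (not from any real system).
SAMPLE_AUTH_LOG = """\
Mar 10 08:01:12 host1 sshd[2311]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 08:01:12 host1 sshd[2311]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar 10 08:03:40 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar 10 08:15:02 host1 sshd[2311]: pam_unix(sshd:session): session closed for user alice
Mar 10 23:47:55 host1 sshd[4102]: Failed password for root from 203.0.113.7 port 40210 ssh2
Mar 10 23:48:01 host1 sshd[4105]: Accepted password for backup from 203.0.113.7 port 40214 ssh2
Mar 10 23:48:01 host1 sshd[4105]: pam_unix(sshd:session): session opened for user backup by (uid=0)
Mar 10 23:49:30 host1 sudo:   backup : TTY=pts/1 ; PWD=/var/backups ; USER=root ; COMMAND=/bin/bash
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
ACCEPT_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
FAIL_RE = re.compile(r"Failed \w+ for (?:invalid user )?(\S+) from (\S+)")
OPEN_RE = re.compile(r"session opened for user (\S+)")
CLOSE_RE = re.compile(r"session closed for user (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")

def build_timeline(log_text, year):
    """Rebuild each access session (start/end), the source of its login and the
    privilege escalations inside it. syslog lines carry no year: caller supplies it."""
    sessions, failed, last_source, open_sessions = [], [], {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(3)
        if a := ACCEPT_RE.search(msg):
            last_source[a.group(1)] = a.group(2)       # remember source IP for the session
        elif f := FAIL_RE.search(msg):
            failed.append({"time": ts, "user": f.group(1), "source": f.group(2)})
        elif o := OPEN_RE.search(msg):
            s = {"user": o.group(1), "start": ts, "end": None,
                 "source": last_source.get(o.group(1)), "escalations": []}
            sessions.append(s)
            open_sessions[o.group(1)] = s               # session boundary: start
        elif c := CLOSE_RE.search(msg):
            s = open_sessions.pop(c.group(1), None)
            if s:
                s["end"] = ts                           # session boundary: end
        elif e := SUDO_RE.search(msg):
            s = open_sessions.get(e.group(1))           # attribute sudo to the open session
            if s:
                s["escalations"].append({"time": ts, "as": e.group(2), "command": e.group(3)})
    return {"sessions": sessions, "failed_logins": failed}
```

Calling `build_timeline(SAMPLE_AUTH_LOG, 2026)` yields two sessions: a daytime one for alice that closed after 13 minutes 50 seconds, and a late-night one for backup from an outside address that was never closed and escalated to a root shell, which is the kind of detail an examiner can only recover if the log survived the restore.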
But tools aren’t a strategy. For larger organizations there is a dedicated CIO or CTO who thinks about the big picture. This role includes connecting detection, defense and forensics into a coherent security posture.
Bryley Systems in its vCIO/CTO role can work with you to see your security investments are coordinated, your obligations are understood, and your exposure is managed. To explore what that might look like for your organization, reach out to Bryley’s Roy Pacitto at 978•562•6077 x 217 or email Roy at rpacitto@Bryley.com to assess your organization’s forensics-readiness.
What did you take away from our look at detection, defense and forensics?
[1] https://cloud.google.com/security/resources/m-trends/
[2] Cyberattacks cost 27% of organizations more than $500,000/year, per Huntress.
by Lawrence Strauss, March 24, 2026
Lawrence has written for Bryley since 2015. His coverage of cyber-scams appears on moneywise.com