We have just published some guidance which highlights the importance of logging, and crucially, explains how to go about capturing the kind of data that’s central to understanding and recovering from a cyber breach.

This guidance comes in response to feedback from our incident response teams and external consultation work, where it’s all too common to hear that organisations either aren’t gathering any logs at all, or believe they are logging only to find out their system is broken or insufficient when an incident actually occurs.

Following a cyber incident, analysing log data is often the only way to identify how an attacker got onto a network and what their impact has been. An organisation facing a cyber attack with no stored logs will have to play catch up – deploying rapid changes to gather logs. This greatly lengthens the investigation time and reduces its effectiveness.


The audience for the guidance is relatively wide. It applies to small organisations without a logging system in place, trying to understand what’s appropriate, just as it does to larger organisations wanting to validate the types of logs that feed their current security monitoring.

Everyone’s network and IT are different, so we avoid focusing too much on technology. For example, collecting DHCP logs is useful in an on-premise office setup, but irrelevant in a digital cloud service.

Incident questions

Following the guidance to develop your own logging system, you’ll be equipped with the data you need for detailed post-event analysis. To achieve this, the guidance first considers the type of questions you may be asked during an incident, then suggests how you could answer them, given a varied set of IT systems.

With this logging capability in place, you’ll also be able to develop an effective detection activities. And indeed, this will be the subject of future guidance.

All comments are welcome, as always. Please tell us what you think by commenting below, through our contact us page, or via your usual NCSC contact.

Shane M

Lead Security Architect for Security Monitoring

Source: National Cyber Security Centre

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!