Monitoring & Logging: If a Tree Falls and Nobody Logs It...
"Nothing is true. Everything is permitted. But log everything anyway."
🔍 The Problem: Security Events Nobody Sees (Until Too Late)
If a tree falls in the forest and nobody logs it, it still fell. But you'll never prove it. You'll never know when. You'll never know why. And when the auditor asks, you'll look stupid. FNORD—and when the breach happens, you'll learn you had zero visibility into the compromise that happened six months ago.
Detection requires visibility. Visibility requires logging. Logging requires storage. Storage requires money. Money requires justification. And around we go. Are you paranoid enough to log everything before you need it? Most people aren't. That's why most breaches surprise them.
At Hack23, comprehensive monitoring is non-negotiable: AWS cloud-native observability stack. CloudWatch Logs for application and system events. CloudTrail for all AWS API calls (tamper-evident audit trail with log file integrity validation). GuardDuty for ML-powered threat detection. Security Hub for finding aggregation. VPC Flow Logs for network traffic analysis. Nothing is true—especially claims of "no suspicious activity" when you're not even looking.
Our monitoring strategy spans Network Security Policy, Secure Development Policy, and Security Metrics—because monitoring isn't one policy, it's foundational to everything. Everything is permitted—including attackers operating undetected because you weren't watching.
ILLUMINATION: If a tree falls in the forest and nobody logs it, it still fell. But you'll never prove it. Log everything. Review intelligently. AWS makes this cheap to switch on, but not automatic: beyond the 90-day CloudTrail event history, nothing comprehensive is recorded until you enable the trail, the flow logs and GuardDuty yourself. Comprehensive logging is table stakes, not optional. FNORD—the attack you didn't log is the breach you can't explain. Are you paranoid enough to assume attackers are already inside? You should be.
📊 The Five Categories of "What to Watch" (AWS Edition)
1. Authentication Events
Who's trying to get in?
AWS IAM Identity Center sign-ins, MFA challenges, failed authentications. CloudTrail records them alongside every IAM action. GuardDuty flags the patterns of credential compromise: API calls from unusual locations, anomalous use of a principal's keys.
If someone's trying to become root at 3 AM, a CloudTrail metric filter feeding a CloudWatch Alarm notifies immediately.
2. Authorization Events
Who's accessing what?
IAM policy evaluations, S3 bucket access, Lambda invocations. CloudTrail records management API calls with request parameters and response elements; S3 object-level access and Lambda invocations are data events, which a trail only records once you switch them on explicitly. Access denied events trigger investigation.
When attempts fail, logs show who tried and what they wanted. Success AND failure matter.
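The authentication and authorization rules above, run over a batch of CloudTrail records. This is an added example, not Hack23 code: the records are constructed and simplified (real events carry many more fields), the thresholds are assumptions, and the CIS metric-filter patterns are included so the same rules can be pointed at a log group instead of a script.

```python
"""Triage CloudTrail records for the authentication and authorization
signals above. Added example: the events below are constructed for it
and simplified, not real CloudTrail output."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# The same rules as CloudWatch Logs metric-filter patterns (from the CIS
# AWS Foundations Benchmark), for a trail that delivers to a log group.
CIS_METRIC_FILTERS = {
    "root_usage": '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
                  '&& $.eventType != "AwsServiceEvent" }',
    "console_login_no_mfa": '{ ($.eventName = "ConsoleLogin") && ($.additionalEventData.MFAUsed != "Yes") }',
    "console_login_failure": '{ ($.eventName = "ConsoleLogin") && ($.errorMessage = "Failed authentication") }',
    "unauthorized_api_call": '{ ($.errorCode = "*UnauthorizedOperation") || ($.errorCode = "AccessDenied*") }',
}

BRUTE_FORCE_THRESHOLD = 3                     # failed logins from one IP... (assumed)
BRUTE_FORCE_WINDOW = timedelta(minutes=10)    # ...inside this window (assumed)


def _when(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _who(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("arn") or ident.get("type")


def triage(records):
    """Return (severity, rule, detail) findings for a batch of records."""
    findings = []
    failures_by_ip = defaultdict(list)
    for rec in records:
        ident = rec.get("userIdentity", {})
        name = rec.get("eventName")
        ip = rec.get("sourceIPAddress")
        # Category 1: who is trying to get in? Any root use is a finding,
        # successful or not; service-initiated root events are excluded as in CIS.
        if (ident.get("type") == "Root" and "invokedBy" not in ident
                and rec.get("eventType") != "AwsServiceEvent"):
            findings.append(("critical", "root_usage", f"{name} from {ip}"))
        if name == "ConsoleLogin":
            if rec.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                failures_by_ip[ip].append(_when(rec))
                findings.append(("low", "console_login_failure", f"{_who(rec)} from {ip}"))
            elif rec.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("high", "console_login_no_mfa", f"{_who(rec)} from {ip}"))
        # Category 2: who was refused what? Denials are logged like successes;
        # the errorCode field is what separates them.
        err = rec.get("errorCode", "")
        if err.startswith("AccessDenied") or err.endswith("UnauthorizedOperation"):
            findings.append(("medium", "unauthorized_api_call", f"{_who(rec)} -> {name}"))
    # Repeated failures from one source in a short window: guessing, not a typo.
    for ip, times in failures_by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= BRUTE_FORCE_WINDOW]
            if len(burst) >= BRUTE_FORCE_THRESHOLD:
                findings.append(("high", "console_login_brute_force", f"{len(burst)} failures from {ip}"))
                break
    return findings


# Constructed sample batch (one JSON record per line), not real CloudTrail output.
SAMPLE_EVENTS = [json.loads(line) for line in r'''
{"eventTime":"2024-05-01T03:02:11Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","userIdentity":{"type":"Root","arn":"arn:aws:iam::111122223333:root"},"sourceIPAddress":"192.0.2.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2024-05-01T03:05:40Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T03:06:10Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T03:06:55Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"admin"},"sourceIPAddress":"203.0.113.9","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2024-05-01T03:09:02Z","eventType":"AwsApiCall","eventName":"GetObject","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"203.0.113.20","errorCode":"AccessDenied","requestParameters":{"bucketName":"backups","key":"db.sql.gz"}}
{"eventTime":"2024-05-01T03:10:00Z","eventType":"AwsApiCall","eventName":"DescribeInstances","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111122223333:assumed-role/deploy/ci"},"sourceIPAddress":"10.0.1.5"}
{"eventTime":"2024-05-01T03:11:00Z","eventType":"AwsConsoleSignIn","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"carol"},"sourceIPAddress":"203.0.113.30","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
'''.strip().splitlines()]

if __name__ == "__main__":
    for sev, rule, detail in sorted(triage(SAMPLE_EVENTS)):
        print(f"{sev:8} {rule:26} {detail}")
```

The root console login is flagged even though it succeeded with MFA: root should not be used interactively at all, so the finding is the point. The three failures from 203.0.113.9 produce three low findings plus one high brute-force finding, which is the difference between "log failures" and "notice failures".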
3. System Events
What's the infrastructure doing?
Lambda invocation START/END/REPORT lines, RDS instance changes, configuration modifications. CloudWatch Logs capture all application output. AWS Config tracks resource changes.
Servers don't reconfigure themselves (usually). Config drift detection identifies unauthorized changes.
4. Network Events
What's flowing where?
VPC Flow Logs capture metadata for all traffic on an interface: source/destination IPs, ports, protocols, byte and packet counts, accept/reject decisions. Not payload; for that you need VPC Traffic Mirroring. GuardDuty analyzes flow patterns for threats.
50GB outbound to Romania at midnight? VPC Flow Logs + GuardDuty alert within minutes (minutes, not seconds: flow records are aggregated and delivered in batches before anything analyzes them).
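The two flow-log questions above, bulk outbound transfer and port scan, as detection logic over VPC Flow Log records in the default (version 2) format. Added example, not Hack23's own tooling: the sample lines, the VPC CIDR and the thresholds are constructed for it.

```python
"""Detect bulk outbound transfers and port scans in VPC Flow Log records
(default format, version 2). Added example with constructed sample lines,
not output from any real VPC."""
import ipaddress
from collections import defaultdict

# Default flow log format, in field order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Assumed VPC address space; "internal" means inside it, "external" outside.
VPC_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]


def parse_line(line):
    """One flow record -> dict. NODATA/SKIPDATA records carry '-' in most columns."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for f in NUMERIC:
        rec[f] = int(rec[f]) if rec[f] != "-" else 0
    return rec


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in VPC_CIDRS)


def usable(records):
    """Drop records without flow data; they have no addresses to reason about."""
    return [r for r in records if r["log_status"] == "OK"]


def find_exfil(records, byte_threshold):
    """Bytes ACCEPTed per (internal source, external destination) pair;
    returns the pairs at or above byte_threshold."""
    totals = defaultdict(int)
    for r in usable(records):
        if r["action"] == "ACCEPT" and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"]):
            totals[(r["srcaddr"], r["dstaddr"])] += r["bytes"]
    return {pair: b for pair, b in totals.items() if b >= byte_threshold}


def find_port_scans(records, min_ports):
    """External sources whose REJECTed flows touch >= min_ports distinct ports on one host."""
    ports = defaultdict(set)
    for r in usable(records):
        if r["action"] == "REJECT" and not is_internal(r["srcaddr"]):
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


# Constructed sample: one instance at 10.0.1.25 across two 10-minute windows.
SAMPLE_LINES = """
2 111122223333 eni-0a1b2c3d 10.0.1.25 10.0.2.10 51234 5432 6 900 120000 1714530000 1714530600 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.50 44321 443 6 2100000 32000000000 1714530000 1714530600 ACCEPT OK
2 111122223333 eni-0a1b2c3d 10.0.1.25 203.0.113.50 44322 443 6 1600000 24000000000 1714530600 1714531200 ACCEPT OK
2 111122223333 eni-0a1b2c3d 203.0.113.77 10.0.1.25 40000 22 6 1 44 1714530600 1714531200 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.77 10.0.1.25 40001 23 6 1 44 1714530600 1714531200 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.77 10.0.1.25 40002 445 6 1 44 1714530600 1714531200 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.77 10.0.1.25 40003 3389 6 1 44 1714530600 1714531200 REJECT OK
2 111122223333 eni-0a1b2c3d 203.0.113.77 10.0.1.25 40004 8080 6 1 44 1714530600 1714531200 REJECT OK
2 111122223333 eni-0a1b2c3d - - - - - - - 1714531200 1714531800 - NODATA
""".strip().splitlines()

GB = 10**9

if __name__ == "__main__":
    recs = [parse_line(l) for l in SAMPLE_LINES]
    print("exfil candidates:", find_exfil(recs, 50 * GB))
    print("port scans:", find_port_scans(recs, 5))
```

Two things the page's one-liner hides: the default format has no TCP flags, so a REJECT on five ports is the best scan signal you get without a custom format, and a NODATA record has dashes where addresses should be, which is why the parser tolerates them and the detectors skip them.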
5. Application Events
What are your apps actually doing?
Application logs to CloudWatch Logs. Transaction records, errors, security events. SQL injection attempts, authentication failures, API errors all logged.
Application-level security events show attacks that passed network controls. This is where attacks often appear first.
CHAOS ILLUMINATION: The log you didn't think to collect is the one that would have shown the breach. AWS makes comprehensive logging one API call away (CloudTrail trails, VPC Flow Logs, GuardDuty), but each is opt-in: a fresh account records only 90 days of management-event history. Storage is cheaper than incident response. Enable everything.
⚖️ The Logging Triad: Collect, Retain, Review
Collect Everything (AWS Makes This Easy)
Log authentication (IAM, Identity Center), authorization (API calls), configuration changes (AWS Config), security events (GuardDuty), and errors (CloudWatch Logs). Don't log passwords, session tokens or card numbers—that's just creating new problems. Once a trail, a log group and the right IAM permissions exist, AWS services deliver to CloudTrail and CloudWatch without any application code.
Retain Intelligently (By Classification)
📦 Hot Storage: 90 Days
CloudWatch Logs, immediately queryable. Active investigation and incident response. CloudWatch Logs Insights for analysis. Set the retention on every log group explicitly: a new group defaults to Never Expire.
Use Case: Security incidents, performance debugging, compliance checks
🧊 Cold Storage: 1 Year
S3 archival, cost-optimized. Historical analysis and compliance audits. Glacier for long-term retention.
Use Case: Annual audits, trend analysis, regulatory requirements
♾️ Forever Storage: Not A Thing
Unless you hate money. Retention policies enforce deletion. Compliance determines duration, not sentiment.
Reality: Most logs have diminishing value after 1 year. Delete strategically.
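The hot/cold/delete policy above expressed as the two settings that enforce it: an S3 lifecycle rule for the archive and an audit of CloudWatch log groups that were never given a retention. Added example, not Hack23 configuration; the prefix, group names and the listing are constructed placeholders, and the rule dict is in the shape boto3's put_bucket_lifecycle_configuration accepts.

```python
"""Retention hygiene for the hot/cold tiers above. Added example; the
lifecycle rule and the log-group listing are constructed, and the bucket
prefix and group names are placeholders."""

HOT_DAYS = 90        # CloudWatch Logs, then S3 archival
COLD_DAYS = 365      # S3/Glacier, then gone


def archive_lifecycle_rule(prefix, hot_days=HOT_DAYS, cold_days=COLD_DAYS):
    """S3 lifecycle rule: move archived logs to Glacier after the hot period,
    expire them at the cold limit, and expire superseded versions too. Without
    NoncurrentVersionExpiration a versioned bucket keeps every old copy forever."""
    if not hot_days < cold_days:
        raise ValueError("transition must happen before expiration")
    return {
        "ID": f"log-archive-{prefix.strip('/').replace('/', '-')}",
        "Status": "Enabled",
        "Filter": {"Prefix": prefix},
        "Transitions": [{"Days": hot_days, "StorageClass": "GLACIER"}],
        "Expiration": {"Days": cold_days},
        "NoncurrentVersionExpiration": {"NoncurrentDays": cold_days},
    }


def audit_log_group_retention(log_groups, max_days=HOT_DAYS):
    """Given describe_log_groups() entries, return groups whose retention is
    unset (CloudWatch default: never expire) or longer than max_days."""
    offenders = {}
    for g in log_groups:
        days = g.get("retentionInDays")       # key absent == Never Expire
        if days is None or days > max_days:
            offenders[g["logGroupName"]] = days
    return offenders


# Constructed listing in the shape boto3's describe_log_groups() returns.
SAMPLE_LOG_GROUPS = [
    {"logGroupName": "/aws/lambda/api", "retentionInDays": 90, "storedBytes": 52_000_000},
    {"logGroupName": "/aws/lambda/cron", "storedBytes": 9_400_000},          # never expires
    {"logGroupName": "/app/audit", "retentionInDays": 400, "storedBytes": 1_000},
    {"logGroupName": "CloudTrail/DefaultLogGroup", "retentionInDays": 30},
]

if __name__ == "__main__":
    import json
    print(json.dumps(archive_lifecycle_rule("cloudtrail/"), indent=2))
    print("fix these:", audit_log_group_retention(SAMPLE_LOG_GROUPS))
```

The audit is the part worth scheduling: every new Lambda function creates a log group with no retention, so "90 days hot" quietly becomes "forever" for any group nobody configured.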
Actually Review (Automated Where Possible)
GuardDuty analyzes logs automatically using machine learning. Security Hub aggregates findings from multiple sources. CloudWatch Alarms trigger on suspicious patterns. Manual review for complex investigations, but automated detection for known threats.
Response Times (Per Incident Response Plan):
- 🚨 Critical incidents: <30 minutes detection, <4 hours resolution
- 🟠 High incidents: <1 hour detection, <24 hours resolution
- 🟡 Medium incidents: <4 hours detection, <72 hours resolution
- 🔵 Low incidents: <24 hours detection, <1 week resolution
ILLUMINATION: A SIEM that generates 10,000 alerts per day is an untuned SIEM. Signal requires noise reduction. GuardDuty reduces noise through ML. Tune CloudWatch Alarms. Prioritize by impact. Or drown in alerts nobody reads.
🚨 Detection vs. Prevention: Both Required
Prevention is ideal. Detection is necessary. You can't prevent everything—budget, complexity, and reality intervene. But you can't detect what you didn't log, and what you did log you can at least detect, even if only after the fact.
Prevention: Stop attacks before they succeed.
Detection: Notice attacks while they're happening.
Response: Stop attacks after they start.
Recovery: Fix what broke.
You need all four. Prevention alone is optimism. Detection alone is archaeology. Choose balance.
📋 What Hack23 Actually Does
Our monitoring and logging strategy is distributed across policies: Network Security | Secure Development | Security Metrics
☁️ AWS CloudWatch
Application & System Logs:
- Lambda function logs (all invocations)
- Application logs (structured JSON)
- System metrics (CPU, memory, disk, network)
- Custom metrics (business KPIs, security events)
- CloudWatch Logs Insights for querying
Retention: 90 days hot storage, then S3 archival
📋 AWS CloudTrail
API Audit Trail (Tamper-Evident):
- All AWS management API calls logged (data events such as S3 object-level access and Lambda invoke are a separate, explicit trail setting)
- IAM actions, resource modifications, access attempts
- Multi-region trail (all regions covered)
- Log file integrity validation (tamper detection via signed SHA-256 digest files)
- S3 bucket with versioning enabled (keeps overwritten objects recoverable; versioning alone does not stop a principal who can delete versions, so pair it with a deny-delete bucket policy or S3 Object Lock)
Retention: 90 days CloudTrail service, 1 year S3 archive
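What "log file integrity validation" buys you, shown on a hash chain modelled after CloudTrail's digest files. Added example, not AWS or Hack23 code, and deliberately simplified: real digests carry more fields and an RSA signature over each digest, and the tool to run in practice is `aws cloudtrail validate-logs`. The "bucket" here is an in-memory dict of constructed objects, and the key names are placeholders.

```python
"""Tamper detection for an S3 log archive via a SHA-256 hash chain, modelled
on CloudTrail's digest files. Added example, simplified: real digests carry
more fields and an RSA signature, and `aws cloudtrail validate-logs` is the
tool to use in practice. The 'bucket' is an in-memory dict of constructed
objects keyed by placeholder S3 keys."""
import hashlib
import json


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_digest(bucket, log_keys, previous_digest_key):
    """Digest for log_keys, linked to the previous digest by its hash.
    Field names follow CloudTrail's digest format; the structure is reduced."""
    prev = bucket[previous_digest_key] if previous_digest_key else None
    doc = {
        "previousDigestS3Object": previous_digest_key,
        "previousDigestHashValue": sha256_hex(prev) if prev else None,
        "previousDigestHashAlgorithm": "SHA-256" if prev else None,
        "logFiles": [{"s3Object": k, "hashAlgorithm": "SHA-256",
                      "hashValue": sha256_hex(bucket[k])} for k in log_keys],
    }
    return json.dumps(doc, sort_keys=True).encode()


def verify_chain(bucket, digest_keys):
    """Walk digests oldest to newest. Returns problems found; [] means every
    listed log file is byte-identical to when it was digested and each digest
    still points at an unmodified predecessor."""
    problems = []
    prev_key = None
    for key in digest_keys:
        raw = bucket.get(key)
        if raw is None:
            problems.append(f"{key}: digest missing")
            prev_key = key
            continue
        d = json.loads(raw)
        if d["previousDigestS3Object"] != prev_key:
            problems.append(f"{key}: chain break, expected previous digest {prev_key}")
        elif prev_key in bucket and d["previousDigestHashValue"] != sha256_hex(bucket[prev_key]):
            problems.append(f"{key}: previous digest {prev_key} was modified")
        for lf in d["logFiles"]:
            data = bucket.get(lf["s3Object"])
            if data is None:
                problems.append(f"{lf['s3Object']}: log file deleted")
            elif sha256_hex(data) != lf["hashValue"]:
                problems.append(f"{lf['s3Object']}: log file modified")
        prev_key = key
    return problems


LOG_A = "logs/2024/05/01/trail-0300.json"
LOG_B = "logs/2024/05/01/trail-0400.json"
DIGEST_1 = "digests/2024/05/01/digest-0300.json"
DIGEST_2 = "digests/2024/05/01/digest-0400.json"


def run_scenarios():
    """Intact archive plus three tampering attempts; returns problems per case."""
    bucket = {
        LOG_A: b'{"Records":[{"eventName":"ConsoleLogin","userIdentity":{"type":"Root"}}]}',
        LOG_B: b'{"Records":[{"eventName":"DescribeInstances"}]}',
    }
    bucket[DIGEST_1] = make_digest(bucket, [LOG_A], None)
    bucket[DIGEST_2] = make_digest(bucket, [LOG_B], DIGEST_1)
    chain = [DIGEST_1, DIGEST_2]
    results = {"intact": verify_chain(bucket, chain)}

    # 1. Attacker scrubs the root login from the archived log file.
    edited = {**bucket, LOG_A: b'{"Records":[]}'}
    results["log_edited"] = verify_chain(edited, chain)

    # 2. Attacker also regenerates the first digest to match the edited log;
    #    the second digest still holds the hash of the original first digest.
    forged = dict(edited)
    forged[DIGEST_1] = make_digest(edited, [LOG_A], None)
    results["digest_forged"] = verify_chain(forged, chain)

    # 3. Attacker deletes the first digest outright.
    missing = {k: v for k, v in bucket.items() if k != DIGEST_1}
    results["digest_deleted"] = verify_chain(missing, chain)
    return results


if __name__ == "__main__":
    for case, problems in run_scenarios().items():
        print(f"{case:15} {problems or 'chain intact'}")
```

The chain is what makes editing expensive: rewriting one log file means forging its digest, which breaks the next digest's link, and so on to the newest one, and in the real scheme every forged digest would also need a valid RSA signature the attacker cannot produce. What the chain cannot do is resurrect files an attacker deleted along with the whole chain, which is why the bucket itself needs deny-delete protection or Object Lock.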
🛡️ AWS GuardDuty
ML-Powered Threat Detection:
- Analyzes VPC Flow Logs, CloudTrail, DNS logs
- Detects compromised instances, reconnaissance, backdoors
- Crypto mining detection, credential access attempts
- Threat intelligence feeds integrated
- Findings sent to Security Hub for aggregation
Response: Critical findings trigger immediate investigation per IR Plan
🎯 AWS Security Hub
Finding Aggregation & Compliance:
- Centralized findings from GuardDuty, Inspector, IAM Access Analyzer
- Automated compliance checks (CIS AWS Foundations, PCI DSS)
- Security score and prioritized recommendations
- Integration with Amazon EventBridge (formerly CloudWatch Events) for alerting
- Single pane of glass for all security findings
Dashboard: Daily review, weekly trend analysis, monthly reporting
Additional Monitoring Sources:
- 🌐 VPC Flow Logs: All network traffic captured, analyzed by GuardDuty
- 🔧 AWS Config: Resource configuration tracking, drift detection
- 🔍 Amazon Inspector: Vulnerability scanning for compute resources
- 📊 X-Ray: Distributed tracing for application performance and errors
META-ILLUMINATION: If you're not reviewing logs, you're just collecting evidence for the attacker's trial. Detective controls require detection. Detection requires looking—automated where possible (GuardDuty), manual where necessary (complex investigations). AWS puts comprehensive monitoring one API call away. Enable it.
🎯 Conclusion: See to Believe, Log to Prove
You can't defend what you can't see. You can't see what you don't log. You can't log what you don't configure. And you can't respond to what you don't review.
Monitoring and logging aren't optional—they're foundational. Prevention fails. Detection catches failure. Response limits damage. This is the cycle.
Hack23's AWS cloud-native monitoring demonstrates systematic observability:
- ☁️ CloudWatch: All application/system logs, 90-day hot retention
- 📋 CloudTrail: All API calls logged, tamper-evident audit trail, multi-region
- 🛡️ GuardDuty: ML threat detection, automated analysis of logs/traffic
- 🎯 Security Hub: Finding aggregation, compliance automation, single dashboard
- 🌐 VPC Flow Logs: Network traffic captured, <15 min anomaly response
Log everything. Review intelligently through automation. Respond quickly per classification-driven SLAs. Or find out the hard way that the breach happened six months ago and you never noticed because nobody was watching the logs.
All hail Eris! All hail Discordia!
"Think for yourself, schmuck! Question everything—especially logs that show 'no suspicious activity' when you know there should be. AWS makes comprehensive logging default—use it or explain why your incident response plan starts with 'we have no idea when this happened.'"
🍎 23 FNORD 5
— Hagbard Celine, Captain of the Leif Erikson
P.S. You are now in Chapel Perilous. Your logs contain both truth and noise. Both are real. Neither is complete. GuardDuty reduces noise through ML. CloudWatch Alarms filter signal. Security Hub prioritizes findings. Nothing is true—but everything is logged. Question the logs—especially when they're silent.