KR addresses the weakness behind insufficient logging and monitoring: auditable events in the environment, such as logins, login failures, and critical transactions, are not logged at all, and when something does go wrong there is either no log message or one that is inadequate or unclear.
Application and API logs are likewise not monitored for suspicious activity, and logs are often kept only on the local host, where an attacker who compromises that host can read, alter, or delete them before anyone notices.
In light of these weaknesses, KR recommends an automated process that notifies the responsible users when particular alerts fire or when alert thresholds are reached, so that appropriate action can be taken in time.
It is also recommended that logs be backed up and synchronized to other servers, so that a copy survives the loss or compromise of the host that produced them.
Additionally, an attacker who has compromised a server must not be able to clear the logs after the fact.
Review the system and verify that all important actions are recorded. The verification should cover logins, login failures, important transactions, and password changes, so that the records are available for future forensics ... KR proposes.
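The recommendations above, as an added example that is not KR's own code: a small audit logger that records the event types KR lists, protects each record with an HMAC and a hash chain so a host-level attacker cannot silently edit it, ships a copy to a second sink standing in for a separate log server, raises an alert when a failed-login threshold is reached, and then verifies the local store both for integrity and for coverage of the required event types. The HMAC key, the sample events, and the in-memory "remote" sink are all constructed for the demonstration; a real deployment would hold the key outside the application host and ship to a real collector.

```python
"""Tamper-evident security event log with threshold alerting and verification.

Added example, not KR's code. The key, events and the in-memory remote sink
are constructed for the demo; the remote list stands in for a separate log server.
"""
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Event types KR says must be recorded for later forensics.
REQUIRED_EVENTS = {"login", "login_failure", "transaction", "password_change"}
GENESIS = "0" * 64
KEY = b"constructed-demo-key-keep-off-the-app-host"  # assumption: managed elsewhere


def compute_mac(key: bytes, entry: dict) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the MAC itself."""
    body = {k: v for k, v in entry.items() if k != "mac"}
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class AuditLog:
    """Hash-chained, HMAC-protected log kept locally and mirrored to a remote sink."""

    def __init__(self, key: bytes):
        self.key = key
        self.local = []    # what the application host stores
        self.remote = []   # copy shipped to the (simulated) separate log server
        self.prev = GENESIS

    def record(self, ts: int, event: str, user: str, outcome: str, detail: str = "") -> dict:
        entry = {"ts": ts, "event": event, "user": user,
                 "outcome": outcome, "detail": detail, "prev": self.prev}
        entry["mac"] = compute_mac(self.key, entry)
        self.prev = entry["mac"]              # next record chains onto this MAC
        self.local.append(entry)
        self.remote.append(dict(entry))       # ship before an attacker can touch it
        return entry


def verify_chain(records: list, key: bytes) -> int:
    """Return -1 if every MAC and chain link is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, entry in enumerate(records):
        expected = compute_mac(key, entry)
        if entry.get("prev") != prev or not hmac.compare_digest(expected, entry.get("mac", "")):
            return i
        prev = entry["mac"]
    return -1


def records_missing_locally(local: list, remote: list) -> int:
    """Count records the remote copy holds that the local store has lost (cleared or truncated)."""
    common = 0
    for a, b in zip(local, remote):
        if a["mac"] != b["mac"]:
            break
        common += 1
    return len(remote) - common


def missing_event_types(records: list, required=REQUIRED_EVENTS) -> list:
    """Event types KR requires that never appear in the records under review."""
    return sorted(required - {e["event"] for e in records})


def failed_login_alerts(records: list, threshold: int = 3, window: int = 300) -> list:
    """One (user, ts) alert per burst of `threshold` login failures inside `window` seconds."""
    alerts, recent = [], defaultdict(deque)
    for e in records:
        if e["event"] != "login_failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((e["user"], e["ts"]))
            q.clear()                         # one alert per burst, not one per extra failure
    return alerts


def build_sample_log() -> AuditLog:
    """Constructed sample events (timestamps are plain seconds for determinism)."""
    log = AuditLog(KEY)
    log.record(1000, "login", "alice", "success")
    for t in (1010, 1020, 1030):
        log.record(t, "login_failure", "mallory", "failure", "bad password")
    log.record(1040, "transaction", "alice", "success", "transfer 250.00 to acct 4412")
    log.record(1100, "password_change", "alice", "success")
    return log


def demo() -> dict:
    """Alert on the sample, then simulate a host-level attacker and verify against the remote copy."""
    log = build_sample_log()
    result = {"intact_before": verify_chain(log.local, KEY),
              "alerts": failed_login_alerts(log.local)}
    log.local[1]["user"] = "nobody"          # attacker rewrites a failed-login record
    del log.local[-1]                        # ... and clears the newest record
    result["first_bad"] = verify_chain(log.local, KEY)
    result["lost"] = records_missing_locally(log.local, log.remote)
    result["missing_types"] = missing_event_types(log.local)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The chain alone catches edits in the middle of the log but not a clean truncation of the tail, because the prefix still verifies; that is why the comparison against the remote copy is a separate check, and why KR's "synchronize with other servers" matters as much as integrity protection. The coverage check is the cheap, repeatable form of "review the system and verify that all important actions have been recorded".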