The growing interconnection and complexity of IT systems increase their vulnerability to cyberattacks. With version 2.1 of the minimum standard (MST) for logging and detecting cyberattacks, the Federal Office for Information Security (BSI) is presenting a central guideline for security requirements in the federal administration. However, given the increasing importance of cyber defense and legal requirements, companies can also derive key aspects from the MST.
Significance of the minimum standard
The standard is based on the requirements of the IT Security Act 2.0 and Section 8 BSIG and is aimed at IT managers, security officers and IT operating personnel. The aim is to ensure a uniform level of security to defend against cyber attacks.
The MST defines minimum requirements for the logging of security-relevant events (SRE) and their detection in order to recognize security incidents at an early stage and initiate suitable countermeasures.
The aim is to ensure the confidentiality, integrity and availability of IT systems. Legal requirements such as the General Data Protection Regulation (GDPR) are taken into account.
Logging: planning, collecting, documenting
Logging forms the basis for detecting cyber attacks. The process includes the identification of data sources, the collection of relevant event data and its structured documentation. Central requirements are:
- Data sources: All IT systems that can provide security-relevant information, such as firewalls, operating systems or applications, must be included.
- Events to be logged: These include logins, changes to access data, installations and system-critical processes.
- Documentation: The collected data must be stored in a central logging infrastructure that is both physically and logically protected.
Detection: Calibration, detection, evaluation
Detection is based on logging and includes automated and manual analysis of security-relevant events. The aim is to identify suspicious activities at an early stage.
- Calibration: Detection systems are tuned to the environment's normal operating conditions (a baseline) to minimize false alarms.
- Automated detection: Systems such as intrusion detection systems (IDS) or security information and event management (SIEM) help to analyze events in real time.
- Manual assessment: Qualified security incidents are reviewed by experts in order to initiate appropriate response measures.
In addition, security mechanisms and detection systems should be adapted to new threat situations.
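The logging and detection requirements above (security-relevant events from several sources, calibration against normal conditions, automated detection, and hand-off to manual assessment) can be illustrated end to end in a small script. The following is an added example written for this page; it is not code from the BSI or from the minimum standard, and the log format, host names, accounts and event categories in it are constructed for illustration.

```python
"""
Added example, not part of the BSI minimum standard: parse security-relevant
events (logins, changes to access data, installations) from constructed log
lines, calibrate a baseline on a window assumed to be clean, and then flag
deviations in a later observation window for manual assessment.
"""
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed log line shape for this example (not a real source format).
# Fields: timestamp, source host, event category, account, outcome, optional package.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<event>LOGIN|CRED_CHANGE|INSTALL) "
    r"user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL)"
    r"(?: pkg=(?P<pkg>\S+))?$"
)

# Constructed calibration window: assumed to reflect normal operation.
CALIBRATION_LOG = [
    "2024-11-11T08:00:01 ws-01 LOGIN user=alice result=OK",
    "2024-11-11T08:05:12 ws-02 LOGIN user=bob result=FAIL",
    "2024-11-11T08:05:20 ws-02 LOGIN user=bob result=OK",
    "2024-11-11T09:10:00 ws-03 LOGIN user=carol result=FAIL",
    "2024-11-11T09:10:08 ws-03 LOGIN user=carol result=FAIL",
    "2024-11-11T09:10:15 ws-03 LOGIN user=carol result=OK",
    "2024-11-11T10:00:00 srv-01 INSTALL user=root result=OK pkg=openssl",
]

# Constructed observation window, including one line the parser cannot read.
OBSERVATION_LOG = [
    "2024-11-12T02:14:00 ws-09 LOGIN user=admin result=FAIL",
    "2024-11-12T02:14:05 ws-09 LOGIN user=admin result=FAIL",
    "2024-11-12T02:14:10 ws-09 LOGIN user=admin result=FAIL",
    "2024-11-12T02:14:15 ws-09 LOGIN user=admin result=FAIL",
    "2024-11-12T02:14:20 ws-09 LOGIN user=admin result=FAIL",
    "2024-11-12T02:15:00 ws-09 LOGIN user=admin result=OK",
    "2024-11-12T02:16:00 ws-09 CRED_CHANGE user=admin result=OK",
    "2024-11-12T02:17:00 ws-09 INSTALL user=admin result=OK pkg=example-tool",
    "2024-11-12T08:00:01 ws-01 LOGIN user=alice result=OK",
    "2024-11-12T08:30:00 ws-02 LOGIN user=bob result=FAIL",
    "### corrupted line that does not match the expected shape ###",
]


def parse_event(line):
    """Return a dict for a well-formed event line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(lines):
    """Split lines into parsed events and rejected raw lines.
    Rejected lines are kept so gaps in logging coverage stay visible."""
    events, rejected = [], []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def failed_logins_per_user(events):
    return Counter(e["user"] for e in events
                   if e["event"] == "LOGIN" and e["result"] == "FAIL")


def calibrate(events, floor=3):
    """Derive a baseline from a window assumed to be clean: a failed-login
    threshold of mean + 3 standard deviations over per-user counts (never below
    `floor`, so a quiet window does not produce a hair-trigger rule) and the set
    of hosts seen reporting during normal operation."""
    counts = list(failed_logins_per_user(events).values()) or [0]
    threshold = mean(counts) + 3 * pstdev(counts)
    return {"fail_threshold": max(floor, round(threshold)),
            "known_hosts": {e["host"] for e in events}}


def detect(events, baseline):
    """Automated detection: return findings for manual assessment."""
    findings = []
    for user, n in failed_logins_per_user(events).items():
        if n > baseline["fail_threshold"]:
            findings.append(("LOGIN_FAIL_BURST", user, n))
    for e in events:
        # Changes to access data are always queued for review.
        if e["event"] == "CRED_CHANGE" and e["result"] == "OK":
            findings.append(("CRED_CHANGE", e["user"], e["host"]))
        # An installation reported by a host never seen in calibration.
        if e["event"] == "INSTALL" and e["host"] not in baseline["known_hosts"]:
            findings.append(("INSTALL_UNKNOWN_HOST", e["user"], e["host"]))
    return findings


def run():
    """Calibrate on the clean window, then detect on the observation window."""
    cal_events, _ = parse_log(CALIBRATION_LOG)
    baseline = calibrate(cal_events)
    obs_events, rejected = parse_log(OBSERVATION_LOG)
    return {"baseline": baseline, "findings": detect(obs_events, baseline),
            "rejected": rejected}


if __name__ == "__main__":
    result = run()
    print("threshold:", result["baseline"]["fail_threshold"])
    for f in result["findings"]:
        print("finding:", f)
    print("unparsed lines:", len(result["rejected"]))
```

Two design points mirror the standard's structure: the threshold is derived from a calibration window rather than hard-coded, which is what keeps false alarms down when normal failure rates differ between environments, and every line that the parser rejects is returned rather than silently dropped, since a source that stops producing readable events is itself a gap in logging coverage that the audit role should see.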
Areas of responsibility and organizational framework conditions
The MST PD divides responsibilities between several areas:
- Operational IT security: planning and operation of the logging and detection infrastructure.
- IT operations: Ensuring the smooth operation of the IT infrastructure.
- Audit: Regular review of compliance with the specifications and protective measures.
Each institution must also ensure that employees are trained and that suitable resources are provided for implementation.
Legal and technical challenges
Compliance with the minimum standard requires consideration of the legal framework. This includes determining permissible storage periods for log data, which can vary depending on the protection requirements. In addition, the specifications of the MST must be contractually regulated when integrating third-party providers or IT service providers.
The minimum standard for logging and detecting cyberattacks is a central guideline for information security in the Federal Administration. Its strict requirements not only provide a legal framework, but also contribute to improving resilience against cyber threats. However, successful implementation requires close cooperation between all stakeholders involved and continuous adaptation to new threat scenarios.
Source: BSI minimum standard for logging and detecting cyber attacks, version 2.1, dated 11.11.2024