
Centralized Log Management for SOX Compliance

Over twenty years ago, a series of corporate financial scandals set off a chain reaction, culminating in criminal convictions and new legislation. After uncovering accounting fraud across public companies like Enron, WorldCom, and Tyco, the US Congress enacted the Sarbanes-Oxley Act of 2002 (SOX). As companies have become more reliant on technology, the Securities and Exchange Commission (SEC), the agency tasked with overseeing SOX Compliance, has updated the requirements to address cybersecurity and looks to implement further changes.

As SOX compliance increasingly incorporates cybersecurity risk, companies can use centralized log management to help with their audit and reporting requirements.


A Brief History of SOX and Cybersecurity

Unlike other regulations, SOX focuses on financial reporting and corporate governance, which means that its connection to cybersecurity requires a bit of explanation.

The Original 2002 Act

SOX was a direct response to fraudulent financial reporting and auditor malfeasance. The original Act sought to protect investors by improving the accuracy and reliability of corporate disclosures, which it did by implementing, among other provisions:


Section 302 “Corporate Responsibility for Financial Reports” subparagraph (a)(4) states that the principal executive officer(s) and the principal financial officer(s) or those performing similar functions:

(A) are responsible for establishing and maintaining internal controls;

(B) have designed such internal controls to ensure that material information relating to the issuer and its consolidated subsidiaries is made known to such officers by others within those entities, particularly during the period in which the periodic reports are being prepared;

(C) have evaluated the effectiveness of the issuer’s internal controls as of a date within 90 days prior to the report; and

(D) have presented in the report their conclusions about the effectiveness of their internal controls based on their evaluation as of that date;


Section 404 “Management Assessment of Internal Controls” subparagraph (b) states:


INTERNAL CONTROL EVALUATION AND REPORTING .—With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.


Taken together, Sections 302(a)(4) and 404(b) act as the foundation for bringing cybersecurity under the purview of SOX requirements and independent audits: executives must certify the internal controls, and the auditor must attest to management's assessment of them, so a failure in the systems that produce and safeguard financial data is a control failure under SOX. Cybersecurity and internal controls impact financial reporting accuracy in two different ways:


Commission Statement and Guidance on Public Company Cybersecurity Disclosures 2018

In 2018, the SEC published interpretive guidance to help public companies prepare cybersecurity risk and incident disclosures. The guidance tied cybersecurity to the existing controls framework by referencing the Section 302 certifications and noting:

These certifications and disclosures should take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents and for assessing and analyzing their impact. In addition, to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.


OCIE Cybersecurity and Resilience Observations 2020

In January 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its Cybersecurity and Resiliency Observations report.


Recognizing that cybersecurity risk management is essential to protecting securities markets, OCIE described the cyber risk management and operational resiliency practices it had observed across the industry, grouped into the following seven categories:

The Future of SOX and SEC Cybersecurity Requirements

In May 2022, the SEC proposed new rules around cybersecurity risk management and incident reporting that included the following:


Companies that want more insight into the SEC’s approach to cybersecurity compliance can take a look at the proposed new Rule 10 announced in March 2023. While the Market Entities it covers are outside the SOX reporting requirements, the rule highlights the policies, procedures, and technical controls that the regulatory agency believes mitigate risk.


For organizations that must comply with SOX, the SEC’s proposed requirements for Market Entities look similar to those outlined in 2018, 2020, and 2022:


Centralized Log Management for SOX Compliance

SOX exists to hold executives accountable for their decisions and internal controls. As the SEC evolves its cybersecurity reporting requirements, organizations need technologies that enable them to address cyber risks while ensuring appropriate communication with senior executives and the board of directors.


With a centralized log management solution that incorporates security analytics, companies can implement many of OCIE’s best practices for cybersecurity and resilience.


Access Rights and Controls

In complex environments, a centralized log management solution that ingests identity and access data from across the environment and pairs it with user and entity behavior analytics (UEBA) enables robust access monitoring.


By continuously monitoring user access and looking for anomalous behavior, organizations can handle security functions like:



Data Loss Prevention

Some of the data loss prevention tools and processes that OCIE identifies include:


Since every technology generates event and security log data, a centralized log management solution becomes a single source for aggregating, correlating, and analyzing data. Companies can implement robust security monitoring that correlates data generated by business applications and data from the cybersecurity technology stack.


For example, an organization can monitor inbound and outbound traffic with its firewall tools:



When this firewall data is combined with IDS alerts, the team gains insight into potential evasion techniques.


With all the log data in a single location, the security team can correlate the network monitoring, antivirus logs, and anomaly detection capabilities for alerts around suspicious data downloads indicating a potential unauthorized exfiltration:
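
The correlation described above, as an added example that is not Graylog's code and not part of the original post: it joins constructed firewall, IDS, and antivirus log lines by internal host, flags hosts whose outbound volume crosses an assumed 100 MiB threshold, and raises the severity only when a second source corroborates. The log formats (key=value firewall and antivirus records, a Suricata fast.log style IDS line) and the threshold are assumptions chosen for the demo.

```python
"""Correlating firewall, IDS and antivirus logs to flag likely exfiltration.

Added example, not Graylog code. Every log line below is constructed for the
demo, and the formats (key=value firewall records, a Suricata fast.log style
IDS alert, key=value antivirus events) are assumptions chosen for readability.
"""
import re
from collections import defaultdict

# Constructed firewall records: allowed connections with direction and bytes.
FIREWALL_LOGS = """\
ts=2024-03-04T02:11:05Z action=allow dir=out src=10.0.5.21 dst=203.0.113.9 dport=443 bytes=4800
ts=2024-03-04T02:11:40Z action=allow dir=out src=10.0.5.21 dst=203.0.113.9 dport=443 bytes=5200
ts=2024-03-04T02:12:02Z action=allow dir=out src=10.0.5.44 dst=198.51.100.7 dport=443 bytes=380000000
ts=2024-03-04T02:12:30Z action=allow dir=out src=10.0.5.44 dst=198.51.100.7 dport=443 bytes=410000000
ts=2024-03-04T02:13:01Z action=allow dir=out src=10.0.5.60 dst=203.0.113.9 dport=443 bytes=6100
ts=2024-03-04T02:13:15Z action=allow dir=in src=198.51.100.7 dst=10.0.5.44 dport=443 bytes=900
ts=2024-03-04T02:14:10Z action=allow dir=out src=10.0.5.77 dst=192.0.2.15 dport=443 bytes=250000000
"""

# Constructed IDS alert (Suricata fast.log layout).
IDS_LOGS = """\
03/04/2024-02:12:10.120000  [**] [1:2000001:1] Possible DNS tunnel (long TXT) [**] [Priority: 2] {UDP} 10.0.5.44:51012 -> 198.51.100.7:53
"""

# Constructed antivirus events.
AV_LOGS = """\
2024-03-04T02:10:55Z host=10.0.5.44 event=detection name=Trojan.Generic action=quarantine_failed
2024-03-04T02:09:00Z host=10.0.5.21 event=scan_complete result=clean
"""

IDS_SRC = re.compile(r"\{\w+\} (\d{1,3}(?:\.\d{1,3}){3}):\d+ ->")


def parse_kv(line):
    """Turn 'k=v k2=v2' records into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def outbound_bytes(firewall_text):
    """Sum allowed outbound bytes per internal source host."""
    totals = defaultdict(int)
    for line in firewall_text.splitlines():
        rec = parse_kv(line)
        if rec.get("action") == "allow" and rec.get("dir") == "out":
            totals[rec["src"]] += int(rec["bytes"])
    return dict(totals)


def ids_alerted_hosts(ids_text):
    """Map internal source IP -> list of IDS signature names."""
    hosts = defaultdict(list)
    for line in ids_text.splitlines():
        m = IDS_SRC.search(line)
        if m:
            hosts[m.group(1)].append(line.split("[**]")[1].strip())
    return dict(hosts)


def av_detections(av_text):
    """Map host -> list of antivirus detection names (clean scans ignored)."""
    hosts = defaultdict(list)
    for line in av_text.splitlines():
        rec = parse_kv(line)
        if rec.get("event") == "detection":
            hosts[rec["host"]].append(rec.get("name", "unknown"))
    return dict(hosts)


def correlate(firewall_text, ids_text, av_text, volume_threshold=100 * 1024 * 1024):
    """Flag hosts whose outbound volume exceeds the (assumed) 100 MiB threshold.

    A host with corroborating IDS or antivirus evidence is rated high; volume
    alone is rated medium so that a large but legitimate backup is reviewed
    rather than paged out as an incident.
    """
    volumes = outbound_bytes(firewall_text)
    ids, av = ids_alerted_hosts(ids_text), av_detections(av_text)
    findings = []
    for host, total in volumes.items():
        if total < volume_threshold:
            continue
        evidence = [f"ids:{s}" for s in ids.get(host, [])]
        evidence += [f"av:{n}" for n in av.get(host, [])]
        findings.append({"host": host, "outbound_bytes": total,
                         "severity": "high" if evidence else "medium",
                         "evidence": evidence})
    # Highest severity first, then largest volume.
    findings.sort(key=lambda f: (f["severity"] != "high", -f["outbound_bytes"]))
    return findings


if __name__ == "__main__":
    for f in correlate(FIREWALL_LOGS, IDS_LOGS, AV_LOGS):
        print(f"{f['severity']:<6} {f['host']:<10} {f['outbound_bytes']:>12} B  {f['evidence']}")
```

On the constructed data, 10.0.5.44 is rated high (large upload plus an IDS alert and a failed quarantine), while 10.0.5.77 is rated medium because the volume alone is the only signal. The split is the point: volume thresholds on their own generate backup noise, and IDS or antivirus hits on their own miss quiet exfiltration, so the alert fires on the combination.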

Incident Response and Resiliency

The faster a company can identify an incident, the faster it can respond to one. With centralized log management, the security team can incorporate threat intelligence and build queries around parameters rather than hard-coded values, so the same search can be re-run as indicators change. With parameterized searches, the team can proactively hunt for advanced threat activity such as:


For companies that want to further mature their security posture, Sigma rules can help automate threat hunting processes and help identify incidents faster:
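
How a Sigma rule turns a hunt into repeatable, parameterized detection logic, as an added example that is neither Graylog's nor the Sigma project's code: it implements a small subset of Sigma semantics and runs a constructed rule over constructed Sysmon-style process-creation events, then widens the rule with an extra indicator to show the parameterized-search idea from the previous paragraph. The rule is embedded as a dict instead of YAML to keep the example dependency-free; the field names, the gpscript.exe exclusion and the events are assumptions.

```python
"""Evaluating a Sigma-style rule over process-creation events.

Added example, not Graylog's or the Sigma project's code. Supported subset:
fields in a selection map are ANDed, a list of values for one field is ORed,
the |contains / |endswith / |startswith modifiers, and a condition of the
form "selection and not filter". Rule and events are constructed.
"""
import copy
import re

RULE = {
    "title": "Encoded PowerShell command line (constructed)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\pwsh.exe"],
            "CommandLine|contains": ["-enc ", "-EncodedCommand "],
        },
        # Assumed exclusion: PowerShell launched by Group Policy scripts.
        "filter": {"ParentImage|endswith": "\\gpscript.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
}

# Constructed Sysmon-style events; "QQBCAEMA" is just "ABC" in UTF-16LE base64.
EVENTS = [
    {"User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc QQBCAEMA",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -EncodedCommand QQBCAEMA",
     "ParentImage": "C:\\Windows\\System32\\gpscript.exe"},
    {"User": "CORP\\asmith", "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"User": "CORP\\bchen", "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
     "CommandLine": "pwsh.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\run.ps1",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
]


def _match_value(field_value, pattern, modifier):
    """Sigma string matching is case-insensitive; a missing field never matches."""
    if field_value is None:
        return False
    fv, pat = str(field_value).lower(), str(pattern).lower()
    if modifier == "contains":
        return pat in fv
    if modifier == "endswith":
        return fv.endswith(pat)
    if modifier == "startswith":
        return fv.startswith(pat)
    if modifier is None:
        return fv == pat
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_map(selection, event):
    """Every field in the map must match (AND); a list of values is OR."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        values = patterns if isinstance(patterns, list) else [patterns]
        if not any(_match_value(event.get(field), p, modifier or None) for p in values):
            return False
    return True


def evaluate(rule, event):
    """Supports conditions of the form 'X' or 'X and not Y'."""
    det = rule["detection"]
    m = re.fullmatch(r"(\w+)(?:\s+and\s+not\s+(\w+))?", det["condition"])
    if not m:
        raise ValueError(f"unsupported condition: {det['condition']}")
    selected, excluded = m.group(1), m.group(2)
    if not _match_map(det[selected], event):
        return False
    return not (excluded and _match_map(det[excluded], event))


def hunt(rule, events):
    return [e for e in events if evaluate(rule, e)]


def add_indicators(rule, map_name, field_key, indicators):
    """Return a copy of the rule with extra values ORed into one field."""
    new_rule = copy.deepcopy(rule)
    current = new_rule["detection"][map_name].get(field_key, [])
    current = current if isinstance(current, list) else [current]
    new_rule["detection"][map_name][field_key] = current + list(indicators)
    return new_rule


if __name__ == "__main__":
    for hit in hunt(RULE, EVENTS):
        print(RULE["title"], "->", hit["User"], hit["CommandLine"])
    wider = add_indicators(RULE, "selection", "CommandLine|contains", ["-windowstyle hidden"])
    print("after adding indicator:", len(hunt(wider, EVENTS)), "hits")
```

Against the constructed events the base rule fires once (the encoded command launched from cmd.exe), the Group Policy launch is suppressed by the filter map, and adding one indicator to the selection catches the hidden-window pwsh launch without touching the rest of the rule. That is the operational value of rule-as-data: the hunt logic stays fixed and reviewable while the indicators change.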


Once the team detects an incident, it needs a centralized log management solution with lightning-fast search capabilities and the ability to easily pivot during the investigation. With all evidence in a single easy-to-find place, users across all areas involved in the investigation can:


These capabilities enable faster time to contain and eradicate, reducing the incident’s impact.

Governance and Reporting

Although all compliance mandates incorporate governance, SOX exists solely to create accountability. With a centralized log management solution that provides easy-to-read dashboards, security teams can create reports that give senior leadership high-level metrics. For example, a dashboard showing that the period’s logon failures generated no high-severity alerts tells leadership that the failures look like forgotten passwords rather than a credential-based attack. That conclusion is only as good as the severity logic behind it: a password-spraying attempt produces one or two failures per account across many accounts, so severity has to be assigned to the pattern (many accounts from one source, or many attempts against one account) rather than to each failure on its own.
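
The severity logic behind such a logon-failure metric, as an added example that is not Graylog code: it scores each source by its worst ten-minute window of failures, so a source trying many accounts (password spraying) or hammering one account (brute force) is rated high, while a few failures for one user stay low. The events are constructed, and the window and thresholds are assumed tuning values.

```python
"""Triage of failed logons for a leadership-facing dashboard.

Added example, not Graylog code. Severity is assigned to the pattern of
failures per source rather than to each failure: many accounts from one
source (password spraying) or many attempts against one account (brute
force) rate high; a handful of failures for one user rate low. Events are
constructed; the window and thresholds are assumed tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

_BASE = datetime(2024, 3, 4, 10, 0, 0)

# Constructed failed-logon events as (timestamp, account, source_ip).
FAILED_LOGONS = [
    ("2024-03-04T08:01:10", "asmith", "10.0.8.12"),      # mistyped password
    ("2024-03-04T08:01:30", "asmith", "10.0.8.12"),
    ("2024-03-04T08:02:15", "asmith", "10.0.8.12"),
] + [
    # one external source, twelve accounts, one try each inside a minute
    (f"2024-03-04T09:00:{i * 5:02d}", f"user{i:02d}", "203.0.113.50") for i in range(12)
] + [
    # one source hammering a single service account
    ((_BASE + timedelta(seconds=3 * i)).isoformat(), "svc_backup", "198.51.100.23") for i in range(25)
]


def triage(events, window=timedelta(minutes=10), spray_users=8, brute_attempts=15):
    """Classify each source by its worst sliding window of failures."""
    by_source = defaultdict(list)
    for ts, user, src in events:
        by_source[src].append((datetime.fromisoformat(ts), user))
    findings = {}
    for src, items in by_source.items():
        items.sort()
        worst_users = worst_single = 0
        for i, (t0, _) in enumerate(items):
            j = i
            while j < len(items) and items[j][0] - t0 <= window:
                j += 1
            per_user = defaultdict(int)
            for _, user in items[i:j]:
                per_user[user] += 1
            worst_users = max(worst_users, len(per_user))
            worst_single = max(worst_single, max(per_user.values()))
        if worst_users >= spray_users:
            severity, category = "high", "password_spray"
        elif worst_single >= brute_attempts:
            severity, category = "high", "brute_force"
        else:
            severity, category = "low", "likely_forgotten_password"
        findings[src] = {"severity": severity, "category": category,
                         "distinct_users": worst_users,
                         "max_attempts_per_user": worst_single,
                         "total_failures": len(items)}
    return findings


def summarize(findings):
    """Counts by severity: the number leadership actually reads."""
    counts = defaultdict(int)
    for f in findings.values():
        counts[f["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage(FAILED_LOGONS)
    for src, f in result.items():
        print(f"{f['severity']:<4} {f['category']:<26} {src:<15} "
              f"users={f['distinct_users']} max/user={f['max_attempts_per_user']}")
    print("summary:", summarize(result))
```

Note what a per-failure severity would have missed: the spraying source produces only twelve failures in total, fewer than the brute-force source, and never more than one per account, so the dashboard would have reported it as forgotten passwords. Scoring the window per source is what makes the "no high-severity alerts" statement to the board defensible.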


With the right centralized log management solution, security teams can:



Graylog Security: Advanced Analytics for SOX Compliance

With Graylog Security, organizations gain at-a-glance visibility that enables them to monitor and report on the effectiveness of their cyber risk management practices. Graylog gives security teams the functionality they need without the complexity and costs associated with traditional SIEM solutions. Combining centralized log management, data enrichment and normalization, correlation, threat detection, incident investigation, anomaly detection, and reporting in a single platform, Graylog enables teams to create high-fidelity alerts while shrinking investigation times by hours, days, or weeks.


Using Graylog’s powerful, lightning-fast features together with Graylog Security’s intuitive UI and out-of-the-box cybersecurity-focused content, security teams can gain actionable insights quickly.


For more information about how Graylog Security can help you comply with SOX, contact us today.

