As networks become more distributed and cloud-based, you should consider changing servers to UTC time to ensure proper syncing. This will help with forensics investigations.

The concept of time zones is a relatively new one. In England, railway time was introduced to organize trains and schedules and to overcome the confusion caused by non-uniform local times in each town and station stop. It was also used to reduce accidents and scheduling problems for trains entering and leaving stations. As travel increased in scope and type, the need for standardization demanded time zones. As we added technology, we simply built on the idea that local time was what mattered.

Once upon a time we set the logging for servers in the local time of wherever they were located. This made correlation of events, especially to local computers, consistent and relatively easy. Then the internet was born, and we moved our servers to the cloud and data centers. Suddenly, setting logging to local time made no sense at all. Add help desks and distributed organizations, and the need to correlate events across organizations, and moving logging to Coordinated Universal Time (UTC) may be wise.

What is UTC and why is it important to security?

UTC is a 24-hour time standard that helps the world's timing centers keep their time scales synchronized. It is based on Universal Time (UT1), which uses the speed of the Earth's rotation to measure time.

As I explained earlier, if you cannot properly sync time across your network, it can have a negative effect on security updates, authentication and forensics investigations. Moving logging to UTC helps keep your entire network in sync. As with any decision, you need to evaluate what makes sense for your organization. If you are a small firm and all your administrators and users are in one time zone, logging in that time zone might be more appropriate.
If all of the logs are pulled into a central location from various time zones for analysis, you might choose UTC so that you can analyze them together. You should also check with your logging and firewall vendors to see what time setting they recommend.

Often applications choose a time zone for you, so it's wise to investigate ahead of time which time zone is chosen. For example, for many years Microsoft's web server, Internet Information Services (IIS), would by default choose UTC time based on a specification. As noted in KB271196, the extended log file format used by IIS was defined in the W3C Working Draft WD-logfile-960323 specification by Phillip M. Hallam-Baker and Brian Behlendorf. This document defined the date and time fields to always be in Greenwich Mean Time (GMT), which shares the same current time as UTC. You had to make an adjustment if you wanted a local time zone.

Microsoft's cloud platform Azure bases its system on UTC now, but that wasn't always the case. In 2009, the decision was made to move Azure off of Pacific time zone logging time and onto UTC. Azure and the Windows Defender Advanced Threat Protection (ATP) portal use UTC for their logging and tracking information. While the local computer is in its local time zone, the logging in the ATP portal is always UTC. However, it's easy to click on the global icon on the menu to flip between the local time zone of the computer and UTC.

[Figure: Time zone setting for Windows Defender ATP (Susan Bradley)]

Often in forensics, you use the registry to determine what time zone a computer is located in. As noted, you can look at HKEY_LOCAL_MACHINE\ControlSet001\Control\TimeZoneInformation (in a mounted image) or, on a live computer, at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation to determine what time zone a computer is set for.
[Figure: Windows registry key showing time zone (Susan Bradley)]

As you can see, the registry key identifies what time zone the computer is in.

As noted in a recent article, when dealing with time and Azure, and especially SQL, consider GETUTCDATE and SYSUTCDATETIME instead of functions like GETDATE and SYSDATETIME. Older SQL applications were often written without cloud platforms in mind and use local time. Before migrating applications to the cloud, evaluate whether they can handle a transition to UTC time.

Finally, you can use PowerShell to determine the exact time zone of a computer, or of a series of remote computers. The command Get-TimeZone returns the time zone of the computer. It can be combined with a list of servers to determine the time zone of numerous systems.

[Figure: Determine the time zone with PowerShell (Susan Bradley)]

Bottom line: Evaluate applications, logging and anything else that might be time sensitive and determine if they can be moved to UTC time or have an easy conversion from the local time to UTC time. Determine what makes sense for you and what provides you with the best information. You might find as you add more cloud services that moving logging across your network to UTC makes the most sense to allow you to best correlate events.
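One way to combine Get-TimeZone with a list of servers, cross-checked against the TimeZoneInformation registry key mentioned above. This is an added example, not a script from the original article; the server names are hypothetical, and it assumes PowerShell remoting (WinRM) is enabled on each host.

```powershell
# Added example. Server names are hypothetical placeholders; assumes WinRM
# remoting is enabled and the current account may connect to each host.
$servers = 'SERVER01', 'SERVER02', 'SERVER03'

$report = foreach ($server in $servers) {
    try {
        $r = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            $tz  = Get-TimeZone
            $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation'
            [pscustomobject]@{
                TimeZoneId    = $tz.Id
                BaseUtcOffset = $tz.BaseUtcOffset.ToString()
                # Same value a forensic examiner reads from the registry hive.
                RegistryZone  = (Get-ItemProperty -Path $key).TimeZoneKeyName
                # Ticks avoid any DateTime kind conversion during serialization.
                UtcTicks      = [datetime]::UtcNow.Ticks
            }
        }
        # Rough clock skew versus this workstation; includes network latency.
        $skew = [math]::Round(([long]$r.UtcTicks - [datetime]::UtcNow.Ticks) / 1e7, 1)
        [pscustomobject]@{
            Server        = $server
            TimeZoneId    = $r.TimeZoneId
            BaseUtcOffset = $r.BaseUtcOffset
            RegistryZone  = $r.RegistryZone
            SkewSeconds   = $skew
            IsUtc         = ($r.TimeZoneId -eq 'UTC')
        }
    }
    catch {
        # Keep unreachable hosts in the report so gaps are visible.
        [pscustomobject]@{
            Server        = $server
            TimeZoneId    = 'UNREACHABLE'
            BaseUtcOffset = $null
            RegistryZone  = $null
            SkewSeconds   = $null
            IsUtc         = $false
        }
    }
}

# Hosts not on UTC, or with large skew, are the ones to review before
# correlating their logs with other sources.
$report | Sort-Object TimeZoneId, Server | Format-Table -AutoSize
```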
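To show why correlating local-time logs is harder than correlating UTC logs, the following added example (not from the original article) converts local timestamps from three sites to UTC and flags the two daylight-saving edge cases that local logging creates. The events are constructed sample data, and the zone names assume Windows time zone IDs.

```powershell
# Added example. The records below are constructed sample data; Zone values
# are Windows time zone IDs as returned by Get-TimeZone on each source host.
$records = @(
    [pscustomobject]@{ Source='web-ny';  Zone='Eastern Standard Time'; Local='2023-11-05 01:30:00'; Message='failed logon' }
    [pscustomobject]@{ Source='vpn-lon'; Zone='GMT Standard Time';     Local='2023-11-05 06:31:10'; Message='VPN session opened' }
    [pscustomobject]@{ Source='db-sea';  Zone='Pacific Standard Time'; Local='2023-11-04 23:32:00'; Message='bulk export started' }
    [pscustomobject]@{ Source='web-ny';  Zone='Eastern Standard Time'; Local='2023-03-12 02:15:00'; Message='service restart' }
)

function ConvertTo-UtcRecord {
    param([Parameter(Mandatory)] $Record)

    $tz    = [System.TimeZoneInfo]::FindSystemTimeZoneById($Record.Zone)
    # ParseExact yields DateTimeKind.Unspecified, which ConvertTimeToUtc
    # interprets as a wall-clock time in the supplied zone.
    $local = [datetime]::ParseExact($Record.Local, 'yyyy-MM-dd HH:mm:ss',
                                    [cultureinfo]::InvariantCulture)
    $utcText = $null
    $note    = ''

    if ($tz.IsInvalidTime($local)) {
        # Falls in the hour skipped when clocks move forward; no UTC
        # equivalent exists, so the timestamp itself is suspect.
        $note = 'invalid local time (DST gap)'
    }
    else {
        $utc     = [System.TimeZoneInfo]::ConvertTimeToUtc($local, $tz)
        $utcText = $utc.ToString("yyyy-MM-dd HH:mm:ss'Z'")
        if ($tz.IsAmbiguousTime($local)) {
            # Occurs twice when clocks move back; .NET assumes standard time.
            $note = 'ambiguous (DST overlap), standard time assumed'
        }
    }

    [pscustomobject]@{
        Utc     = $utcText
        Source  = $Record.Source
        Local   = $Record.Local
        Message = $Record.Message
        Note    = $note
    }
}

# One timeline in UTC; flagged rows could not be placed with certainty.
$records | ForEach-Object { ConvertTo-UtcRecord -Record $_ } |
    Sort-Object Utc | Format-Table -AutoSize
```

Hosts that already log in UTC never produce the flagged rows, because UTC has no daylight-saving transitions.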